Access token API guide
Use the Access Token API to get an authorization token that can be used with Vipps MobilePay API requests.
All API requests must include an
Authorization header with
a JSON Web Token (JWT), which we call the access token.
The Access token API allows you to get this token.
To make requests to the Vipps MobilePay APIs you need to:
- First make a request to
POST: /accesstoken/getto get an access token.
- Use the access token from (1) in the HTTP header of the other API requests.
Get an access token
The access token is obtained by calling
and providing these values in the HTTP header:
client_id(think of it as the username)
client_secret(think of it as the password)
Ocp-Apim-Subscription-Key(specifies which API products you can access)
See Getting Started for information about API keys, product activation, how to make API calls, etc.
POST without a body, to an endpoint with
get in the URL. Too late to change it now, sorry.)
Please note: You can have multiple access tokens, and they can be used at the same time as long as they are valid.
Please note: Partners should use partner keys if possible.
The response from
is like this:
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>"
access_token is the most important part.
An explanation of the contents of the access token (the JWT properties):
|It’s a |
|Token expiry duration in seconds.|
|Extra expiry time. Not used.|
|Token expiry time in epoch time format.|
|Token creation time in epoch time format.|
|For the product for which token has been issued.|
|The actual access token that needs to be used in |
Please note: The access token is valid for 1 hour in the test environment
and 24 hours in the production environment. To be sure that you are using
correct time please use
The access token is a JWT (JSON Web Token), and uses UTC time.
You now have the access token and can make subsequent API calls with the following HTTP headers:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1Ni <truncated>
Important: Remember to specify
Bearer. If not, you may get a
HTTP 401 Unauthorized error. See the FAQ:
Why do I get
HTTP 401 Unauthorized?.
Problems? See: FAQ: Common errors