Redirect flow
This guide shows you how to set up regular BankID authentication (High and Biometric), using the Signicat Authentication REST API with redirect flow.
Prerequisites
- Follow the steps on the Initial preparations page to establish a connection with Norwegian BankID.
-
Before you can start making requests to the Authentication REST API, you need to learn how to connect to it. To do this, see Connect to Signicat APIs Quick start guide.
Ensure that you set the Authentication REST API permission for your API client. When you have obtained an access token and are ready to make an API request, return here to resume this guide.
Learn more about the Signicat Authentication REST API- Authentication REST API for conceptual documentation.
- API Reference for endpoint descriptions.
1. Build the authentication request (Create a new session)
This section describes how to make an HTTP POST request to the /sessions endpoint, to create a new session and start an authentication.
To begin the authentication flow, your application must first start a session by utilising the /sessions endpoint. The endpoint automatically creates a session when you send a request. The flow and resulting information from the transaction depends on the parameters you pass in the body.
The response from this endpoint contains an authentication URL, to which you can embed in an iframe and present to the end-user to start their transaction.
To create a session, send a POST request to https://api.signicat.com/auth/rest/sessions?signicat-accountId={accountId}.
You can find your accountId in the Signicat Dashboard.
The following sub-sections show examples and descriptions of attributes that you can include in the request.
Request examples
Here are two example requests for creating a new session for a Norwegian BankID login for normal authentication and authentication with payment data:
- Normal
- Payment
{
"allowedProviders": ["nbid"],
"flow": "redirect",
"additionalParameters": {
"nbid_idp": "BID"
},
"prefilledInput": {
"nin": "17029012345"
},
"requestedAttributes": [
"dateOfBirth",
"firstName",
"lastName",
"name",
"nin"
],
"callbackUrls": {
"success": "https://example.com/success",
"abort": "https://example.com/abort",
"error": "https://example.com/error"
}
}
{
"flow": "redirect",
"allowedProviders": [
"nbid"
],
"language": "en",
"requestedLoa": "substantial",
"requestedAttributes": [
"nin",
"name",
"firstName",
"lastName",
"idpId",
"dateOfBirth",
"nbidUpdatedAt",
"nbidTid",
"nbidSid",
"nbidOriginator",
"nbidIdp",
"nbidAuthTime",
"nbidAlternativeSubject",
"nbidAdditionalCertInfo",
"nbidSubjectUuid",
"nbidMethod",
"nbidAuthType"
],
"additionalParameters": {
"nbid_auth_type": "PAYMENT"
},
"prefilledInput": {
"nin": "17029012345"
},
"paymentPrefillData": {
"reference": "composite-payment-1234",
"payments": [
{
"reference": "individual-payment-56",
"amount": "100",
"currency": "NOK",
"receiver": "ACME AS"
},
{
"reference": "individual-payment-78",
"amount": "200",
"currency": "NOK",
"receiver": "ACME AS"
}
]
}
}
Upon sending this request, the Norwegian BankID session will start.
If the authentication completes successfully, the final result will contain the attributes that were requested.
Attributes are described in more detail in the following sections.
Initialise authentication
To initialise an authentication with Norwegian BankID, you can use the following attributes in the initial request:
Control the user flow (additionalParameters)
You use additionalParameters to control the redirect flow. This is not a required field.
Prefill user information (prefilledInput)
You can use the prefilledInput parameter to prefill information about the user, for example, so the user does not have to fill in this information manually. If prefilled, only the user with the prefilled information will be able to authenticate. This is not a required field.
For Norwegian BankID, you can prefill the national identity number, nin:
"prefilledInput": {"nin": "17029012345"}
Payment data (paymentPrefillData)
When you want the end-user to approve a payment before the authentication, you set the additional parameter nbid_auth_type to PAYMENT (as shown shown in the examples above), and you must prefill data about the payment in the paymentPrefillData object.
The paymentPrefillData object is mandatory for payment.
Here is an example of a complete paymentPrefillData object:
{...},
"paymentPrefillData": {
"reference": "composite-payment-1234",
"payments": [
{
"reference": "individual-payment-56",
"amount": "100",
"currency": "NOK",
"receiver": "ACME AS"
},
{
"reference": "individual-payment-78",
"amount": "200",
"currency": "NOK",
"receiver": "ACME AS"
}
]
}
These are the mandatory attributes inside the paymentPrefillData object:
User attributes (requestedAttributes)
You can request the following attributes from users of Norwegian BankID.
Response examples
Here are two response examples from the "Create a session" response for normal authentication and authentication with payment data:
- Normal
- Payment
{
"id": "fb432801-...",
"accountId": "a-sdge-...",
"authenticationUrl": "https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/external-service/login?messageId=21b064c3-28b...",
"status": "CREATED",
"callbackUrls": {
"success": "https://example.com:443/?sessionId=fb432801-66f6-6141-9835-e2a3b42e2e35",
"abort": "https://example.com:443/abort?sessionId=fb432801-66f6-6141-9835-e2a3b42e2e35",
"error": "https://example.com:443/error?sessionId=fb432801-66f6-6141-9835-e2a3b42e2e35"
},
"allowedProviders": [
"nbid"
],
"flow": "redirect",
"requestedAttributes": [
"dateOfBirth",
"firstName",
"lastName",
"name",
"nin"
],
"sessionLifetime": 600
}
{
"id": "88fd4d1e-5f9a-4de7-9753-f48d863b771b",
"accountId": "a-sdge-oyNgetJTcOc5ba7Sj5ZR",
"authenticationUrl": "https://api.signicat.com/idps/sandbox/nbid/ciba/initialize-auth?transactionId=87d94a...&messageId=496e79...",
"status": "CREATED",
"paymentPrefillData": {
"reference": "composite-payment-1234",
"payments": [
{
"reference": "individual-payment-56",
"amount": "100",
"currency": "NOK",
"receiver": "ACME AS"
},
{
"reference": "individual-payment-78",
"amount": "200",
"currency": "NOK",
"receiver": "ACME AS"
}
]
},
"allowedProviders": [
"nbid"
],
"language": "en",
"flow": "redirect",
"requestedAttributes": [
"dateOfBirth",
"firstName",
"idpId",
"lastName",
"name",
"nbidAdditionalCertInfo",
"nbidAlternativeSubject",
"nbidAuthTime",
"nbidAuthType",
"nbidIdp",
"nbidMethod",
"nbidOriginator",
"nbidSid",
"nbidSubjectUuid",
"nbidTid",
"nbidUpdatedAt",
"nin"
],
"sessionLifetime": 1200,
"expiresAt": "2026-04-20T12:27:54.4334025+00:00"
}
What you need to do with the response
You must redirect the end-user to the authenticationUrl found in the response. This is a unique URL which allows the user to perform the Norwegian BankID authentication in context of the session you just created.
End-user authentication
The end-user follows these steps:
- On your website/application, the end-user clicks on a button to authenticate with BankID. Your application sends a request to start an authentication with BankID, as described in the previous section.
- The end-user is redirected to the BankID login page.
- The end-user logs in using their BankID credentials (this step may involve two-factor authentication).
After the end-user approves the request, the browser is redirected back to the relevant callbackUrl specified in the "Create a new session" request.
For screen examples, see About Norwegian BankID.
2. Obtain user information (Get session status)
Make an HTTP GET request to the /sessions endpoint to poll for information regarding the session and ongoing authentication.
Upon successful authentication, a response is returned that contains the user information requested in the "Create a new session" call carried out earlier.
Request
No data specific for Norwegian BankID needs to be provided in this request.
To get the status of a session, send a GET request to https://api.signicat.com/auth/rest/sessions/{id}.
You can find the id value in the response that was returned when you created the session.
Response example
The "Get session status" response contains a status field, which indicates the current status of the session. Below you can see an example response for a successfully completed session for normal authentication and authentication with payment data:
- Normal
- Payment
{
"id": "fb432801-...",
"accountId": "a-sdge-...",
"authenticationUrl": "https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/external-service/login?messageId=21b064c3-28b...",
"status": "SUCCESS",
"provider": "nbid",
"subject": {
"id": "opuc4kyFUWPkfdmfYTzjS89u6ZCWLHWLZfPR5hpBW24=",
"idpId": "9578-6000-4-1663921",
"name": "Kari Nordmann",
"firstName": "Kari",
"lastName": "Nordmann",
"dateOfBirth": "1990-02-17",
"nin": {
"value": "17029012345",
"issuingCountry": "NO",
"type": "BIRTH"
}
},
"callbackUrls": {
"success": "https://example.com/success?sessionId=58126fb8-c5e2...",
"abort": "https://example.com/abort?sessionId=58126fb8-c5e2...",
"error": "https://example.com/error?sessionId=58126fb8-c5e2..."
},
"allowedProviders": [
"nbid"
],
"flow": "redirect",
"requestedAttributes": [
"dateOfBirth",
"firstName",
"lastName",
"name",
"nin"
],
"sessionLifetime": 600
}
{
"id": "88fd4d...",
"accountId": "<ACCOUNT_ID>",
"authenticationUrl": "https://api.signicat.com/idps/sandbox/nbid/ciba/initialize-auth?transactionId=87d94a...&messageId=496e79...",
"status": "SUCCESS",
"provider": "nbid",
"subject": {
"id": "Zd-M6Bze8DPOGjzT5D0hxXkKhZn1kVRcbjQpRNuZYcU=",
"idpId": "9578-6000-4-1930136",
"name": "Kari Nordmann",
"firstName": "Kari",
"lastName": "Nordmann",
"dateOfBirth": "1990-02-17",
"nin": {
"value": "17029012345",
"issuingCountry": "NO",
"type": "BIRTH"
},
"nbidIdp": "BIS",
"nbidAuthType": "PAYMENT",
"nbidOriginator": "CN=BankID - TestBank1 - Bank CA 3,OU=123456789,O=TestBank1 AS,C=NO;OrginatorId=9980;OriginatorName=BINAS;OriginatorId=9980",
"nbidUpdatedAt": "1730117741",
"nbidSubjectUuid": "za7-4zkWYRUlMkZ6-dSHQj-tvgqmyr5NtBJdb-V1fBg",
"nbidAlternativeSubject": "9578-6000-4-1930136",
"nbidSid": "808ch4zl-Nx64_5iz349-upp8Kkr2anIiBj_djy-yFA",
"nbidMethod": "biometric"
},
"paymentPrefillData": {
"reference": "composite-payment-1234",
"payments": [
{
"reference": "individual-payment-56",
"amount": "100",
"currency": "NOK",
"receiver": "ACME AS"
},
{
"reference": "individual-payment-78",
"amount": "200",
"currency": "NOK",
"receiver": "ACME AS"
}
]
},
"loa": "substantial",
"allowedProviders": [
"nbid"
],
"language": "en",
"flow": "redirect",
"requestedAttributes": [
"dateOfBirth",
"firstName",
"idpId",
"lastName",
"name",
"nbidAdditionalCertInfo",
"nbidAlternativeSubject",
"nbidAuthTime",
"nbidAuthType",
"nbidIdp",
"nbidMethod",
"nbidOriginator",
"nbidSid",
"nbidSubjectUuid",
"nbidTid",
"nbidUpdatedAt",
"nin"
],
"sessionLifetime": 1200,
"expiresAt": "2026-04-20T12:27:54.4334025+00:00"
}
Status overview
What you need to do with the response
If the returned status is SUCCESS, you will find information about the authenticated user in the subject object.
You will also see what identity provider was actually used by checking the provider field. This can be useful if you allowed more than one identity provider when you created the session.
You have now completed an authentication flow with Norwegian BankID.
Next steps
Learn more about available request and response attributes for Norwegian BankID:
Dive deeper into Authentication REST API and improve your application with advanced security features:
For ecommerce customers under certain conditions, it is also possible to embed the BankID page into your own flow: