Setup of Swedish BankID

Integration with BankID is done similarly to Signicat's other ID methods. This page describes the specifics for setting up BankID. For more general information on how to integrate with Signicat's protocols, see the Quick start guide.

Initial preparations

The setup descriptions below assume you have completed the following initial preparations:

• Sign up to the Signicat Dashboard.
• In the Signicat Dashboard, set up an organisation, an account and a domain.

Sandbox account

We recommend that you test our services with your sandbox account before implementing them in production.

Add BankID in the Dashboard

Sign an agreement

You do not need any agreement to add BankID with a sandbox account. However, before you can start integrating in production, you need to configure BankID access with an onboarding manager. To get help with this, follow the steps in Sign agreements and order certificate or contact us.

To add BankID to the list of supported ID methods:

1. In the Signicat Dashboard, go to eID Hub > ID Methods.
2. Click Add new.
3. Choose Swedish BankID in the list and click Save.

You can now continue with selecting a protocol and configuring the ID method.

Select protocol and configure

This section describes how you select and set up different BankID integrations. You can choose between the following protocols:

• OIDC
• SAML 2.0
• Authentication REST API: This API provides either a redirect or a headless flow. See the general documentation for a concept description of the available flows.

Which protocol?

Choice of protocol depends on what you prefer and what you want to achieve. The Signicat Authentication REST API gives you a lot of flexibility and enables options such as headless flow in addition to redirect. Between the other two, we recommend using OIDC, since SAML 2.0 is much more complex to implement on your side and usually requires a federation agent already in place. OIDC is industry standard and you do not need to manage user sessions on your own (like with the Authentication REST API).

You can find more information about the different types in the general section, Authentication protocols.

OpenID Connect

OIDC

This section details how to set up Swedish BankID with the OIDC protocol.

1. Add OIDC configuration

Before you start building the integration, you need to set up an OIDC client and create a client secret in the Dashboard. Follow the steps in the Quick start guide.

For an overview of available scopes for BankID (needed when you define the OIDC client), see the Scopes and claims for OIDC.

2. Control the BankID flow

Signicat provides different flow options for BankID (for example, QR flow). This section describes how to control those flow options when using the OIDC protocol.

Example authorization request

You can pre-select an ID method in your authorization request by including the name of the identity provider (idp) in the acr_values parameter. To pre-select Swedish BankID, include acr_values=idp:sbid in your authorization request.

Here is an example on an authorization URL:

https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize?
client_id=sandbox-example-client-123
&response_type=code
&scope=openid
&prompt=login
&acr_values=idp:sbid
&redirect_uri=https://myservice.example/redirect

The URL consist of a base URL https://<YOUR_SIGNICAT_DOMAIN>/auth/open/connect/authorize and the following parameters:

• client_id: OIDC Client ID you created in the Dashboard.
• scope: OIDC scopes that determine the BankID flow. openid is a required parameter. For an overview of available scopes and claims for BankID, see the Scopes and claims for OIDC.
• redirect_uri: The URI where the end-user is redirected to at the end of the authentication flow. This must be the same as you defined in the OIDC configuration in the Dashboard.
• response_type: Based on the response flow you set for the OIDC Client (this is an advanced feature).

The acr_values and login_hintparameters are described in more detail below.

acr_values

You can use the acr_values parameter to adjust how the authentication flow behaves by using the following available parameters and corresponding values:

Name	Values	Description
sbid_app_redirect	myapp://redirect	Possibility to apply the app redirect URL that you have added to the allowlist in the Dashboard Configuration page.
sbid_initial_flow	DETECT, APP_LAUNCH or REMOTE_FLOW	Controls which authentication flow should be presented first to the user: - DETECT automatically determines if the user is on a mobile or a desktop device, and presents APP_LAUNCH or REMOTE_FLOW respectively. This is the default behaviour. - APP_LAUNCH launches the BankID app locally. - REMOTE_FLOW presents the QR code flow.
sbid_require_mrtd	true or false	Setting this parameter to true, will enforce the end-user to do an additional confirmation with either their Swedish ID-Card or their Swedish passport. This should be used in transactions where extra security might be warranted, for example high risk transactions. For this parameter to work, you must also add the sbid-extra scope in the request. This scope includes the sbidMrtd claim. Note: You must validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter. For feature details, see the About page > MRTD.
sbid_auth_type	NORMAL or PHONE	Controls which type of flow is started for Swedish BankID: - NORMALlaunches the regular Authentication flow (can be further specified by sbid_initial_flow) . - PHONE launches the Phone flow. Notes: : - For the Phone flow to work, you must also include sbid_phone_initiator and enable the Phone flow in the Dashboard configuration. - It must be a "trusted" parameter (see note below this table)
sbid_phone_initiator	USERor OPERATOR	Defines the default selected radio button in the first screen of the Phone flow: - USER means the User radio button is selected as default. - OPERATOR means the Operator button is selected as default. Note: It must be a "trusted" parameter (see note below this table)
sbid_intention_text	VGVzdCBpbnRlbnRpb24gdGV4dAo=	A text specifying the intention of the authentication. Notes: - Must be encoded in UTF8 Base64 format. - Max length of the Base64 encoded string: 1500 characters. For more details, see Define intention text.
sbid_intention_text_format	simpleMarkdownV1	Defines the format of the intention text to be simpleMarkdownV1. For more details, see Define intention text.

The Phone flow requires "trusted" acr_values

You must send sbid_auth_type and sbid_phone_initiatoras "trusted" parameters. This means you must use signed authorisation requests (see code examples in the general eID Hub docs).

Examples

Remote flow with QR code and intention text:

acr_values=idp:sbid sbid_initial_flow:REMOTE_FLOW sbid_intention_text:VGVzdCBpbnRlbnRpb24gdGV4dAo=

Phone flow:

acr_values=idp:sbid sbid_auth_type:PHONE sbid_phone_initiator:OPERATOR

login_hint (prefill user information)

You can use the login_hint parameter to prefill information about the user, for example, so the transaction is locked down to a specific user.

Only for nin

Prefilling of user information only applies to the national identification number (nin) for Swedish BankID. You cannot prefill other user data.

Name	Description
nin	Prefills the national identity number. The prefilled value will lock down BankID to restrict the authentication to a person with that national identity number.

Example

login_hint=nin:199002171234

This will prefill the national identity number of the end-user to the specified value.

See also

• Scopes and claims for OIDC
• High level use case descriptions with screen images
• General descriptions of acr_values and login_hint

SAML 2.0

SAML 2.0

Documentation will follow later.

Authentication REST API

Authentication REST API

This page details how to set up authentication for Swedish BankID using Signicat's Authentication REST API, either with redirect or headless flow. Requests are sent from your backend server to Signicat's Authentication REST API.

The currently supported mechanisms for authentication with Swedish BankID are:

• QR code: Launches the QR code flow on a remote device.
• App launch: Launches the BankID app locally on the same device.
• MRTD check: Adds an extra security check to a normal authentication flow.
• Phone flow: Allows authentication via a telephone call.

The mechanisms are set up in the same way, except for some minor differences in field values, as described in the following sections.

General documentation

If you want to read more about the basics of our eID Hub product before you start integrating with Swedish BankID, see the:

• Authentication REST API documentation for a conceptual description of the flows.
• API Reference for endpoint descriptions.

Redirect flow

This section details how to set up authentication for Swedish BankID using the redirect flow. The redirect flow allows you to pass a URL to your end-users which they will open in a browser.

Overview of the setup

This is an overview of what you need to do to set up a redirect flow:

• Set up the API client
• Create a session
• Get the session status

Set up the API client

Before you can make a request to the Authentication REST API, you need to set up an API client to obtain client credentials. You use these client credentials in a request to obtain an access token. How to do this is described in the Accessing Signicat API products section. The access token needs to be passed in as an HTTP Bearer authentication header when sending the requests.

Create a session

Request

To create a session, send a POST request to https://api.signicat.com/auth/rest/sessions (for reference details, see the Create a new session endpoint description).

Request example: Remote flow (QR)

Here is an example request body for an authentication, using the remote flow (QR code).

{
    "allowedProviders": ["sbid"],
    "flow": "redirect",
    "additionalParameters": {
        "sbid_initial_flow": "REMOTE_FLOW",
        "sbid_intention_text": "VGVzdCBpbnRlbnRpb24gdGV4dAo="
    },
    "prefilledInput": {
        "nin": "1234567890"
    },
    "requestedAttributes": [
        "name",
        "firstName",
        "lastName",
        "dateOfBirth",
        "nin"
    ],
    "callbackUrls": {
        "success": "https://example.com/success",
        "abort": "https://example.com/abort",
        "error": "https://example.com/error"
    }
}

Upon sending this request, the BankID session will start.

If the authentication completes successfully, the final result will contain the attributes that were requested.

Request example: Remote flow (QR) with MRTD

Here is an example request body for an authentication, where the MRTD security check is added to the normal QR code flow. This reqest will result in an MRTD transaction.

Important

When setting the additional parameter sbid_require_mrtd to true, remember to also add sbidMrtd in reqestedAttributes. If you do not set both parameters, the transaction will fail. You must also validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter.

{
    "flow": "redirect",
    "allowedProviders": [
        "sbid"
    ],
    "additionalParameters": {
        "sbid_intial_flow": "QR",
        "sbid_require_mrtd": "true"
    },
    "requestedAttributes": [
        "name",
        "nin",
        "sbidMrtd"
    ],
    "callbackUrls": {
        "success": "https://signicat.com",
        "abort": "https://example.test/abort",
        "error": "https://example.test/error"
    }
}

If the authentication completes successfully, the final result will contain the attributes that were requested.

For a feature description of the MRTD check, see the About page.

Phone flow

Here is an example request body for an authentication with the Phone flow:

{
    "allowedProviders": ["sbid"],
    "flow": "redirect",
    "additionalParameters": {
        "sbid_auth_type": "PHONE",
        "sbid_phone_initiator": "OPERATOR"
    },
    "prefilledInput": {
        "nin": "1234567890"
    },
    "requestedAttributes": [
        "name",
        "firstName",
        "lastName",
        "dateOfBirth",
        "nin"
    ],
    "callbackUrls": {
        "success": "https://example.com/success",
        "abort": "https://example.com/abort",
        "error": "https://example.com/error"
    }
}

Field descriptions

To initialise an authentication with BankID, you can use the following fields in the initial request:

Field	Required	Example value	Description
allowedProviders	No	["sbid"]	Specify ["sbid"] if you want to be sent directly to Swedish BankID. Don't send this field if you want to show a list of all the ID methods your account has connections for.
flow	Yes	redirect	MUST have the value redirect.

See below for a description of additionalParameters and the API Reference for the other fields.

Control the user flow (additionalParameters)

You use additionalParameters to control the redirect flow. This is not a required field.

Name	Values	Description
sbid_initial_flow	DETECT, APP_LAUNCH or REMOTE_FLOW	Controls which authentication flow should be presented first to the user: -DETECT automatically determines if the user is on a mobile or a desktop device, and presents APP_LAUNCH or REMOTE_FLOW respectively. This is the default behaviour. -APP_LAUNCH launches the BankID app locally. -REMOTE_FLOW presents the QR code flow.
sbid_app_redirect	myapp://redirect	Possibility to apply the app redirect URL that you have added to the allowlist on the Dashboard configuration page.
sbid_require_mrtd	true or false	Setting this parameter to true, will enforce the end-user to do an additional confirmation with either their Swedish ID-Card or their Swedish passport. This should be used in transactions where extra security might be warranted, for example high risk transactions. When this is set to true, you must also include sbidMrtd in the requestedAttribute. Note: You must validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter. For feature details, see the About page page.
sbid_auth_type	NORMAL or PHONE	Controls which type of flow is started for Swedish BankID: - NORMAL launches the regular Authentication flow (can be further specified by sbid_initial_flow) . - PHONE launches the Phone flow. Note: For the Phone flow to work, you must also include sbid_phone_initiator and enable the Phone flow in the Dashboard configuration.
sbid_phone_initiator	USERor OPERATOR	Defines the default selected radio button in the first screen of the Phone flow: - USER means the User radio button is selected as default. - OPERATOR means the Operator radio button is selected as default.
sbid_intention_text	VGVzdCBpbnRlbnRpb24gdGV4dAo=	A text specifying the intention of the authentication. Notes: - Must be encoded in UTF8 Base64 format. - Max length of the Base64 encoded string: 1500 characters. For more details, see Define intention text.
sbid_intention_text_format	simpleMarkdownV1	Defines the format of the intention text to simpleMarkdownV1. For more details, see Define intention text

User information (requestedAttributes)

You can request the following attributes from users of Swedish BankID. These attributes are common for both the redirect and headless flows.

You add them in the requestedAttributes as shown in the request examples above.

Attribute	sub-field	Example value in response	Description
name		Sven Svensson	The full name of the end-user
firstName		Sven	The first name of the end-user.
lastName		Svensson	The surname of the end-user.
dateOfBirth		1990-02-17	The date of birth of the end-user (ISO 8601 format).
idpId		199002171234	Personal identifier set by the identity provider.
nin	value	199002171234	The national identity number (“fødselsnummer”) of the end-user.
	type	PERSON	The type of national identity number. Always PERSON for Swedish BankID.
	issuingCountry	SE	The issuing country of the national identity. Always SE for Swedish BankID.
sbidDeviceIp		3.127.53.67	The IP address of the end-user's device where the BankID app was run during the authentication.
sbidCertificateNotBefore		2022-10-18T22:00:00.000Z	The time from when the certificate is valid.
sbidCertificateNotAfter		2023-10-19T21:59:59.000Z	The time the certificate expires.
sbidOcspResponderId		C=SE,O=Testbank A AB (publ),SERIALNUMBER=111111111111,CN=Testbank A Customer CA1 v1 for BankID Test OCSP Signing	The responder ID of the certificate used to sign the OCSP response (extracted from sbidOcspResponse).
sbidOcspResponse		MIIHfgoBAKCCB3cwggdzBgkrBgEFBQcwAQ...	Base64 encoded OCSP response for end user's BankID certificate
sbidXmlSignature		PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNv...	Base64 encoded XML signature returned by BankID as proof of authentication
sbidMrtd		true	Required in the MRTD check when the sbid_require_mrtd additional parameter is set to true. Note: You must validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter.

Prefill user information (prefilledInput)

You can use the prefilledInput parameter to prefill information about the user, for example, so the user does not have to fill in this information manually.

Only for nin

Prefilling of user information only applies to the national identification number (nin) for Swedish BankID. You cannot prefill other user data.

Name	Required	Example value	Description
nin	No	"prefilledInput": {"nin": "1234567890"}	Prefills the national identity number. If prefilled, only the user with that nin value will be able to authenticate.

Response

Here is an example response after you have created a session:

{
    "id": "58126fb8-c5e2-...",
    "accountId": "a-sdge-...",
    "authenticationUrl": "https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/external-service/login?messageId=21b064c3-28b...",
    "status": "CREATED",
    "callbackUrls": {
        "success": "https://example.com/success?sessionId=58126fb8-c5e2...",
        "abort": "https://example.com/abort?sessionId=58126fb8-c5e2...",
        "error": "https://example.com/error?sessionId=58126fb8-c5e2..."
    },
    "allowedProviders": [
        "sbid"
    ],
    "flow": "redirect",
    "requestedAttributes": [
        "name",
        "firstName",
        "lastName",
        "dateOfBirth",
        "nin"
    ],
    "sessionLifetime": 600
}

What you need to do with the response

You must redirect the end-user to the authenticationUrl found in the response. This is a unique URL which allows the user to perform the Swedish BankID authentication in context of the session you just created.

Get the session status

Request

No data specific for Swedish BankID needs to be provided in this request.

To get the status of a session, send a GET request to https://api.signicat.com/auth/rest/sessions/{id}. You can find the id value in the response that was returned when you created the session. For more information about the "Get session status" endpoint, see the API Reference description.

Response

The response will contain a status field, which you must use to see what the current status of the session is. Below you can see an example response for a successfully completed session:

{
    "id": "58126fb8-c5e2-...",
    "accountId": "a-sdge-...",
    "authenticationUrl": "https://<YOUR_SIGNICAT_DOMAIN>/broker/sp/external-service/login?messageId=21b064c3-28b...",
    "status": "SUCCESS",
    "provider": "sbid",
    "subject": {
        "id": "opuc4kyFUWPkfdmfYTzjS89u6ZCWLHWLZfPR5hpBW24=",
        "idpId": "199010270537",
        "firstName": "Sven",
        "lastName": "Svensson",
        "nin": {
            "value": "199010270537",
            "issuingCountry": "SE",
            "type": "PERSON"
        }
    },
    "callbackUrls": {
        "success": "https://example.com/success?sessionId=58126fb8-c5e2...",
        "abort": "https://example.com/abort?sessionId=58126fb8-c5e2...",
        "error": "https://example.com/error?sessionId=58126fb8-c5e2..."
    },
    "allowedProviders": [
        "sbid"
    ],
    "flow": "redirect",
    "requestedAttributes": [
        "name",
        "firstName",
        "lastName",
        "dateOfBirth",
        "nin"
    ],
    "sessionLifetime": 600
}

Status overview

Status	Description
WAITING_FOR_USER	The user has not started to authenticate yet.
SUCCESS	The authentication is successful. Authentication result is present in the response.
ABORT	The session was cancelled by the end-user.
ERROR	The BankID session was not completed in time.

What you need to do with the response

If the returned status is SUCCESS, you will find information about the authenticated user in the subject object.

You will also see what provider was actually used by checking the provider field. This can be useful if you allowed more than one provider when you created the session.

Headless flow

This section details how to set up headless authentication for Swedish BankID. This means that you can provide your own user interface within your app or website.

Overview of the headless setup

This is an overview of what you need to do to set up a headless authentication:

• Set up the API client
• Create a session
• Get the session status
• Cancel a session (optional)
• How to complete a headless flow with QR or app launch

Set up the API client (headless)

Before you can make a request to the Authentication REST API, you need to set up an API client to obtain client credentials. You use these client credentials in a request to obtain an access token. How to do this is described in the Accessing Signicat API products section. The access token needs to be passed in as an HTTP Bearer authentication header when sending the requests.

Create a session (headless)

Request

You can use the https://api.signicat.com/auth/rest URL and send the request to the /sessions endpoint, including the accountId parameter. The full request URL should look like this:

https://api.signicat.com/auth/rest/sessions?signicat-accountId={accountId}

You can find the accountId in the Signicat Dashboard.

For reference details, see the Create a new session endpoint description.

Request example: QR code flow

Here is an example request body for a headless authentication, using the QR code flow. This example also applies to the App Launch flow (just replace QR with APP_LAUNCH). If the authentication completes successfully, the final result will contain the attributes that were requested.

{
    "allowedProviders": ["sbid"],
    "flow": "headless",
    "additionalParameters": {
        "sbid_flow": "QR",
        "sbid_end_user_ip": "123.123.123.123",
        "sbid_intention_text": "VGVzdCBpbnRlbnRpb24gdGV4dAo="
    },
    "prefilledInput": {
        "nin": "1234567890"
    },
    "requestedAttributes": [
        "name",
        "firstName",
        "lastName",
        "dateOfBirth",
        "nin"
    ]
}

Request example: Phone flow

Here is an example request body for headless authentication, using the Phone flow:

{
    "allowedProviders": ["sbid"],
    "flow": "headless",
    "additionalParameters": {
        "sbid_auth_type": "PHONE",
        "sbid_phone_initiator": "OPERATOR"
    },
    "requestedAttributes": [
        "name",
        "firstName",
        "lastName",
        "nin",
        "dateOfBirth",
        "sbidAge",
        "sbidOcspResponse",
        "sbidXmlSignature",
        "sbidOcspResponderId",
        "sbidVerificationTime",
        "sbidVerificationSignature"
    ],
    "prefilledInput": {
        "nin": "196809179176"
    }   
}

Field descriptions

To initialise a headless authentication with BankID, you must specify the following required fields in the initial request:

Field	Required	Example value	Description
allowedProviders	Yes	["sbid"]	MUST have the value ["sbid"].
flow	Yes	headless	MUST have the value headless.

Control the user flow (additionalParameters)

You use additionalParameters to control the headless flow:

Field	Required	Example value	Description
sbid_flow	Yes	QR	Legal values: -QR for the QR code flow - APP_LAUNCH for the BankID app launch flow Note: Regardless of whether QR or APP_LAUNCH is specified here, the API responses will contain the necessary data to conduct an app launch flow. However, to get the necessary data for a QR flow, the value MUST be given as QR.
sbid_require_mrtd	No	true or false	Adds the MRTD check to a normal authentication. When this is set to true, you must also include sbidMrtd in the requestedAttribute. Note: You must validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter. For feature details, see the About page page.
sbid_auth_type	No	NORMAL or PHONE	Controls which type of flow is started for Swedish BankID: - NORMALlaunches the regular Authentication flow (can be further specified by sbid_flow) . - PHONE launches the Phone flow. Notes: - For the Phone flow to work, you must also include sbid_phone_initiator and enable the Phone flow in the Dashboard configuration. - You must send nin as prefilled.
sbid_phone_initiator	No	USERor OPERATOR	Defines the default selected radio button in the first screen of the Phone flow: - USER means the User radio button is selected as default. - OPERATOR means the Operator button is selected as default.
sbid_end_user_ip	Yes	123.123.123.123	IP address representing the user-agent/device of the end-user as seen by your service. This could be gathered from the requests you receive from the end user's user-agent/device. This must be in a valid IPv4 or IPv6 format.
sbid_intention_text	No	VGVzdCBpbnRlbnRpb24gdGV4dAo=	A text specifying the intention of the authentication. Notes: - Must be encoded in UTF8 Base64 format. - Max length of the Base64 encoded string: 1500 characters. For more details, see Define intention text.
sbid_intention_text_format	No	simpleMarkdownV1	Defines the format of the intention text to be simpleMarkdownV1. For more details, see Define intention text.

User information (requestedAttributes)

You can request the following attributes from users of Swedish BankID. These attributes are common for both the redirect and headless flows.

You add them in the requestedAttributes as shown in the request examples above.

Attribute	sub-field	Example value in response	Description
name		Sven Svensson	The full name of the end-user
firstName		Sven	The first name of the end-user.
lastName		Svensson	The surname of the end-user.
dateOfBirth		1990-02-17	The date of birth of the end-user (ISO 8601 format).
idpId		199002171234	Personal identifier set by the identity provider.
nin	value	199002171234	The national identity number (“fødselsnummer”) of the end-user.
	type	PERSON	The type of national identity number. Always PERSON for Swedish BankID.
	issuingCountry	SE	The issuing country of the national identity. Always SE for Swedish BankID.
sbidDeviceIp		3.127.53.67	The IP address of the end-user's device where the BankID app was run during the authentication.
sbidCertificateNotBefore		2022-10-18T22:00:00.000Z	The time from when the certificate is valid.
sbidCertificateNotAfter		2023-10-19T21:59:59.000Z	The time the certificate expires.
sbidOcspResponderId		C=SE,O=Testbank A AB (publ),SERIALNUMBER=111111111111,CN=Testbank A Customer CA1 v1 for BankID Test OCSP Signing	The responder ID of the certificate used to sign the OCSP response (extracted from sbidOcspResponse).
sbidOcspResponse		MIIHfgoBAKCCB3cwggdzBgkrBgEFBQcwAQ...	Base64 encoded OCSP response for end user's BankID certificate
sbidXmlSignature		PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNv...	Base64 encoded XML signature returned by BankID as proof of authentication
sbidMrtd		true	Required in the MRTD check when the sbid_require_mrtd additional parameter is set to true. Note: You must validate that the sbidMrtd value is returned as true to prevent any tampering with the sbid_require_mrtd parameter.

Prefill user information (prefilledInput)

You can use the prefilledInput parameter to prefill information about the user, for example, so the transaction is locked down to a specific user.

Only for nin

Prefilling of user information only applies to the national identification number (nin) for Swedish BankID. You cannot prefill other user data.

Name	Required	Example value	Description
nin	Sometimes	"prefilledInput": {"nin": "1234567890"}	Prefills the national identity number. If prefilled, only the user with that nin value will be able to authenticate. For the PHONE flow this field is required, otherwise it is not required.

Response

Here is an example response for the session creation:

{
    "id": "3d07c219-...",
    ...
    "idpData": {
        "autoStartToken": "db65b172-c9a4-43e3-82bf-0db09d7f922e",
        "qrData": "bankid.c157aec7-e179-424..."
    }
}

Field descriptions

The response to the session creation will contain an idpData field, which in turn contains the necessary data that you need in your frontend.

Field	Example value	Description
autoStartToken	db65b172-c9a4-43e3-82bf-0db09d7f922e	Must be used when building the URL for launching the BankID app on the same device. - iOS: https://app.bankid.com/?autostarttoken=<autoStartToken>&redirect=<urlToYourAppOrWebPage> - Android (modern): https://app.bankid.com/?autostarttoken=<autoStartToken>&redirect=null - Android 4 and 5: bankid:///?autostarttoken=<autoStartToken>&redirect=null
qrData	bankid.c157aec7-e179-424d-bee7-d54c9ece06fa.0.5b6b54c5a8939fa152da2a9689bf 50c14233ada0c79a67a2a52b1f8ba579ff35	Initial data to display in a QR code. The QR code must be updated with the qrData you receive as a result of every request to get the session status. Only available if you started the session with "sbid_flow": "QR"

What you need to do with the response

Based on the type of flow you are using, do the following:

• QR: Display a QR code to the end-user with the idpData.qrData as content. For more details, see the separate QR code flow section below.
• APP_LAUNCH: Display a launch button for triggering the app launch URL. For more details, see the description of autoStartToken in the table above and the separate APP_LAUNCH flow section below.

Errors

HTTP Status Code	Error code	Description
400	idp:sbid:already-in-progress	A request for the given NIN (National Identity Number) is already in progress. Both sessions are cancelled.
400	idp:sbid:invalid-parameter	You have sent an invalid parameter to BankID’s infrastructure, for example an invalid end-user IP address (see sbid_end_user_ip in the additionalParameters table above).
500	idp:sbid:rp-service-error	Failed to create a transaction towards BankID’s infrastructure.
500	idp:server-problem	Internal server error occurred while creating the session.

Get the session status (headless)

Request

No data specific for Swedish BankID needs to be provided in this request.

You send the request to /sessions/{id}?signicat-accountId={accountId}. You can find the id value in the response that was returned when you created the session. You can find the accountId in the Signicat Dashboard. For more information about the "Get session status" endpoint, see the API Reference description.

Response

Content of idpData

The response will contain an idpData field, which contains necessary input data for your frontend.

If you are using the QR flow, you must update your QR code with the data received in the qrData field.

Field	Example value	Description
qrData	bankid.c157aec7-e179-424d-bee7-d54c9ece06fa.0.5b6b54c5a8939fa152da2a9689bf50c14233ada0c79a67a2a52b1f8ba579ff35	Updated data to display in a QR code. Only available if you started the session with "sbid_flow": "QR" and you received status WAITING_FOR_USER.
sbidStatus	OUTSTANDING_TRANSACTION	Can be used to get more detailed status information, which can be used to make decisions. See possible values in the Status table below.

Status

In the response you will get a top level status in the status field. For some of these statuses you will find a more detailed status in idpData.sbidStatus.

Backwards compatibility

To prevent your integration from breaking if we add more statuses to idpData.sbidStatus and error.code, please handle unexpected values as follows:

• Unknown idpData.sbidStatus with top level status WAITING_FOR_USER: Treat as OUTSTANDING_TRANSACTION
• Unknown error.code with top level status ERROR: Treat as an unknown error

Here are some response examples with different statuses (see the Status table below for descriptions of the different statuses):

Example response: WAITING_FOR_USER

{
	"id": "4c88a3e2-b10e-4148-914d-f3f93f1ad76f",
	"status": "WAITING_FOR_USER",
    "idpData": {
        "sbidStatus": "OUTSTANDING_TRANSACTION",
        "qrData": "bankid.c157aec7-e179-424d-bee7-d54c9ece06fa.0.5b...",
    },
    ...
}

Example response: ABORT

{
	"id": "4c88a3e2-b10e-4148-914d-f3f93f1ad76f",
	"status": "ABORT",
    ...
}

Example response: ERROR

{
	"id": "4c88a3e2-b10e-4148-914d-f3f93f1ad76f",
	"status": "ERROR",
    "error": {
        "code": "idp:sbid:timeout",
        ...
    },
    ...
}

Status overview

Status	idpData.sbidStatus	error.code	Description
WAITING_FOR_USER	OUTSTANDING_TRANSACTION		The user has not started to authenticate yet. End-user guidance: Instruct the user on what they need to do (e.g. scan QR code or click a button to launch the app). BankID recommends the RFA13 or RFA1 user messages, but these do not take the QR code into consideration.
	NO_CLIENT		The BankID app has not been started yet. For all practical purposes this can be treated the same way as OUTSTANDING_TRANSACTION.
	STARTED		No BankID found on device yet. This may take a few seconds. BankID recommends you to continue polling if you get this status. For mobile device you can in practice choose to stop polling if you get this status more than a few times in a row. End-user guidance: Instruct the user that they need to wait. BankID recommends the RFA14 or RFA15 user messages. In practice though, it might not make sense to show such long messages which in the majority of cases will only be shown until the next poll.
	USER_SIGN		The user has started to authenticate. End-user guidance: Instruct the user to complete the authentication in their app. BankID recommends RFA9, but this is a bit misleading for fingerprint.
SUCCESS			The authentication is successful. Authentication result is present in the response.
ABORT			The session was cancelled by the end-user.
CANCELLED			The session was cancelled by you or the end-user.
ERROR		idp:sbid:timeout	The BankID session was not completed in time.
		idp:sbid:cert-error	The end-user certificate could not be trusted (invalid security code, revoked or invalid certificate).
		idp:sbid:start-failed	The BankID app was not started within a certain time limit.
		idp:sbid:rp-service-error	An error occurred when contacting the BankID service.
		idp:sbid:cancelled	The session was cancelled since someone started a parallel session for the user (security feature by BankID).
		idp:sbid:unknown-error	Unknown error occurred.

What you need to do with the response

Depending on the top level status you receive in the response, you need to handle the response a bit differently:

• For WAITING_FOR_USER status you want to read the idpData.sbidStatus and handle the response accordingly. See information in the Status table above on what to do.
• For SUCCESS status you will find the authentication result in the subject field.
• For ABORT status you can assume that the end-user intentionally cancelled the transaction.
• For ERROR status you can check the error.code field to see what kind of error occurred.
• For CANCELLEDstatus you or the end-user has cancelled the transaction.

If you get statuses that are not listed here, see Backwards compatibility in the start of this section.

Cancel a session (optional)

You can stop an ongoing authentication session by using the Cancel flow endpoint.

This is useful if you want to:

• Provide a way for your end-users to cancel the transaction, both at Signicat and Swedish BankID (via a link/button). It is especially useful if you lock the transaction to a particular national identity number.
• Cancel an ongoing transaction for a particular national identity number before starting a new transaction for the same person.

A successful cancellation returns 200 OK of type CANCELLED.

Example response

{
  "id": "3d07c219-0a88-45be-9cfc-91e9d095a1e9",
  "accountId": "string",
  "status": "CANCELLED",
  "provider": "sbid",
  ...
}

Errors

HTTP Status Code	error.code	Description
500	idp:server-problem	Internal server error occurred while cancelling the session.

How to complete a headless flow

The following sections describe how you can set up a complete headless flow for QR code and APP_LAUNCH, using the above information.

QR code flow

For the QR code flow, you must display an “animated” QR code to the end-user. Animating the QR code is done by updating the content of the displayed QR code for every status call. This is a mandatory security feature of Swedish BankID.

The process is as follows:

1. Create a new session with sbid_flow set to QR.
2. Take the idpData.qrData from the initial response and display as a QR code to the end-user.
3. Poll for status every 1 to 3 seconds. If you receive top level status WAITING_FOR_USER:
   • If idpData.sbidStatus is OUTSTANDING_TRANSACTION or NO_CLIENT, you must update the displayed QR code with the content of the idpData.qrData returned in the status responses.
   • For other values of idpData.sbidStatus, see the description in the Status table above for information on what to show. Continue polling until the value for status is either SUCCESS, ABORT, or ERROR, at which point the session is finalized.

APP_LAUNCH flow

The APP_LAUNCH flow is for launching the Swedish BankID app on a mobile device or a desktop computer. You can only launch the app on the same device as you are displaying the launch button.

The process is as follows:

1. Create a new session with sbid_flow set to APP_LAUNCH.
2. Take the autoStartToken from the initial response and build a launch URL as described in the Status table above. Display a launch button/link with that URL.
3. Poll for status every 1 to 3 seconds. If you receive the top level status WAITING_FOR_USER:
   • If idpData.sbidStatus is OUTSTANDING_TRANSACTION or NO_CLIENT you should still display the launch button and keep polling.
   • For other values of idpData.sbidStatus, see the description in the the Status table above for information on what to show. Continue polling until the value for status is either SUCCESS, ABORT, or ERROR, at which point the session is finalized.

Define intention text

You may add an intention text on the IDENTIFICATION screen of the BankID app to underline the purpose of the authentication for the end-user.

Your intention text will always be prefixed with "My intent", as shown in the following example, where the intention text is set to Log into my online banking account:

Front matching

You may also add security related information (see a screen example in the next section).

Do not use the text space for marketing or sales

Swedish BankID does not allow using this text space for other than intention of the identification and security-related information.

You can define the intention text in two ways:

• Via configuration in the Dashboard.
• By prefilling parameters.

Add intention text in the Dashboard

1. Open the Swedish BankID configuration page in the Dashboard.
2. Add your intention text in the Intention text input field.

Note

If the intention text is long and needs a scrollbar, the end-user must scroll to the bottom before they can proceed.

3. Optionally, you may add formatting to the text in simple markdown format (simpleMarkdownV1). This allows you to add headings, bullets and more (for details, see Swedish BankID's guide). Here is an example text in markdown format:

Log into my online banking account

### Security note
Remember, we will never contact you directly by telephone, email or SMS to verify your identity and will never ask you to provide your passwords or codes.

If anyone contacts you directly about this, please contact us by telephone or mail:
+ 111 11 111
+ bank@bank.se

This would look as follows:

Front matching

4. If the intention text contains formatting, choose simpleMarkdownV1 from the Intention text format drop-down menu.

Add intention text using prefilling

You may also add intention text per transaction by using prefilling of the two additional parameters, sbid_intention_text and sbid_intention_text_format.

Notes about prefilling

• You cannot mix prefilled and configured (in the Dashboard) values. Prefilling will override the intention text you have defined in the Dashboard (see the above section).
• The additional parameters must be trusted. The Authentication REST API makes this easy, since it always provides trusted parameters. For OIDC, you must use signed authorisation requests (see the general eID Hub documentation on how to do this).

To add the intention text in your integration code:

1. Create your intention text. You may format the intention text using simple markdown format (see the above example).
2. Encode the text into UTF-8 Base64 format. The maximum length of the the Base64 encoded string is 1500 characters.
3. Include the Base64 encoded intention text into your request. For protocol specific setup and examples, see the separate Authentication REST API and OIDC sections.
4. You can verify that the text looks as expected by testing a transaction in the sandbox environment.

Theming

You can set your own theme with logo and colours in the Dashboard. For more details, see Account theming.