Last modified: Nov 26, 2024

Authentication with Maskinporten

Altinn supports the use of Maskinporten tokens in several APIs:

  • API for service owners in connection with data for Altinn Apps
  • API for system providers in connection with system users

This page describes how service owners’ systems can use Maskinporten to access APIs.

Collaboration Portal

In My Profile in the Collaboration Portal, you have access to self-service for Maskinporten, where you can create new integrations (clients).

Environments in Maskinporten

Access as a service owner

To retrieve data from Storage in Altinn 3 via API as a service owner, you must create an integration (client) in Maskinporten with the necessary scopes.

The following scopes are created by Altinn and delegated to the service owner. These scopes are necessary to use the APIs related to instances as a service owner:

altinn:serviceowner/instances.read
altinn:serviceowner/instances.write

Clients with write scope can, among other things, instantiate apps on behalf of users via the app’s own API, upload data, update metadata, and process status. Clients with read scope can only read data, metadata, and events.

In most cases, a client for the service owner will need both scopes.

Client creation can be done via API or in the Collaboration Portal.

POST https://integrasjon.difi.no/clients/
{
    "integration_type": "maskinporten",
    "client_name": "DIHE test client for instances",
    "client_type": "CONFIDENTIAL",
    "description": "Client to retrieve data from my apps",
    "scopes": [ "altinn:serviceowner/instances.read", "altinn:serviceowner/instances.write" ],
    "token_reference": "SELF_CONTAINED"
}

New integration
Create new integration (client) in the Collaboration Portal. Remember to choose the correct environment.
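
A pre-flight check for the scopes described above, run against a self-contained token before it is exchanged. This is an added example, not Altinn or Maskinporten code. It assumes the token is a compact JWT whose scopes sit in a space-separated "scope" claim; the function names and the sample token are constructed for illustration.

```python
import base64
import json

READ = "altinn:serviceowner/instances.read"
WRITE = "altinn:serviceowner/instances.write"


def token_claims(token: str) -> dict:
    """Decode the payload of a self-contained (JWT) access token.

    The signature is NOT verified here: this is a client-side diagnostic,
    not an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers base64, UTF-8 and JSON decoding errors
        raise ValueError("JWT payload is not valid base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def missing_scopes(token: str, required=(READ, WRITE)) -> list:
    """Return the required scopes that the token does not carry."""
    # Assumption: scopes are in a space-separated "scope" claim (OAuth 2.0 convention).
    granted = set(str(token_claims(token).get("scope", "")).split())
    return [s for s in required if s not in granted]


def _constructed_token(scope: str) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"scope": scope}), "sig"])


if __name__ == "__main__":
    # A read-only client cannot instantiate apps or upload data.
    print(missing_scopes(_constructed_token(READ)))
```

A non-empty result means the client registration lacks a scope the integration needs; pass a narrower `required` tuple for a client that is meant to be read-only.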

Exchange to Altinn token

Altinn does not accept Maskinporten tokens directly. These must be exchanged for Altinn tokens. See details in the scenario below.

More information