Authorization Getting started Authentication Maskinporten

Authentication with Maskinporten

Altinn supports the use of Maskinporten tokens in several APIs

API for service owners in connection with data for Altinn Apps
API for system providers in connection with system users

Prerequisites

To make use of Maskinporten authentication, you must first have access to a client registered with Maskinporten. If you need a detailed description on how to set this up, please refer to the guide below.

Vis/skjul innhold Guide on how to register a new Maskinporten integration in Samarbeidsportalen

Maskinporten clients are created in the self-service portal:

For the production environment, clients are created from: https://sjolvbetjening.samarbeid.digdir.no.
For the test environment, clients are created from: https://sjolvbetjening.test.samarbeid.digdir.no.

Start by logging into your account with your chosen method.
When logged into your account, the organisation you represent is shown in the top menu to the right.
The organisation you represent is shown in the top menu.
If you logged in to represent a synthetic organisation, you will also be able to change the synthetic organisation you represent in the drop down menu on that item.
You can change the synthetic organisation you represent in the drop down menu.
Select the Create client button to start creating a new client for the organisation you represent.
On the Add client page select Maskinporten.
On the Add Maskinporten client page fill in the display name, description and add your required scopes (these values can also be changed later). Then click the Create button.
The 'Add Maskinporten client' page.
You have now created a Maskinporten client for your organisation. To use this client you need to add at least one authentication key. The client supports JWK and PEM keys. Start by either locating an existing key or creating a new one. You can use the Altinn JWKS tool or other key generator of your choice for this. Next, navigate to the key section on your client page and select Add.
Keys can be added in the key section.
In the JWK or PEM format field paste your public key and click Save. The key is now added to the client. Store your private key from your JWK or PEM in a secure location, as it is used to authorize the use of this client. If you use Azure Key Vault to store your private keys, they need to be base64-encoded before uploading.
The JWK or PEM public key is pasted in this field
If you didn’t do so in step 5, you need to add the desired scopes to your client before it can be used.
From the Scopes tab on your client definition, click the Add button.
Scopes available to your organisation will be shown in the list. Select the required ones and click Submit.

Access as a service owner

To retrieve data from Storage in Altinn 3 via API as a service owner, you must create an integration (client) in Maskinporten with the necessary scopes.

The following scopes are created by Altinn and delegated to the service owner. These scopes are necessary to use the APIs related to instances as a service owner:

altinn:serviceowner/instances.read
altinn:serviceowner/instances.write

Clients with write scope can, among other things, instantiate apps on behalf of users via the app’s own API, upload data, update metadata, and process status. Clients with read scope can only read data, metadata, and events.

In most cases, a client for the service owner will need both scopes.

Exchange to Altinn token

Altinn does not accept Maskinporten tokens directly. These must be exchanged for Altinn tokens. See details in the scenario below.

More information

For more information, see documentation for API consumers from Maskinporten.
See also authentication scenario for more details (in English).