Last modified: Jul 16, 2026

Protect an API with Altinn Authorization

How to register a resource, define rules and enforce an authorisation decision in your API.

This guide gives service owners one main journey for protecting an API outside Altinn. Register what the API protects, define who may perform each action and check every request with Altinn Authorization.

Use the linked guides for screenshots, API contracts and examples.

Before you start

Decide which service and actions you will protect, which party each action concerns, whether a person is present and whether access can be delegated.

Use the integration chooser if authentication or representation is unclear.

Follow the journey

  1. Clarify ownership and agreements. Identify who owns the service, resource, rules, API and production approval. Set up access to Resource Administration.
  2. Describe the resource and actions. Use a stable resource identifier and actions that match the operations exposed by the API.
  3. Create the resource and policy. Connect resource, action and the role or access package that grants access. Create and publish the resource.
  4. Choose optional mechanisms. Add system users, consent, access lists or guardianship only when required.
  5. Authenticate the client. Verify the ID-porten or Maskinporten token before using its contents. See the authentication guides.
  6. Find represented parties when required. Authorized Parties may help the client choose a party, but it does not replace the final decision. Integrate with Authorized Parties.
  7. Request a PDP decision. Supply the identity, resource, action and affected party. Integrate with the PDP.
  8. Enforce the result. Grant access only for an explicit Permit. Treat Deny and NotApplicable as no access and Indeterminate as a technical evaluation failure.
  9. Test the complete journey. Cover expected permit and deny results, invalid tokens, wrong parties and resources, withdrawn access and unavailable dependencies.
  10. Prepare production. Verify production resources, policies, scopes, clients, logging, tracing, rollback and contact information.

Never place tokens, national identity numbers, keys or personal data in documentation or defect reports.

Check the current status of Altinn Authorization before production.