We're implementing Nordea Instant Reporting/Corporate Payout Premium APIs. Is it possible to initiate the authorization flow for our admins and then send them a QR-code/link to BankID for them to sign? Is it possible to use BankID with the Redirect Corporate Access Authorization flow?
Yes, it's possible.
| APIs | PSD2 | Premium | ||||||
|
Authorization flow - authentication_type (availability) |
Redirect (YES) |
Decoupled (YES) |
Redirect (YES) |
Decoupled (YES) |
||||
|
Authentication app (availability) |
Nordea ID (YES) |
BankID (YES) |
Nordea ID (YES) |
BankID (NO) |
Nordea ID (YES) |
BankID (YES) |
Nordea ID (YES) |
BankID (NO) |
Q:
For the Corporate Access Authorization API there is a Decoupled Corporate Access Authorization flow (with Nordea ID) and Redirect Corporate Access Authorization flow - what is the main difference?
- In the Redirect flow the customer is redirected to Nordea Online Authentication Service (web page), where the user can choose authentication method and other authentication details.
- In the Decoupled flow the customer is using TPPs application to choose authentication method and other authentication details.
Note: In both cases the customer needs to confirm the authentication in the mobile application (Nordea ID for Redirect/Decoupled or BankID for Redirect).
Q:
Is Redirect URI just the address to where the signer is redirected after signing the request?
A:
Please refer to: Redirect URI (Access Authorization API) FAQ
Q:
We have two administrators that are going to sign the request. How is the flow when it comes to dual signing for Redirect? Can they use the same link or do I have to generate separate links for them?
A:
Please refer to: Redirect corporate access authorization workflow
Q:
We have a request from an end user on how to connect on the PSD2 Corporate interface - what steps the user should do to authenticate with “Card reader without cable”. After the user has filled in the agreement number on the PSD2 interface he doesn’t have this type of authentication available. What should be done to allow the user to connect on the Corporate account?
A:
This authentication method is not available in Nordea Open Banking APIs. eID card and card reader authentication methods will be decommissioned, hence they're not going to be supported.
Please refer to: Corporate access authorization API - details
Q:
(Sandbox) I'm not able to complete the Corporate Authentication flow. I'm stuck in Corporate Authentication. It tells me that "Token is missing":
2023/11/20 10:39:47 Calling Nordea API endpoint: PUT https://api.nordeaopenbanking.com/corporate/v2/authorize/fe1234d1-1dd1-1d12-1d12-bf123a1c12fa
2023/11/20 10:39:47 Body: {"authorizer_id":"12345678"}
2023/11/20 10:39:47 Headers:
2023/11/20 10:39:47 Digest: SHA-256=nqvcYQcDRhOndi123gzA1z+HCz1SW1Sr1sVHm1TbPgI=
2023/11/20 10:39:47 Signature: SKIP_SIGNATURE_VALIDATION_FOR_SANDBOX
2023/11/20 10:39:47 Content-Type: application/json
2023/11/20 10:39:47 X-IBM-Client-Id: 123fb1234567c123456789f12ba12d12
2023/11/20 10:39:47 X-IBM-Client-Secret: ***
2023/11/20 10:39:47 X-Nordea-Originating-Date: Mon, 20 Nov 2023 09:39:47 GMT
2023/11/20 10:39:47 X-Nordea-Originating-Host: api.nordeaopenbanking.com
2023/11/20 10:39:47
2023/11/20 10:39:47 ResponseBody:
2023/11/20 10:39:47 {"group_header":{"message_identification":"12b1db123b123c12aa12d12c12f12dee","creation_date_time":"2023-11-20T09:39:47.153970196Z","http_code":401},"error":{"request":{"url":"/v2/authorize/fe1234d1-1dd1-1d12-1d12-bf123a1c12fa"},"failures":[{"code":"error.resource.denied","description":"Token is missing."}]}}
How to specify/provide this token in the call to the endpoint:
PUT /corporate/v2/authorize/{access_id}A:
The mandatory parameter “Authorization” is missing from the header and it’s where you should provide the token. Please refer to:
Q:
In your documentation:
How to start traffic with Instant Reporting API
it's stated that I need to know:
- Your company's Corporate Netbank's agreement number (it can be found in the Corporate Netbank user interface)
- Your company's Corporate Netbank administrator's logon ID. Check with your company's Corporate Netbank administrator, if your company has one or several administrators.
I understand that the first one is required for the "agreement_number" in an authorize request. I do not understand where the second one will be supplied in the authentication process.
A:
The logon ID will not be supplied in the authentication process - you need to provide it. You can find it by logging it to Nordea Corporate Netbank (CN) and navigating to "My profile" page. The logon ID will be shown in the last line.
Q:
The said documentation also mentions "Signature using your self-signed certificate". Is signature made using a private key?
A:
When you create a self-signed certificate, one of the output is a private key. Signature is created using a private key.
Q:
Regarding the authentication methods that are available to our customers using Nordea Corporate API - we can only use the Logon ID for authentication but the Nordea corporate webpage also allows BankID for Sweden or Email ID and password. These two methods are not available to us through the PSD2 API. Do you plan to add these authentication methods to the PSD2 API?
A:
- In Decoupled Corporate Access Authorization flow only Nordea ID is available
- In Redirect Corporate Access Authorization flow you can also use BankID and Nordea ID
When confirming authorization with PUT request, you can choose "authentication_type" as REDIRECT.
Q:
What can be the reason of Agreement is not available error? Is this a problem from customer's side because he entered a wrong agreement number? How can we guide him to use a proper agreement number?
Request:
POST /corporate/v2/authorize HTTP/1.1 Content-Type: application/json X-IBM-Client-Id: *** 1234 X-IBM-Client-Secret: *** 1234 Signature: "[MASKED]" X-Nordea-Originating-Date: Tue, 13 Jun 2023 13:17:36 GMT X-Nordea-Originating-Host: open.nordea.com Content-Length: 77 Date: Tue, 13 Jun 2023 13:17:36 GMT Digest: [MASKED] { "scope": [ "ACCOUNTS_PSD2" ], "duration": 129600, "agreement_number": "1234567891" }
Response:
{
"group_header": {
"message_identification": "12cd12b1c1231234",
"creation_date_time": "2023-06-13T13:17:37.106188197Z",
"http_code": 403
},
"error": {
"request": {
"url": "/v2/authorize"
},
"failures": [
{
"code": "error.resource.denied",
"description": "Agreement is not available."
}
]
}
}
A:
Most probably the customer is trying to use logon id in the authorization initiation request which is an invalid behavior.
If TPP wants to provide the optional agreement number parameter during the authorization initiation then, the correct agreement number must be provided in request body:
When using Redirect corporate access authorization workflow is it possible to see how exactly the redirect page looks like when using BANKID_SE? Will there be an additional redirect to the BankID page from Nordea site? Or how will that work?
A:
In Redirect flow BankID authentication method shows QR code in Nordea page, then after a success/failure a customer is redirected to the link provided in the authorization confirmation request body.
Q:
Can you confirm that authorizer_id is a mandatory parameter in:
PUT /corporate/v2/authorize/<access_id>Is it a header field or a body field?
A:
We have two ways of authorization in Corporate Access Authorization API:
Authorizer_id parameter is relevant only in decoupled authorization flow. It is used in:
PUT /corporate/v2/authorize/<access_id>
During redirect flow, body of:
PUT /corporate/v2/authorize/<access_id>
is different and it's not using authorizer_id parameter:
{ "authentication_type": "REDIRECT", "redirect_uri": "https://example.com", "state": "<state>"}In response to this call you will get redirect URI which you need to follow to confirm authorization.
Note: X-Nordea-Mock-Authorizer-Id: <Authorizer_ID> header is used only in Sandbox redirect flow to mimic authorization which, in Production, is done on a web page.
Q:
What am I supposed to send in the "state" parameter?
A:
Please refer to:
API Reference - Corporate Access Authorization
Q:
We want to use Premium Instant Reporting API and we encounter authorizer_id parameter - how will it affect our data flow? Does it mean that every time we make an API call, an administrator has to accept? Is it mandatory to do this every time a call is made?
A:
The authorization by the administrator needs to be done once, just for the purpose of creating a consent (a consent can have a very long time of expiration for Premium APIs). After creating a consent, Access Token (access_token) can be used for 60 minutes as the authorization - after 60 minutes Access Token expires and needs to be refreshed. Operations with a refreshed Access Token do not have to be confirmed by the administrator.
Q:
What does FAILED status mean when polling for authorization code?
A:
Please refer to: FAILED status (Corporate Access Authorization API) FAQ
Q:
Why a corporate client is unable to perform an authorization (with two authorizers involved) and we receive the following API responses:
{"group_header":{"message_identification":"1dd1cb012345678e","creation_date_time":"2024-09-06T09:33:43.07459397Z","http_code":400},"error":{"request":{"url":"/v2/authorize/{access_id}
"},"failures":[{"code":"error.request.invalid","description":"No additional authorizers required."}]}}}
A:
The client needs to verify (contacting company's corporate agreement administrators or CN) if the authorizers involved have admin rights with a "Two together" confirmation rule in Corporate Netbank Administration. In addition, to be able to add second authorizer the client needs to call for a status and receive status "PARTIAL". Only then the second authorizer will be accepted.
Nordea Corporate Netbank contacts
Q:
While requesting Instant Reporting API endpoint:
GET /corporate/premium/v4/accounts/{account_id}/transactions
we encounter the following error ("code": "error.resource.denied", "description": "Token does not authorize the requested action."):
{
"code": "error.resource.denied",
"description": "Token does not authorize the requested action."
}
],
"request": {
"url": "/premium/v4/accounts/DK12345678901234-DKK/transactions"
}
},
"group_header": {
"creation_date_time": "2025-01-13T14:51:14.906244662Z",
"http_code": 403,
"message_identification": "34f349501527165e"
}
What could be the reason?
A:
Make sure that in the Authorization header of your request:
Authorization: Bearer <access_token>you include access_token received from:
POST /corporate/v2/authorize/token
Refer to:
Instant Reporting API examples
Q:
While requesting Instant Reporting API endpoint:
GET /corporate/premium/v4/accounts
we encounter the following error ("code":"error.signature.invalid","description":"Signature is invalid."):
Status: Unauthorized
Response: {"group_header":{"message_identification":"0f8cb89e9007166e","creation_date_time":"2024-12-12T11:35:43.246569632Z","http_code":401},"error":{"request":{"url":"/corporate/premium/v4/accounts"},"failures":[{"code":"error.signature.invalid","description":"Signature is invalid."}]}}
What might be the reason?
A:
Before sending requests to the above endpoint you need to authorise first and get Access Token. Refer to:
Corporate Access Authorization API
Postman and Swagger files (Nordea API Market)
Q:
While calling:
endpoint we encounter the following error ("code":"error.signature.invalid","description":"Signature is invalid."):
Status: Unauthorized
Response: {"group_header":{"message_identification":"0f8fb6d39007166e","creation_date_time":"2024-12-12T12:44:47.443876764Z","http_code":401},"error":{"request":{"url":"/corporate/v2/authorize"},"failures":[{"code":"error.signature.invalid","description":"Signature is invalid."}]}}
What might be the cause?
A:
It might be an issue with normalized string calculation. The description of this process is available here: How can I get started signing with eIDAS?
Refer also to: Signature creation FAQ
Q:
Do we need to do the authorization process through Nordea ID application every time we want to use GET /corporate/premium/v4/accounts (Instant Reporting API)?
A:
In order to use it you need to have a valid token, which has to be obtained during Corporate Access Authorization flow. In a result of a successful authorisation you will get Access and Refresh Tokens. Access Token is valid only an hour but Refresh Token is valid up to a few years (as large as integer value in minutes). You use Refresh Token to have a new Access Token. Therefore, there is no need to execute the authorisation flow every time you want to use API in case you set "duration" parameter for a long time.
Q:
(Sandbox) What could be the reason of the following 401 error ("code":"error.security.invalid","description":"Unspecified error with OBI authentication.")?
{"group_header":{"message_identification":"aa8c7d55d71daa0fab1414015c8a0e97","creation_date_time":"2024-12-16T09:22:40.971163813Z","http_code":401},"error":{"request":{"url":"/v2/authorize"},"failures":[{"code":"error.security.invalid","description":"Unspecified error with OBI authentication."}]}}A:
- Make sure that your framework doesn't add "; charset=utf-8" to the Content-Type header value.
- Check our Postman collection which contains Pre-Request script that creates a proper Signature and adds necessary headers
- For Sandbox purposes you can use Signature as: SKIP_SIGNATURE_FOR_SANDBOX_VERIFICATION
Q:
How long "client_token" is active? Is it possible to extend its duration? We receive the following response when testing in Sandbox: "Bearer token is not valid anymore".
A:
There are 3 minutes in Production environment for authorizers to complete the authorization and 2 minutes in Sandbox. At present it's not possible to extend these times. Please refer to:
Access authorization process details/Polling for authorization code (Corporate Authorization API)
Get status of the authorization process: GET /corporate/v2/authorize/{access_id}
FAILED status (Corporate Access Authorization API) FAQ
Q:
When I try to refresh the access token (using refresh_token) with the following payload:
POST /corporate/v2/authorize/token
grant_type=refresh_token&refresh_token=<token>I get:
{
"group_header": {
"message_identification": "1f0b4a5f9007166e",
"creation_date_time": "2025-03-07T14:16:12.313291693Z",
"http_code": 403
},
"error": {
"request": {
"url": "/v2/authorize/token"
},
"failures": [
{
"code": "error.token.expired",
"description": "Refresh token expired."
}
I assume that the refresh_token is static and won't change between calls to token refresh. Is that valid?
A:
The refresh token can be used only once to receive a new pair of access and refresh tokens. Please refer to:
Exchanging refresh token for a new access token (Corporate Access Authorization API)
Q:
Does Nordea support Redirect Corporate Access Authorization also for Denmark in Sandbox and Production?
A:
Yes.
Q:
While calling:
GET /corporate/v2/authorize/{access_id}
we encounter the following error ("code":"error.resource.denied","description":"Token is missing."):
{"group_header":{"message_identification":"0369763f816a1681","creation_date_time":"2025-05-22T21:32:23.023485204Z","http_code":401},"error":{"request":{"url":"/v2/authorize/7c98852c-{redacted}-2791fbc2ef2d"},"failures":[{"code":"error.resource.denied","description":"Token is missing."}]}}
Why is that?
A:
Requesting said endpoint requires a token (client_token sent in Authorization header) which is generated by calling:
Make sure that your request includes it. This token needs to be used until you get an authorization code that needs to be exchanged for an access and refresh tokens.
Q:
We encountered the following error: "code": "error.security.invalid",
"description": "Unspecified error with OBI authentication."
{"group_header":{"message_identification":"1d507607816a1681","creation_date_time":"2025-10-06T10:20:48.631392983Z","http_code":401},"error":{"request":{"url":"/corporate/v2/authorize/token"},"failures":[{"code":"error.security.invalid","description":"Unspecified error with OBI authentication."}]}}
Why is that?
A:
Please refer to: Signature Creation: FAQ
Q:
We are testing the authorisation flow in production for Instant Reporting API and encountering an issue. Our observations when making requests are as follows:
returns success (access_id and client_token), whilst:
PUT /corporate/v2/authorize/<access_id>
results in a 408 timeout after approximately 680ms with the error response: {"code": "error.request.timeout", "description": "Authorization request timeout."}
What could be causing this timeout in production? Is the authorisation flow different between sandbox and production environments? We are using authorizer_id: "70311198" from sandbox testing.
A:
In authorizer_id, you specify the logon ID (user ID) of the user you want to authorise access. This must be one of your administrators for the API services. Your Corporate Netbank administrators can identify who has authorisation access, which should have been configured during onboarding. The relevant user can find their ID by navigating to My Profile in the top right corner of the Corporate Netbank front page (the initial page displayed after logging on). The authorising user must also have an active NordeaID App on their phone, as this application is used to sign the request.
Q:
Why are we getting: "code": "error.request.timeout", "description": "Authorisation request timeout." error when executing the following authorisation flow for Instant Reporting API? The requests are milliseconds apart from each other, so should not result in a timeout. Logs:
Request
URL : POST https://open.nordea.com/corporate/v2/authorize
Headers: Digest: SHA-256=sCwtlbfL/8RNRhH5ypIUaWAeu***7KrRnuz8B+UfKE18T0= Signature: keyId="63bb***df53c",algorithm="rsa-sha256", headers="(request-target) x-nordea-originating-host x-nordea-originating-date content-type digest",signature="KrC3VyVkh***m2HYfT3PO03Ta/tow==" X-IBM-Client-Id: 63bb***df53c X-IBM-Client-Secret: *** X-Nordea-Originating-Date: Tue, 23 Dec 2025 10:00:27 GMT X-Nordea-Originating-Host: open.nordea.com Accept: application/json
Body: { "agreement_number": "12***46", "duration": 525600, "scope": [ "ACCOUNTS_BROADBAND" ] }
Response
Status Code: 201 Created
Body: { "group_header": { "message_identification": "05c993a6347b1692", "creation_date_time": "2025-12-23T10:00:28.924310199Z", "http_code": 201 }, "response": { "access_id": "0422ea1f-***-2ccec1339945", "status": "CREATED", "client_token": "eyJjdHkiOi***qql1bRfPYPerdv28RFCfjA", "_links": [ { "rel": "status", "href": "/v2/authorize/0422ea1f-***-2ccec1339945" } ] } }
Request
URL : PUT https://open.nordea.com/corporate/v2/authorize/0422ea1f-***-2ccec1339945
Headers: Authorization: Bearer eyJjdHkiOiJKV1***31u6dg.qql1bRfPYPerdv28RFCfjA Digest: SHA-256=MQE2D5kFl5HUnGlpKc69RVj/vtWcTQThmc1uo***AzcJf8= Signature: keyId="63bb***f53c",algorithm="rsa-sha256", headers="(request-target) x-nordea-originating-host x-nordea-originating-date content-type digest",signature="Pr0OIxTja***i8nW0h1MBhMwKSuv55dnqw==" X-IBM-Client-Id: 63b***df53c X-IBM-Client-Secret: *** X-Nordea-Originating-Date: Tue, 23 Dec 2025 10:00:28 GMT X-Nordea-Originating-Host: open.nordea.com Accept: application/json
Body: { "authorizer_id": "6***8-0***8" }
Response
Status Code: 408 Request TimeoutBody: { "group_header": { "message_identification": "05c993d7347b1692", "creation_date_time": "2025-12-23T10:00:29.667141957Z", "http_code": 408 }, "error": { "request": { "url": "/v2/authorize/0422ea1f-***-2ccec1339945" }, "failures": [ { "code": "error.request.timeout", "description": "Authorization request timeout."
A:
The authorizer_id that you use "6***8-0***8" is incorrect. There should not be any dash in this parameter. It appears to be a Swedish Personnummer (Social Security Number). The user needs to provide the Logon ID they can find when logging in to Corporate Netbank and checking under My Profile.
Reference (documentation/resources links):
OAuth 2.0 Authorization Framework
API Reference - Corporate Access Authorization API
Redirect corporate access authorization workflow
Decoupled corporate access authorization flow (Nordea ID)
Corporate access authorization API - details