# Overview

## Authentication Flow

Every API call requires a valid JWT token obtained from the Get Token endpoint. The typical flow is:

1. `GET /api/organization/gettoken`
   - Headers: `WebMobileIDAuthorization` + `OReference`
   - Returns: JWT token (valid 5 minutes)
2. `POST /api/organization/<action>`
   - Headers: `Authorization: Bearer <JWT>`
   - Triggers the action on the user's mobile
3. `POST /api/organization/<action>/checkStatus?ref=<ref>`
   - Headers: `Authorization: Bearer <JWT>`
   - Poll until status = `approved` / `rejected` / `expired`
## Credentials You Need

| Credential | Description | Where to use |
|---|---|---|
| `WebMobileIDAuthorization` | Static API key assigned to your organization | Get Token header |
| `OReference` | UUID identifying your organization | Get Token header |
| JWT Token | Short-lived token (5 min) obtained from Get Token | `Authorization: Bearer` header on all other calls |
:::caution Security
Never expose WebMobileIDAuthorization or OReference in client-side code. These credentials must remain server-side.
:::
## Response Pattern

Asynchronous endpoints (Authentication, Payment Authorization, e-Consent) return a `ref` token in the response body. Use this `ref` to poll the corresponding `checkStatus` endpoint until the operation completes.

```json
{
  "ref": "<encrypted_reference_token>"
}
```
Possible status values:

| Status | Meaning |
|---|---|
| `pending` | Waiting for user action on mobile |
| `approved` | User confirmed |
| `rejected` | User declined |
| `expired` | Timeout reached |
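The three-step flow above and the polling loop over these status values, as an added server-side example (not the project's own SDK). It assumes the Get Token response carries the JWT in a `token` field and that the `<action>` name and request payload are placeholders; the HTTP transport is injected (anything with `requests.Session`-style `get()`/`post()`), and the constructed `fake_transport()` stands in for the real service so the example runs offline. The client caches the JWT and re-fetches it shortly before the 5-minute expiry, so a long poll does not fail with a stale token, and it stops on its own deadline rather than polling forever.

```python
import time
from types import SimpleNamespace as NS

TOKEN_TTL = 300      # JWT lifetime stated on this page (5 minutes)
REFRESH_MARGIN = 30  # fetch a new JWT this many seconds before it would expire
TERMINAL = {"approved", "rejected", "expired"}

class MobileIdClient:
    # transport: anything with requests.Session-style get()/post(); clock is injectable for tests
    def __init__(self, base_url, api_key, oreference, transport, clock=time.time):
        self.base, self.key, self.oref = base_url.rstrip("/"), api_key, oreference
        self.http, self.clock, self._jwt, self._jwt_at = transport, clock, None, 0.0

    def token(self):
        # Step 1: reuse the cached JWT and re-fetch it shortly before its 5-minute expiry.
        if self._jwt is None or self.clock() - self._jwt_at > TOKEN_TTL - REFRESH_MARGIN:
            hdr = {"WebMobileIDAuthorization": self.key, "OReference": self.oref}
            resp = self.http.get(f"{self.base}/api/organization/gettoken", headers=hdr)
            resp.raise_for_status()
            self._jwt, self._jwt_at = resp.json()["token"], self.clock()  # field name: assumption
        return self._jwt

    def start(self, action, payload):
        # Step 2: trigger the action on the user's mobile; the response body carries the ref to poll.
        hdr = {"Authorization": f"Bearer {self.token()}"}
        resp = self.http.post(f"{self.base}/api/organization/{action}", headers=hdr, json=payload)
        resp.raise_for_status()
        return resp.json()["ref"]

    def wait(self, action, ref, timeout=180, interval=2.0, sleep=time.sleep):
        # Step 3: poll checkStatus until a terminal status; stop on our own deadline or an unknown status.
        url = f"{self.base}/api/organization/{action}/checkStatus?ref={ref}"
        deadline = self.clock() + timeout
        while True:
            resp = self.http.post(url, headers={"Authorization": f"Bearer {self.token()}"})
            resp.raise_for_status()
            status = resp.json()["status"]
            if status in TERMINAL:
                return status
            if status != "pending" or self.clock() >= deadline:
                raise RuntimeError(f"gave up waiting, last status={status!r}")
            sleep(interval)

def fake_transport():  # constructed stand-in for the real service: 'pending' twice, then 'approved'
    ok = lambda body: NS(status_code=200, raise_for_status=lambda: None, json=lambda: body)
    polls = iter(["pending", "pending", "approved"])
    def post(url, headers, json=None):
        return ok({"ref": "ref-demo"} if "checkStatus" not in url else {"status": next(polls)})
    return NS(get=lambda url, headers: ok({"token": "jwt-demo"}), post=post)
```

Against the real service, pass a `requests.Session` as `transport` and keep the `WebMobileIDAuthorization` / `OReference` values in server-side configuration, as the caution above requires.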