Swedish BankID

GII supplies a headless API for Swedish BankID.

Examples

Auth

The Auth-endpoint is used for logging in a user.

Flow:

  1. Call Auth.
  2. Call Poll every 2 seconds with the value from the Location-header returned from Auth as long as HTTP status code is 202.

Request

The Auth-endpoint is called when starting a login. Called using the HTTP method POST.

Request parameters:

  • ip: IP of person that is logging in. String in v4 or v6 format. JSON-name: IP.
  • personal_number: Optional. Personal number of person that is logging in. Full format (YYYYMMDDNNNN). It is not recommended to use this! JSON-name: PersonalNumber.
  • get_qr: Optional. Set to true when a QR-code is requested. It is recommended to use this instead of personal_number! JSON-name: GetQR.
  • autostart_token_required: Optional. Set to true when it is required that the login is performed either by automatically starting BankID on the same device or by scanning the QR-code. JSON-name: AutostartTokenRequired.

Example request (curl):

curl -v https://demo-api.gii.cloud/api/ip/bankid-se/s2s/auth --data "ip=83.250.5.1&get_qr=true&autostart_token_required=true" --user my-user:my-password

Example request (http form parameters):

POST /api/ip/bankid-se/s2s/auth HTTP/2
 Host: demo-api.gii.cloud
 Authorization: Basic bXktdXNlcjpteS1wYXNzd29yZA==
 Content-Length: 55
 Content-Type: application/x-www-form-urlencoded

 ip=83.250.5.1&get_qr=true&autostart_token_required=true

Example request (JSON payload):

POST /api/ip/bankid-se/s2s/auth HTTP/2
 Host: demo-api.gii.cloud
 Authorization: Basic bXktdXNlcjpteS1wYXNzd29yZA==
 Content-Length: 62
 Content-Type: application/json

 {"IP":"83.250.5.1","GetQR":true,"AutostartTokenRequired":true}

Response

The response is a JSON-object with the parameters:

  • AutoStartToken: Useful when creating a custom AutoStartURL.
  • AutoStartURL: Use this to start BankID on same device. Example JavaScript: location.href = resp.AutoStartURL will open BankID on same device.
  • QR: Contains a base64-encoded png (200x200) of a QR-code that can be inserted in an img-tag. Example HTML: <img src="<%= resp.QR %>" width="200" height="200" />

Example response (JSON):

{
    "AutoStartToken": "[TOKEN]",
    "AutoStartURL": "bankid:///?autostarttoken=[TOKEN]&redirect=null",
    "QR": "data:image/png;base64,cXItaW1hZ2UK"
}

Example response (full):

HTTP/2 201
 date: Tue, 18 Sep 2018 13:37:00 GMT
 content-type: application/json
 cache-control: no-cache, no-store, must-revalidate
 expires: 0
 location: https://demo-api.gii.cloud/api/ip/bankid-se/s2s/auth?id=89839028338
 pragma: no-cache

{"AutoStartToken":"f11dd910-046e-4fca-b995-60928226c98b","AutoStartURL":"bankid:///?autostarttoken=f11dd910-046e-4fca-b995-60928226c98b\u0026redirect=null","QR":"data:image/png;base64,[BASE64-PNG]"}

Example HTML for rendering the output:

<!DOCTYPE html>
<html lang="sv">

<head>
    <meta charset="utf-8">
    <meta name="referrer" content="no-referrer">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <!-- automatically reload page after 2 sec -->
    <meta http-equiv="refresh" content="2">
</head>

<body>
    <!-- display qr code to scan. Use the QR-response -->
    <img src="data:image/png;base64,[BASE64-PNG]" />

    <script>
        // try to start BankID automatically. Use the AutoStartURL-response.
        location.href = "bankid:///?autostarttoken=f11dd910-046e-4fca-b995-60928226c98b\u0026redirect=null";
    </script>

</body>

Sign

The Sign-endpoint is used for signing a text.

Flow:

  1. Call Sign.
  2. Call Poll every 2 seconds with the value from the Location-header returned from Sign as long as HTTP status code is 202.

Request

The Sign-endpoint is called when starting a signing request. Called using the HTTP method POST. The request parameters are the same as for the Auth endpoint, with two additional parameters (visible_text and hidden_text).

Request parameters:

  • ip: IP of person that is logging in. String in v4 or v6 format. JSON-name: IP.
  • personal_number: Optional. Personal number of person that is logging in. Full format (YYYYMMDDNNNN). It is not recommended to use this! JSON-name: PersonalNumber.
  • get_qr: Optional. Set to true when a QR-code is requested. It is recommended to use this instead of personal_number! JSON-name: GetQR.
  • autostart_token_required: Optional. Set to true when it is required that the login is performed either by automatically starting BankID on the same device or by scanning the QR-code. JSON-name: AutostartTokenRequired.
  • visible_text: Required. The visible text to sign. JSON-name: VisibleText.
  • hidden_text: Optional. Hidden text to sign. Typically a file hash or an internal reference number. JSON-name: HiddenText.

Example request (curl):

curl -v https://demo-api.gii.cloud/api/ip/bankid-se/s2s/sign --data "ip=83.250.5.1&get_qr=true&autostart_token_required=true&visible_text=texttosign&hidden_text=REF1337" --user my-user:my-password

Example request (http form parameters):

POST /api/ip/bankid-se/s2s/sign HTTP/2
 Host: demo-api.gii.cloud
 Authorization: Basic bXktdXNlcjpteS1wYXNzd29yZA==
 Content-Length: 99
 Content-Type: application/x-www-form-urlencoded

 ip=83.250.5.1&get_qr=true&autostart_token_required=true&visible_text=texttosign&hidden_text=REF1337

Example request (JSON payload):

POST /api/ip/bankid-se/s2s/sign HTTP/2
 Host: demo-api.gii.cloud
 Authorization: Basic bXktdXNlcjpteS1wYXNzd29yZA==
 Content-Length: 112
 Content-Type: application/json

 {"IP":"83.250.5.1","GetQR":true,"AutostartTokenRequired":true,"VisibleText":"texttosign","HiddenText":"REF1337"}

Response

The response is a JSON-object with the parameters:

  • AutoStartToken: Useful when creating a custom AutoStartURL.
  • AutoStartURL: Use this to start BankID on same device. Example JavaScript: location.href = resp.AutoStartURL will open BankID on same device.
  • QR: Contains a base64-encoded png (200x200) of a QR-code that can be inserted in an img-tag. Example HTML: <img src="<%= resp.QR %>" width="200" height="200" />

The location-header points to the resource that should be polled.

Example response (JSON):

{
    "AutoStartToken": "[TOKEN]",
    "AutoStartURL": "bankid:///?autostarttoken=[TOKEN]&redirect=null",
    "QR": "data:image/png;base64,cXItaW1hZ2UK"
}

Example response (full):

HTTP/2 201
 date: Tue, 18 Sep 2018 13:37:00 GMT
 content-type: application/json
 cache-control: no-cache, no-store, must-revalidate
 expires: 0
 pragma: no-cache
 location: https://demo-api.gii.cloud/api/ip/bankid-se/s2s/sign?id=2038382922020

{"AutoStartToken":"9046f685-4b03-48ca-bf25-108809dc69e9","AutoStartURL":"bankid:///?autostarttoken=9046f685-4b03-48ca-bf25-108809dc69e9\u0026redirect=null","QR":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMgAAADIEAAAAADYoy0BAAAEpUlEQVR4nOydwW7rMAzAtof9/y/vHXoIFjiCFMkpC5C3taudjRAU24r68/v7JSD+vfsC5C8KgaEQGAqBoRAYCoHx8/fH7++JQWdupY9ricer/97B6hOd8eqc5zBCYCgEhkJgKATGz9Ub9cScTXKrpNlJ4PUrzaby7G3A5P/KCIGhEBgKgaEQGJdJ/SBO1p0kvBo5m95jOqvyzhV0/lcvjBAYCoGhEBgKgZFI6tPsS9sr4lRef213lY4RAkMhMBQCQyEwHkvq2aR50Emf8W5APEd2I34PRggMhcBQCAyFwEgk9em1aWeju/7Z7Mj1m47ObNcYITAUAkMhMBQC4zKpT69N43T8Oa+tmPxfGSEwFAJDITAUAuN77xlxvJ6eLkmbnmN6lAxGCAyFwFAIDIXAOCX1mfPkzvPiMwVw0w+trdizOW+EwFAIDIXAUAiMRFJfvbuik2bro3xi8jepfyAKgaEQGAqBkdh+r6fUTlOZLJ31dP38vH4KX7+WF0YIDIXAUAgMhcDYslLvpPyZx9xIo8TjmdThKASGQmAoBEai+j37yFh9Mz2e7YmHzKY38fu3PUYIDIXAUAgMhcAoFcrtq2CfbtI6fVAwfVXXGCEwFAJDITAUAuO0Uu98H9rMpvtMYVtM9ktZOn9vzPXIRggMhcBQCAyFwLgslOtsdD/x2ek0O7mF/tWo9jdCYCgEhkJgKATGzd7vq9Q2/ShYPO/BTIX9s0Vxnql/DAqBoRAYCoGRWKm/60G2mRK8mQ37+s3J3VN4IwSGQmAoBIZCYJS232f6qMezTZfMHcyMshpvsjmOEQJDITAUAkMhME7b751Euq+x7MH0jUP8e6vry27i3z1kMEJgKASGQmAoBEbiTH2VqDqb351PxFe1YvoAIPtafafjhRECQyEwFAJDITBK36ceJ9Js25j6Z+Pf66ys6zX003/HGSMEhkJgKASGQmCUvnp1po/6ipn19Ayd2fqNb40QGAqBoRAYCoFxc/s9fndf05b4+up0bgg6jXRdqX8MCoGhEBgKgXFZKHcw/f1l7yqKy/aS7xT81Ud2pQ5HITAUAkMhMLb0fq+/djDzdHqWJ5rS1jBCYCgEhkJgKATGzUK5+N1sb/V6X7pO2Vu9Yn96X2CFK3U4CoGhEBgKgXGzTezBdBua+rvZlL/6RHbeDrXdBSMEhkJgKASGQmCUCuVWzJxA1+ft1KjX9wCy5/H9/vdGCAyFwFAIDIXAKD3SdmP4B9rLxLPFzBwtZK8g83cYITAUAkMhMBQCI1H9Xqde6R6P0km4M8l6Rb2GIHOLY4TAUAgMhcBQCIzL7feZrz+ZOb2ub6ZnR+nUt+/pjm+EwFAIDIXAUAiMwTP1LM8+gpal82R7PN5BZgfDCIGhEBgKgaEQGO3q9w71s/K4mU3nTL2zhZ6dYzWK2+9wFAJDITAUAuOtST27Ob+v33q9Wr1zI5LBCIGhEBgKgaEQGKXmM3XqPej2FbZ12uTMzLsa74wRAkMhMBQCQyEwLpP6TB38TLf47Midlf/MV7T2DwWMEBgKgaEQGAqBsfk5dalihMBQCAyFwFAIDIXAUAgMhcD4HwAA///gL3uso3r6ZgAAAABJRU5ErkJggg=="}

Example HTML for rendering the output:

<!DOCTYPE html>
<html lang="sv">

<head>
    <meta charset="utf-8">
    <meta name="referrer" content="no-referrer">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <!-- automatically reload page after 2 sec -->
    <meta http-equiv="refresh" content="2">
</head>

<body>
    <!-- display qr code to scan. Use the QR-response -->
    <img src="data:image/png;base64,[BASE64-PNG]" />

    <script>
        // try to start BankID automatically. Use the AutoStartURL-response.
        location.href = "bankid:///?autostarttoken=9046f685-4b03-48ca-bf25-108809dc69e9&redirect=null";
    </script>

</body>

Poll

The Poll-endpoint is called when polling for authentication or signature status. Called using the HTTP method GET. Use the location-header value supplied from the Auth or Sign request.

Request

Example request (curl):

curl 'https://demo-api.gii.cloud/api/ip/bankid-se/s2s/auth?id=229292292099' --user my-user:my-password

Example request (http):

GET /api/ip/bankid-se/s2s/auth?id=229292292099 HTTP/1.1
 Host: demo-api.gii.cloud
 Authorization: Basic bXktdXNlcjpteS1wYXNzd29yZA==
 Content-Length: 0

Response

The response is a JSON-object with the parameters:

  • MessageSV: String. Message to user in plain Swedish. Empty if complete (HTTP status code 200).
  • MessageEN: String. Message to user in plain English. Empty if complete (HTTP status code 200).
  • CompletionData: Object when complete (HTTP status code is 200), otherwise null.
    • Signature: String. Signature.
    • OCSPResponse: String. OCSP response that validates the certificate.
    • User: Object
      • PersonalNumber: String. Personal number of user that logged in or signed.
      • Name: String. Name of user that logged in or signed.
      • GivenName: String. Given name of user that logged in or signed.
      • Surname: String. Surname of user that logged in or signed.
    • Device: Object
      • IPAddress: IP address of device that logged in or signed.
    • Cert: Object
      • NotBefore: Start time from which the user's certificate is valid.
      • NotAfter: End time until which the user's certificate is valid.

Possible HTTP status codes are:

  • 200: The request is completed successfully. Stop polling.
  • 202: Continue to poll.
  • 4XX: Client errors.
  • 410: The request failed (user error). For example, the user cancelled the login or never started the BankID-app.
  • 5XX: Internal server errors.

Polling should continue as long as the HTTP status code is 202. See Errors for handling error responses.

Example response for pending (JSON):

{
    "MessageSV": "Identifiering eller underskrift pågår.",
    "MessageEN": "Identification or signing in progress."
}

Example response for pending (full):

HTTP/2 202 
 date: Tue, 18 Sep 2018 13:37:00 GMT
 content-type: application/json
 cache-control: no-cache, no-store, must-revalidate
 expires: 0
 pragma: no-cache

{"MessageSV": "Identifiering eller underskrift pågår.","MessageEN": "Identification or signing in progress."}

Example response for complete (JSON):

{
    "CompletionData": {
        "Signature": "[SIGNATURE]",
        "OCSPResponse": "[OCSPResponse]",
        "User": {
            "PersonalNumber": "4205111018",
            "Name": "Ture Abrahamsson",
            "GivenName": "Ture",
            "Surname": "Abrahamsson"
        },
        "Device": {
            "IP": "83.250.5.1"
        },
        "Cert": {
            "NotBefore": "[DATE]",
            "NotAfter": "[DATE]"
        }
    }
}

Example HTML for rendering the output (pending):

<!DOCTYPE html>
<html lang="sv">

<head>
    <meta charset="utf-8">
    <meta name="referrer" content="no-referrer">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <!-- automatically reload page after 2 sec -->
    <meta http-equiv="refresh" content="2">
</head>

<body>
    <!-- display qr code to scan. Use the QR-response -->
    <img src="data:image/png;base64,[BASE64-PNG]" />

    <!-- display message in Swedish. Use the MessageSV-response -->
    <p>Identifiering eller underskrift pågår.</p>

</body>

Errors

Error responses (HTTP status code >= 400) have these parameters:

  • MessageSV: String. Message to user in plain Swedish.
  • MessageEN: String. Message to user in plain English.
  • Details: String. Internal error message that should not be displayed to users.

Example response (JSON):

{
    "MessageSV": "Internt tekniskt fel. Försök igen.",
    "MessageEN": "Internal error. Please try again.",
    "Details": "It took too long time to transmit the request."
}
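
The polling and error-handling rules from the Poll and Errors sections, as an added Python example (not GII's code): it polls the Location URL while the status is 202, refuses to send the Basic credentials to any origin other than the API host, and keeps Details in the server log instead of the user-facing message. The http_get hook, the max_polls bound, BankIDError and the sample replies are assumptions constructed for this example.

```python
import json
import time
from urllib.parse import urlsplit

API_ORIGIN = ("https", "demo-api.gii.cloud")  # host used in the page's examples
GENERIC_ERROR = "Internal error. Please try again."


class BankIDError(Exception):
    """Holds only a message that is safe to show to the user."""


def poll_until_done(location, http_get, log, interval=2.0, max_polls=90,
                    sleep=time.sleep):
    """Poll the Location URL from Auth or Sign until the status leaves 202.
    http_get(url) -> (status, body) is a hypothetical authenticated-GET hook;
    max_polls is an assumed upper bound."""
    # The URL arrives in a response header: never send the Basic credentials
    # to anything but the expected API origin.
    parts = urlsplit(location)
    if (parts.scheme, parts.hostname) != API_ORIGIN:
        raise BankIDError(GENERIC_ERROR)
    for _ in range(max_polls):
        status, body = http_get(location)
        try:
            data = json.loads(body) if body else {}
        except ValueError:
            data = {}  # e.g. a non-JSON 5XX page from a proxy
        if not isinstance(data, dict):
            data = {}
        if status == 202:
            sleep(interval)
            continue
        if status == 200 and data.get("CompletionData"):
            return data["CompletionData"]
        # 410, other 4XX and 5XX: Details goes to the log, never to the user.
        log("bankid poll failed status=%s details=%r" % (status, data.get("Details")))
        raise BankIDError(data.get("MessageEN") or GENERIC_ERROR)
    raise BankIDError(GENERIC_ERROR)


if __name__ == "__main__":
    # Constructed replies: two pending polls, then completion.
    replies = iter([(202, '{"MessageEN": "Identification or signing in progress."}')] * 2
                   + [(200, '{"CompletionData": {"User": {"Name": "Ture Abrahamsson"}}}')])
    done = poll_until_done("https://demo-api.gii.cloud/api/ip/bankid-se/s2s/auth?id=1",
                           lambda url: next(replies), print, sleep=lambda s: None)
    print(done["User"]["Name"])
```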