Strong Customer Authentication
This section describes how to verify that a customer is who they say they are. Currently only Swedish BankID is available.
Creating an SCA session
The first step is to create an SCA session that the client can use to initiate an SCA method. The newScaSession mutation takes the following parameters:
Parameter | Description
---|---
idempotencyKey | Required. The idempotency key prevents a request from being processed twice. See also Idempotency keys.
sePersonalNumber | 12-digit Swedish personnummer. If set, only the provided personnummer is allowed to sign.
onSuccessRedirecturl | Once the SCA is done, the end user is redirected to this URL.
User signs using BankID
Now take the token that you got in the response from the newScaSession mutation and redirect the end user to https://staging.kronor.io/bankId?token=TOKEN_FROM_MUTATION_GOES_HERE (or https://kronor.io/bankId?token=TOKEN_FROM_MUTATION_GOES_HERE for production).
Once the customer has signed they will be redirected to the URL provided in the mutation.
Trust but verify
At this point it is advised that you verify from your backend that the SCA was a success, rather than relying on the redirect alone. Use the scaSessionId returned by the newScaSession mutation to query for a successful bankIdAuth.
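The full flow described above (create the session, build the BankID redirect, then verify from the backend) as an added example; this is not Kronor's own code. The GraphQL field shapes, the `status: "SUCCESS"` value and the `graphql` transport callable are assumptions; the real schema may differ.

```python
import secrets
from urllib.parse import urlencode

BANKID_PAGE = {"staging": "https://staging.kronor.io/bankId",
               "production": "https://kronor.io/bankId"}

# Assumed GraphQL documents: operation names come from the docs, field shapes are guesses.
NEW_SCA_SESSION = """mutation($idempotencyKey: String!, $sePersonalNumber: String, $onSuccessRedirecturl: String!) {
  newScaSession(idempotencyKey: $idempotencyKey, sePersonalNumber: $sePersonalNumber,
                onSuccessRedirecturl: $onSuccessRedirecturl) { scaSessionId token }
}"""
BANKID_AUTH = """query($scaSessionId: String!) {
  bankIdAuth(scaSessionId: $scaSessionId) { status sePersonalNumber }
}"""

def start_sca(graphql, personal_number, redirect_url, env="staging"):
    """Create the SCA session; return (scaSessionId to keep server-side, URL to send the user to).
    `graphql(query, variables)` is a caller-supplied transport to the Kronor endpoint (assumed)."""
    if personal_number is not None and not (personal_number.isdigit() and len(personal_number) == 12):
        raise ValueError("sePersonalNumber must be a 12-digit personnummer")
    variables = {"idempotencyKey": secrets.token_hex(16),  # fresh per session; reuse only when retrying this call
                 "sePersonalNumber": personal_number,
                 "onSuccessRedirecturl": redirect_url}
    session = graphql(NEW_SCA_SESSION, variables)["data"]["newScaSession"]
    # urlencode so a token containing reserved characters cannot alter the query string.
    return session["scaSessionId"], BANKID_PAGE[env] + "?" + urlencode({"token": session["token"]})

def verify_sca(graphql, sca_session_id, expected_personal_number=None):
    """Trust but verify: the redirect proves nothing, only the backend answer does.
    Anything other than an explicit success for this session (and this person) is a failure."""
    auth = graphql(BANKID_AUTH, {"scaSessionId": sca_session_id})["data"]["bankIdAuth"]
    if auth is None or auth.get("status") != "SUCCESS":
        return False
    if expected_personal_number and auth.get("sePersonalNumber") != expected_personal_number:
        return False
    return True

def fake_graphql(query, variables):
    """Constructed stand-in for the endpoint so the example runs offline."""
    if "newScaSession" in query:
        return {"data": {"newScaSession": {"scaSessionId": "sca_demo_1", "token": "tok&demo=1"}}}
    known = variables["scaSessionId"] == "sca_demo_1"
    return {"data": {"bankIdAuth": {"status": "SUCCESS", "sePersonalNumber": "199001011234"} if known else None}}
```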