For PartnersFor Acquiring Partners

Grant access via Deep Link

Implement the recommended access solution featuring two entry points: deep linking from your portal and an AP button on Klarna's login page. This complete package provides secure, passwordless access with the best user experience.

Overview
The recommended approach for granting access to Klarna Partner Portal combines two entry points that work together as a complete solution:

The two entry points
Entry PointDescriptionUse Case
From Acquiring PortalA button or link in your Partner-facing admin portal that uses the Deep Link API to provision access and redirect Partners directly to Klarna Partner Portal.Partners already logged into your portal who want to access Klarna features.
From Klarna Partner Portal loginA button on Klarna Partner Portal's login page that redirects Partners to your authentication system, then provisions access via Deep Link API.Partners starting their journey from Klarna Partner Portal or bookmarking Klarna Partner Portal directly.
Both entry points use the same Deep Link API and JWT signing mechanism. You only need to implement the JWT generation once to enable both entry points.

Prerequisites
Before implementing this solution, ensure you have completed the common prerequisites.
Additionally, you will need:
  • Public-facing URL (for Klarna Partner Portal login) where Partners can authenticate
Important: This method requires JWT signing with a client certificate. If you haven't completed the JWT setup yet, follow the JWT signing setup in the Overview page first.

Implementation steps
Follow these steps to implement both entry points:

Build and sign your JWT
After completing the JWT signing setup, create your JWT with the following structure:
Sample header
JSON
1 2 3 4 5 6
{ "alg": "ES256", "typ": "JWT", "x5c": ["<your_cert_base64>"] }
Sample payload
JSON
1 2 3 4 5 6 7 8 9 10
{ "amr": ["pwd"], "iss": "krn:partner:global:account:live:LYABCDEI", "jti": "a4728c02-9885-41bf-b539-251ffa7f7eaa", "sub": "portal.user@merchant.com", "iat": 1716768000, "exp": 1716892720, "account_id": "krn:partner:global:account:test:MB6KIE1P", "on_behalf_of": "krn:partner:global:account:test:MB6KIE1P", "roles": ["merchant:admin"]
Note: The amr (authentication methods reference) field is required for deep linking. Use ["pwd"] to indicate password authentication is implemented on your side.
See the full JWT parameter documentation hereAPI.

Entry Point 1: From Acquiring Partner Portal
This entry point allows Partners to access Klarna Partner Portal directly from your Partner-facing admin portal.

How it works
  1. 1.
    Partner clicks a button/link in your portal
  2. 2.
    Your system generates a signed JWT with the Partner's information
  3. 3.
    Your system calls the Deep Link API with the JWT
  4. 4.
    Your system redirects the Partner to the URL returned by the API
  5. 5.
    Partner accesses Klarna Partner Portal without password setup
Deep links are created using a POST request to createDeepLinkAPI endpoint.
Request payload:
JSON
1 2 3 4
{ "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.<....>SMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" }
On success, the endpoint responds with 200 OK, returning a JSON payload that includes a url property to use as the deep link.
Important characteristics:
  • One-time use: Each deep link can only be used once
  • Expires in 60 seconds: Request a new link if not used immediately
  • Session timeout: The session is automatically terminated after 8 hours of inactivity.
Only request deep links when the Partner explicitly wants to enter Klarna Partner Portal. Deep links may only be generated for accounts onboarded via your services.
sequenceDiagram participant A as User participant B as Acquiring Partner participant C as Management API participant D as Klarna Portal A->>B: User clicks "Go to Klarna" B->>C: Creates short lived deep-link URL alt Signed request (JWT) - Klarna will require 2FA only for the User to log in Note over B,C: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> <<Signed JSON Web Token (JWT)>> else Unsigned request - Klarna will require both password and 2FA to log in note over B,C: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> {<br/>"subject": "john.doe@example.com",<br/>"roles": [<br/>"merchant:admin"<br/>} end B -->>C: 200 note over B,C: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>} B -->>A: 200 note over A,B: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>} A ->>D: User is redirected to the Klarna Portal
Deep link access can be revoked at any time between its creation and session expiration (8 hours after generation).

When to revoke
  • Unused Links: Revoke a deep link if it will not be utilized
  • Security Concerns: Revoke access to terminate a user's ability to access Klarna Partner Portal

How to revoke
Make a DELETE request using deleteDeepLinkAPI endpoint:
  • {partner_account_id}: The Partner Account ID for which the deep link was created
  • {deep_link_id}: The unique identifier received when creating the deep link
When a deep link is revoked, the user will lose access to the Partner Account after, at most, 5 minutes.

Entry Point 2: From Klarna login Portal
This entry point displays a "Continue with [Acquiring Partner]" button on Klarna Partner Portal's home screen. When Partners click this button, they are redirected to your authentication system.

How it works
  1. 1.
    Partner visits Klarna Partner Portal login page
  2. 2.
    Partner clicks "Continue with [Acquiring Partner]" button
  3. 3.
    Klarna redirects Partner to your Klarna Access Provision URL with a deeplink_session_token
  4. 4.
    Your system authenticates the Partner (if not already logged in)
  5. 5.
    Your system generates a signed JWT and calls the Deep Link API, including the deeplink_session_token
  6. 6.
    Your system redirects the Partner to Klarna Partner Portal using the URL from the Deep Link API response

Step 1: Create the Klarna Access Provision URL
Create a publicly accessible URL where Partners can authenticate and receive Klarna Partner Portal access. This URL should:
  • Prompt Partners to login if not already authenticated
  • Leverage your existing identity and access management solutions
  • Handle the deeplink_session_token query parameter added by Klarna
Sample URL format:
HTTP
1 2
https://partner.example.com/login?source=klarna&deeplink_session_token=eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzNTQ2N2RlZi1iYzRj
Provide this URL to your designated Klarna technical point of contact. Klarna will configure it in the "Continue with [Acquiring Partner]" button.
Upon successful authentication:
  • Extract the deeplink_session_token from the query parameters
  • Generate your signed JWT (same process as Entry Point 1)
  • Call the createDeepLinkAPI endpoint with the JWT, including the deeplink_session_token from Klarna
  • Redirect the Partner to the URL returned by the Deep Link API
sequenceDiagram participant A as User participant B as Klarna Portal participant C as Acquiring Partner Portal participant D as Management API A->>B: User clicks "Continue with Acquiring Partner" button B->>A: Redirect to AP's Klarna Access Provision URL<br/> with {deeplink_session_token} A->>C: Load Klarna Access Provision URL opt If the user is not already authenticated with the Acquiring Partner system A->>C: Enter credentials C->>C: Authenticates end C->>D: Creates short lived deep-link URL alt Signed request (JWT) - Klarna will require 2FA only for the User to log in Note over C,D: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> <<Signed JSON Web Token (JWT)>> else Unsigned request - Klarna will require both password and 2FA to log in note over C,D: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> {<br/>"subject": "john.doe@example.com",<br/>"roles": [<br/>"merchant:admin"<br/>],<br/> "deeplink_session_token": "<<deeplink_session_token>>"<br/>} end D -->>C: 200 note over C,D: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>} C -->>A: 200 note over A,C: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>} A ->>B: User is redirected to the Klarna Portal
Following these steps will enable the "Continue with [Acquiring Partner]" button on Klarna Partner Portal's login screen and ensure a secure and streamlined login experience for Partners.
If you cannot implement signed JWT deep linking due to technical constraints, unsigned deep linking is available as a fallback.
Not Recommended: This approach requires users to set up a password when accessing Klarna Partner Portal, adding an additional step that degrades user experience. Only use this if signed deep linking cannot be implemented.
With unsigned deep linking:
  • You call the Deep Link API without providing a JWT
  • You provide the user's email address and other parameters directly
  • MFA is enforced within Klarna Partner Portal (instead of your portal)
  • Users must set up a password on first access
For unsigned deep linking parameters, see createDeepLinkAPI .
Related articles
Klarna Partner Portal Overview
How to position Klarna to your Partners
API & SDK references
API
Create a deep link
Delete a deep link