Grant access via Deep Link

Implement the recommended access solution featuring two entry points: deep linking from your portal and an Acquiring Partner (AP) button on Klarna's login page. This complete package provides secure, passwordless access with the best user experience.

Overview

The recommended approach for granting access to Klarna Partner Portal combines two entry points that work together as a complete solution:

The two entry points

| Entry Point | Description | Use Case |
| --- | --- | --- |
| From Acquiring Portal | A button or link in your Partner-facing admin portal that uses the Deep Link API to provision access and redirect Partners directly to Klarna Portal. | Partners already logged into your portal who want to access Klarna features. |
| From Klarna Portal login | A button on Klarna Portal's login page that redirects Partners to your authentication system, then provisions access via Deep Link API. | Partners starting their journey from Klarna Portal or bookmarking Klarna Portal directly. |

Both entry points use the same Deep Link API and JWT signing mechanism. You only need to implement the JWT generation once to enable both entry points.

Prerequisites

Before implementing this solution, ensure you have completed the common prerequisites.

Additionally, you will need:

  • Public-facing URL (for Klarna Portal login) where Partners can authenticate

Important: This method requires JWT signing with a client certificate. If you haven't completed the JWT setup yet, follow the JWT signing setup in the Overview page first.

Implementation steps

Follow these steps to implement both entry points:

Build and sign your JWT

After completing the JWT signing setup, create your JWT with the following structure:

Sample header

{
  "alg": "ES256",
  "typ": "JWT",
  "x5c": ["<your_cert_base64>"]
}

Sample payload

{
  "amr": ["pwd"],
  "iss": "krn:partner:global:account:live:LYABCDEI",
  "jti": "a4728c02-9885-41bf-b539-251ffa7f7eaa",
  "sub": "portal.user@merchant.com",
  "iat": 1716768000,
  "exp": 1716892720,
  "account_id": "krn:partner:global:account:test:MB6KIE1P",
  "on_behalf_of": "krn:partner:global:account:test:MB6KIE1P",
  "roles": ["merchant:admin"]
}

Note: The amr (authentication methods reference) field is required for deep linking. Use ["pwd"] to indicate password authentication is implemented on your side.

See the full JWT parameter documentation for details.
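One way to produce and self-check a token with the header and payload shown above, using only Node's built-in crypto module. This is an added example, not Klarna's code: the function names, the ttlSeconds parameter and the choice to set on_behalf_of to the same value as account_id (as in the sample payload) are assumptions, and the demo uses a throwaway key with a placeholder x5c value.

```javascript
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');

// Build and sign a deep-link JWT: ES256, signing certificate carried in x5c.
// certDerBase64 is the certificate's DER in standard base64 (the PEM body).
function signDeepLinkJwt({ privateKey, certDerBase64, issuer, accountId, subject, roles, ttlSeconds }) {
  const now = Math.floor(Date.now() / 1000);
  const header = { alg: 'ES256', typ: 'JWT', x5c: [certDerBase64] };
  const payload = {
    amr: ['pwd'],               // password authentication happened on your side
    iss: issuer,
    jti: crypto.randomUUID(),   // fresh identifier for every token
    sub: subject,
    iat: now,
    exp: now + ttlSeconds,      // assumption: lifetime is chosen by the caller
    account_id: accountId,
    on_behalf_of: accountId,    // assumption: same value, as in the sample payload
    roles,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // JWS ES256 uses the raw 64-byte r||s form; Node emits DER unless told otherwise.
  const signature = crypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Pre-flight check before calling the API: structure, required claims, signature.
function checkDeepLinkJwt(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (header.alg !== 'ES256' || !Array.isArray(header.x5c) || header.x5c.length === 0) return false;
  if (!Array.isArray(payload.amr) || payload.amr.length === 0) return false;
  if (!(payload.exp > payload.iat)) return false;
  return crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
}

// Constructed demo: throwaway key pair and a placeholder x5c value, not a real certificate.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const token = signDeepLinkJwt({ privateKey, certDerBase64: '<your_cert_base64>',
    issuer: 'krn:partner:global:account:live:LYABCDEI', accountId: 'krn:partner:global:account:test:MB6KIE1P',
    subject: 'portal.user@merchant.com', roles: ['merchant:admin'], ttlSeconds: 300 });
  return { token, ok: checkDeepLinkJwt(token, publicKey) };
}
console.log(demo());
```

In production the private key comes from your key store and x5c carries the real certificate; the check only confirms the token is well formed and matches the key you expect.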

Entry Point 1: From Acquiring Partner Portal

This entry point allows Partners to access Klarna Portal directly from your Partner-facing admin portal.

How it works

  1. Partner clicks a button/link in your portal
  2. Your system generates a signed JWT with the Partner's information
  3. Your system calls the Deep Link API with the JWT
  4. Your system redirects the Partner to the URL returned by the API
  5. Partner accesses Klarna Portal without password setup

Creating a deep link

Deep links are created using a POST request to the createDeepLink endpoint.

Request payload:

{
  "jwt": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.<....>SMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

On success, the endpoint responds with 200 OK, returning a JSON payload that includes a url property to use as the deep link.

Important characteristics:

  • One-time use: Each deep link can only be used once
  • Expires in 60 seconds: Request a new link if not used immediately
  • Session timeout: The session is automatically terminated after 8 hours of inactivity.

Only request deep links when the Partner explicitly wants to enter Klarna Portal. Deep links may only be generated for accounts onboarded via your services.

sequenceDiagram
    participant A as User
    participant B as Acquiring Partner
    participant C as Management API
    participant D as Klarna Portal
    A->>B: User clicks "Go to Klarna"
    B->>C: Creates short lived deep-link URL
    alt Signed request (JWT) - Klarna will require 2FA only for the User to log in
        Note over B,C: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> <<Signed JSON Web Token (JWT)>>
    else Unsigned request - Klarna will require both password and 2FA to log in
        note over B,C: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> {<br/>"subject": "john.doe@example.com",<br/>"roles": [<br/>"merchant:admin"<br/>]<br/>}
    end
    B -->>C: 200
    note over B,C: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>}
    B -->>A: 200
    note over A,B: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>}
    A ->>D: User is redirected to the Klarna Portal

Revoking a deep link session

Deep link access can be revoked at any time between its creation and session expiration (8 hours after generation).

When to revoke

  • Unused Links: Revoke a deep link if it will not be utilized
  • Security Concerns: Revoke access to terminate a user's ability to access Klarna Portal

How to revoke

Make a DELETE request using the deleteDeepLink endpoint:

  • {partner_account_id}: The Partner Account ID for which the deep link was created
  • {deep_link_id}: The unique identifier received when creating the deep link

When a deep link is revoked, the user will lose access to the Partner Account after, at most, 5 minutes.

Entry Point 2: From Klarna login Portal

This entry point displays a "Continue with [Acquiring Partner]" button on Klarna Portal's home screen. When Partners click this button, they are redirected to your authentication system.

How it works

  1. Partner visits Klarna Portal login page
  2. Partner clicks "Continue with [Acquiring Partner]" button
  3. Klarna redirects Partner to your Klarna Access Provision URL with a deeplink_session_token
  4. Your system authenticates the Partner (if not already logged in)
  5. Your system generates a signed JWT and calls the Deep Link API, including the deeplink_session_token
  6. Your system redirects the Partner to Klarna Portal using the URL from the Deep Link API response

Step 1: Create the Klarna Access Provision URL

Create a publicly accessible URL where Partners can authenticate and receive Klarna Portal access. This URL should:

  • Prompt Partners to login if not already authenticated
  • Leverage your existing identity and access management solutions
  • Handle the deeplink_session_token query parameter added by Klarna

Sample URL format:

https://partner.example.com/login?source=klarna&deeplink_session_token=eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIzNTQ2N2RlZi1iYzRj

Provide this URL to your designated Klarna technical point of contact. Klarna will configure it in the "Continue with [Acquiring Partner]" button.

Step 2: Provide access via Deep Link API

Upon successful authentication:

  • Extract the deeplink_session_token from the query parameters
  • Generate your signed JWT (same process as Entry Point 1)
  • Call the createDeepLink endpoint with the JWT, including the deeplink_session_token from Klarna
  • Redirect the Partner to the URL returned by the Deep Link API

sequenceDiagram
    participant A as User
    participant B as Klarna Portal
    participant C as Acquiring Partner Portal
    participant D as Management API
    A->>B: User clicks "Continue with Acquiring Partner" button
    B->>A: Redirect to AP's Klarna Access Provision URL<br/> with {deeplink_session_token}
    A->>C: Load Klarna Access Provision URL
    opt If the user is not already authenticated with the Acquiring Partner system
        A->>C: Enter credentials
        C->>C: Authenticates
    end
    C->>D: Creates short lived deep-link URL
    alt Signed request (JWT) - Klarna will require 2FA only for the User to log in
        Note over C,D: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> <<Signed JSON Web Token (JWT)>>
    else Unsigned request - Klarna will require both password and 2FA to log in
        note over C,D: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> {<br/>"subject": "john.doe@example.com",<br/>"roles": [<br/>"merchant:admin"<br/>],<br/> "deeplink_session_token": "<<deeplink_session_token>>"<br/>}
    end
    D -->>C: 200
    note over C,D: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>}
    C -->>A: 200
    note over A,C: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>}
    A ->>B: User is redirected to the Klarna Portal

Following these steps will enable the "Continue with [Acquiring Partner]" button on Klarna Portal's login screen and ensure a secure and streamlined login experience for Partners.
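The input handling around Step 1 and Step 2, as an added example that is not Klarna's code: it reads the deeplink_session_token from the incoming request, builds the createDeepLink call, and checks the returned url before redirecting. The function names, the token length and character limits, the allowed host suffix (taken from the sample response host) and sending deeplink_session_token as a body field beside jwt (mirroring the unsigned sample) are assumptions to confirm against the API reference.

```javascript
// Assumption: hosts under this suffix are valid Klarna Portal targets; the sample
// response on this page uses auth.eu.portal.klarna.com. Confirm the real set with Klarna.
const ALLOWED_HOST_SUFFIX = '.portal.klarna.com';
const MAX_TOKEN_LENGTH = 4096; // assumption: upper bound chosen for this example

// Return the deeplink_session_token Klarna appended, or null if absent or ambiguous.
function extractSessionToken(requestUrl) {
  const values = new URL(requestUrl).searchParams.getAll('deeplink_session_token');
  if (values.length !== 1) return null; // missing or repeated parameter
  const token = values[0];
  if (token.length === 0 || token.length > MAX_TOKEN_LENGTH) return null;
  return /^[A-Za-z0-9._-]+$/.test(token) ? token : null; // assumption: JWT-style characters
}

// Build the createDeepLink call. The path and the "jwt" field are from this page;
// the sibling deeplink_session_token field is an assumption (see lead-in).
function buildDeepLinkRequest(partnerAccountId, jwt, sessionToken) {
  if (!/^[A-Za-z0-9:_-]+$/.test(partnerAccountId)) throw new Error('unexpected account id');
  const body = { jwt };
  if (sessionToken) body.deeplink_session_token = sessionToken;
  return {
    method: 'POST',
    path: `/v2/accounts/${partnerAccountId}/portal/deep-links`,
    body: JSON.stringify(body),
  };
}

// Accept the API's "url" only if it is HTTPS on an expected host; otherwise do not redirect.
function safeRedirectTarget(apiResponse) {
  let target;
  try { target = new URL(apiResponse.url); } catch { return null; }
  if (target.protocol !== 'https:') return null;
  if (!target.hostname.endsWith(ALLOWED_HOST_SUFFIX)) return null;
  if (target.username || target.password) return null;
  return target.href;
}

// Constructed request and response values for a stand-alone run.
function demoProvision() {
  const token = extractSessionToken(
    'https://partner.example.com/login?source=klarna&deeplink_session_token=abc.def.ghi');
  const request = buildDeepLinkRequest('krn:partner:global:account:test:MB6KIE1P', '<signed_jwt>', token);
  const redirect = safeRedirectTarget({ url: 'https://auth.eu.portal.klarna.com/constructed-path' });
  return { token, request, redirect };
}
console.log(demoProvision());
```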

If you cannot implement signed JWT deep linking due to technical constraints, unsigned deep linking is available as a fallback.

Not Recommended: This approach requires users to set up a password when accessing Klarna Portal, adding an additional step that degrades user experience. Only use this if signed deep linking cannot be implemented.

With unsigned deep linking:

  • You call the Deep Link API without providing a JWT
  • You provide the user's email address and other parameters directly
  • MFA is enforced within Klarna Portal (instead of your portal)
  • Users must set up a password on first access

For unsigned deep linking parameters, see createDeepLink.