Klarna Docs - Grant access
API and SDKsSupport
Grant access

Secure and streamline access to Klarna's Partner Portal by leveraging deep linking, SAML IdP, or the User Access Management API to manage roles and user permissions efficiently.

Klarna provides access to Booster features such as Express Checkout, On-site Messaging, and Sign in with Klarna, through the Klarna Portal. Access enables Partners to retrieve credentials and complete setup within Klarna’s ecosystem Acquiring Partners are required to grant access to the Klarna Portal to support these functionalities.

Key features of the Klarna Portal:

  • Boost features access: Access to key conversion-enhancing features like Klarna Boost products is enabled through access to the portal.
  • Credential Management: Partners are enabled to generate restricted credentials to supplement their Acquiring Partner integration.

Partners cannot access features altering transaction statuses or privileged information, such as dispute or settlement management, unless otherwise enabled through their Acquiring Partner with Klarna.

Granting Portal Access

Access is managed through roles assigned collaboratively by Klarna and the Acquiring Partner. Multiple access methods are supported; however, the recommended approach must be leveraged wherever possible. Alternative solutions may be agreed upon with Klarna based on technical or business constraints.

The presentation of any link between your Partner-facing admin portal must be agreed and signed off in accordance with Klarna’s user experience guidelines. Details are available in Klarna’s user experience guidelines.

Recommended SolutionAlternate Solutions
Signed [https://docs.klarna.com/api/kn/klarna-management-api/klarna-management-api-v2-r6/#operation/createDeepLink Deep Linking]
Use signed deep links secured with a JSON Web Token (JWT) to enable access without requiring password setup. Multi-factor authentication (MFA) is enforced on the Partner’s portal.Applicability: Suitable for all Acquiring Partners with a Partner-facing admin portal.		X
Unsigned [https://docs.klarna.com/api/kn/klarna-management-api/klarna-management-api-v2-r6/#operation/createDeepLink deep linking] to Klarna Portal:
Relies on MFA enforced within the Klarna Portal and requires users to set up a password.Applicability: For Partners unable to support JWT-signed deep linking due to Klarna-approved limitations.		X
Acquiring Partner as identity provider (SAML IdP):
Delegates authentication to the Acquiring Partner using SAML v2.0. No MFA is required on the Klarna Portal as MFA is managed by the Partner.Applicability: Ideal for Partners with advanced technical capabilities to implement SAML IdP, providing a seamless user experience.		X
Klarna Portal user management API:
Grants API-based access for Partners without an admin portal to invite and manage users.Applicability: Suitable for Partners without admin portal capabilities.		X

Deep linking facilitates seamless user access to Klarna’s Partner Portal via either a signed or unsigned method.

When the user clicks a link that should redirect to the Klarna Portal from the your portal, the acquiring partner should use the Deep link API and redirect the User to Klarna using the url from the response. You need to share the email address of the User that will then need to create or log-in their Klarna Portal Account.

By leveraging signed deep linking, the Acquiring Partner simplifies access to the Klarna Portal, avoiding password setup, supporting audit-ability of access, and ensuring non-repudiation. It can be enabled through the steps below:

  • Step 1: Generate a key and a public certificate to sign the JWT.

    • To generate these, follow steps 2 to 4 listed here. When reaching out to Klarna to ask for the certificate, make sure to mention that the purpose of it is for JWT signing, not mTLS.

    • Use the private key generated in the previous step 2 to sign the JWT (it is an ECDSA key, so the ES256 algorithm must be used).

    • The public certificate provided by Klarna must be included in the “x5c” header of the JWT. (See here the official technical definition of this header and here an example of how it looks).
  • Step 2: Generate a JWT containing the parameter listed here and a session token for redirection.
  • Step 3: Use Klarna’s Deep Link API to generate a one-time URL.
  • Step 4: Redirect the user to Klarna Portal using the URL.
sequenceDiagram participant A as User participant B as Acquiring Partner participant C as Management API participant D as Klarna Portal A->>B: User clicks "Go to Klarna" B->>C: Creates short lived deep-link URL alt Signed request (JWT) - Klarna will require 2FA only for the User to log in Note over B,C: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> <<Signed JSON Web Token (JWT)>> else Unsigned request - Klarna will require both password and 2FA to log in note over B,C: POST /v2/accounts/{partner_account_id}/<br/>portal/deep-links <br/> {<br/>"subject": "john.doe@example.com",<br/>"roles": [<br/>"merchant:admin"<br/>} end B -->>C: 200 note over B,C: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>} B -->>A: 200 note over A,B: {<br/>"url": "https://auth.eu.portal.klarna.com/..."<br/>} A ->>D: User is redirected to the Klarna Portal

Alternate: Unsigned deep linking

Should you not be able to sign a JWT with the requested information, it is possible to use the Deep link API as a regular REST endpoint.  In this case, the user would be forced to set a password when accessing the Klarna Portal leading to an additional step in the user journey which we would rather avoid. Both approaches are shown below.

Creating a deep link

Deep links for Partners are created using a POST request to /v2/accounts/{account_id}/portal/deep-links and are valid for one-time use, expiring after 60 seconds. Deep links should only be requested after the Partner expresses a desire to enter the Klarna Portal, and may only be generated for accounts onboarded via your services. The provisioned accesses remain valid until the user is logged out from Klarna.

You can define the level of access granted to the user by setting the roles array.

  • merchant:admin - provides access allowing the Partner to access all apps defined within the Acquiring Partner agreement.
  • merchant:developer - provides access only to those apps which will assist a developer in implementing Klarna. Allows for the creation of client-side tokens and implementation of Klarna Boost features.

The deep-link API returns a URL for redirecting the user to Klarna. Parameters vary based on the method used:

  • Signed JWT - Definition 1, delegates authentication to the Acquiring Partner.
  • Regular payload - Definition 2, requires the user to set a password.
Definition 1: Content of the JWT that will be signed
TypeParameterDefinition
HeaderalgAlgorithm is used to generate the signature.Accepts “ES256”.
HeadertypAccepts “JWT” only.
Headerkid or x5cCertificate serial number (kid) or the Certificate encoded (x5c).
PayloadissPSP’s account ID, e.g. “krn:partner:global:account:live:LWT2XJSE”.
PayloadjtiToken ID. Must be unique per request
PayloadsubThe email address of the user.
PayloadiatTime at which the JWT was issued. Either an integer or decimal, representing seconds past 1970-01-01 00:00:00Z, e.g. “1422779638”.
PayloadexpTime at which the JWT expires. Either an integer or decimal, representing seconds past 1970-01-01 00:00:00Z, e.g. “1422779638”.
The maximum interval after this value during which the JWT will be accepted is 1 minute. (i.e., if iat is more than 1 minute in the past, the JWT will no longer be valid.).
PayloadamrArray of authentication methods used.Accepts “pwd” and “mfa”, but “pwd” is at least required.
Payloadaccount_idID of the sub-partner account, e.g. “krn:partner:global:account:live:LWT2XJSE”.
Payloadroles[]Roles given to the User once they access the Portal. Roles give privileges for specific operations.
SignatureComputed signature following the JWT standard.
Definition 2: Content of an unsigned Payload - will require users to create their own password
ParameterDefinition
subjectThe email address of the user.
roles[]Roles given to the User once they access the Portal. Roles give privileges for specific operations.
session_tokenWhen a Deep link is created due to the access to the Klarna User Access Provisioning URL, the session_token should be forwarded to Klarna. This session_token helps Klarna to redirect the User to the correct page they were looking for. It is a base64 token.

Revoking a deep link

Deep link access can be revoked at any time between its creation and session expiration, which occurs 8 hours after the link is generated.

Recommendations for Revocation
  • Unused Links: Revoke a deep link if it is known it will not be utilized.
  • Security Concerns: Revoke access if there is a need to terminate a user’s ability to access the Klarna Partner Portal.

Deep links for Partners can be manually revoked using a DELETE request to /v2/accounts/{account_id}/portal/deep-links/{deep_link_id}

  • {deep_link_id}: the unique identifier received when creating a deep-link.
  • {account_id}: the account associated with the Partner.

Manually revoking a deep link endpoint will be made available in future releases.

An Identity Provider (IdP) is a system that authenticates users and authorizes their access to applications and services. In this setup, The Acquiring Partner acts as the IdP and Klarna acts as the Service Provider (SP).  By leveraging SAML v2.0, this setup ensures:

  • Secure Authentication: User credentials remain securely managed by the IdP.
  • Policy Enforcement: Enables security policies such as MFA.
  • Enhanced Efficiency and Compliance: Centralized user management.

To enable Klarna Portal to leverage the Acquiring Partner as an IdP the following setup is required:

Step 1: Share SAML Configuration with Klarna

  • Provide Klarna with the required SAML configuration details (e.g., metadata, certificates, endpoints).
  • Klarna will complete the necessary configuration on their end.

Step 2: Set Up Klarna Portal as the Service Provider

  • Configure Klarna Portal to accept SAML assertions from your IdP.
  • Enforce MFA during SAML authentication for enhanced security.

Step 3: Map User Attributes

  • Define and map user attributes from your IdP to the corresponding Klarna Portal users.
  • Attributes may include partner account IDs, roles, and other relevant details.

Step 4: Handle SAML Authentication Requests

  • Receive SAML authentication requests from Klarna.
  • Process the requests in accordance with the SAML v2.0 protocol and return SAML authentication responses.

Step 5: Provision Access

  • Use the Deep Link API or SAML Response to grant users access to the Klarna Portal.

The SAML IdP solution will be included in future releases. If you are interested in proceeding with this option for Partner Portal access please reach out to your Klarna representative to discuss further.

Klarna Portal accounts can also be created via the user access management API. This API is similar to deep linking, except instead of giving a user temporary access to the portal via a link, this creates (semi-)permanent access.

Creating user access

User access for Partners are created using a POST request to /v2/portal/user-access.

You can define the level of access granted to the user by setting the roles array.

  • merchant:admin - provides access allowing the Partner to access all apps defined within the Acquiring Partner agreement.
  • merchant:developer - provides access only to those apps which will assist a developer in implementing Klarna. Allows for the creation of client-side tokens and implementation of Klarna Boost features.

We will create a Klarna Portal user for the supplied email (sub), give them access to the sub-account and send an invitation email to them, containing an activation link. The user will then need to follow the activation flow (accept T&Cs, update their given/family name, and set up their password and 2FA).

Definition 1: Content of the JWT that will be signed
TypeParameterDefinition
HeaderalgAlgorithm is used to generate the signature.Accepts “ES256”.
HeadertypAccepts “JWT” only.
Headerx5cCertificate encoded (x5c).
PayloadissPSP’s account ID, e.g. “krn:partner:global:account:live:LWT2XJSE”.
PayloadjtiToken ID. Must be unique per request
PayloadsubThe email address of the user.
PayloadiatTime at which the JWT was issued. Either an integer or decimal, representing seconds past 1970-01-01 00:00:00Z, e.g. “1422779638”.
The maximum interval after this value during which the JWT will be accepted is 1 minute. (i.e., if iat is more than 1 minute in the past, the JWT will no longer be valid.).
PayloadexpTime at which the JWT expires. Either an integer or decimal, representing seconds past 1970-01-01 00:00:00Z, e.g. “1422779638”.
Payloadaccount_idID of the sub-partner account, e.g. “krn:partner:global:account:live:LWT2XJSE”.
Payloadroles[]Roles given to the User once they access the Portal. Roles give privileges for specific operations.
Payloadexpires_at(Optional) The date when the access expires in YYYY-MM-DD format, e.g. 2026-12-31. Must be a future date.
Payloadinactivity_grace_period(Optional) ISO 8601 duration string specifying how long the access remains valid after user inactivity, e.g. P30D for 30 days. Must be between 1 day and 6 months.
SignatureComputed signature following the JWT standard.

Inviting and managing users will be further defined in later releases.