API and SDKs
Manage your API credentials

Secure your Klarna integration by managing API credentials responsibly, enforcing strong authentication standards, and following best practices for encryption, access control, and threat reporting.

To begin your integration with Klarna, the first step is to obtain your API credentials. Once your account is set up by Klarna, you will receive your initial API key through a secure link.

With your initial API key from Klarna, you can create new API keys and Client IDs through the Partner Management API. Here's how these credentials function:

  • API keys: Are used to authenticate server-side REST API requests towards Klarna. In addition, Klarna may use them to identify the source account.

Structure: klarna_<live|test>_api_<random>

  • Client IDs: Are used to authenticate client-side interactions towards Klarna's SDK. Due to the nature of frontend authentication, client keys require domain registration.

Structure: klarna_<live|test>_client_<random>

Learnings:

To ensure the security of Partner integrations, Klarna also requires Acquiring Partners to implement Mutual Transport Layer Security (mTLS) in order to access Klarna APIs.

Credential management is fully under the control of the Acquiring Partner, who can create and manage credentials for different services. This autonomy enhances security by enabling automatic credential rotation, reducing the need for manual updating by Klarna.

To minimize risk in the event of a security breach, assign unique credentials to each service and use the description field to clearly define each credential's purpose. This approach simplifies credential management and ensures that if one credential is compromised or needs to be deactivated, it won't affect the others, maintaining uninterrupted operation across your integration.

graph LR; A[Your service X] --> B[API Key for X] --> D[Klarna Partner APIs] C[Your service Y] --> E[API Key for Y] --> D F[Your client page X] --> G[Client Identifier for X] --> D

Other recommended practices:

  • Never store credentials in plaintext.
  • Implement strict access controls to limit credential exposure.
  • Regularly rotate credentials.
  • Immediately revoke and notify Klarna support if credentials are compromised.

Credentials can be managed for either live or test environments and are specific to client-side or server-side actions. When creating credentials, you can add a description to specify their use, which can be verified via the getCredentialsApiAPI.

Credentials inactive for two months will be disabled to prevent misuse and will be deleted after ten months of inactivity. In such cases, you can reactivate old credentials or generate new ones through Partner support, your Klarna account representative, or via APIs, maintaining the security and flexibility of your interactions with Klarna.

For rotating API-keys, it's recommended to support multiple credentials during the transition. The steps for key rotation involve:

  1. Use the createCredentialsApiAPIto request new API-key credentials
  2. Transition your service from existing API-key to the new API-key.
  3. Validate the new API-key have been correctly implemented.
  4. Use the deleteCredentialApiAPIto permanently disable the affected API-key.

Client IDs are not secret since they are available publicly so there is generally not a need to rotate them. If the need arises, e.g. to discourage abusive use, the following createCredentialsClientAPIendpoint is used to create new ones, and this for createCredentialsApiAPIAPI-keys.

Rate limiting considerations:

Rate limiting is enforced by Klarna on an account basis. The creation of multiple credentials will not enable increased rate limits. For more information see Rate Limiting.

Consult the API referenceAPI for a complete description of the request body parameters.

All server-side REST APIs require API keys for authentication, whereas the Klarna Web SDK uses Client IDs. Ensure all API requests are transmitted over HTTPS using TLS 1.2 protocol at a minimum. Attempts to connect without valid credentials or via plain HTTP will not succeed.

The API key should be included in the Authorization header for every request in the following format:

Authorization: Basic <API key>

The API key can be in it's raw form or base64-encoded.

If the API key is missing or incorrect, Klarna responds with 401 Unauthorized.

API keys are sensitive; handle them with utmost care.

For Klarna Partners working with multiple account_ids, you should consider the following:

  • account_id must be included in the path for operations on a specific Partner or its resources (use the account_id returned by the Management API)
    • e.g. /v1/accounts/{account_id}/payment/requests.

Our integration APIs are fortified with active DDOS protection measures designed to stop traffic identified as illegitimate or exhibiting atypical behaviors. If a DDOS protection rule is triggered, the HTTP-status code 403 will be returned, absent the typical error information object.

Further information about rate limiting is available in the Rate limiting section.

Effective API security requires careful management of the IP addresses used to access services. It is recommended to use a static IP address because dynamically allocated IPs might have been previously associated with malicious activities. This is particularly important in cloud environments, where IPs can be cycled between accounts if not explicitly architected. Reusing an IP with a history of abuse could lead to its inclusion on threat intelligence lists, potentially resulting in the blocking of legitimate service calls.

The global API endpoint is exposed via 2 anycast static IPs, enabling Partners to configure egress security measures within their IT infrastructure effectively.

The TLS certificates at API endpoints are issued by AWS Certificate Manager and are subject to automatic renewal as expiration approaches. We advise against reliance on specific certificate details, recommending instead trust in the root CA as outlined in the documentation.

Callbacks from Klarna will originate from specific IP addresses based on the environment, information which should be used to configure firewalls for enhanced security.

Security protocols vary by integration and should be assessed individually. However, some universal requirements include:

  • Maintaining up-to-date security across all system components, promptly applying the latest patches, and employing a thorough testing process before deployment.
  • Carrying out regular fraud assessments to pinpoint and address potential security issues.
  • Limiting administrative rights strictly to those who need them, adhering to the principle of least privilege.
  • Keeping a formal log of all individuals with access to Klarna systems and ensuring access is granted via corporate email addresses.
  • Regularly monitoring and updating access rights, especially after an employee's role changes or departure, and conducting periodic access reviews.
  • Avoiding shared accounts to ensure actions can be attributed to individual customers. - Enforcing the use of strong passwords (14 or more characters) and enabling two-factor authentication (2FA) where feasible.
  • Encrypting stored secrets and not keeping them in plaintext.
  • Considering suppliers and third-party providers within the organization's overall security strategy and conducting appropriate evaluations.
  • Enabling logging for sensitive actions and monitoring for suspicious activities. Klarna mandates that Partners report any suspicious activities through Partner support or the Partner portal chat. This includes unusual Klarna transaction processes. Such collaborative vigilance is crucial in detecting and mitigating potential threats early, ensuring a secure environment for all parties involved. Klarna reserves the right to disable API keys upon detecting any evidence of potential compromise. Adherence to these guidelines is essential for maintaining robust security standards and protecting against potential vulnerabilities.

Two authentication methods are used in the platform: API authentication via an API key and a client ID, employed to authenticate the calling account.

  • The API key is highly confidential and must never be exposed in clear-text beyond an API request.
  • The client-id is used in a browser environment and is not secret in itself, it must be configured with a list of approved websites from which it's approved to be used which will prevent some fraud scenarios Both API-keys and client-ids are signed tokens which are verified by the platform to ensure the integrity of the information.

The pattern for both API-keys and client-ids are:

  • Client ID structure: klarna_<live|test>_<client>_<random>
  • Client ID Example: klarna_test_client_elZGI1B5dHBIRWcjZrNldnbEVj[...]uefnc3
  • API Key Structure: klarna_<live|test>_<api>_<random>
  • API Key Example: klarna_live_api_elZGI1B5dHBIRWltRjF5cjZrNldnbEVjKnIqeC[...]Uybz0

The authentication information used by features of the platform:

FeatureAuthentication type
Web SDKClient-id
REST APIAPI-key
Sign-in-with-klarnaOAuth using client-id and API-key

Klarna uses best practices to secure the environments, including but not limited to automated security scanning, penetration tests, white and blackbox testing and resiliency testing.

To ensure the operational characteristics for all of our customers the following rules apply.

Do not perform any form of vulnerability scanning, penetration testing, performance testing, stress testing, denial-of-service simulation, or related activities on Klarna systems, networks, APIs, services, or infrastructure in any environment.

Limited performance testing is allowed only in Klarna's designated test environment and must strictly follow Klarna's specific guidelines and restrictions, as specified here.

Any unauthorized testing activities may lead to immediate remedial actions, such as service suspension, payment withholding, or legal proceedings.