Publisert - 06.07.2026

Authorization

In order to be authorized to use the service in production the client must first be authenticated using HelseID

The service in the DEV environment is without authentication. See environments for an overview

HelseID

A DPoP token from HelseID is required for authorization of organization and health care personell. Bearer tokens will not be allowed.

Note that the EPJ system must provide the org. nr. of the actual work place (point of care) of the health care personell when requesting the access token. This will make sure that the request is connected to the correct organization.

Claims - required in access token to the API

The client must do a token refresh/exchange with HelseID to set correct audience and scope for this service.

Claim Description
scope nhn:papla/api
aud nhn:papla
helseid://claims/client/claims/orgnr_parent Org. nr. at the top level (legal entity). Required for all.
helseid://claims/client/claims/orgnr_child Org. nr. at the lower level (point of care). For some organizations the same as orgnr_parent. Required for all.

Claims documentation for HelseID can be found here.

Documentation on how to set organization nrs. as claims for a multi-tenant client can be found here.

Documentation to set single audience can be found here

Headers

Name Description Required
Authorization: DPoP HelseID DPoP access token. Yes
DPoP DPoP proof. Yes

Søk i Utviklerportalen

Søket er fullført!