
Quick Start

Ledyer Access uses the OAuth 2.0 authorization code flow.

To begin, obtain your client credentials from Ledyer support. We will ask you to provide one or more redirect_url(s).

caution

Your client credentials carry many privileges, so be sure to keep them secure! Do not share your credentials in publicly accessible areas such as GitHub, email, instant-message or client-side code.

important

All API requests must be made over HTTPS; otherwise they will fail.

Configure

Configure your OAuth2 client library with the Ledyer Access OAuth2/OIDC endpoints.

Sandbox

  • https://access.sandbox.ledyer.com/oauth2/auth
  • https://access.sandbox.ledyer.com/oauth2/token
  • https://access.sandbox.ledyer.com/userinfo

Live

  • https://access.live.ledyer.com/oauth2/auth
  • https://access.live.ledyer.com/oauth2/token
  • https://access.live.ledyer.com/userinfo

Alternatively the endpoint configuration can be fetched from:

Sandbox

  • https://access.sandbox.ledyer.com/.well-known/openid-configuration

Live

  • https://access.live.ledyer.com/.well-known/openid-configuration

Continue configuring client credentials, redirect url, scopes, state etc.

Params

country

Optional

Country code such as SE, FI etc (ISO 3166-1 alpha-2). Defaults to SE if omitted.

redirect_method

Optional

If redirect_method is set to postmessage, the auth flow ends with a postMessage being sent to the embedding page instead of redirecting the user to the redirect_uri. See Embedding in an iframe for an example listener.

redirect_url

Redirect URI to which the response will be sent. This URI MUST exactly match one of the Redirection URIs registered for your Ledyer Access client account.

response_type

Response type. Only valid value is code.

scope

Use openid + onboarding for the onboarding flow.
Use openid for the login flow.

state

An opaque value used to maintain state between the request and the callback. It's important to generate a "state" to protect the client from CSRF attacks. This can be a random string that the client generates and stores in the session. Your app will verify that the state parameter in the redirect from Ledyer matches the one that was created at the start of the flow.

ui_locales

Optional

End user's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference.

Generate the login URL

Example login URL (preferably automatically generated by your OAuth2 library)

  https://access.sandbox.ledyer.com/oauth2/auth
?client_id=yourclientid
&country=SE
&redirect_method=postmessage
&redirect_uri=https%3A%2F%2Flocalhost%3A1234%2Fcallback
&response_type=code
&scope=openid+onboarding
&state=vqguhnHa90cPLf9fgiqaCFJbabTkRYnB9MZ1C30J3EE%3D
&ui_locales=sv-SE

Embedding in an iframe

<iframe src={loginURL} title="Ledyer Access" height="350px" width="100%"></iframe>
<script>
  window.addEventListener("message", (event) => {
    // Only accept messages sent from a Ledyer Access origin.
    if (
      event.origin !== "https://access.sandbox.ledyer.com" &&
      event.origin !== "https://access.live.ledyer.com"
    ) {
      return;
    }

    // Ignore every message that is not the authorization response.
    if (event.data?.type !== "authorization_response") {
      return;
    }

    // ...
    // Post the event data to your backend "redirect" url and exchange the code with a token.
  });
</script>

Exchange the auth code with a token

In your callback endpoint you should verify the state and exchange the authorization code for an access token.
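The state handling described above, as an added Node.js example that is not Ledyer's own code: it generates a random state, builds the sandbox login URL from the parameters listed on this page, and checks the returned state in the callback before any code exchange. The function names and the plain-object session are assumptions; use your framework's server-side session store.

```javascript
// Added illustration, not Ledyer's code. Function names and the session
// object are hypothetical; endpoint and parameter names come from this page.
const { randomBytes, timingSafeEqual } = require("node:crypto");

const AUTH_ENDPOINT = "https://access.sandbox.ledyer.com/oauth2/auth";

// Start of the flow: create an unguessable state, remember it in the user's
// server-side session, and build the login URL.
function buildLoginUrl(session, { clientId, redirectUri, scope = "openid" }) {
  const state = randomBytes(32).toString("base64url");
  session.oauthState = state;
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code", // only valid value
    scope,
    state,
  }).toString();
  return url.toString();
}

// Callback: compare the returned state with the stored one before the code
// is exchanged. The stored value is consumed, so a state works only once.
function verifyState(session, returnedState) {
  const expected = session.oauthState;
  delete session.oauthState;
  if (typeof expected !== "string" || typeof returnedState !== "string") {
    return false;
  }
  const a = Buffer.from(expected);
  const b = Buffer.from(returnedState);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed demo values.
const session = {};
const loginUrl = buildLoginUrl(session, {
  clientId: "yourclientid",
  redirectUri: "https://localhost:1234/callback",
  scope: "openid onboarding",
});
const sentState = new URL(loginUrl).searchParams.get("state");
console.log(loginUrl);
console.log(verifyState({ oauthState: sentState }, "forged-value"));
console.log(verifyState(session, sentState));
```

Only when verifyState returns true should the backend send the authorization code to the token endpoint; a failed check ends the flow and the user starts again with a fresh state.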

Fetch end user info

You can now use the access token to get the user info by calling the /userinfo endpoint.

Example response

{
  "company": {
    "addresses": [
      {
        "care_of": "",
        "city": "Stockholm",
        "company_name": "TestBolaget AB",
        "country": "SE",
        "postal": true,
        "postal_code": "111 33",
        "street_address": "Testgatan 1",
        "type": "hq"
      }
    ],
    "company_id": "5555555555",
    "company_name": "Testbolaget AB",
    "company_vatid": "SE555555555501"
  },
  "country": "SE",
  "name": "Per Persson",
  "ssn": "19800101XXXX",
  "sub": "f27a2559-9e7a-41dc-a218-4796fe180943"
}