Understanding OAuth
Understanding OAuth2 for Visma API integration, including roles, tokens, scopes, grants, and necessary endpoints for secure resource access.
Authentication
Authentication to Business NXT API via Visma Connect involves multi-tenant identity providers. Requires creating an app in Visma Developer Portal.
Authentication to Business NXT API is done through Visma Connect. Visma Connect is a multi-tenant identity provider. Tenants are organizations (businesses) that provide an API-context. A given user may have access to multiple tenants and will choose which to connect to your application upon each single sign-on flow.
Tip
You’ll need to create an application in the Visma Developer Portal, available at https://oauth.developers.visma.com, before getting started.
Tip
To learn more about this process see this document https://oauth.developers.visma.com/service-registry/documentation/overview. Please explore Visma Developer Portal documentation.
Endpoints
Visma Connect endpoint details:
| Endpoint | URL |
|---|---|
| Discovery | https://connect.visma.com/.well-known/openid-configuration |
| Authorization | https://connect.visma.com/connect/authorize |
| Token | https://connect.visma.com/connect/token |
| Userinfo | https://connect.visma.com/connect/userinfo |
| Endsession | https://connect.visma.com/connect/endsession |
Visma Connect Token
Your application requests specific permission scopes and is granted an access token upon a user’s approval.
There are two scenarious that are supported by Visma Connect:
- Interactive authentication of users, that must provide their credentials in a login form. That requires the authentication flow to use the Authorization Code with PKCE grant type.
- Authentication of a service, using a client ID and a client secret. That requires the authentication flow to use the Client credentials grant type.
Once the authentication process has completed successfully, you can make API calls by providing the valid access token with each API request using the authorization header.
Visma Connect Webhooks
Rather than authenticating yourself against connect, your application will have to validate that the webhooks comes from Visma Connect. You will have to make a public endpoint that can take a POST from Visma Connect. The validation
Services
Guide for integrating services with Business NXT via GraphQL, including registration, authentication, and setup instructions on Visma Developer Portal.
Web applications
Learn how to set up web applications for integrating with Business NXT, including OAuth authorization essentials.