Developer Portal

<page>
<metadata>
<title>Developer Portal</title>
<path>/vismanetapi/setting-up-your-integration/developer-portal</path>
<kind>section</kind>
<description>Creating an account and application in Developer Portal</description>
<lastmod>2025-10-16T11:16:31+02:00</lastmod>
</metadata>
<content>
# Developer Portal

Creating an account and application in Developer Portal


## Getting Started with Visma Developer Portal

At Visma we want to create a dynamic network of Applications interacting with each other, to co-create and exchange value for the members of the ecosystem. We want to empower our ecosystem to deliver meaningful and easy to use solutions that simplifies and digitizes core business processes.

We believe we can empower people greatly through technology. But how technology empowers people depends on how it is being applied. This is where APIs come in. Our products and solutions become better when they connect to an ecosystem of great solutions.

Visma Developer Portal is an API-driven solution for professional services firms. It provides functionality for registering applications and managing integrations with Visma APIs and enabling Single Sign-On. It also allows for managing webhook subscriptions for client applications. Let’s create better technology together.

## Creating an Account

To begin using the Visma Net API, you must first create an account in the Visma Developer Portal. The steps below outline the registration process:

### Registration Steps

1. **Visit the Visma Developer Portal**
   - Navigate to the [Visma Developer Portal](https://oauth.developers.visma.com) to access the registration page.

2. **Sign Up for a Developer Account**
   - Click on the "Create Account" button to start creating a new developer account.
   - You will be prompted to enter your email address and create a password. Ensure you use a valid email address as it will be used for account verification.

3. **Verify Your Email**
   - After submitting your registration details, check your email inbox for a verification email from Visma.
   - Click the verification link provided in the email to activate your account.

4. **Complete Profile Setup**
   - Once your email is verified, log in to the Visma Developer Portal.
   - Complete the profile setup by providing additional information such as your organization name, if applicable, and other relevant details to set up your developer profile.

5. **Explore the Developer Dashboard**
   - After setting up your profile, you will have access to the developer dashboard where you can manage your applications, view API documentation, and track usage analytics.

### Additional Resources

For further guidance on getting started with Visma APIs, visit the [Visma Developer Documentation](https://oauth.developers.visma.com/service-registry/documentation/) for comprehensive instructions and support documents.</content>
</page><page>
<metadata>
<title>Service Integrations</title>
<path>/vismanetapi/setting-up-your-integration/developer-portal/service-integrations</path>
<kind>section</kind>
<description>Creating Service Integrations</description>
<lastmod>2025-10-16T11:16:31+02:00</lastmod>
</metadata>
<content>
# Service Integrations

Creating Service Integrations

## Service Integrations

A Service Integration is designed for machine-to-machine integrations where user interaction is not required. These applications strictly make API calls and utilize the `client_credentials` OAuth2 grant type to acquire access tokens from the Authorization Server. This type of application typically runs on a server or on-premise, and it is considered confidential.

## Key Characteristics

- **No End-User Authentication**: Service applications do not involve end-users in the authorization process.
- **Machine-to-Machine Use**: Ideal for backend integrations where applications communicate directly with each other.
- **Confidential**: Ensures that sensitive information, such as client secrets, remains secure on the server.

## Token Request

Service applications use the `client_credentials` OAuth2 grant type to obtain access tokens. Below is an example demonstrating how to request an access token:

```bash
curl --request POST --url https://connect.visma.com/connect/token --header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&scope=visma_api:read&client_id=demoapp&client_secret=SECRET&tenant_id=af1140c1-52e0-46c7-b684-df894d4b8a5a'
```

### Request Parameters

- **grant_type**: Must be `client_credentials`.
- **scope**: Specifies the scope of API access requested by your application.
- **client_id**: The unique identifier of the application, obtained during registration.
- **client_secret**: The confidential secret provided when registering the application.
- **tenant_id** (optional): Used to specify the tenant for API data access. Required for tenant-based APIs, such as `visma_api:read`.

Your application requires tenant administrator permission before using `tenant_id` in the token request.

## Token Response

Upon a successful request, the authorization server returns a token formatted as follows:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjVENDc...7MTOBbdd5mgb2CHzxL0RFjs24pqC1pCeUqOjbg",
  "expires_in": 3600,
  "token_type": "Bearer",
  "scope": "visma_api:read"
}
```

By following these steps, developers can effectively configure service applications to securely interact with Visma APIs.</content>
</page><page>
<metadata>
<title>Interactive Integrations</title>
<path>/vismanetapi/setting-up-your-integration/developer-portal/interactive-integrations</path>
<kind>section</kind>
<description>Creating Interactive Integrations</description>
<lastmod>2025-10-16T11:16:31+02:00</lastmod>
</metadata>
<content>
# Interactive Integrations

Creating Interactive Integrations

## Interactive Integrations

Interactive integrations use the authorization code flow for secure authentication and access to Visma APIs. This flow is adaptable to different application types, each with unique characteristics.

### Application Types

#### 1. **Single Page Applications (SPAs)**

- **Execution Environment**: Runs entirely in the browser.
- **Security Approach**: Implements PKCE to secure authorization as client secrets cannot be safely stored.
- **Limitation**: SPAs do not receive refresh tokens because they lack the capability for offline access.

#### 2. **Server-Side Web Applications**

- **Execution Environment**: Operates on a server, managing secure interactions server-side.
- **Security Approach**: Can use traditional `authorization_code` flow with client secrets; PKCE is optional but enhances security.
- **Capability**: Eligible for refresh tokens when configured with `offline_access`.

#### 3. **Native Applications**

- **Execution Environment**: Runs on devices like desktops or mobiles.
- **Security Approach**: Uses external browsers for authorization requests; relies on PKCE to protect authorization codes.
- **Capability**: Like SPAs, does not typically utilize refresh tokens.

### Authorization Code Flow Steps

The authorization code flow involves several key steps, ensuring secure token exchange:

#### Step 1: Authorization Request

For all interactive applications, initiate the authorization request by generating a `code_verifier` and a `code_challenge` (if PKCE is used).

Example Request (Common Structure):

```bash
GET https://connect.visma.com/connect/authorize?client_id=YOUR_CLIENT_ID&response_type=code&scope=openid+email+profile&redirect_uri=YOUR_REDIRECT_URI&code_challenge=YOUR_CODE_CHALLENGE&code_challenge_method=S256&state=YOUR_STATE_PARAMETER&ui_locales=YOUR_LOCALE_PREFERENCES
```

Common Parameters:

- **client_id**: Unique identifier for your application.
- **response_type**: Always `code` for authorization code flow.
- **redirect_uri**: Specifies where the response is sent; must match registration details.
- **code_challenge (PKCE)**: BASE64-URL-encoded SHA256 hash; optional for server-side apps.
- **state**: Prevents CSRF and ensures response integrity.
- **ui_locales**: Preferred languages for user interface.

#### Step 2: User Consent

(Optional) Users may be prompted to approve the application access request. This step depends on application settings and user privileges.

#### Step 3: Authentication Response

Upon user consent, Visma returns an authorization code to the specified redirect URI.

Sample Response:

```
YOUR_REDIRECT_URI?code=AUTHORIZATION_CODE&state=YOUR_STATE_PARAMETER
```

### Step 4: Exchange Authorization Code for Tokens

Use the received authorization code and the `code_verifier` (for PKCE) to request access tokens.

Example Token Request:

```bash
curl --request POST --url https://connect.visma.com/connect/token --header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=authorization_code&redirect_uri=YOUR_REDIRECT_URI&code=AUTHORIZATION_CODE&client_id=YOUR_CLIENT_ID&code_verifier=YOUR_CODE_VERIFIER&client_secret=YOUR_CLIENT_SECRET'
```

- **grant_type**: `authorization_code` for interactive applications.
- **code_verifier**: Necessary for PKCE-enabled flows.
- **client_secret**: Required for server-side apps unless PKCE is used.

### Important Notes

- **Refresh Tokens**: Only server-side web applications configured with `offline_access` can request refresh tokens to renew expired access tokens.
- **Security Best Practices**: Use https and secure state management to prevent CSRF attacks.

By effectively implementing this standardized process, developers ensure secure and efficient integration with Visma API resources, tailored to their application type.</content>
</page>