Intro

Vinmonopolet needs to ensure that all data which is subject to the duty of confidentiality is not shared with anyone else than the owner of the goods. Therefore, the data given back by some of the APIs is limited to products related to the goods owner (wholesaler). However, the goods owner can share access to its own data with business partners by using the mechanism described below.


How-to

Data access authorization management can be easily achieved through Vinmonopolet’s Supplier Portal.


Once logged into the Supplier Portal, please click on Administrasjon

Initially, the wholesaler’s primary contact person must log on and register a desired email address in order to access and maintain its own data. This main email address must be the same as the one registered in the Developer Portal in order to access the available APIs.


api@wholesaler.no has been registered as the primary email address

Once the wholesaler’s primary email address is registered, additional email addresses can be granted access to the different APIs. Once again, these email addresses must be the same as the ones registered in the Developer Portal.


api@distributor.no will be granted access to the wholesaler's data

Along with each email address, a Main Role must be selected, which will suggest specific APIs that the wholesaler can decide whether to allow access or not.


api@distributor.no has Main Role = Distribution and is granted access to read stock data for the wholesaler products

In the example above, a wholesaler grants access to a distributor so that the distributor can read stock level data for the wholesaler's products using the stock API.
The distributor's mail address (here exemplified as: api@distributor.no) has to be registered by the distributor in the Developer Portal.
A mail is sent to the mail address, asking the user to confirm its mail adress.

Subscription key

Every user that subscribes to a Product in the Developer Portal gets a Subscription key which must be sent in every API call. A Subscription key identifies each user, so that the APIs return data according to the access level which the user has been granted by the goods owner.


Either the Primary or the Secondary key can be sent in your API calls

/auth API

For those wholesalers who need to maintain authorizations for a large number of email addresses and that would like to automate the process, the /auth API can be used.

This API can only be accessed by the email address registered by the primary contact at the Supplier Portal. Once this initial pre-requisite is done (it can only be achieved via the Supplier Portal), this email address will be able grant/deny permission to business partners by using the /auth API.


Please remember that the email address specified in the Supplied Portal must be the same one as the one submitted in the Developer Portal.

We recommend using the Supplier Portal to maintain authorizations since it will provide you with a much more user-friendly experience.