.svg){kind=logo}
Intro
Vinmonopolet needs to ensure that all data which is subject to the duty of confidentiality is not shared with anyone else than the owner of the goods. Therefore, the data given back by some of the APIs is limited to products related to the goods owner (wholesaler). However, the goods owner can share access to its own data with business partners by using the mechanism described below.
How-to
Data access authorization management can be easily achieved through Vinmonopolet’s Supplier Portal. See further explanation below, or download "Fullmaktsstyring guide v2" in Norwegian.
Once logged into the Supplier Portal, please click on "Informasjonsbibliotek" in the menu and then "API - digital samhandling" in the middle of page. On next page shown above, click on the link "API for Fullmaktsstyring" on the sidebar.
Initially, the wholesaler’s primary contact person must log on and register a desired email address in order to access and maintain its own data. This main email address must be the same as the one registered in the Developer Portal in order to access the available APIs.
Example: api@wholesaler.no has been registered as the primary email address.
Once the wholesaler’s primary email address is registered, additional email addresses can be granted access to the different APIs. Once again, these email addresses must be the same as the ones registered in the Developer Portal.
Example: api@distributor.no will be granted access to the wholesaler's data.
For each email address, a Main Role must be selected. Purpose of main role is to show which roles can be selected for this type of partner. Select main role FULL_SERVICES to see all roles that can be given to each partner (mail address).
As from june 2021, a new feature is available. This new feature allows the wholesaler to determine whether a partner / mail address is related to a specific distributor, and as such should only be allowed access to data for products relevant for this distributor. Meaning that if the distributor is not distributing the product on behalf of the wholesaler, they should not have access to data for this product. This limitation to data access can be set / unset for each role, so the wholesaler must decide what product range should be available for each partner / mail address.
Example: This partner has Main Role = Full_services and is related to distributor Vectura. This partner is granted access to read price details and product details for all product ranges as well as stock data for the wholesaler products. The partner will also be allowed to send new GTIN bar codes, status updates , vintages and other product details to Vinmonopolet. However, for all roles a limitation is set so only relevant products for this distributor can be prosessed (except for stock data where stock for this wholesaler's entire product range are returned)
In the example above, a wholesaler grants access to a distributor so that the distributor can access the APIs for this wholesaler's products.
The distributor's mail address (here exemplified as: api@distributor.no) has to be registered by the distributor in the Developer Portal.
A mail is sent to the mail address, asking the user to confirm its mail adress.
Subscription key
Every user that subscribes to a Product in the Developer Portal gets a Subscription key which must be sent in every API call. A Subscription key identifies each user, so that the APIs return data according to the access level which the user has been granted by the goods owner.
Either the Primary or the Secondary key can be sent in your API calls
/auth API
For those wholesalers who need to maintain authorizations for a large number of email addresses and that would like to automate the process, the /auth API can be used.
This API can only be accessed by the email address registered by the primary contact at the Supplier Portal. Once this initial pre-requisite is done (it can only be achieved via the Supplier Portal), this email address will be able grant/deny permission to business partners by using the /auth API.
Please remember that the email address specified in the Supplier Portal must be the same one as the one submitted in the Developer Portal.
We recommend using the Supplier Portal to maintain authorizations since it will provide you with a much more user-friendly experience.
