Skip to content

API Specification Changelog

This page documents changes to the BankID Signing API specifications. It is intended to help merchants track when API contracts (required fields, validation rules, endpoint behaviour) have changed.

For service-level changes (bugfixes, performance improvements, new features), see the Release Notes: CSC | WYSIWYS | Timestamp | B2B

For planned future changes, see the Upcoming Changes: CSC | WYSIWYS | Timestamp | B2B

CSC Signing API

2026-03-12

  • Enforcement of required field hashAlgorithmOID on credentials/authorize: The gateway now validates that hashAlgorithmOID is present in the request body. This field has been marked as required in the OpenAPI specification since the initial version, but was not previously enforced at runtime. Requests without hashAlgorithmOID will now be rejected.
  • Enforcement of required field hashes on credentials/authorize: The hashes array is now validated as required with a maximum of 50 entries. Previously not enforced at runtime.
  • Validation of numSignatures on credentials/authorize: The numSignatures parameter now requires a value between 1 and 50.
  • Maximum hashes reduced from 100 to 50: The maximum number of hashes accepted per call to credentials/authorize and signatures/signHash has been reduced from 100 to 50.
  • Token single-use enforcement: Each access token from csc/v2/oauth2/token must now follow a strict endpoint order (credentials/listcredentials/authorizesignatures/signHash). Reusing a token at an endpoint it has already been used at will result in a token_already_used error (HTTP 400).

2026-01-26

  • Validation of lang parameter on /csc/v2/oauth2/authorize: The lang parameter is now validated server-side. Only supported language codes (nb, nn, en) are accepted; unsupported values are ignored and the default language is used.

2026-01-18

  • New endpoint credentials/info: Added the POST /csc/v2/credentials/info endpoint, returning detailed credential information including the certificate chain, key parameters, and authorisation settings.

WYSIWYS Signing API

2026-03-19

  • Increased maximum PDF document size: The allowed size of PDF documents in a PAdES sign order increased to 10 MB per document (Base64-encoded size).

2026-03-05

  • signerInfo field populated on DELETE: The signerInfo field in the PAdES-V1-API DELETE call now contains a JSON Web Token with signer information if requested during sign order creation.

2026-02-18

  • New field signProperties.continueButtonTargetText: Allows merchants to customise the label of the "Continue" button on the finish page.
  • New field signProperties.merchantWorkflowState: Allows WYSIWYS to differentiate between a stand-alone sign order and a merchant workflow.

B2B Signing API

2026-04-24

  • New PAdES and XAdES signing support: Added PAdES and XAdES Baseline-B and Baseline-LT signing support.

2026-01-18

  • New CSC Pkcs1 endpoints: Added CSC Pkcs1 endpoints.

Timestamp API

No specification changes recorded yet.