Upcoming Changes
Consent service deprecation
The experimental Consent service, which provides unverified user data (email, address, phone) exposed through the Userinfo endpoint, is planned to be discontinued and will likely be replaced by a new service.
This could impact your integration if you call the Userinfo endpoint and use any of the following scopes:
- address
- phone
- nnin
Profile information such as full name, birthdate and potentially NNIN (nnin_altsub) is available in the ID Token via the profile scope.
More information and documentation on migrating to alternative services will be available soon.
API Version changes from October/November 2025
In April 2025 we announced changes to the BankID OpenID Connect platform for the end of October/November 2025. The minimum API version was set to 4.
This included changes to basic requirements, such as:
- It's always required to use PKCE (Proof Key for Code Exchange) in Authorization Code flow.
- Azure B2C integrations can opt-out. Contact BankID support or your BankID partner.
- The following parameters in Authorization Code flow are now required:
  - response_type
  - state
  - nonce
- NNIN (Fødselsnummer) login_hint must be securely transmitted using PAR or encrypted request objects.
- ID and Access tokens will be signed using the ES256 signature algorithm.
- Signing keys will be rotated more regularly. Get keys from the JWKS endpoint, and see how to validate tokens.
- Information on proof of transaction is available here.
Read about all API changes here.
Test your integration
You can always override the API version in use: add the parameter api_version with the desired version to the Authorize Request. The minimum value is 4.
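
The requirements above (PKCE, response_type, state, nonce, minimum api_version 4, no NNIN login_hint in the plain query string) applied to an Authorize Request, as an added example that is not BankID's own code. The endpoint URL, client values and function names are placeholders, and the S256 challenge method from RFC 7636 is an assumption of this example.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder endpoint (assumption); use your provider's real authorize URL.
AUTHORIZE_ENDPOINT = "https://oidc.example.invalid/authorize"
REQUIRED = ("response_type", "state", "nonce", "code_challenge")


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge), S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)  # 86 chars, allowed 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_request(client_id, redirect_uri, scope="openid profile", api_version=4):
    """Return (url, session); session stays server-side, bound to the user's session."""
    verifier, challenge = pkce_pair()
    session = {
        "state": secrets.token_urlsafe(32),  # compare with state on the callback
        "nonce": secrets.token_urlsafe(32),  # compare with the ID Token nonce claim
        "code_verifier": verifier,           # sent only in the token request
    }
    params = {
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": scope,
        "state": session["state"], "nonce": session["nonce"],
        "code_challenge": challenge, "code_challenge_method": "S256",
        "api_version": str(api_version),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def check_authorize_url(url):
    """List problems against the requirements above; an empty list means OK."""
    query = parse_qs(urlsplit(url).query)
    problems = ["missing " + name for name in REQUIRED if name not in query]
    if query.get("code_challenge_method") != ["S256"]:  # S256 is this example's assumption
        problems.append("code_challenge_method is not S256")
    if "login_hint" in query:  # conservative: flags any login_hint in the URL
        problems.append("login_hint in query string; use PAR or an encrypted request object")
    version = query.get("api_version", [None])[0]  # absent: nothing to check here
    if version is not None and (not version.isdigit() or int(version) < 4):
        problems.append("api_version below minimum 4")
    return problems
```

The code_verifier is never placed in the URL; it is kept with state and nonce and sent only when the authorization code is exchanged.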