Release notes

The following tables summarizes relevant changes and information meant for relying parties and integrators of BankID on OpenID Connect.

Changelog

March 25, 2026

• Introducing Rich Authorization Details for providing transaction context (Payment info, text verification etc.) using the existing Permissions feature.
• The state parameter char limit was 4000 - now it is 5000. Still, be careful about using too big state values in URLs. JWT's can get quite big!
• The parameter error_description is now properly forwarded, when available, in OIDC callback.

January 20, 2026

• Added checks for missing or replayed nonce in Authorization Requests. Always send a unique nonce value.
• Fixed a bug with cancellation flows redirecting to callbacks with wrong query params.

October 29. 2025

• Updated scopes_supported list in OpenID Discovery configuration.
• Added back additionalCertInfo with serialnumber, certValidFrom and certValidTo in ID Token - this will be removed in a future API version.

September 17, 2025

• Fixes an issue with updated_at sometimes being represented as milliseconds, it's now always in seconds as per the spec.
• Allows clients using Azure B2C integration to opt-out of PKCE - even beyond API version 4.

August 13, 2025

• Some minor visual updates to BankID dialogs, adding display name in all dialogs.
• Adds additional values to amr claim for API version 2+. Read more here.
• Fixes issues related to DPoP integration and B2B signing.

May 28, 2025

• New visual design of BankID.

April 29, 2025

• DPoP (Demonstrating Proof of Possession) is now available for Clients in preview. DPoP is required in the upcoming B2B Signing API.

April 8, 2025

• Adds support for API Version 4 which makes several breaking changes and will be enforced for all in 28^th of October 2025. Read announcement.

January 15, 2025

• Adds new light design for the NNIN input in BankID High authorization flow. The new design also removes any custom logo. More info under Deprecations.