
How to authorize a single Client ID to access many companies?

by jhmesso



I'd like to ask whether it is possible to authorize a single Client ID to access many companies. We would like to allow a system integrator company to access our test instance of and for them it would be convenient to use their own Client ID which they already use to generate the access token to our instance. I wonder whether this is possible?


by Yıldırım

Hello Jyrki, the ERP API uses OAuth 2.0 bearer tokens (OAuth 2.0 Authorization Code Grant) to authenticate API calls. This flow generates a token on behalf of the Visma.Net Financials user.
The authenticated user's access rights (Financials Administrator / Financials User) determine in which company the generated token can be used. (The user to whom the token belongs needs to have the aforementioned roles in that company in order to access it via the API.)

Supposing that an ISV X has 2 customers and integrations running like:
1st customer: a-b-c companies
2nd customer: d-e-f companies

- When the token request is made from the same API Client ID:
Each company should have its own Visma.Net user to generate a token, and this token will cover the companies based on the roles granted to the authenticated user in Visma.Net Financials.

The token belongs to the USER and can be used on any company where the user has the "Financials User" or "Financials Administrator" role granted.

The API integrator should provide the interface for the client/user to interact with the web browser, and each user should be authorized to generate a token with their own credentials.
If there are multiple companies, you should ask the user to select/specify which company the integration is made for.
This can be a one-time set-up at the beginning; once you generate the token you can store it for that user, and it can be used on the companies the user has access to.

You can get the companies available for the used token/integration user via the Context endpoint
for mapping user/token to Financials Company: resources/v1/context

Currently, the token life cycle does not have any specific interval; it's planned to facilitate it as never expiring. Each consecutively generated token automatically invalidates the recently created one.
(Request made from the same Client ID & the same Visma.Net Financials user for all integrations/companies)

The ISV / integrator should ask their ERP customer to have a different user for each integration/company. In this way, the integrator will use the same "client_Id" for all the integrations, but the ERP customer will be using a different user for each company during the authorization. This is the recommended setup for our ISVs for obtaining a token while using the same Client ID for all the integrations. ✔️

In this way, if something goes wrong with one of the integrations (e.g. the token gets invalidated) and the ISV generates a new token, the other integrations will not be affected, so the ISV can continue to use their existing token(s).


Please let us know if you need any further clarification.

Accepted solution

by Thomas Skjørten

Hi, a ClientID is the identifier of your application/integration and by definition has no connection to a specific company.

This means that your ClientID can access any company in ERP as long as the user used in the authorization-process to get the token has access to the company.

So for your question, the system integrator company could, and absolutely should, use its own Client ID to generate the token (with a user that has access to your test instance).

Some concepts summarized:
Client: The application/integration that accesses the API.
User: An ERP user that has access to one or more companies.
Token: The "key" to access the API, the token contains information about both the Client and the user it represents.
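The two answers above describe the same access model from two angles: a token belongs to a user and works in every company where that user holds a Financials role (the accepted answer), and a new token for the same Client ID and user invalidates the previous one, which is why a separate ERP user per company is recommended (Yıldırım's answer). The following is an added example, written for this page and not Visma's code or a client of the real API: an in-memory stub of the authorization server that applies exactly those two rules, with a `context()` method standing in for the `resources/v1/context` lookup mentioned above. The company names, user names, client IDs and the "Sales" role are constructed sample values, and the (client_id, user) revocation key is an assumption drawn from the wording of the answer.

```python
"""Constructed model of the token/company access rules described in the thread.

Added example, not Visma's code. The authorization server is an in-memory
stub that applies the rules stated in the answers:
  1. a token belongs to a user and is valid in every company where that user
     holds the "Financials User" or "Financials Administrator" role;
  2. a new token issued for the same (client_id, user) pair invalidates the
     one issued before it.
All names and IDs below are constructed sample values.
"""
import secrets
from dataclasses import dataclass

REQUIRED_ROLES = {"Financials User", "Financials Administrator"}


@dataclass
class User:
    name: str
    roles: dict  # company -> set of role names granted in that company

    def companies(self):
        """Companies where the user holds at least one of the required roles."""
        return {c for c, granted in self.roles.items() if granted & REQUIRED_ROLES}


@dataclass
class Token:
    value: str
    client_id: str
    user: str


class AuthServerStub:
    """Stand-in for the OAuth 2.0 token issuer; nothing here talks to a network."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.active = {}  # (client_id, user) -> currently valid token value
        self.tokens = {}  # token value -> Token

    def issue(self, client_id, user):
        """Issue a token for (client_id, user), revoking the previous one (rule 2)."""
        if user not in self.users:
            raise ValueError(f"unknown user {user!r}")
        key = (client_id, user)
        previous = self.active.get(key)
        if previous is not None:
            del self.tokens[previous]
        tok = Token(secrets.token_urlsafe(16), client_id, user)
        self.active[key] = tok.value
        self.tokens[tok.value] = tok
        return tok

    def context(self, token_value):
        """Model of the resources/v1/context lookup: companies reachable with a token.
        Returns None for an invalidated or unknown token."""
        tok = self.tokens.get(token_value)
        if tok is None:
            return None
        return sorted(self.users[tok.user].companies())

    def can_call(self, token_value, company):
        """Authorization decision for one API call against one company (rule 1)."""
        ctx = self.context(token_value)
        return ctx is not None and company in ctx


def shared_user_setup():
    """One ERP user for all companies under one Client ID: the second token
    revokes the first, so the integration for company 'a' stops working."""
    server = AuthServerStub([
        User("shared-user", {"a": {"Financials User"}, "b": {"Financials Administrator"}}),
    ])
    tok_a = server.issue("isv-client", "shared-user")  # integration for company a
    tok_b = server.issue("isv-client", "shared-user")  # integration for company b
    return server.can_call(tok_a.value, "a"), server.can_call(tok_b.value, "b")


def per_company_user_setup():
    """Recommended setup: same Client ID, a separate ERP user per company.
    Re-authorizing one integration leaves the other untouched, and a token
    cannot reach a company where its user holds no Financials role."""
    server = AuthServerStub([
        User("user-a", {"a": {"Financials User"}}),
        User("user-b", {"b": {"Financials User"}, "c": {"Sales"}}),  # "Sales" is not an API role
    ])
    tok_a = server.issue("isv-client", "user-a")
    tok_b = server.issue("isv-client", "user-b")
    tok_b2 = server.issue("isv-client", "user-b")  # re-authorization for company b only
    return (
        server.can_call(tok_a.value, "a"),   # still valid
        server.can_call(tok_b.value, "b"),   # revoked by tok_b2
        server.can_call(tok_b2.value, "b"),  # valid
        server.can_call(tok_b2.value, "c"),  # no Financials role in c
        server.context(tok_b2.value),        # what the context lookup would list
    )


def integrator_own_client_id():
    """A different Client ID reaches a company as long as the user in the
    authorization has access to it (the accepted answer's point)."""
    server = AuthServerStub([User("test-user", {"test-company": {"Financials User"}})])
    tok = server.issue("integrator-client", "test-user")
    return server.can_call(tok.value, "test-company")


if __name__ == "__main__":
    print("shared user:", shared_user_setup())
    print("user per company:", per_company_user_setup())
    print("integrator client id:", integrator_own_client_id())
```

Running the module prints the three scenarios: the shared-user setup yields `(False, True)`, showing the first integration broken by the second token; the per-company-user setup keeps company a's token valid after company b re-authorizes and refuses company c, where the user has only a non-Financials role. A real integration should store tokens keyed by the (integration, user) pair and re-run the context lookup after every re-authorization, since that is the only way to learn which companies a stored token still covers.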