

Server to server token

Authentication is done using a bearer token. Set it in the Authorization header as follows:

Authorization: Bearer Token

You can use an API token for server to server communication, and you can issue a valet key for use by mobile/web clients.


Please do not put your API token into an untrusted client such as a mobile application!

Short-lived token

For a mobile/web application, you have two options:

  • Call our Access API (server side) to issue a valet key that the application can use to talk to Smartscan on your behalf.
  • If you have an OpenID Connect based identity provider (e.g. Visma Connect), you can reuse existing authentication.

Reusing existing authentication on mobile is beneficial both for performance and because it avoids backend work on your side. The flow used on mobile is "PKCE for OAuth 2.0" (RFC 7636). We support both access tokens and identity tokens, for ease of use and quick onboarding. Please note that this technique is not limited to Visma Connect: any OAuth / OpenID Connect provider that exposes a JSON Web Key endpoint can be used.

Contact us on support if you would like to implement this flow.

Valet Key Request

You provide a sub(ject) and get back a token. The subject is optional, but highly recommended.

The subject will later be used for tagging any data stored by Smartscan, so that you can later delete that data for GDPR compliance. You will be able to add additional tags when we store the data through the feedback endpoint.

You will get back an ID and a Token, which can be used as a bearer token. The ID is not currently used, but we plan to support revoking tokens by ID.

You can set a custom expiration date by providing a Unix timestamp in the field "exp", but it has to be less than 48 hours in the future. We only support short-lived tokens for the valet key flow. The default expiry is 8 hours.
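The server-side half of the valet key flow, as an added example (not Smartscan's own client code): the API token stays on your backend, the 48-hour limit on "exp" is enforced before the call, and only the returned valet key is handed to the mobile/web client. The base URL and the response field names ("id"/"token", casing guessed) are assumptions; "sub" and "exp" are the field names the page gives.

```python
"""Issue a Smartscan valet key from a trusted server (added example).

Assumptions not stated on the page: the base URL (placeholder below) and the
response field names "id"/"token" (both casings are accepted).
"""
import json
import time
import urllib.request

BASE_URL = "https://SMARTSCAN_HOST_PLACEHOLDER/"  # placeholder, not a real host
VALET_KEY_PATH = "v1/access/valetkey"             # endpoint named on the page
MAX_TTL_SECONDS = 48 * 3600       # page: "exp" must be less than 48 hours away
DEFAULT_TTL_SECONDS = 8 * 3600    # page: default expiry is 8 hours


def build_valet_key_request(api_token, subject, ttl_seconds=DEFAULT_TTL_SECONDS, now=None):
    """Return (headers, body) for POST v1/access/valetkey.

    The API token is only ever placed in this server-side request; the client
    receives the short-lived valet key instead. Lifetimes at or above 48 h are
    rejected locally so a misconfiguration fails loudly before hitting the API.
    """
    if not 0 < ttl_seconds < MAX_TTL_SECONDS:
        raise ValueError("valet key lifetime must be between 1 s and 48 h")
    now = int(time.time()) if now is None else int(now)
    headers = {
        "Authorization": f"Bearer {api_token}",
        "Content-Type": "application/json",
    }
    body = {"exp": now + ttl_seconds}
    if subject is not None:
        body["sub"] = subject  # tags stored data so it can be deleted later (GDPR)
    return headers, body


def parse_valet_key_response(raw_json):
    """Extract (id, token) from the response body; field names are assumed."""
    data = json.loads(raw_json)
    key_id = data.get("id", data.get("ID"))
    token = data.get("token", data.get("Token"))
    if not token:
        raise ValueError("response carries no valet key token")
    return key_id, token


def issue_valet_key(api_token, subject, ttl_seconds=DEFAULT_TTL_SECONDS):
    """Perform the HTTP call (needs network; not exercised offline)."""
    headers, body = build_valet_key_request(api_token, subject, ttl_seconds)
    req = urllib.request.Request(BASE_URL + VALET_KEY_PATH, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_valet_key_response(resp.read().decode())
```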

POST v1/access/valetkey

Authorization - Bearer Token

Token: demo

Body - raw (json)