
Testing Guide

This document provides a comprehensive guide on various Klarna payment products, including APIs for Klarna Payments, Checkout, Hosted Payment Page, Instant Shopping, Shipping, and more. It outlines the necessary steps for merchants to sign up for test credentials, authenticate APIs, and utilize different services effectively. Additionally, it includes information on Open Banking solutions and Sofort payment methods, along with links to relevant documentation and endpoints.

Uploaded by

Hssain Aitkadir

Testing Guide
Payment products

Notes:

1. To interact with our payment products, you need to sign up for test
credentials in our playground environment, the Merchant Portal. Please
check this link for further instructions.
2. To authenticate to our APIs, you need to follow this guide.
3. We will use the term "baseURL" in the links below. Please refer to this
documentation page to determine the base URL of the corresponding
region.

KP (Klarna Payments)
This product allows you to add Klarna's payment methods (e.g. Pay
Later, Slice It, etc.) to your site checkout.

API definition: [Link]


Endpoint: baseURL + /payments/v1
JS library: [Link]

KCO (Klarna Checkout)


The checkout API is used to create a checkout with Klarna and update the
checkout order during the purchase.

API definition: [Link]


Endpoint: baseURL + /checkout/v3
JS library: [Link]

HPP (Hosted Payment Page)


The HPP API is a service that lets you integrate Klarna Payments (KP) without
needing to host the web page that manages the client side of Klarna Payments
(KP).

API definition: [Link]

Endpoint: baseURL + /hpp/v1/sessions

Instant Shopping
The Instant Shopping API serves two purposes:

1. To manage the orders as they result from the Instant Shopping purchase
flow;
2. To generate Instant Shopping Button keys necessary for setting up the
Instant Shopping flow both onsite and offsite.

Some Instant Shopping functions are also configurable through the Merchant
Portal itself.

API definition: [Link]


Endpoint: baseURL + /instantshopping/v1
JS library: [Link]

Shipping
Shipping consists of a callback API; no endpoints are exposed from Klarna. The
Klarna Shipping Service Callback API enables the communication between the
Klarna Shipping Service and the Integrator. Refer to the API documentation for
more detailed descriptions of the service.

API definition:
[Link]

You can use this tool in order to trigger callbacks: Klarna Shipping Service
Integrator Test Tool

OSM (On-Site Messaging)


An advertisement component that is integrated via JavaScript.

Consumers are not always aware of the different credit and financing options
available to them before they reach the checkout. This component allows
merchants to advertise Klarna payment and financing options directly on their
site.

API definition: [Link]

JS Library: [Link]

Settlements API
The Settlements API helps you with the reconciliation of payments made by
Klarna to your bank account.

API definition: [Link]


Endpoint: baseURL + /settlements/v1

Order Management API


The Order Management API is used for handling an order after the customer has
completed the purchase. It is used for all actions you need to manage your
orders, for example updating, capturing, reading, and refunding an order.

API definition: [Link]


Endpoint: baseURL + /ordermanagement/v1/orders

The user must be a "merchant" to be able to test the API and portal. The
"playground" environment is preferred for testing.

Merchant Card Service API


The Merchant Card Service API provides virtual credit cards to merchants, with
which they can settle orders towards their customers.

API definition: [Link]


Endpoint: baseURL + /merchantcard/v3/settlements

To use this API, a test merchant has to be created in the product catalog. In
addition, we have to configure the merchant to be able to use VCN. This second
step is a manual one and cannot be done by anyone outside of Klarna. Feel free
to contact us for assistance with these additional steps. The "playground"
environment (EU) is preferred for testing.

Open Banking

The Open Banking solution allows merchants to access the consumer’s account
information data or initiate payments. It provides a way to handle all required
consumer interaction, e.g. the selection of the bank or the authorization of a
payment.

Partner Portal
The Partner Portal is a service for customer care and client management
purposes. Merchants and Klarna employees can access it to view sessions
that run through the open banking system and to configure clients and their
products. It has its own user account management for the merchants.

Scope (EU playground)


[Link]

Credentials
You can create your account in the Open Banking portal above.
From your account, you can generate access tokens that are used to consume
the APIs below.

Restrictions
Don't try to access other clients' or users' data. If you believe you may be
able to access another account’s data, create multiple accounts of your own.

Known vulnerabilities
None.

Please note that if you change a user's permissions, that user has to either
wait until their token expires and is renewed, change their client (if applicable)
in the top-left menu, or log out and log back in.

Open Banking API

The core product provides a single Open Banking API (called XS2A, access to the
account) to retrieve bank account data (AIS, account information service) and
facilitate bank transfers (PIS, payment initiation service) across more than
5000 banks in the EU.

Scope
[Link]
[Link]
[Link]

Documentation
Introduction · Open banking. by Klarna Documentation

Credentials
Tokens can be generated from the Partner Portal using your own account.

Restrictions
- Only use the playground environment in which we provide a test bank that
does not communicate with any real banks.
- Only use the bank codes from the documentation or banks shown by the
bank search-UI.
- The bank codes 44444444, 55555555, 66666666, 77777777 should not be
used in DE.

Known Vulnerabilities
None.

Account Insights API


Account Insights connects via Klarna Open Banking to a consumer's or business's
bank account, retrieves the transaction history, categorizes the data (groceries,
insurances, monthly obligations, salary, etc.), and provides insights based on the
data as JSON reports.

Scope (EU playground)


[Link]
[Link]

Documentation
Insights · Open banking. by Klarna Documentation

Credentials
Tokens can be generated from the Partner Portal using your own account.

Restrictions
Only use the playground environment in which we provide a test bank that does
not communicate with any real banks.

Quick start guide on testing the whole Open Banking scope


After signing up to the Open Banking portal, it might not be obvious what it is
used for and how to populate data in the “Sessions” part of the dashboard (and
therefore how to test the product as a whole). These steps will help you get
started:

1. Create an account and generate an Access Token for your account.
2. Go to Quick Start AIS · Open banking. by Klarna Documentation.
3. Follow the quick start guide’s steps. The JWT used in step 3 is NOT your
access token but is the client_token you obtain from step 2.
4. When you finish the quick start guide, you can head over to the
dashboard’s “Sessions” tab and you'll find the session and flow you just
made using the API.
5. You have now interacted with the API, the dashboard, and the SDK. All of
these are in scope, and more. Explore the documentation, find exotic
bugs, and have fun :).

Sofort

Sofort is a real-time bank transfer payment method that shoppers based in
Austria, Belgium, Germany and Switzerland can use to transfer funds directly to
merchants from their bank accounts.

Scope
[Link] (API endpoint to initiate payments)
[Link] (login to merchant portal, but also the payment
forms)
There are many other domains like [Link], [Link],
[Link], [Link] but all should forward to
[Link], so this is the only important one.

Documentation
Documentation Direct Bank Transfer - Merchant area
Direct Bank Transfer - API Documentation

Initiating a payment
Sofort uses two types of projects: Gateway and Classic. Gateway projects use the
API, and Classic projects use URL parameters under the merchant portal’s URL,
e.g.
[Link]
&amount=5&reason_1=bug-bounty

Please refer to the documentation linked above for more information.

Credentials

User ID    Password
205340     !b/w8Kp5QbQr
205352     i.#VCdq5mEMt

These accounts are marked as developer accounts and are not able to do live
transactions, only our demo bank is available.

Restrictions
If you decide to use the ‘login alias’ feature, please do not forget to remove the
alias once you are done. If you don’t, you block all other security
researchers from accessing the account.
Do not change the password.

Known vulnerabilities
Users’ passwords are stored using MD5. This should be fixed during 2021.
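
The following is an added example, not code from this guide or from Sofort/Klarna: one common way to retire MD5 password storage by wrapping each stored MD5 value in scrypt immediately and re-hashing directly from the password at the next successful login. It assumes the legacy records are unsalted hex MD5 (the guide does not say); the record format, function names and scrypt parameters are hypothetical.

```python
import hashlib
import hmac
import os

# Assumed cost parameters for this example; tune them for production hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)

def legacy_md5(password: str) -> str:
    """Legacy format assumed here: unsalted hex MD5 of the UTF-8 password."""
    return hashlib.md5(password.encode()).hexdigest()

def _scrypt_record(scheme: str, secret: bytes) -> str:
    salt = os.urandom(16)  # fresh per-record salt
    dk = hashlib.scrypt(secret, salt=salt, **SCRYPT)
    return f"{scheme}${salt.hex()}${dk.hex()}"

def wrap_legacy(md5_hex: str) -> str:
    """Offline upgrade: scrypt over the stored MD5 hex, no plaintext needed."""
    return _scrypt_record("scrypt-md5", md5_hex.encode())

def hash_new(password: str) -> str:
    """Target format: scrypt directly over the password."""
    return _scrypt_record("scrypt", password.encode())

def verify(password: str, stored: str) -> tuple[bool, str]:
    """Return (ok, record_to_store); wrapped records are re-hashed on success."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] not in ("scrypt", "scrypt-md5"):
        return False, stored  # bare MD5 or unknown records are never accepted
    scheme, salt_hex, dk_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False, stored
    secret = legacy_md5(password) if scheme == "scrypt-md5" else password
    dk = hashlib.scrypt(secret.encode(), salt=salt, **SCRYPT)
    if not hmac.compare_digest(dk, expected):  # constant-time comparison
        return False, stored
    return True, hash_new(password) if scheme == "scrypt-md5" else stored

if __name__ == "__main__":
    record = wrap_legacy(legacy_md5("constructed-sample-pw"))  # constructed input
    print(verify("constructed-sample-pw", record))
```

Running `wrap_legacy` over every existing row removes the bare MD5 values from the database at once; the `scrypt-md5` records then disappear gradually as users log in.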
