Maskinporten reference
Claims
See the Access Token reference in Maskinporten for a list of all claims.
Runtime Variables & Credentials
Your application will automatically be injected with environment variables at runtime.
Variables for acquiring tokens
These variables are used to consume an external API.
| Name | Description |
|---|---|
| MASKINPORTEN_CLIENT_ID | Client ID that uniquely identifies the client in Maskinporten. |
| MASKINPORTEN_CLIENT_JWK | Private JWK (RSA) for the client. |
| MASKINPORTEN_WELL_KNOWN_URL | The well-known URL for the metadata discovery document. |
| MASKINPORTEN_ISSUER | `issuer` from the metadata discovery document. |
| MASKINPORTEN_TOKEN_ENDPOINT | `token_endpoint` from the metadata discovery document. |
Variables for validating tokens
These variables are used to secure your API.
| Name | Description |
|---|---|
| MASKINPORTEN_WELL_KNOWN_URL | The well-known URL for the metadata discovery document. |
| MASKINPORTEN_ISSUER | `issuer` from the metadata discovery document. |
| MASKINPORTEN_JWKS_URI | `jwks_uri` from the metadata discovery document. |
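The two tables above describe the same flow from both sides: a client signs a JWT grant with the private key from MASKINPORTEN_CLIENT_JWK and posts it to MASKINPORTEN_TOKEN_ENDPOINT, and an API verifies the resulting access token against MASKINPORTEN_ISSUER and the keys published at MASKINPORTEN_JWKS_URI. The Go code below is an added example written for this page; it is not NAIS or Maskinporten code. It assumes the caller has already loaded the RSA private key from MASKINPORTEN_CLIENT_JWK and fetched the JWKS document over HTTP (both steps are left out), the `kid`, two-minute assertion lifetime and scope strings are constructed values, and the token endpoint itself is not contacted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// JWTBearerGrant is the grant type Maskinporten expects when a client trades a signed JWT for an access token.
const JWTBearerGrant = "urn:ietf:params:oauth:grant-type:jwt-bearer"

var enc = base64.RawURLEncoding

// SignRS256 serialises header and claims as a compact JWS signed with RS256.
func SignRS256(header, claims map[string]any, key *rsa.PrivateKey) (string, error) {
	h, _ := json.Marshal(header) // maps of JSON scalars cannot fail to marshal
	c, _ := json.Marshal(claims)
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// ClientAssertion builds the JWT grant sent to MASKINPORTEN_TOKEN_ENDPOINT: iss is MASKINPORTEN_CLIENT_ID,
// aud is MASKINPORTEN_ISSUER, kid names the key in MASKINPORTEN_CLIENT_JWK. It lives two minutes (assumed).
func ClientAssertion(clientID, issuer, kid, scope string, key *rsa.PrivateKey, now time.Time) (string, error) {
	jti := make([]byte, 16) // fresh per request so the server can reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims := map[string]any{"iss": clientID, "aud": issuer, "scope": scope, "jti": fmt.Sprintf("%x", jti),
		"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix()}
	return SignRS256(map[string]any{"alg": "RS256", "kid": kid}, claims, key)
}

// TokenRequestBody is the form body POSTed to MASKINPORTEN_TOKEN_ENDPOINT.
func TokenRequestBody(assertion string) string {
	return url.Values{"grant_type": {JWTBearerGrant}, "assertion": {assertion}}.Encode()
}

// PublicKeyFromJWK decodes the "n" and "e" members of one entry in the JWKS served at
// MASKINPORTEN_JWKS_URI; callers map each entry's "kid" to the resulting key.
func PublicKeyFromJWK(n, e string) (*rsa.PublicKey, error) {
	nb, err1 := enc.DecodeString(n)
	eb, err2 := enc.DecodeString(e)
	if err1 != nil || err2 != nil {
		return nil, errors.New("invalid JWK encoding")
	}
	return &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}, nil
}

// VerifyAccessToken validates an inbound token on the API side: alg must be RS256 (never let the
// token pick the algorithm), kid must map to a JWKS key, the signature must verify, iss must equal
// MASKINPORTEN_ISSUER, exp must be in the future and the scope claim must grant wantScope.
func VerifyAccessToken(token, expectedIssuer, wantScope string, keys map[string]*rsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err1 := enc.DecodeString(parts[0])
	cb, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	var header struct{ Alg, Kid string }
	var claims map[string]any // parsed now, but nothing in it is trusted before the signature check
	if err1 != nil || err2 != nil || err3 != nil || json.Unmarshal(hb, &header) != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, errors.New("malformed token")
	}
	key, ok := keys[header.Kid]
	if header.Alg != "RS256" || !ok {
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q", header.Alg, header.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	if claims["iss"] != expectedIssuer {
		return nil, errors.New("issuer mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	scopes, _ := claims["scope"].(string) // space-separated list; match whole entries only
	if !strings.Contains(" "+scopes+" ", " "+wantScope+" ") {
		return nil, errors.New("required scope not granted")
	}
	return claims, nil
}
```

The order of checks in `VerifyAccessToken` is deliberate: the algorithm is pinned and the key is looked up by `kid` before any signature work, the signature is verified before `iss`, `exp` or `scope` are consulted, and the scope comparison is padded with spaces so that `afp.read` does not match `nav:helse/sykepenger/afp.read`. An API that skips the issuer check would accept tokens from any Maskinporten environment whose keys it happens to trust, which is why MASKINPORTEN_ISSUER is injected alongside MASKINPORTEN_JWKS_URI.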
Scope Naming
A Maskinporten scope consists of a prefix and a subscope:
Prefix
The prefix is set to `nav` for all scopes.
Subscope
A subscope should describe the resource to be exposed as accurately as possible. It consists of three parts: product, separator and name.
- product: The product is a logical grouping of resources, such as `arbeid`, `helse`, or `pensjon`.
- separator: The separator should be set to `/`.
- name: The name describes the resource itself. It may contain multiple parts separated by `/`. The name may also contain a suffix to separate between access levels; for instance, you could separate between `write` access and `read` access (the example below uses the name `sykepenger/afp.read`).
Example
For the following scope definition:

```yaml
spec:
  maskinporten:
    enabled: true
    scopes:
      exposes:
        # nav:helse/sykepenger/afp.read
        - enabled: true
          product: "helse"
          separator: "/"
          name: "sykepenger/afp.read"
```

the subscope is then `helse/sykepenger/afp.read` (product, separator, name), which results in the fully qualified scope `nav:helse/sykepenger/afp.read` (prefix, `:`, subscope), as noted in the comment above.
Spec
See the NAIS application reference.