Recommendations for testing our APIs

For API-testing, download Postman or Telerik Fiddler where you can easily set the HTTP headers and parameters.

We also have a browser-based API tester available at . This tool allows you to see our browser-based logins in action, when run in an iframe as well as on the same page.

For Postman testing contact us for Postman Collections and Environments to get a quick start.

In Fiddler’s Composer tab, you can go to the Compose-Raw tab and paste the text below and tap the Execute button (or use the Scratchpad tab where your text is automatically saved)

User-Agent: Fiddler
Content-Length: 27
Content-Type: application/x-www-form-urlencoded
Authorization: Your access token


Exchange the above Authorization token with your merchant-token received upon registration. Also note that you during testing should remove the target link from the above call.

After having marked the command text and clicked Execute you will see the network traffic on the left side in Fiddler. When the new call at the bottom of the list is finished it will show Result = 200. Then you can double-click that line to see the HTTP response details on the right side, default format is JSON. Select instead to see in Raw format so that the REDIRECT_URL becomes clickable. Click on the REDIRECT_URL, which will start the authentication workflow in a new browser tab. During production it will is probably look best to run this workflow in an HTML IFRAME in the browser.

What is shown in the browser during login is ZignSec’s standard form templates, for example the spinning wait wheel and the text “Start your BankID app”, the company name “ZignSec” name and the ZignSec logo at the top of the page. But all this appearance can, in production, be adapted to your corporate standard.

Observe that the above Swedish code example uses the API-URL which is BankID’s test environment with fake BankID certificates. This means that you must also install a test version of Swedish BankID app (either for file or for mobile), to be able to complete the authentication process.

Webhook testing

To test that your merchant’s callback end-point is reachable from ZignSec servers (not blocked by firewall) issue a GET like below example.

This webhook/test GET needs to include the access token as other APIs do.

The response json will include the http status code for the call, and how many milliseconds the call took.