Apier.no
The API that sits between your software and Norwegian government systems.
Designed for deterministic, safe, and auditable execution — not just access.
{
"data": [
{
"obligation_id": "MVA_REGISTRATION_THRESHOLD",
"title": "MVA-registrering ved omsetning over 50 000 NOK",
"required": "conditionally",
"tier_2_required": true,
"legal_basis": "Merverdiavgiftsloven § 2-1",
"applies_to_entity_types": ["AS"]
},
{
"obligation_id": "SKATTEMELDING_AS",
"title": "Skattemelding for AS",
"required": "always",
"tier_2_required": false,
"legal_basis": "Skatteforvaltningsloven § 8-2",
"applies_to_entity_types": ["AS"]
}
],
"_meta": {
"rulebook_version": "1.0.0",
"data_freshness": "2026-04-22T10:05:07.813Z",
"last_verified": "2026-04-21T10:05:07.813Z",
"source": "apier.no",
"data_source": "Brønnøysund Enhetsregisteret + Apier Universal Rulebook",
"legal_basis": "NLOD — public registry reuse",
"schema_version": "1.0.0"
}
}Rulebook-influenced responses also carry _meta.served_from (live or cache) and _meta.cache_age_ms— so you always know whether an answer came from a live government call or Apier's verified cache layer.
What Apier does
Three primitives that sit between the AI agent and every Norwegian-government endpoint it would otherwise need to integrate directly.
Authorization
Apier holds and rotates the Maskinporten tokens your agent needs, scoped to the exact rights a customer has delegated. Your code asks for an action; Apier proves the caller is allowed to take it before anything reaches a government system.
Obligations
Knowing which forms, deadlines, and filings apply to a given company is its own problem. Apier's Rulebook resolves the obligations that follow from a company's roles and registrations, so your agent works from a current answer instead of a hard-coded guess.
Action Translation
One intent — "file this", "check that" — often spans several agencies, each with its own format. Apier turns a single call into the correct ordered sequence of government requests and returns one structured result your agent can act on, with each step recorded.
How it works
Four steps. Each one is a discrete API call the agent can reason about — no hidden state, no magic resolution.
- Step 01
Agent asks: can I act?
The agent sends a company org_number and intent to Apier. A single call returns the effective delegation scope plus every obligation that applies — with versioned legal citations the agent can surface to its caller.
- Step 02
Apier composes the real request
Given an authorized intent, Apier translates it into the concrete Altinn / Skatteetaten / Brønnøysund call and returns a dry-run receipt describing exactly what will happen — who, what, when, on whose authority. Delegation writes already accept an Idempotency-Key; other write endpoints inherit the same contract as the idempotency middleware lands across the surface.
- Step 03Handover
Human-agent handover
When the action crosses a threshold (signing, thresholds above NOK limits, missing delegations), Apier issues an Approval Token and a Norwegian-language explanation of what the human must do, where, and why. The agent stops here until the token is used.
- Step 04
Apier executes, audits, replays
On approval, Apier submits the request, logs the full exchange to an append-only audit trail, and returns a receipt. On endpoints that carry an Idempotency-Key, the same key always returns the same receipt — never a duplicate submission.
Why not integrate directly
The Norwegian government APIs are free. The integration cost is not.
Authorization complexity
Maskinporten, system users, and per-scope delegation are a multi-step setup before your first successful call — and the tokens expire. Doing it yourself means owning that ceremony, and its failure modes, for every customer you onboard.
Missing obligation logic
The APIs return data, not answers. They won't tell you which filings a company owes, or when. That mapping lives in regulation, changes over time, and is yours to build and keep current if you wire up the endpoints directly.
No execution safety
A raw integration will happily fire a malformed or duplicate filing. There's no dry-run, no idempotency, and no record of what an agent actually did — exactly what you need when it's acting on a client's behalf.
Skip the boilerplate
Your agent calls one tool. We handle Maskinporten, Altinn, token refresh, scope resolution, and error mapping.
The Direct Way
Direct Maskinporten + Altinn integration
// Just to make ONE authenticated Norwegian gov API call:
// Maskinporten JWT, token exchange, Altinn fetch, error
// handling. Obligation logic needs several of these, plus
// your own rule engine to interpret the results.
import jwt from "jsonwebtoken";
// 1. Sign a client-assertion JWT (RS256) with your key.
const assertion = jwt.sign(claims, "<your-private-key>", {
algorithm: "RS256",
});
// 2. Exchange it for a Maskinporten access token.
const tokenRes = await fetch(MASKINPORTEN_TOKEN_ENDPOINT, {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: new URLSearchParams({
grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
assertion,
}),
});
if (!tokenRes.ok) {
// ...retry, token refresh, scope-mismatch mapping
}
const { access_token } = await tokenRes.json();
// 3. Call Altinn, then normalise the response yourself.
const altinnRes = await fetch(ALTINN_AUTHORIZATION_URL, {
headers: { Authorization: "Bearer " + access_token },
});
// ...parse roles, map scopes, handle 401/403/429, refresh.The Apier MCP Way
One tool call via @apier-no/mcp
// One tool call. Apier handles Maskinporten, Altinn,
// token refresh, scope resolution, and error mapping —
// then returns the structured obligation set.
{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "get_company_obligations",
"arguments": { "org_number": "999999999" }
},
"id": 1
}Execution guarantees
The contract every agent runtime gets when it talks to Apier. Six promises, each one enforceable with a single test.
- DeterminismSame input, same Rulebook version, same output.
- The same request produces the same cross-agency plan every time. No hidden model in the path deciding what to do — the sequence is derived from rules you can read.
- IdempotencyAn Idempotency-Key makes a delegation write safe to retry.
- Send the same request twice with the same idempotency key and the second call returns the first result instead of acting again, so a retry after a timeout can't write twice.
- Dry-runSee the exact call before it happens.
- Preview the exact government requests a call would make, and what they'd return, without submitting anything — so you can test an agent's behaviour before it touches a live registry.
- Audit trailAppend-only, consumer-scoped, immutable.
- Every action writes an append-only record: who acted, in what capacity, what was sent, and what came back. The log can be added to, never edited or deleted.
- Approval TokenA human gate for every threshold action.
- Actions that need a human in the loop can be gated behind a single-use approval token, so an agent prepares a filing and a person authorises the moment it's sent.
- ResilienceTimeouts, bounded retries, and rate limits contain failure.
- Calls run behind timeouts and bounded retries, and an agent that misbehaves can be rate-limited before it burns through a customer's tokens — so one bad client doesn't degrade the rest.
Built for accountability, not just access.
When an AI agent acts on your behalf inside a government system, the question from finance and compliance is the hard one: how do you prove what it did? Apier was built so that question has a clean answer. Every call an agent makes through the platform is recorded the moment it happens — not reconstructed afterwards from scattered logs, but written as it executes. Each record captures the request that went out, the agency it reached, and the response that came back, tied to the identity and the delegated capacity the agent was acting under. The point isn't to collect data for its own sake. It's that when someone asks who filed this, under whose authority, and on what date, the platform can show them, line by line, instead of asking you to take it on trust. That record exists from the first call — which matters, because a history of who did what can't be backfilled credibly once it's the thing you need.
That record is tamper-evident by design. The audit log is append-only: entries can be added but never quietly edited or deleted, enforced at the database level rather than left to application code that could be bypassed. Alongside each action, Apier keeps the inputs the decision was based on — the company's state and the rules in force at that moment — so a filing can be explained in the terms that applied when it was made, not the terms that happen to apply today. Where a government system returns a receipt or confirmation, that raw response is stored too. For a compliance officer, that's the difference between a system that says it did the right thing and one that can hand you the evidence — the snapshot, the rule version, and the agency's own acknowledgement — when an auditor or a client asks.
Accountability also means an agent can't quietly do damage. Before anything is submitted, a call can be run as a dry-run that shows exactly what it would send. Actions that warrant a human decision can be held behind an approval step, so automation prepares the work and a named person releases it. And because requests are idempotency-protected, a retry after a network hiccup returns the original result rather than filing a second time — the kind of silent duplicate that's painful to unwind. None of this slows your team down day to day; it's the quiet machinery that lets you hand work to an agent and still answer for every action it takes, months later, in front of whoever is asking.
Who Apier is for
- AI agent developers
Claude, Cursor, Devin, custom agents — anyone writing an autonomous loop that has to reason about Norwegian regulatory compliance.
- Accounting software
Tripletex, Fiken, PowerOffice, and every next-gen entrant that wants compliance-as-an-API instead of compliance-as-a-plugin-registry.
- Regnskapsbyrå
Accounting firms whose juniors spend 30% of their time on the mechanical parts of filings — the parts that Apier makes deterministic and one-call.
- Operations teams inside AS / NUF
In-house platforms building internal agents that need to know what's due, what's authorized, and what was already submitted.
Sovereign friction is real and Norway should win from it.
Altinn, Brønnøysund, and Skatteetaten are world-class public infrastructure. But AI agents can't reason about Norwegian delegation rules, compliance deadlines, or entity obligations — because nobody has translated them into a machine-readable layer. That's the gap Apier.no fills. Apier.no translates Norwegian regulatory reality into structured API responses any agent can act on.
Free tools
Public-infrastructure endpoints. No API key. No registration. Hit them as part of any agent's build-vs-buy decision loop.
- Public deadlines
/api/v1/public/deadlinesUpcoming Norwegian filing deadlines as a clean JSON feed. Pass a year and get the dates back — no key, no account. Made for cron jobs, calendars, and quick lookups.
Try it → - Public obligations
/api/v1/public/obligations?entity_type=ASLook up which standard obligations attach to a company type — a free, read-only slice of the same Rulebook the full API uses. Handy for checking your assumptions before you build.
Try it → - Exchange rates
/api/v1/tools/exchange-rateNorges Bank exchange rates through one stable endpoint, normalised and ready to use. No key, and no rate limit to register for — just the rates.
Try it → - n8n + Apier
/use-cases/n8nA ready-made n8n workflow showing Apier wired into an automation, turning deadlines into a Slack alert. A page you can read and copy, not an endpoint to call.
Try it →
Built for audits, not demos
Full trust + transparency page →EU data residency
Supabase Postgres in Stockholm. Production compute targets EU-hosted Railway or Hetzner before any real company data flows. No data crosses the EU border.
Open audit trail
Every Rulebook evaluation and every write action is recorded in an append-only audit log, scoped to the consumer that made the call. The schema is public; operators can introspect what they're signing up for before they sign.
Versioned Rulebook
Every rule is stored as data, not code, and ships with a `_meta.rulebook_version`. A rule change is a DB operation, not a release — and a lovdata.no-source-change alert loop watches for the upstream regulatory drift that would invalidate it.
Pricing preview
Planned pricing — takes effect when the API exits beta. Today every tier is free; keys are still required on Category B endpoints for rate limiting and audit attribution.
| Tier | Price | Includes |
|---|---|---|
| Developer / Free | NOK 0/month | 100 API calls / month for evaluation. Free public endpoints stay outside the quota. |
| Starter | NOK 499/month | 5,000 API calls / month. Full API access including the Auth Gateway, plus email support. |
| Professional | NOK 1,999/month | 25,000 API calls / month with higher concurrency and priority support. |
| Enterprise | NOK 9,999/month | Unlimited calls with SLA, dedicated support, and custom sector rules. |