Login.gov

Login.gov OpenID Connect API

The Login.gov OIDC integration surface used by relying parties. Conforms to the iGov OpenID Connect Profile. Supports authorization code flow with private_key_jwt (web apps) or PKCE (native apps); implicit flow is not supported. Exposes discovery, JWKS, authorize, token, userinfo, and RP-initiated logout endpoints in both sandbox (idp.int.identitysandbox.gov) and production (secure.login.gov).

Login.gov OpenID Connect API is one of 2 APIs that Login.gov publishes on the APIs.io network, described by a machine-readable OpenAPI specification.

This API exposes 1 machine-runnable capability that can be deployed as REST, MCP, or Agent Skill surfaces via Naftiko and 2 JSON Schema definitions.

Tagged areas include OIDC, OpenID Connect, Authentication, SSO, and Federal. The published artifact set on APIs.io includes API documentation, an OpenAPI specification, a JSON-LD context, 1 Naftiko capability spec, and 2 JSON Schemas.

GitHub OpenAPI

Documentation

📖
Documentation
https://developers.login.gov/oidc/
📖
Documentation
https://developers.login.gov/oidc/getting-started/
📖
Documentation
https://developers.login.gov/oidc/authorization/
📖
Documentation
https://developers.login.gov/oidc/token/
📖
Documentation
https://developers.login.gov/oidc/user-info/
📖
Documentation
https://developers.login.gov/oidc/logout/
📖
Documentation
https://developers.login.gov/oidc/certificates/

Specifications

OpenAPI
https://raw.githubusercontent.com/api-evangelist/login-gov/refs/heads/main/openapi/login-gov-oidc-openapi.yml

Schemas & Data

📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/login-gov/refs/heads/main/json-schema/login-gov-userinfo-schema.json
📊
JSONSchema
https://raw.githubusercontent.com/api-evangelist/login-gov/refs/heads/main/json-schema/login-gov-id-token-schema.json

Other Resources

🔗
SignUp
https://portal.int.identitysandbox.gov
🔗
JSONLD
https://raw.githubusercontent.com/api-evangelist/login-gov/refs/heads/main/json-ld/login-gov-context.jsonld
🔗
NaftikoCapability
https://raw.githubusercontent.com/api-evangelist/login-gov/refs/heads/main/capabilities/oidc-authentication.yaml
🔗
SpectralRuleset
https://raw.githubusercontent.com/api-evangelist/login-gov/refs/heads/main/rules/login-gov-rules.yml

OpenAPI Specification

login-gov-oidc-openapi.yml Raw ↑ 
openapi: 3.1.0
info:
  title: Login.gov OpenID Connect API
  version: '2026-01'
  description: |
    Login.gov is the U.S. federal government's secure single sign-on service for public-facing
    government applications, operated by the General Services Administration's Technology
    Transformation Services. This OpenAPI describes the OpenID Connect (OIDC) integration
    surface used by relying parties (service providers) to authenticate users at IAL1 (auth
    only) and IAL2 (identity-verified) assurance levels.

    Login.gov conforms to the iGov OpenID Connect Profile. Implicit flow is not supported.
    Client authentication uses private_key_jwt (preferred for web apps) or PKCE
    (preferred for native mobile apps).
  contact:
    name: Login.gov Partner Support
    url: https://developers.login.gov
    email: [email protected]
  license:
    name: Public Domain (U.S. Government Work)
    url: https://www.usa.gov/government-works
servers:
- url: https://idp.int.identitysandbox.gov
  description: Sandbox (integration) environment
- url: https://secure.login.gov
  description: Production environment
tags:
- name: Discovery
  description: OIDC discovery and public key endpoints.
- name: Authorization
  description: OAuth 2.0 authorization endpoint where the user authenticates.
- name: Token
  description: Token exchange using private_key_jwt or PKCE.
- name: UserInfo
  description: User attribute retrieval with a bearer access token.
- name: Logout
  description: RP-initiated logout and session termination.
paths:
  /.well-known/openid-configuration:
    get:
      tags:
      - Discovery
      summary: Get OIDC Discovery Document
      operationId: getOpenidConfiguration
      description: Returns the OpenID Connect discovery document listing supported endpoints, scopes, response types, claims, and acr_values.
      responses:
        '200':
          description: Discovery metadata.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DiscoveryDocument'
  /api/openid_connect/certs:
    get:
      tags:
      - Discovery
      summary: Get JWKS Signing Keys
      operationId: getJwks
      description: Returns Login.gov's public signing key(s) in JWK Set format. Keys are rotated at least annually; clients should fetch dynamically rather than hard-coding.
      responses:
        '200':
          description: JSON Web Key Set.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwkSet'
  /openid_connect/authorize:
    get:
      tags:
      - Authorization
      summary: Start Authorization Flow
      operationId: authorize
      description: |
        Begins the OIDC authorization code flow. The user is redirected to Login.gov, authenticates,
        consents to the requested scopes, and is redirected back to `redirect_uri` with an
        authorization `code` and the original `state` value.
      parameters:
      - name: client_id
        in: query
        required: true
        description: Registered relying party identifier.
        schema:
          type: string
      - name: response_type
        in: query
        required: true
        description: Must be `code`. Implicit flow is not supported.
        schema:
          type: string
          enum:
          - code
      - name: scope
        in: query
        required: true
        description: Space-separated list of requested scopes. Must include `openid`.
        schema:
          type: string
          example: openid email profile
      - name: redirect_uri
        in: query
        required: true
        description: Pre-registered redirect URI. Must match exactly.
        schema:
          type: string
          format: uri
      - name: nonce
        in: query
        required: true
        description: Random string (minimum 22 characters) bound to the id_token to prevent replay.
        schema:
          type: string
          minLength: 22
      - name: state
        in: query
        required: true
        description: Opaque value (minimum 22 characters) returned with the callback for CSRF protection and request/callback correlation.
        schema:
          type: string
          minLength: 22
      - name: prompt
        in: query
        required: true
        description: Must be `select_account`.
        schema:
          type: string
          enum:
          - select_account
      - name: acr_values
        in: query
        required: false
        description: Requested authentication context. Combines a service level and an authenticator assurance level.
        schema:
          type: string
          example: urn:acr.login.gov:auth-only http://idmanagement.gov/ns/assurance/aal/2
      - name: locale
        in: query
        required: false
        description: Override the user's locale.
        schema:
          type: string
          enum:
          - ES
          - FR
      - name: code_challenge
        in: query
        required: false
        description: PKCE code challenge (base64url SHA-256 of `code_verifier`). Required for native apps using PKCE instead of private_key_jwt.
        schema:
          type: string
      - name: code_challenge_method
        in: query
        required: false
        description: PKCE method. Login.gov supports `S256`.
        schema:
          type: string
          enum:
          - S256
      responses:
        '302':
          description: Redirect to Login.gov for authentication, then back to `redirect_uri` with `code` and `state`.
  /api/openid_connect/token:
    post:
      tags:
      - Token
      summary: Exchange Authorization Code for Tokens
      operationId: exchangeToken
      description: |
        Exchanges the authorization code for an `access_token` and a signed `id_token`. Web apps
        authenticate using `private_key_jwt`; native apps use PKCE with a `code_verifier`.
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/TokenRequest'
      responses:
        '200':
          description: Token response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: Invalid request.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
  /api/openid_connect/userinfo:
    get:
      tags:
      - UserInfo
      summary: Get Authenticated User Attributes
      operationId: getUserInfo
      description: Returns user attributes consented to during authorization. Requires a bearer `access_token`.
      security:
      - bearerAuth: []
      responses:
        '200':
          description: User attributes.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserInfo'
        '401':
          description: Invalid or expired access token.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
  /openid_connect/logout:
    get:
      tags:
      - Logout
      summary: RP-Initiated Logout
      operationId: logout
      description: |
        Ends the user's Login.gov session. After confirmation the browser is redirected to the
        pre-registered `post_logout_redirect_uri` with the original `state` value.
      parameters:
      - name: client_id
        in: query
        required: true
        description: Registered relying party identifier.
        schema:
          type: string
      - name: post_logout_redirect_uri
        in: query
        required: true
        description: Pre-registered post-logout redirect URI.
        schema:
          type: string
          format: uri
      - name: state
        in: query
        required: false
        description: Opaque value (minimum 22 characters) echoed back to `post_logout_redirect_uri`.
        schema:
          type: string
          minLength: 22
      responses:
        '302':
          description: Redirect back to `post_logout_redirect_uri` after the user confirms logout.
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: opaque
  schemas:
    DiscoveryDocument:
      type: object
      properties:
        issuer:
          type: string
          example: https://idp.int.identitysandbox.gov
        authorization_endpoint:
          type: string
          format: uri
        token_endpoint:
          type: string
          format: uri
        userinfo_endpoint:
          type: string
          format: uri
        end_session_endpoint:
          type: string
          format: uri
        jwks_uri:
          type: string
          format: uri
        scopes_supported:
          type: array
          items:
            type: string
        response_types_supported:
          type: array
          items:
            type: string
        acr_values_supported:
          type: array
          items:
            type: string
        token_endpoint_auth_methods_supported:
          type: array
          items:
            type: string
        id_token_signing_alg_values_supported:
          type: array
          items:
            type: string
        subject_types_supported:
          type: array
          items:
            type: string
        claims_supported:
          type: array
          items:
            type: string
    JwkSet:
      type: object
      properties:
        keys:
          type: array
          items:
            $ref: '#/components/schemas/Jwk'
    Jwk:
      type: object
      properties:
        kty:
          type: string
          example: RSA
        kid:
          type: string
        use:
          type: string
          example: sig
        alg:
          type: string
          example: RS256
        'n':
          type: string
        e:
          type: string
    TokenRequest:
      type: object
      required:
      - grant_type
      - code
      properties:
        grant_type:
          type: string
          enum:
          - authorization_code
        code:
          type: string
          description: Authorization code returned from `/openid_connect/authorize`.
        client_assertion_type:
          type: string
          description: Required for private_key_jwt clients.
          enum:
          - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
        client_assertion:
          type: string
          description: Signed JWT (RS256) where `iss` and `sub` are `client_id`, `aud` is the token endpoint, and `jti`, `iat`, `exp` are set. Minimum 2048-bit key.
        code_verifier:
          type: string
          description: PKCE code verifier matching the original `code_challenge`. Used by native apps in lieu of `client_assertion`.
    TokenResponse:
      type: object
      properties:
        access_token:
          type: string
          description: Opaque bearer token for the userinfo endpoint.
        token_type:
          type: string
          example: Bearer
        expires_in:
          type: integer
          description: Lifetime of the access token in seconds.
        id_token:
          type: string
          description: Signed JWT (RS256) carrying authenticated user identity claims.
    UserInfo:
      type: object
      properties:
        sub:
          type: string
          description: Stable per-RP user UUID v4.
        iss:
          type: string
          format: uri
        email:
          type: string
          format: email
        email_verified:
          type: boolean
        all_emails:
          type: array
          items:
            type: string
            format: email
        locale:
          type: string
        ial:
          type: string
          description: Identity assurance level granted (e.g. `http://idmanagement.gov/ns/assurance/ial/1`).
        aal:
          type: string
          description: Authenticator assurance level granted.
        given_name:
          type: string
          description: Available at IAL2.
        family_name:
          type: string
          description: Available at IAL2.
        address:
          $ref: '#/components/schemas/Address'
        phone:
          type: string
          description: E.164 phone number. Available at IAL2.
        phone_verified:
          type: boolean
        birthdate:
          type: string
          format: date
          description: Available at IAL2.
        social_security_number:
          type: string
          description: Available at IAL2 with the `social_security_number` scope; SSN may be unmasked or last-4 depending on configuration.
        verified_at:
          type: integer
          description: Unix timestamp when the user's identity was verified. Null if never verified.
        x509_subject:
          type: string
        x509_issuer:
          type: string
        x509_presented:
          type: boolean
    Address:
      type: object
      properties:
        formatted:
          type: string
        street_address:
          type: string
        locality:
          type: string
        region:
          type: string
        postal_code:
          type: string
        country:
          type: string
    Error:
      type: object
      properties:
        error:
          type: string
        error_description:
          type: string