Skip to main content
U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock ( Https ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

OpenID Connect

OpenID Connect (OIDC) is a simple identity layer built on top of the OAuth 2.0 protocol. supports version 1.0 of the specification and conforms to the iGov Profile.

We do not support the OpenID Connect (OIDC) “implicit flow” with client_secret because it is not recommended by the OAuth group for security reasons

Getting started

Choosing an authentication method supports two ways of authenticating clients: private_key_jwt and PKCE.

  • private_key_jwt (preferred for web apps)
    The client sends a JSON Web Token, or JWT, signed with a private key (minimum length of 2048 bits) when requesting access tokens. The corresponding public key is registered with the IdP ahead of time, similar to SAML.

  • PKCE (preferred for native mobile apps)
    Short for Proof Key for Code Exchange by OAuth Public Clients and pronounced “pixy.” In this method, the client sends a public identifier as well as a hashed random value generated by the client.

Unsupported methods

The following implementation methods of OIDC are not supported by for security reasons.

  • Implicit flow is not recommended by the OAuth group.
  • client_secret_param is not supported because it requires managing a shared secret in two places, both the client and the server. Private_key_jwt flow involves sharing public keys with the server and PKCE has a one-time secret.

Set up a Sandbox account

You are able to test authentication methods in real time with a testing account in our sandbox environment. To start, navigate to the Login Partner Dashboard Sandbox and follow the steps below:

  • Select the “Sign-in” button to create a new account. Anyone with a .gov or .mil email address may request an account.
  • Create a new team - see Testing page for instructions.
  • Create a certificate - before creating your application you’ll need to create a certificate that will be used to sign your requests. You can create a certificate using openssl. The example command to create the certificate from your terminal is:
    • openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt
  • Create an application, at which point you will need to decide between private_key_jwt or PKCE.

It is important to note that your production account and your sandbox account are two separate accounts.


Consistent with the specification, provides a JSON endpoint for OIDC auto-discovery at

Integration URI:

Production URI:

Example Application

The team has created an example client to speed up your development, all open source in the public domain: identity-oidc-sinatra.

Next step: Authorization

Edit this page
Return to top