Getting started
Login.gov allows partners and Relying Parties (RPs) to notify us of various security-related events through our API.
Submitting a Security Event Token (SET)
Login.gov supports Push-Based SET Token Delivery Using HTTP. The SETs are signed JWTs (JSON Web Tokens), similar to those used in the OpenID Connect Authorization flow.
The OpenID RISC Profile defines some very specific properties of these JWTs, and Login.gov will validate against them, providing clear error messages where possible.
Auto-discovery
Login.gov provides a JSON endpoint for OpenID Connect auto-discovery at /.well-known/risc-configuration
. In our agency integration environment, this is available at https://idp.int.identitysandbox.gov/.well-known/risc-configuration
Supported Incoming Events
Login.gov accepts custom events, based on the OpenID RISC Event Types, but not specific events from that list at this time.
Authorization Fraud Detected
RPs should submit this event when they believe a user’s credentials have been compromised, that somebody who is not the user was able to sign in to a user’s account. Login.gov may force reset of the user’s password when we receive this event.
The event_type for this is:
https://schemas.login.gov/secevent/risc/event-type/authorization-fraud-detected
Identity Fraud Detected
RPs should submit this event when they suspect an account has been used to commit identity theft or related fraudulent activity. Login.gov may reset the user’s profile and verified attributes data when we receive this event.
The event_type for this is:
https://schemas.login.gov/secevent/risc/event-type/identity-fraud-detected
Request
To submit a SET, send an HTTP POST request to the /api/risc/security_events
endpoint. The body of the request is a signed JWT.
JWTs must be signed by the client application’s private key using RS256, the same one used for the private_key_jwt
flow for OpenID Connect.
HTTP Request
- Content-Type (required)
The request must have a Content-Type ofapplication/secevent+jwt
JWT Headers
-
alg (required)
The JWT must be signed with the RS256 algorithm. -
typ (required)
The type header must be set to secevent+jwt
JWT Claims
-
aud (required)
The audience for this JWT, which is the full URL for the/api/risc/security_events
endpoint. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov/api/risc/security_events
-
iat
Time at which the JWT was issued, an integer timestamp representing the number of seconds since the Unix Epoch. -
iss (required)
The issuer of this SET, which should be your client application’s client ID. For example:urn:gov:gsa:openidconnect:test:risc:sets
-
jti (required)
JWT Identifier. This should be a unique identifier for this event, Login.gov will attempt to de-duplicate events by this key. -
events
An object containing an event, keyed by event type. See Supported Incoming Events for possible keys.
The event (the value) contains:
-
subject (required)
An event should contain a subject object, with the following keys:-
subject_type
Must be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub
The UUID identifying the user. This is provided as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
-
occurred_at
Time at which the security event occurred, an integer timestamp representing the number of seconds since the Unix Epoch. This optional field can be used to back-date reports of events, if they are not detected immediately.
Example:
{ "<$EVENT_TYPE>": { "subject": { "subject_type": "iss-sub", "iss": "https://idp.int.identitysandbox.gov", "sub": "<$SUB>" }, "occurred_at": 1590000000 } }
-
Example request
For a Security Event like this:
{
"iss": "urn:gov:gsa:openidconnect:test:risc:sets",
"jti": "abcdefghijklmnopqrstuvwxyz",
"iat": 1595532178,
"aud": "https://idp.int.identitysandbox.gov/api/risc/security_events",
"events": {
"https://schemas.login.gov/secevent/risc/event-type/authorization-fraud-detected": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "123d4f56-jkl7-891011-t12vw-y13a1415d1617ghi18"
},
"occurred_at": 1590000000
}
}
}
With the JWT headers of:
{
"typ": "secevent+jwt",
"alg": "RS256"
}
After being encoded as a JWT and signed with a private key, the entire request would look like:
POST /api/risc/security_events
Content-Type: application/secevent+jwt
Accept: application/json
eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJhbGciOiJSUzI1NiJ9
.
eyJpc3MiOiJ1cm46Z292OmdzYTpvcGVuaWRjb25uZWN0OnRlc3Q6cmlzYzpzZXRzIiwianRpIjoiYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoiLCJpYXQiOjE1OTU1MzIxNzgsImF1ZCI6Imh0dHBzOi8vaWRwLmludC5pZGVudGl0eXNhbmRib3guZ292L2FwaS9yaXNjL3NlY3VyaXR5X2V2ZW50cyIsImV2ZW50cyI6eyJodHRwczovL3NjaGVtYXMubG9naW4uZ292L3NlY2V2ZW50L3Jpc2MvZXZlbnQtdHlwZS9hdXRob3JpemF0aW9uLWZyYXVkLWRldGVjdGVkIjp7InN1YmplY3QiOnsic3ViamVjdF90eXBlIjoiaXNzX3N1YiIsImlzcyI6Imh0dHBzOi8vaWRwLmludC5pZGVudGl0eXNhbmRib3guZ292Iiwic3ViIjoiMTIzZDRmNTYtamtsNy04OTEwMTEtdDEydncteTEzYTE0MTVkMTYxN2doaTE4In0sIm9jY3VycmVkX2F0IjoxNTkwMDAwMDAwfX19
.
O-B3WJwITdMYWaEf0MNErEdy-Hy33DQ6wi7uMYgYHkFgq4hDoIoee4_sgsaYELqEA7zehljn_7FHFVN6sQYKVBQh3OVg281i2aRFUk9SjL8dsnecV_wxz9sYLm4ndO9IOSRjX5sZ7pv6zVTjz1-pTfaYHXx0nuqzRTlm5WZ4NP47XgDXEwsiv6Z1s4VLAqnPl7yuXu_ZNIqj0ww0v6xWA2Zkt_NM8F9grZ0kx5imbVrX2zoXnO7nkBzJThUuZh_CTNRItMolY2IblzHyHYxWRvkEjCLFjtI4vtAvhGN8ZEPk16yUZ2EnY8ptvacI3ZBoG12On-POsIltZekW7JpOqg
Response
Successful response
A successful SET submission will receive an empty response body with a 202 “Accepted” status.
HTTP/1.1 202 Accepted
Error response
An unsuccessful SET submission will receive a 400 “Bad Request”, with a JSON body containing error information.
-
err (string)
An error code defined by Security Event HTTP Push spec. -
description (string)
A more human-readable description of the error.
HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"err":"jwtHdr",
"description":"typ header must be secevent+jwt"
}
Receiving a Security Event Token (SET)
Configuration
To configure your application to receive notifications from Login.gov, you must supply Login.gov with a URL.
The URL must:
- Be publicly accessible with HTTPS,
- Allow POST requests from Login.gov,
- Use a certificate signed by a trusted certificate authority, and
- Must use port 443 (if specifying a port).
Agency integration environment:
- Use the portal to register the
push_notification_url
for your application - Your
push_notification_url
will be automatically added to the integration environment’s outbound proxy allowlist by 5PM UTC.
Production environment:
- The
push_notification_url
will be deployed as part of the application promotion process. Please specify in the
promotion request that you are including a SET configuration so that we know to add your URL to our outbound proxy allowlist. - It may require three weeks notice to allow the domain for outbound communication.
Supported Outgoing Events
Login.gov notifies for these events from the OpenID RISC Event Types:
- Account Disabled
- Account Enabled
- Account Locked Due to MFA (Multi-Factor Authentication) Limit Reached
- Account Purged
- Identifier Changed
- Identifier Recycled
- Password Reset
- Recovery Activated
- Recovery Information Changed
- Reproofing Completed
Account Disabled
Login.gov pushes this event when a user account suspended.
For more information, see the specification for Account Disabled.
The event_type for this is:
https://schemas.openid.net/secevent/risc/event-type/account-disabled
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
-
reason (string)
Optional, describes why was the account disabled.
Example:
{
"https://schemas.openid.net/secevent/risc/event-type/account-disabled": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
},
"reason": "account-suspension"
}
}
Account Enabled
Login.gov pushes this event when a user account reinstated.
For more information, see the specification for Account Enabled.
The event_type for this is:
https://schemas.openid.net/secevent/risc/event-type/account-enabled
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
Example:
{
"https://schemas.openid.net/secevent/risc/event-type/account-enabled": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
}
}
}
Account Locked Due to MFA (Multi-Factor Authentication) Limit Reached
Login.gov pushes this event when a user fails MFA with their second factor enough times to hit the rate limit, and is subsequently locked out of their account for a period of time.
The event_type for this is:
https://schemas.login.gov/secevent/risc/event-type/mfa-limit-account-locked
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
Example:
{
"https://schemas.login.gov/secevent/risc/event-type/mfa-limit-account-locked": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
}
}
}
Account Purged
Login.gov pushes this event when a user deletes their account.
For more information, see the specification for Account Purged.
The event_type for this is:
https://schemas.openid.net/secevent/risc/event-type/account-purged
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
Example:
{
"https://schemas.openid.net/secevent/risc/event-type/account-purged": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
}
}
}
Identifier Changed
Login.gov pushes this event when a user changes the email address associated with their account.
For more information, see the specification for Identifier Changed.
The event_type for this is:
https://schemas.openid.net/secevent/risc/event-type/identifier-changed
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be email -
email (string)
This is the email address that no longer belongs to any user.
-
Example:
{
"https://schemas.openid.net/secevent/risc/event-type/identifier-changed": {
"subject": {
"subject_type": "email",
"email": "<$EMAIL>"
}
}
}
Identifier Recycled
Login.gov pushes this event when a user removes an email address from their account, freeing up the email address as an identifier.
For more information, see the specification for Identifier Recycled.
The event_type for this is:
https://schemas.openid.net/secevent/risc/event-type/identifier-recycled
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be email -
email (string)
This is the email address that no longer belongs to any user.
-
Example:
{
"https://schemas.openid.net/secevent/risc/event-type/identifier-recycled": {
"subject": {
"subject_type": "email",
"email": "<$EMAIL>"
}
}
}
Password Reset
Login.gov pushes this event when a user completes a password reset, either as part of account recovery or intentionally through the account page.
The event_type for this is:
https://schemas.login.gov/secevent/risc/event-type/password-reset
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
Example:
{
"https://schemas.login.gov/secevent/risc/event-type/password-reset": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
}
}
}
Recovery Activated
Login.gov pushes this event when a user starts the “Forgot Password” flow for an account.
For more information, see the specification for Recovery Activated.
The event_type for this is:
https://schemas.openid.net/secevent/risc/event-type/recovery-activated
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
Example:
{
"https://schemas.openid.net/secevent/risc/event-type/recovery-activated": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
}
}
}
Recovery Information Changed
Login.gov pushes this event when a user changes any of their second factor authentication methods, for example, adding or removing an email, phone address, TOTP authentication app, backup codes, or PIV/CAC.
For more information, see the specification for Recovery Information Changed.
The event_type for this is:
https://schemas.openid.net/secevent/risc/event-type/recovery-information-changed
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
Example:
{
"https://schemas.openid.net/secevent/risc/event-type/recovery-information-changed": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
}
}
}
Reproofing Completed
Login.gov pushes this event when a user re-verifies their identity (with the identity proofing process). This event is only sent if they previously had an active verified profile, not for the first-time identity verification.
The event_type for this is:
https://schemas.login.gov/secevent/risc/event-type/reproof-completed
The event payload has:
-
subject
An event will include a subject object, with the following keys-
subject_type (string)
Will be iss-sub, this indicates the sub is the subject provided by the original issuer (Login.gov) -
iss (string)
This is Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
sub (string)
The UUID identifying the user. This is the same as thesub
inside theid_token
JWT in the OpenID Token endpoint.
-
Example:
{
"https://schemas.login.gov/secevent/risc/event-type/mfa-limit-account-locked": {
"subject": {
"subject_type": "iss-sub",
"iss": "https://idp.int.identitysandbox.gov",
"sub": "<$SUB>"
}
}
}
Request
Login.gov will make a POST request to your app’s push_notification_url
, see Configuration for more details on setting that up. The JWT will be signed with Login.gov’s private key. See the OpenID Connect guide for information on how to get Login.gov’s public key from the Certificates Endpoint.
If your app had the client ID of urn:gov:gsa:openidconnect:test:risc:sets
and was configured to receive events at https://agency.example.gov/events
, and a user freed up email@example.com
Login.gov would make a request like this.
With a JWT payload:
{
"iss": "https://idp.int.identitysandbox.gov/",
"jti": "abcdefghijklmnopqrstuvwxyz",
"iat": 1595532178,
"aud": "https://agency.example.gov/events",
"events": {
"https://schemas.openid.net/secevent/risc/event-type/identifier-recycled": {
"subject": {
"subject_type": "email",
"email": "email@example.com"
}
}
}
}
POST /events
Host: agency.example.gov
Content-Type: application/secevent+jwt
Accept: application/json
eyJ0eXAiOiJzZWNldmVudCtqd3QiLCJraWQiOiJmNWNlMTIzOWUzOWQzZGE4MzZmOTYzYmNjZDg1Zjg1ZDU3ZDQzMzVjZmRjNmExNzAzOWYyNzQzNjFhMThiMTNjIiwiYWxnIjoiUlMyNTYifQ
.
eyJpc3MiOiJodHRwczovL2lkcC5pbnQuaWRlbnRpdHlzYW5kYm94Lmdvdi8iLCJqdGkiOiJhYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5eiIsImlhdCI6MTU5NTUzMjE3OCwiYXVkIjoiaHR0cHM6Ly9hZ2VuY3kuZXhhbXBsZS5nb3YvZXZlbnRzIiwiZXZlbnRzIjp7Imh0dHBzOi8vc2NoZW1hcy5vcGVuaWQubmV0L3NlY2V2ZW50L3Jpc2MvZXZlbnQtdHlwZS9pZGVudGlmaWVyLXJlY3ljbGVkIjp7InN1YmplY3QiOnsic3ViamVjdF90eXBlIjoiZW1haWwiLCJlbWFpbCI6ImVtYWlsQGV4YW1wbGUuY29tIn19fX0
.
KS0KvsV0eIRIhvg8wGdN6luIgsXi4nqp9ZY3OF2ft2fUwsk5rk2O_e2-I2Lf8yj0HN1BQ8IIAChWB9_dv-FMAFhShcCpuSHP_dQzBXLATc57PC0fAOZwqAgBuwnB08Z6o_I0OyBZCla5SctYwk1mfK0Wyup7EHdszvuc3i8K5uJV0bPii-VKbJ3YFnMcJD3OVaU3CkaJTqnmdtxYb02uWvImK5D3H9aPgQgJUYsARN-qMmcn5vUGCxWXpMmV53X-Czcf9RGBiK4ZLHL4st2Sxjza3UzC_p_S82rff_g-pJvZbIXL_II02gF9jOsMXELfaX40_SFsnyY6HDCOy3HIAw
HTTP Request
- Content-Type (required)
The request will have a Content-Type ofapplication/secevent+jwt
JWT Headers
-
alg (string)
The JWT will be signed with the RS256 algorithm. -
typ (string)
The type header will be set to secevent+jwt -
kid (string)
The kid header provides a hint indicating which key was used to sign the JWT. The keys are listed in the Certificates Endpoint.
JWT Claims
-
aud (string)
The audience for this JWT, which is your application’spush_notification_url
-
iat (integer)
Time at which the JWT was issued, an integer timestamp representing the number of seconds since the Unix Epoch. -
iss (string)
The issuer of this SET, which will be Login.gov’s issuer, the root URL for Login.gov. In the agency integration environment, this ishttps://idp.int.identitysandbox.gov
-
jti (required)
JWT Identifier. This will be a random, unique identifier for this event, you should be able to de-duplicate based on this. -
events
An object containing an event, keyed by event type. The keys and values depend on the event types, see Supported Outgoing Events for event types and their payloads. -
exp (integer)
Time at which the JWT expires (12 hours after it was issued), an integer timestamp representing the number of seconds since the Unix Epoch.
Response
Login.gov will interpret any response other than a 200-level status as a failure, and will ignore any response body. Failure requests may be retried.
Edit this page