Login.gov website screenshot

Login.gov

Login.gov is the U.S. federal government's secure single sign-on and identity verification service for the public, operated by the General Services Administration's Technology Transformation Services (GSA TTS). Relying parties — federal, and in some cases state and local — federate user authentication to Login.gov via OpenID Connect (iGov profile) or SAML 2.0, with support for IAL1 (auth-only) and IAL2 (identity-verified) assurance and AAL2 multi-factor authentication including phishing-resistant and PIV/CAC authenticators.

2 APIs 14 Features
GovernmentFederalGSAIdentityAuthenticationSSOOIDCSAMLIAL2AAL2

APIs

Login.gov OpenID Connect API

The Login.gov OIDC integration surface used by relying parties. Conforms to the iGov OpenID Connect Profile. Supports authorization code flow with private_key_jwt (web apps) or ...

Login.gov SAML 2.0 API

SAML 2.0 federation surface for relying parties that prefer SAML over OIDC. Uses HTTP-Redirect SSO and HTTP-POST SLO with the persistent NameID format (UUID v4). Endpoints are y...

Collections

Pricing Plans

Login Gov Plans Pricing

2 plans

PLANS

Rate Limits

Login Gov Rate Limits

0 limits

RATE LIMITS

Features

Single account for the public to access participating federal services
OpenID Connect (iGov profile) and SAML 2.0 federation
Authorization code flow with private_key_jwt or PKCE; implicit flow not supported
IAL1 (authentication only) and IAL2 (identity-verified) assurance levels
AAL2 with TOTP, SMS/voice, push, security keys, PIV/CAC, and platform passkeys
Phishing-resistant AAL2 variant and HSPD-12 (PIV/CAC) AAL2 variant
Identity proofing with optional facial-match step
Self-service Partner Portal (sandbox and production) for client registration and scope/cert management
JWKS endpoint with at-least-annual key rotation; SAML certs rotated yearly with year-versioned endpoints
{"User attributes scoped per OIDC scope/SAML attribute" => "email, all_emails, name, address, birthdate, phone, SSN, verified_at, locale, x509 subject/issuer/presented"}
{"Built and operated in the open" => "identity-idp (Ruby on Rails) and sample SP apps published under github.com/18F"}
English, Spanish, and French locales
Section 508 accessibility commitment; published privacy policy and PIA
Cost-recoverable funding model via Interagency Agreement (IAA); no public rate card

Semantic Vocabularies

Login Gov Context

29 classes · 4 properties

JSON-LD

API Governance Rules

Login.gov API Rules

7 rules · 5 errors 2 warnings

SPECTRAL

Example Payloads

Resources

🔗
Website
Website
🌐
Portal
Portal
🔗
Documentation
Documentation
📝
Signup
Signup
🚀
GettingStarted
GettingStarted
🔗
Sandbox
Sandbox
👥
GitHubOrganization
GitHubOrganization
👥
GitHubRepository
GitHubRepository
👥
GitHubRepository
GitHubRepository
👥
GitHubRepository
GitHubRepository
🟢
StatusPage
StatusPage
📰
Blog
Blog
🔗
Contact
Contact
🔗
BusinessInquiries
BusinessInquiries
📜
Privacy
Privacy
🔗
Accessibility
Accessibility
🔗
Plans
Plans
🔗
RateLimits
RateLimits
🔗
Vocabulary
Vocabulary

Sources

Raw ↑
opencollection: 1.0.0
info:
  name: Login.gov SAML 2.0 API
  version: 2026-01
items:
- info:
    name: Metadata
    type: folder
  items:
  - info:
      name: Get SAML 2.0 IdP Metadata
      type: http
    http:
      method: GET
      url: https://idp.int.identitysandbox.gov/api/saml/metadata2026
    docs: Returns the SAML 2.0 IdP metadata XML including entity ID, SSO/SLO endpoints, signing certificate, and supported
      NameID formats.
- info:
    name: Authentication
    type: folder
  items:
  - info:
      name: Initiate SAML SSO (HTTP-Redirect)
      type: http
    http:
      method: GET
      url: https://idp.int.identitysandbox.gov/api/saml/auth2026
      params:
      - name: SAMLRequest
        value: ''
        type: query
        description: Base64-encoded DEFLATE-compressed AuthnRequest.
      - name: RelayState
        value: ''
        type: query
        description: Opaque value echoed back in the SAML response.
      - name: SigAlg
        value: ''
        type: query
        description: Signature algorithm URI when the request is signed.
      - name: Signature
        value: ''
        type: query
        description: Base64-encoded signature over the request.
    docs: 'Accepts a Base64-encoded, DEFLATE-compressed `SAMLRequest` via HTTP-Redirect.

      The user authenticates with Login.gov and the IdP responds with a signed SAML

      assertion POSTed to the SP''s Assertion Consumer Service URL.

      '
- info:
    name: Logout
    type: folder
  items:
  - info:
      name: SAML Single Logout (HTTP-POST)
      type: http
    http:
      method: POST
      url: https://idp.int.identitysandbox.gov/api/saml/logout2026
      body:
        type: form-urlencoded
        data:
        - name: SAMLRequest
          value: ''
        - name: RelayState
          value: ''
    docs: Accepts a signed `LogoutRequest` from the SP and terminates the user's Login.gov session.
bundled: true