Overview

This guide introduces the ID.me OAuth 2.0 implementation and explains how partners can use it to access user data securely.

ID.me uses OAuth 2.0 (RFC 6749) to authorize access to its APIs. To retrieve a user’s community data, your application must first obtain an access_token. This token is bound to a single user, must be stored securely on your side, and expires 5 minutes after issuance, so plan to use it promptly rather than caching it for later calls.

ID.me supports both full-page redirects and popup windows for the authorization flow. Once you’ve registered your application, you’ll find sample code, documentation, and the option to upload your company logo on the application details page.

ID.me supports the Authorization Code Flow with PKCE (Proof Key for Code Exchange, RFC 7636). PKCE extends the standard Authorization Code Flow: the client sends a hashed code_challenge with the authorization request and the matching plaintext code_verifier with the token request, so an authorization code intercepted in transit cannot be redeemed without the verifier. The OAuth 2.1 draft makes PKCE mandatory for every authorization code flow, so new integrations should use it from the start.
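The following is an added example of the partner-side PKCE steps described above, not code from the original page or from ID.me. It generates a code_verifier, derives the S256 code_challenge, builds the authorization request, validates the state parameter on the redirect back, and assembles the token request body. The endpoint URLs, scope value, client identifier and redirect URI are assumptions for illustration; take the real values from your application details page.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint locations for illustration; confirm them against your
# application details page before use.
AUTHORIZE_URL = "https://api.id.me/oauth/authorize"
TOKEN_URL = "https://api.id.me/oauth/token"


def b64url(raw: bytes) -> str:
    """Base64url encoding with padding stripped, as RFC 7636 section 4 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier: 32 random bytes encode to 43 unreserved characters,
    which satisfies the RFC 7636 length bound of 43..128."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, scope: str,
                        state: str, verifier: str) -> str:
    """Step 1: the URL the partner redirects the user to. Only the challenge
    travels here; the verifier stays in the partner's server-side session."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: parse the redirect back to the partner, reject a missing or
    mismatched state (CSRF / stale session), and return the authorization code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict:
    """Step 3: form body for the POST to TOKEN_URL. Confidential clients also
    present their client credentials as described on the application details
    page (omitted here as it is not part of the PKCE mechanism)."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verifies(verifier: str, stored_challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    S256 challenge from the presented verifier and compare in constant time."""
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)


if __name__ == "__main__":
    # Constructed walk-through with placeholder identifiers.
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    print(build_authorize_url("my-client-id", "https://partner.example/callback",
                              "openid", state, verifier))
    # Constructed callback as ID.me would redirect it after the user releases data.
    cb = f"https://partner.example/callback?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = handle_callback(cb, state)
    print(build_token_request("my-client-id", "https://partner.example/callback",
                              code, verifier))
```

Keep the verifier and state in server-side session storage keyed to the user's browser session, never in a cookie readable by scripts, and generate a fresh pair for every authorization attempt; reusing them defeats the point of the scheme.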

Diagram showing the ID.me OAuth 2.0 data flow between three parties — User, Partner, and ID.me — across 7 steps: the user signs in and is redirected to ID.me, which issues an authorization request and release, passes an authorization code back to the Partner, the Partner requests and receives an access token, calls the REST API attributes endpoint, receives the user payload in JSON, then redirects the user back to the Partner.