
Configure your service for production

Warning: You must configure your service for production at least 2 weeks before you start using the production environment in private beta or public beta.

Before you can configure your service for production, you must integrate with GOV.UK One Login’s integration environment.

  1. Tell your Engagement Manager that you need to configure your service in production – if you do not have an Engagement Manager, complete the form to register your interest. You’ll need to complete this form a minimum of 6 weeks before your go-live date.
  2. You only need to send your Engagement Manager the service name and client ID of the client you’ve been testing in your integration configuration. The GOV.UK One Login team will send you a draft configuration in JSON format including the new client ID for your production service.
  3. Update the JSON configuration by replacing the placeholder values with your service’s configuration. There’s guidance on understanding the JSON configuration.
  4. Send your modified JSON configuration back to your Engagement Manager by email. The GOV.UK One Login team will check your production configuration and contact you if we need more information.
  5. Configure the new client ID into your own application code and deploy to your production environment.
  6. Test your application works in production. This could be a limited test with a small number of users or a limited private beta.

Use the following notes on each field to understand the JSON configuration

BackChannelLogoutUri
  If you want to receive logout notifications from GOV.UK One Login, specify the production URI of the endpoint you want GOV.UK One Login to call.

  This must be a production-grade URI on a real domain: it must not use http:// or localhost.

  There’s further guidance on requesting logout notifications from GOV.UK One Login.

ClientID
  GOV.UK One Login will fill in ClientID with your production client ID. You do not need to do anything.

Claims
  If you’re doing identity verification, you’ll need to specify which claims your service requires. You may choose one or more of the following:
    • https://vocab.account.gov.uk/v1/passport
    • https://vocab.account.gov.uk/v1/drivingPermit
    • https://vocab.account.gov.uk/v1/coreIdentityJWT
    • https://vocab.account.gov.uk/v1/address
    • https://vocab.account.gov.uk/v1/returnCode

ClientName
  Choose your client name. The client name will appear in the user interface when GOV.UK One Login redirects your user back to your service, so choose something your users would recognise.

  There’s further guidance on naming your service.

ClientType
  Leave this field as web.

ConsentRequired
  Leave this field as false.

Contacts
  Enter your service’s technical contact email addresses – this can be a group email, multiple separate email addresses, or a combination of both.

CookieConsentShared
  Leave this field as false.

IdentityVerificationSupported
  If you’re using identity verification, this should be true.

  If you only need authentication, this should be false.

IdTokenSigningAlgorithm
  This will be ES256 or RS256. You can find the one you’re using in your application’s code.

LandingPageUrl
  LandingPageUrl is only required if you’re making identity requests.

  GOV.UK One Login supports a single LandingPageUrl after a user returns from an offline journey. Specify the production URL your user will be redirected to after they visit the Post Office. This link will allow them to continue their sign-up process for your service.

  This must be a production-grade URL: it must not use http:// or localhost.

OneLoginService
  Leave this field as false.

PostLogoutRedirectUrIs
  If you want to redirect your users after they log out, input one or more production URLs. These are the URLs you redirect your users to after you have logged them out.

  These must be production-grade URLs: they must not use http:// or localhost.

  There’s further guidance on logging your user out of GOV.UK One Login.

PublicKey
  PublicKey is only required if you’re using the private_key_jwt token authentication method.

  Enter the contents of your public key Privacy Enhanced Mail (PEM) file (or whichever file was created when you created your key pair).

  There’s further guidance on generating a key pair.

IsInternalService
  Leave this field as false.

JarValidationRequired
  GOV.UK One Login will fill in this field.

RedirectUrls
  Enter one or more of your service’s production redirect URLs. These must be production-grade URLs: they must not use http:// or localhost.

Scopes
  Enter the scopes your service requires. You must include the openid scope.

  You may choose one or more of the following:
    • email
    • phone

  There’s further guidance on choosing which user attributes your service can request.

SectorIdentifierUri
  Specify your service’s sector identifier.

  You must not change the sector identifier once your service has started to sign up or migrate users. Doing this will change the subject identifiers GOV.UK One Login creates for each individual user.

  There’s further guidance on choosing your sector identifier.

  If your service has more than one redirect_uri, you must set the sector identifier in line with the OpenID Connect Core 1.0 specification.

ServiceType
  Leave this field as MANDATORY.

SubjectType
  Leave this field as pairwise.

TestClient
  Leave this field as false.

TokenAuthMethod
  Specify the token authentication method your service is using. This will be private_key_jwt or client_secret_post.

  There’s further guidance on using the correct token authentication method for your service.
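Before emailing the modified JSON back, it is worth checking it against the rules in the table above. The script below is an added example, not GOV.UK One Login’s own tooling; the field names are copied from the table as shown on this page (adjust them to match the draft you receive), the sample draft is constructed, and the host/scheme test is one reading of “production-grade, no http:// or localhost”.

```python
import json
from urllib.parse import urlparse

# Constructed sample draft (not a real client); field names are those in the table above.
DRAFT_CONFIG = json.loads("""{
  "ClientID": "FILLED-IN-BY-GOV-UK-ONE-LOGIN", "ClientName": "Example Service",
  "RedirectUrls": ["https://example.service.gov.uk/callback", "http://localhost:3000/callback"],
  "PostLogoutRedirectUrIs": ["https://example.service.gov.uk/signed-out"],
  "BackChannelLogoutUri": "https://example.service.gov.uk/backchannel-logout",
  "Scopes": ["email"], "Claims": ["https://vocab.account.gov.uk/v1/coreIdentityJWT"],
  "IdentityVerificationSupported": true, "LandingPageUrl": "",
  "TokenAuthMethod": "private_key_jwt", "PublicKey": "", "SectorIdentifierUri": "",
  "ClientType": "web", "ConsentRequired": false, "CookieConsentShared": false,
  "OneLoginService": false, "IsInternalService": false, "ServiceType": "MANDATORY",
  "SubjectType": "pairwise", "TestClient": false
}""")

URL_FIELDS = ("RedirectUrls", "PostLogoutRedirectUrIs", "BackChannelLogoutUri", "LandingPageUrl")
FIXED = {"ClientType": "web", "ConsentRequired": False, "CookieConsentShared": False,
         "OneLoginService": False, "IsInternalService": False, "ServiceType": "MANDATORY",
         "SubjectType": "pairwise", "TestClient": False}  # values the table says to leave as-is
CLAIMS = {"https://vocab.account.gov.uk/v1/" + c for c in
          ("passport", "drivingPermit", "coreIdentityJWT", "address", "returnCode")}

def is_production_url(url):
    """Production-grade here means https with a real hostname, never localhost."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname) and p.hostname != "localhost"

def check_config(cfg):
    """Return the list of problems found; an empty list means the draft passes these checks."""
    problems = []
    for field in URL_FIELDS:  # every URL field, whether a single string or a list
        raw = cfg.get(field) or []
        for url in ([raw] if isinstance(raw, str) else raw):
            if not is_production_url(url):
                problems.append(f"{field}: {url} is not a production-grade URL")
    if "openid" not in cfg.get("Scopes", []):
        problems.append("Scopes: the openid scope is required")
    problems += [f"Claims: {c} is not a supported claim" for c in cfg.get("Claims", []) if c not in CLAIMS]
    problems += [f"{k}: must be {v!r}" for k, v in FIXED.items() if cfg.get(k) != v]
    if cfg.get("TokenAuthMethod") not in ("private_key_jwt", "client_secret_post"):
        problems.append("TokenAuthMethod: must be private_key_jwt or client_secret_post")
    elif cfg["TokenAuthMethod"] == "private_key_jwt" and not cfg.get("PublicKey"):
        problems.append("PublicKey: required for private_key_jwt")
    if cfg.get("IdentityVerificationSupported") and not cfg.get("LandingPageUrl"):
        problems.append("LandingPageUrl: required when IdentityVerificationSupported is true")
    if len(cfg.get("RedirectUrls", [])) > 1 and not cfg.get("SectorIdentifierUri"):
        problems.append("SectorIdentifierUri: required when there is more than one redirect URL")
    return problems
```

Run `check_config` on the JSON you intend to send; the constructed draft above fails five checks (the localhost redirect, the missing openid scope, the empty PublicKey, the empty LandingPageUrl and the missing sector identifier).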

Use the production discovery endpoint

You can use the production discovery endpoint at https://oidc.account.gov.uk/.well-known/openid-configuration.

This page was last reviewed on 20 February 2025.