---
title: Sign in with Little X Little
hide:
  - navigation
---

# Sign in with Little X Little

> One-line sign-in for any NGO site we host — and any partner you trust later.

`Sign in with Little X Little` is a standards-based [OpenID Connect 1.0](https://openid.net/specs/openid-connect-core-1_0.html) identity provider built on top of the platform's existing `accounts` directory. Drop one HTML element on your page and your site gets:

- :material-cursor-default-click: **Pre-rendered button** styled to match the platform.
- :material-bell-ring: **One-Tap prompt** that floats in for users with an active session.
- :material-flash: **Silent auto sign-in** for returning consenting users — no clicks.
- :material-shield-check: **Signed JWT identity** verified offline against our JWKS.
- :material-key-variant: **Permission claims** (`lxl.access`, `lxl.app`, `lxl.master`) so your backend never has to call back for RBAC.

---

## Pick your starting point

<div class="grid cards" markdown>

- :material-language-html5: **HTML only**

    ---

    One `<script>` tag, one `<div>`, no build tools.

    [:octicons-arrow-right-24: HTML quickstart](quickstarts/html.md)

- :material-language-javascript: **JavaScript SDK**

    ---

    `@littlexlittle/id` — One-Tap, FedCM, PKCE, all wrapped.

    [:octicons-arrow-right-24: JS quickstart](quickstarts/js-sdk.md)

- :material-language-php: **PHP SDK**

    ---

    `littlexlittle/id-php` for server-side verification and login.

    [:octicons-arrow-right-24: PHP quickstart](quickstarts/php-sdk.md)

- :material-api: **Pure OAuth 2.0**

    ---

    No SDK. Hit the endpoints directly from any language.

    [:octicons-arrow-right-24: From scratch](quickstarts/oauth-from-scratch.md)

</div>

---

## How it works (in 30 seconds)

```mermaid
sequenceDiagram
  autonumber
  participant U as User browser
  participant N as NGO site
  participant L as id.littlexlittle.org
  U->>N: Visit page
  N->>U: Render <div data-lxl-id="...">
  U->>L: GET /oidc/authorize?... (PKCE)
  L->>U: Consent screen (or auto-skip if previously granted)
  L-->>N: 302 redirect_uri?code=...
  N->>L: POST /oidc/token (code + verifier)
  L-->>N: id_token + access_token + refresh_token
  N->>N: Verify id_token signature via JWKS
  N->>U: Set session cookie, log user in
```

Three token types, all standards-based:

| Token | Format | Purpose | Lifetime |
|---|---|---|---|
| `id_token` | JWT (RS256) | Identity assertion. Verify offline. | 1 hour |
| `access_token` | Opaque | Bearer for `/oidc/userinfo` and platform APIs. | 1 hour |
| `refresh_token` | Opaque, rotating | Background renewal. Replay-detected. | 30 days, max 90 |

---

## Who can register a client today

The identity platform is currently **closed**: only NGOs already hosted on Little X Little can register clients. Register them via the [Developer portal](https://app.littlexlittle.org/developers) inside your NGO's app area. Third-party self-serve registration is on the roadmap.

[Open the developer portal :octicons-link-external-16:](https://app.littlexlittle.org/developers){ .md-button .md-button--primary }
[Read the changelog](changelog.md){ .md-button }

---

## At a glance

- **Issuer:** `https://id.littlexlittle.org`
- **Discovery:** [`/.well-known/openid-configuration`](https://id.littlexlittle.org/.well-known/openid-configuration)
- **JWKS:** [`/.well-known/jwks.json`](https://id.littlexlittle.org/.well-known/jwks.json)
- **Spec compliance:** OpenID Connect Core 1.0, OAuth 2.0 (RFC 6749), PKCE (RFC 7636), Token Revocation (RFC 7009), Introspection (RFC 7662), RP-Initiated Logout 1.0, FedCM (where supported).
- **Algorithms:** RS256 only. Keys rotate every 90 days; old keys remain in JWKS until all issued tokens expire.
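
The offline `id_token` check from the flow above, as an added Node.js example rather than code from the Little X Little SDKs. The key pair, the `kid` value `demo-1`, the client ID `demo-client` and the `makeFixture` helper are constructed for the example; a real relying party loads the JWKS from `/.well-known/jwks.json`.

```javascript
const crypto = require('node:crypto');

const ISSUER = 'https://id.littlexlittle.org'; // issuer as listed on this page
const b64u = (x) => Buffer.from(x).toString('base64url');

// Verify a compact JWT against a JWKS object; returns the claims or throws.
function verifyIdToken(token, jwks, clientId, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: the token header never gets to choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Select by kid so tokens signed before a key rotation still verify.
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Only read claims after the signature has been checked.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed fixture: a throwaway key pair standing in for the provider's.
function makeFixture(now) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-1', use: 'sig', alg: 'RS256' }] };
  const sign = (header, claims) => {
    const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
    return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
  };
  const claims = { iss: ISSUER, aud: 'demo-client', sub: 'user-123', iat: now, exp: now + 3600 };
  return { jwks, sign, claims };
}

// Stand-alone run: sign a constructed token and verify it.
const demo = makeFixture(Math.floor(Date.now() / 1000));
const token = demo.sign({ alg: 'RS256', kid: 'demo-1', typ: 'JWT' }, demo.claims);
console.log(verifyIdToken(token, demo.jwks, 'demo-client').sub);
```

A relying party that sent a `nonce` in the authorization request also compares it with the `nonce` claim before creating the session.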
