Skip to content

Sign in with Little X Little

One-line sign-in for any NGO site we host — and any partner you trust later.

Sign in with Little X Little is a standards-based OpenID Connect 1.0 identity provider built on top of the platform's existing accounts directory. Drop one HTML element on your page and your site gets:

  • Pre-rendered button styled to match the platform.
  • One-Tap prompt that floats in for users with an active session.
  • Silent auto sign-in for returning consenting users — no clicks.
  • Signed JWT identity verified offline against our JWKS.
  • Permission claims (lxl.access, lxl.app, lxl.master) so your backend never has to call back for RBAC.

Pick your starting point

  • HTML only

    One <script> tag, one <div>, no build tools.

    HTML quickstart

  • JavaScript SDK

    @littlexlittle/id — One-Tap, FedCM, PKCE, all wrapped.

    JS quickstart

  • PHP SDK

    littlexlittle/id-php for server-side verification and login.

    PHP quickstart

  • Pure OAuth 2.0

    No SDK. Hit the endpoints directly from any language.

    From scratch

How it works (in 30 seconds)

sequenceDiagram
  autonumber
  participant U as User browser
  participant N as NGO site
  participant L as id.littlexlittle.org
  U->>N: Visit page
  N->>U: Render <div data-lxl-id="...">
  U->>L: GET /oidc/authorize?... (PKCE)
  L->>U: Consent screen (or auto-skip if previously granted)
  L-->>N: 302 redirect_uri?code=...
  N->>L: POST /oidc/token (code + verifier)
  L-->>N: id_token + access_token + refresh_token
  N->>N: Verify id_token signature via JWKS
  N->>U: Set session cookie, log user in

Three trust tiers, all standards:

Token Format Purpose Lifetime
id_token JWT (RS256) Identity assertion. Verify offline. 1 hour
access_token Opaque Bearer for /oidc/userinfo and platform APIs. 1 hour
refresh_token Opaque, rotating Background renewal. Replay-detected. 30 days, max 90

Who can register a client today

The identity platform is closed to NGOs already hosted on Little X Little. Register clients via the Developer portal inside your NGO's app area. Third-party self-serve registration is on the roadmap.

Open the developer portal Read the changelog

At a glance

  • Issuer: https://id.littlexlittle.org
  • Discovery: /.well-known/openid-configuration
  • JWKS: /.well-known/jwks.json
  • Spec compliance: OpenID Connect Core 1.0, OAuth 2.0 (RFC 6749), PKCE (RFC 7636), Token Revocation (RFC 7009), Introspection (RFC 7662), RP-Initiated Logout 1.0, FedCM (where supported).
  • Algorithms: RS256 only. Keys rotate every 90 days; old keys remain in JWKS until all issued tokens expire.