Authentication overview

OneLogin offers a unified identity and access management (IAM) platform, providing various authentication mechanisms for both end-users accessing applications and developers integrating with the OneLogin API. The core of OneLogin's authentication strategy for API interactions is built upon the OAuth 2.0 framework, ensuring secure delegation of access without sharing user credentials directly. For user-facing applications, OneLogin primarily utilizes industry-standard protocols like Security Assertion Markup Language (SAML) 2.0 and OpenID Connect for Single Sign-On (SSO) capabilities, enabling users to access multiple applications with a single set of credentials.

OneLogin's API allows programmatic management of users, applications, and authentication policies, requiring robust authentication for all API requests. This ensures that only authorized applications and services can interact with the OneLogin platform to provision users, manage access, and retrieve identity-related data. The platform also integrates Multi-Factor Authentication (MFA) across its services, adding an additional layer of security beyond traditional username and password combinations.

Supported authentication methods

OneLogin supports a range of authentication methods tailored for different use cases, from securing API calls to enabling seamless user access to enterprise applications. The primary methods include OAuth 2.0 for API access and SAML/OpenID Connect for user SSO.

OAuth 2.0 for API Access

For API integrations, OneLogin recommends and supports OAuth 2.0, an authorization framework that enables an application to obtain limited access to a user's account on an HTTP service. OneLogin's implementation of OAuth 2.0 typically involves the Client Credentials grant type for server-to-server communication and the Authorization Code grant type for applications acting on behalf of a user. The OAuth 2.0 specification is detailed by the IETF RFC 6749 document.

  • Client Credentials Grant: This flow is suitable for applications that need to access API resources on their own behalf, rather than on behalf of a user. It involves exchanging a Client ID and Client Secret for an access token.
  • Authorization Code Grant: Used by confidential and public clients to exchange an authorization code for an access token. This is generally used when an application needs to access resources protected by OneLogin on behalf of an authenticated user.

SAML 2.0 for Single Sign-On (SSO)

SAML 2.0 is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). OneLogin acts as an IdP, allowing users to authenticate once and gain access to multiple SAML-enabled applications without re-entering credentials. This streamlines the user experience and centralizes identity management.

OpenID Connect (OIDC)

Built on top of the OAuth 2.0 framework, OpenID Connect is an identity layer that allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user. OneLogin supports OIDC for modern application integrations and user authentication flows, offering a simpler and more developer-friendly alternative to SAML in some scenarios. For a comprehensive understanding of OIDC, consult the OpenID Connect specifications.
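The Authorization Code grant described above has three checks the relying party must perform itself: the redirect URI must match a registered value exactly, the state parameter returned on the callback must match the one stored in the user's session, and the ID token's claims (issuer, audience, expiry, nonce) must be validated after its signature has been verified against the IdP's published keys. The following Python example, added here and not part of the OneLogin documentation or SDKs, shows those steps with the PKCE extension (RFC 7636) using only the standard library. The tenant issuer URL, client ID and redirect URI are assumed placeholder values, and the signature check itself is left to a JOSE library and is not performed in this block.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed placeholder values for a OneLogin tenant; replace with your own.
ISSUER = "https://example-tenant.onelogin.com/oidc/2"          # assumed issuer URL
CLIENT_ID = "example-client-id"                                 # assumed client id
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}  # exact-match allow list


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def new_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    expected = b64url(hashlib.sha256(verifier.encode()).digest())
    return hmac.compare_digest(expected, challenge)


def build_authorize_url(redirect_uri, state, nonce, code_challenge,
                        scope="openid profile email"):
    """Build the front-channel authorization request. The redirect_uri is
    compared by exact string match: no prefix, wildcard or path normalisation."""
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not registered")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/auth?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the app, rejecting
    any response whose state does not match the value stored in the user's session."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    return query["code"][0]


def validate_id_token_claims(claims, expected_nonce, now=None):
    """Check ID token claims *after* the signature has been verified against the
    IdP's JWKS (done by a JOSE library, not here). Returns the subject."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch: possible replay")
    return claims["sub"]


if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("https://app.example.com/callback", state, nonce, challenge))
```

The verifier, state and nonce are generated per login and stored server-side in the user's session; only the challenge, state and nonce travel in the URL. Comparing state and nonce with hmac.compare_digest avoids timing differences, and keeping the redirect URI allow list as a set of exact strings is what prevents an attacker-controlled path or host from receiving the code.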

Multi-Factor Authentication (MFA)

OneLogin integrates MFA across its platform, supporting various factors such as OneLogin Protect, SMS, email, YubiKey, and third-party authenticators. MFA adds a critical layer of security by requiring users to provide two or more verification factors to gain access to resources.

Authentication Methods Overview

Method                          When to Use                                                  Security Level
------------------------------  -----------------------------------------------------------  -----------------------------------------------
OAuth 2.0 (Client Credentials)  Server-to-server API calls, background services              High (requires secure client secret management)
OAuth 2.0 (Authorization Code)  Web applications, mobile apps accessing user data            High (redirect-based, secure token exchange)
SAML 2.0                        Enterprise Single Sign-On (SSO) for web applications         High (cryptographically signed assertions)
OpenID Connect                  Modern application SSO, identity verification on OAuth 2.0   High (leveraging JSON Web Tokens and OAuth 2.0)
Multi-Factor Authentication     Any user login for enhanced security                         Very High (adds a secondary verification factor)

Getting your credentials

To interact with the OneLogin API, you typically need to obtain API credentials, which primarily consist of a Client ID and a Client Secret for OAuth 2.0. These credentials are generated within the OneLogin administration console.

  1. Log in to the OneLogin Admin Console: Access your OneLogin administrator account.
  2. Navigate to Developers > API Credentials: In the left-hand navigation menu, locate the 'Developers' section and click on 'API Credentials'.
  3. Create New Credentials: Click the 'New Credential' button.
  4. Configure Credential Scope: Provide a descriptive name for your credentials and select the necessary API permissions (scopes) that your application requires. Granting the least privilege necessary is a key security practice.
  5. Generate Client ID and Client Secret: Upon saving, OneLogin will generate a unique Client ID and Client Secret. It is crucial to record the Client Secret immediately, as it may not be retrievable after leaving the page. Treat these credentials as sensitive information.

For applications using the Authorization Code grant type, you may also need to configure Redirect URIs within the application settings in OneLogin. These URIs define where OneLogin should send the authorization code after a user successfully authenticates. Detailed instructions for configuring API credentials and OAuth applications are available in the OneLogin API Authentication guide.

Authenticated request example

This example demonstrates how to obtain an OAuth 2.0 access token using the Client Credentials grant type and then use that token to make an authenticated API request to OneLogin. We'll use Python for this example, leveraging the requests library.

First, obtain an access token:


import requests
import os

# Read the Client ID and Client Secret from the environment; never hardcode them
CLIENT_ID = os.environ.get('ONELOGIN_CLIENT_ID')
CLIENT_SECRET = os.environ.get('ONELOGIN_CLIENT_SECRET')
if not CLIENT_ID or not CLIENT_SECRET:
    raise SystemExit("Set ONELOGIN_CLIENT_ID and ONELOGIN_CLIENT_SECRET before running")
BASE_URL = "https://api.us.onelogin.com"  # use the API host for your region

# OneLogin's v2 token endpoint takes the client credentials in a custom
# Authorization header and the grant type in the JSON body
token_url = f"{BASE_URL}/auth/oauth2/v2/token"
token_headers = {
    "Content-Type": "application/json",
    "Authorization": f"client_id:{CLIENT_ID}, client_secret:{CLIENT_SECRET}"
}
token_payload = {
    "grant_type": "client_credentials"
}

try:
    response = requests.post(token_url, headers=token_headers, json=token_payload, timeout=10)
    response.raise_for_status()  # Raise an exception for HTTP 4xx/5xx responses
    token_data = response.json()
    access_token = token_data.get("access_token")
    # Do not log the token itself; it is a bearer credential
    print(f"Access token obtained, expires in {token_data.get('expires_in')} seconds")
except requests.exceptions.RequestException as e:
    print(f"Error getting access token: {e}")
    access_token = None

Next, use the obtained access_token to make an authenticated API call, for example, to list users:


if access_token:
    users_url = f"{BASE_URL}/api/2/users"
    users_headers = {
        "Authorization": f"Bearer {access_token}"
    }

    try:
        users_response = requests.get(users_url, headers=users_headers, timeout=10)
        users_response.raise_for_status()
        users_data = users_response.json()
        # API v2 returns a JSON array of users; tolerate a {"data": [...]} wrapper too
        users = users_data if isinstance(users_data, list) else users_data.get("data", [])
        print("Users:")
        for user in users[:5]:  # Print first 5 users
            print(f"  - {user.get('firstname')} {user.get('lastname')} ({user.get('email')})")
    except requests.exceptions.RequestException as e:
        print(f"Error fetching users: {e}")
else:
    print("Could not proceed with API call without an access token.")

This code snippet demonstrates the two-step process: first, authenticating the client application to OneLogin's authorization server to receive an access token, and then using that access token as a bearer token in subsequent requests to access protected resources via the OneLogin API. Remember to replace placeholder URLs and credentials with your specific OneLogin instance details and securely manage your Client ID and Client Secret.
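The snippet above requests a new token on every run. A long-running service should instead cache the token, refresh it shortly before the expires_in deadline, and retry once with a fresh token if OneLogin answers 401 (for example after the credential was rotated or revoked). The following Python example is added here and is not part of the OneLogin documentation or SDKs; it keeps the HTTP calls behind two injectable callables (fetch_token, session_get) so it runs offline, and the parameter names and the 60-second skew are assumptions.

```python
import threading
import time


class TokenCache:
    """Caches a client-credentials access token and refreshes it before expiry.

    fetch_token: callable returning a dict with 'access_token' and 'expires_in'
                 (seconds), e.g. a wrapper around the requests.post call above.
    clock:       callable returning the current time in seconds (injectable for tests).
    """

    def __init__(self, fetch_token, skew_seconds=60, clock=time.time):
        self._fetch = fetch_token
        self._skew = skew_seconds          # refresh this many seconds before expiry
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self._lock = threading.Lock()      # one refresh at a time across threads
        self.fetch_count = 0               # how often the token endpoint was called

    def get(self):
        with self._lock:
            if self._token is None or self._clock() >= self._expires_at - self._skew:
                data = self._fetch()
                try:
                    token = data["access_token"]
                    ttl = float(data["expires_in"])
                except (KeyError, TypeError, ValueError):
                    # Do not echo the response body: it could contain a partial token.
                    raise RuntimeError("token endpoint returned an unexpected response") from None
                self._token = token
                self._expires_at = self._clock() + ttl
                self.fetch_count += 1
            return self._token

    def invalidate(self):
        """Call after a 401 so the next get() fetches a fresh token."""
        with self._lock:
            self._token = None


def authorized_get(session_get, cache, url):
    """GET url with a bearer token, retrying exactly once with a fresh token if the
    server answers 401. session_get(url, headers) returns an object exposing
    .status_code (e.g. a requests.Response)."""
    resp = None
    for attempt in range(2):
        resp = session_get(url, {"Authorization": f"Bearer {cache.get()}"})
        if resp.status_code == 401 and attempt == 0:
            cache.invalidate()   # token revoked or rotated: fetch a new one and retry
            continue
        break
    return resp


if __name__ == "__main__":
    # Constructed stand-in for the token endpoint so the demo runs offline.
    issued = []

    def fake_fetch():
        issued.append(f"token-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 3600}

    cache = TokenCache(fake_fetch)
    print(cache.get(), cache.get(), "fetches:", cache.fetch_count)
```

Wiring the real endpoint in means passing a fetch_token that performs the POST shown earlier and a session_get such as requests.Session().get; everything else, including the lock, the early refresh and the single retry, stays the same.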

Security best practices

When integrating with OneLogin and handling authentication, adhering to security best practices is essential to protect user data and maintain system integrity. These practices apply to both API integrations and end-user authentication flows.

  • Least Privilege: When creating API credentials, grant only the minimum necessary permissions (scopes) required for your application to function. Avoid granting broad administrative access if only specific read or write operations are needed. Review and adjust permissions regularly.
  • Secure Credential Storage: Never hardcode API keys or client secrets directly into your application code. Use environment variables, secure configuration files, or dedicated secret management services (e.g., AWS Secrets Manager, Azure Key Vault, Google Secret Manager) to store sensitive credentials.
  • Rotate Credentials Regularly: Implement a policy for regular rotation of API keys and client secrets. This reduces the window of exposure if credentials are compromised. OneLogin allows you to generate new credentials and revoke old ones.
  • HTTPS/TLS Everywhere: Ensure all communication with OneLogin APIs and authentication endpoints occurs over HTTPS (TLS). This encrypts data in transit, preventing eavesdropping and tampering. OneLogin's APIs enforce TLS by default.
  • Error Handling: Implement robust error handling for API authentication failures. Avoid exposing sensitive information (e.g., specific reasons for authentication failure) in error messages returned to end-users or less privileged applications.
  • Validate Redirect URIs: For OAuth 2.0 Authorization Code flows, strictly configure and validate redirect URIs in OneLogin. This prevents malicious clients from intercepting authorization codes.
  • Implement Multi-Factor Authentication (MFA): Mandate MFA for all administrative users in OneLogin and encourage its adoption for all end-users. MFA significantly reduces the risk of credential-based attacks. OneLogin supports various MFA factors for enhanced security.
  • Monitor API Usage and Logs: Regularly review OneLogin's audit logs and API usage metrics for unusual activity or potential security incidents. Set up alerts for failed login attempts or unauthorized API calls.
  • Use Official SDKs: Where available, utilize OneLogin's official SDKs (e.g., Python, Node.js, Ruby) for API interactions. These SDKs are designed to handle authentication securely and correctly.
  • Keep Dependencies Updated: Ensure that all libraries, frameworks, and operating systems used in your application are kept up to date to patch known security vulnerabilities.
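The monitoring practice above is easiest to act on when failed logins are reduced to a small number of rules. The following Python example, added here and not part of the OneLogin documentation or SDKs, runs two such rules over a handful of constructed sign-in events: repeated failures from one user and source address inside a sliding window, and a success that follows a burst of failures. The event shape (ts, user, ip, outcome) is a constructed simplification, not OneLogin's event schema, and the thresholds are assumptions to tune for your tenant.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified shape (not OneLogin's event schema).
SAMPLE_EVENTS = """
{"ts": "2024-05-01T10:00:00Z", "user": "alice", "ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:01:00Z", "user": "alice", "ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:02:00Z", "user": "bob",   "ip": "198.51.100.7", "outcome": "failure"}
{"ts": "2024-05-01T10:02:30Z", "user": "alice", "ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:03:00Z", "user": "alice", "ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:03:30Z", "user": "bob",   "ip": "198.51.100.7", "outcome": "success"}
{"ts": "2024-05-01T10:04:00Z", "user": "alice", "ip": "203.0.113.5", "outcome": "failure"}
{"ts": "2024-05-01T10:05:00Z", "user": "alice", "ip": "203.0.113.5", "outcome": "success"}
{"ts": "2024-05-01T09:00:00Z", "user": "carol", "ip": "192.0.2.9",   "outcome": "failure"}
{"ts": "2024-05-01T09:30:00Z", "user": "carol", "ip": "192.0.2.9",   "outcome": "failure"}
{"ts": "2024-05-01T10:30:00Z", "user": "carol", "ip": "192.0.2.9",   "outcome": "failure"}
"""


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_failed_logins(lines, threshold=5, success_after=3, window=timedelta(minutes=10)):
    """Return alerts for (user, ip) pairs that cross `threshold` failures within
    `window`, and for a success that follows at least `success_after` recent failures.
    Events for one key are expected in time order; keys are independent."""
    recent = defaultdict(deque)   # (user, ip) -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])
        key = (ev["user"], ev["ip"])
        q = recent[key]
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ts)
            if len(q) == threshold:       # fire once, when the threshold is crossed
                alerts.append({"rule": "repeated_failures", "user": ev["user"],
                               "ip": ev["ip"], "count": len(q), "at": ev["ts"]})
        elif ev["outcome"] == "success":
            if len(q) >= success_after:   # a burst of failures ending in a success
                alerts.append({"rule": "success_after_failures", "user": ev["user"],
                               "ip": ev["ip"], "failures": len(q), "at": ev["ts"]})
            q.clear()                     # a successful login resets the counter
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_EVENTS.splitlines()):
        print(json.dumps(alert))
```

On the constructed events, alice trips both rules (five failures in five minutes, then a success), bob's two failures stay below every threshold, and carol's failures are each more than ten minutes apart and so never accumulate. The second rule is the one worth routing to a human: a success after a burst of failures is what a guessed or sprayed password looks like, and it is also the point at which forcing MFA or revoking the session matters most.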