
SSOe OAuth: Token Introspect Service and Secure Token Service (STS)

These services are necessary for the API service to verify the Access Token obtained on successful login through SSOe OAuth. This verification is required to authorize API requests from the client (currently the VA Mobile App).

Overview and Terminology

SSOe is operated by the VA Identity and Access Management (IAM) team - the same team that operates MVI. SSOe and MVI are independent systems (one might be up or down separately from the other) but they do interact with one another.

This integration relates to the OAuth signin pattern provided by SSOe.

Introspect Service

This service provides partners implementing an OAuth client or resource server the ability to access the Introspect endpoint to validate the access token and obtain a full set of user traits.

STS Access Token Exchange (future)

This SSOi token service offers a capability where partners can be authorized to exchange an OAuth access token for an STS SAML token.

Integration Endpoints

For Introspect and UserInfo, the following endpoint pattern is used: https://<env><contextroot>/sps/oauth/oauth20/<endpoint name>

We are configured to use ContextRoot=oauthe

We currently do not integrate with the userinfo endpoint.

The fully qualified endpoint URLs for the Introspect service are as follows:

  • Introspect

    • iDEV:

    • SQA:

    • PREPROD:

    • PROD:

The Secure Token Service uses a different pattern.

The fully qualified endpoint URLs for the STS service are as follows:

  • Secure Token Exchange:

    • iDEV:

    • SQA:

    • PREPROD:

    • PROD:

Required Configuration

PKI Certificates are required for access to the STS and Introspect endpoints.

  • The current dev/staging certificate is named Mobile_App_API_Server_Lowers.cer.

  • The current production certificate is named Mobile_App_API_Server.cer.

  • The private key is stored in AWS Parameter Store under /dsva-vagov/vets-api/<env>/mobile_app_api_key

  • The Public Key for the certificate has been added to the SSOe KeyStore.

  • This cert was acquired from the VA PKI team. See here for how to get internal certs from the VA.

You should be able to test that the certificate is functioning by running some curl commands from a fwdproxy instance.

curl -v --cert /etc/pki/tls/certs/vagov-mobile-app-api-server-lowers.pem --key /etc/pki/tls/private/vagov-mobile-app.key <Introspect endpoint URL>
# NOTE: the endpoint URL was not captured on this page; substitute the Introspect URL for the environment you are testing.
#       Without the cert and key flags you should get an HTML page with an error indicating the client SSL failure.
#       With the approved cert and key you should get a 400 Bad Request (we aren't providing a valid request; we are just checking SSL client certs and connectivity).

curl -v --cert /etc/pki/tls/certs/vagov-mobile-app-api-server-lowers.pem --key /etc/pki/tls/private/vagov-mobile-app.key <STS endpoint URL>
# NOTE: the endpoint URL was not captured on this page; substitute the STS URL for the environment you are testing.
#       Without the cert and key we should see an error in the SSL handshake.
#       With the approved cert and key we should see a successful SSL handshake and a SOAP response.

Known External Dependencies




Outage Status and Maintenance Windows

Service Level Agreement


Escalation Procedure

IAM has a 24x7 on call rotation for production SSOe issues.

Per communications from IAM team:

If anyone notices a Prod issue and needs IAM support, the best escalation path is to create a SNOW ticket and ask for it to be assigned to ‘AcS Tier 3’.


IAM Team:

  • Damien DeAntonio

  • Perry Vessels

  • IAM Contact: Linda Lotier (Engility)

  • IAM Engineering Resource: Prashant Mukadam (By Light)

  • Project Manager: LeeAnne Branum

VA Mobile team:

  • Product Manager: Ayush Chakravarty

  • Ad Hoc Engineer: Jonathan Julian

  • Ad Hoc Engineer: Patrick Saxton

  • Ad Hoc Engineer: Alastair Dawson
