MEF 128.1 LSO API Security Profile

2024 Apr

Amends: MEF 128

Primary Resource for: APIs

Product Portfolio: APIs

Standard Type: MEF Service Lifecycle


This document defines the security profile, security approaches and security architecture for LSO API security using OAuth2 and OIDC within either a centralized or federated identity provider framework. This document applies to all current and future LSO APIs.

The intended audience of this document is senior IT security professionals, in particular identity and security architects and compliance specialists implementing LSO APIs. This document is not a general reference on API security, but an LSO API-specific standard. 

The document first defines the LSO API security architecture and conformance requirements to that architecture. The standard then defines the following security components: 

  • JWT Best Practices for LSO API Security
  • JWKS Endpoints for cryptographic signatures and their verifications
  • Structure and conformance requirements for JWSs and JWEs
  • LSO API Payload Authenticity

Standards published by MEF are intended for general distribution to the public and may be downloaded from this site and reproduced without charge. Any reproduction of MEF documents shall contain the following statement: “Reproduced with permission of MEF Forum.” All rights granted to MEF under applicable copyright laws are expressly reserved. No permission is granted to any recipient or user of MEF publications to modify any of the information contained therein and MEF disclaims all responsibility and liability for such modifications.

Be In the Industry—Join with industry peers to advance digital service & API standards.

Join MEF