diff --git a/api/client-server/openid.yaml b/api/client-server/openid.yaml
new file mode 100644
index 00000000..4b89232e
--- /dev/null
+++ b/api/client-server/openid.yaml
@@ -0,0 +1,103 @@
+# Copyright 2018 New Vector Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+swagger: '2.0'
+info:
+  title: "Matrix Client-Server OpenID API"
+  version: "1.0.0"
+host: localhost:8008
+schemes:
+  - https
+  - http
+basePath: /_matrix/client/%CLIENT_MAJOR_VERSION%
+consumes:
+  - application/json
+produces:
+  - application/json
+securityDefinitions:
+  $ref: definitions/security.yaml
+paths:
+  "/user/{userId}/openid/request_token":
+    post:
+      summary: Get an OpenID token object to verify the requester's identity.
+      description: |-
+        Gets an OpenID token object that the requester may supply to another
+        service to verify their identity in Matrix. The generated token is only
+        valid for exchanging for user information from the federation API for
+        OpenID.
+
+        The access token generated is only valid for the OpenID API. It cannot
+        be used to request another OpenID access token or call ``/sync``, for
+        example.
+      operationId: requestOpenIdToken
+      security:
+        - accessToken: []
+      parameters:
+        - in: path
+          type: string
+          name: userId
+          description: |-
+            The user to request and OpenID token for. Should be the user who
+            is authenticated for the request.
+          required: true
+          x-example: "@alice:example.com"
+        - in: body
+          name: body
+          description: An empty object. Reserved for future expansion.
+          required: true
+          schema:
+            type: object
+            example: {}
+      responses:
+        200:
+          description: |-
+            OpenID token information. This response is nearly compatible with the
+            response documented in the `OpenID 1.0 Specification <http://openid.net/specs/openid-connect-core-1_0.html#TokenResponse>`_
+            with the only difference being the lack of an ``id_token``. Instead,
+            the Matrix homeserver's name is provided.
+          examples:
+            application/json: {
+              "access_token": "SomeT0kenHere",
+              "token_type": "Bearer",
+              "matrix_server_name": "example.com",
+              "expires_in": 3600,
+            }
+          schema:
+            type: object
+            properties:
+              access_token:
+                type: string
+                description: |-
+                  An access token the consumer may use to verify the identity of
+                  the person who generated the token. This is given to the federation
+                  API ``GET /openid/userinfo``.
+              token_type:
+                type: string
+                description: The string ``Bearer``.
+              matrix_server_name:
+                type: string
+                description: |-
+                  The homeserver domain the consumer should use when attempting to
+                  verify the user's identity.
+              expires_in:
+                type: int
+                description: |-
+                  The number of seconds before this token expires and a new one must
+                  be generated.
+            required: ['access_token', 'token_type', 'matrix_server_name', 'expires_in']
+        429:
+          description: This request was rate-limited.
+          schema:
+            "$ref": "definitions/errors/rate_limited.yaml"
+      tags:
+        - OpenID
diff --git a/specification/modules/openid.rst b/specification/modules/openid.rst
new file mode 100644
index 00000000..63406719
--- /dev/null
+++ b/specification/modules/openid.rst
@@ -0,0 +1,24 @@
+.. Copyright 2018 New Vector Ltd.
+..
+.. Licensed under the Apache License, Version 2.0 (the "License");
+.. you may not use this file except in compliance with the License.
+.. You may obtain a copy of the License at
+..
+..     http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS,
+.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.. See the License for the specific language governing permissions and
+.. limitations under the License.
+
+OpenID
+======
+
+.. _module:openid:
+
+This module allows users to verify their identity with a third party service. The
+third party service does need to be matrix-aware in that it will need to know to
+resolve matrix homeservers to exchange the user's token for identity information.
+
+{{openid_cs_http_api}}
diff --git a/specification/targets.yaml b/specification/targets.yaml
index 53957e0a..5480bbc5 100644
--- a/specification/targets.yaml
+++ b/specification/targets.yaml
@@ -66,6 +66,7 @@ groups:  # reusable blobs of files when prefixed with 'group:'
     - modules/stickers.rst
     - modules/report_content.rst
     - modules/third_party_networks.rst
+    - modules/openid.rst
 
 
 title_styles: ["=", "-", "~", "+", "^", "`", "@", ":"]