diff --git a/api/server-server/openid.yaml b/api/server-server/openid.yaml
new file mode 100644
index 00000000..0eac48c8
--- /dev/null
+++ b/api/server-server/openid.yaml
@@ -0,0 +1,63 @@
+# Copyright 2017 Kamax.io
+# Copyright 2018 New Vector Ltd
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+swagger: '2.0'
+info:
+  title: "Matrix Federation OpenID API"
+  version: "1.0.0"
+host: localhost:8448
+schemes:
+  - https
+basePath: /_matrix/federation/v1
+produces:
+  - application/json
+paths:
+  "/openid/userinfo":
+    get:
+      summary: Exchange an OpenID token for user information
+      description: |-
+        Exchanges an OpenID access token for information about the user
+        who generated the token. Currently this only exposes the Matrix
+        User ID of the owner.
+      operationId: exchangeOpenIdToken
+      parameters:
+        - in: path
+          name: access_token
+          type: string
+          description: |-
+            The OpenID access token to get information about the owner for.
+          required: true
+          x-example: SomeT0kenHere
+      responses:
+        200:
+          description: |-
+            Information about the user who generated the OpenID access token.
+          schema:
+            type: object
+            properties:
+              sub:
+                type: string
+                description: The Matrix User ID who generated the token.
+                example: "@alice:example.com"
+            required: ['sub']
+        401:
+          description: The token was not recognized or has expired.
+          schema:
+            $ref: "../client-server/definitions/errors/error.yaml"
+          examples:
+            application/json: {
+              "errcode": "M_UNKNOWN_TOKEN",
+              "error": "Access token unknown or expired"
+            }
diff --git a/specification/server_server_api.rst b/specification/server_server_api.rst
index 84a76639..e6fc8936 100644
--- a/specification/server_server_api.rst
+++ b/specification/server_server_api.rst
@@ -995,6 +995,18 @@ that can be made.
 
 {{query_ss_http_api}}
 
+OpenID
+------
+
+Third party services can exchange an access token previously generated by the 
+`Client-Server API` for information about a user. This can help verify that a
+user is who they say they are without granting full access to the user's account.
+
+Access tokens generated by the OpenID API are only good for the OpenID API and 
+nothing else.
+
+{{openid_ss_http_api}}
+
 Send-to-device messaging
 ------------------------