Skip to content

Project overview

This website provides technical documentation for the benefits application from the California Integrated Travel Project (Cal-ITP).

Cal-ITP Benefits - Landing - Laptop+Mobile

Cal-ITP Benefits is a web application that enables digital eligibility verification and enrollment for transit benefits onto transit riders’ existing contactless debit and credit cards.

The development of this publicly-accessible client is being managed by Caltrans’ California Integrated Travel Project (Cal-ITP), in partnership with the California Department of Technology (CDT). From the Cal-ITP site:

Our Cal-ITP Benefits web application streamlines the process for transit riders to instantly qualify for and receive discounts, starting with Monterey-Salinas Transit (MST), which offers a half-price Senior Fare. Now older adults (65+) who are able to electronically verify their identity are able to access MST’s reduced fares without the hassle of paperwork.

We worked with state partners on this product launch, and next we’re working to bring youth, lower-income riders, veterans, people with disabilities, and others the same instant access to free or reduced fares across all California transit providers, without having to prove eligibility to each agency.

Adoption by transit agencies

The following California transit agencies have launched Cal-ITP Benefits for their riders, with the following enrollment pathway options:

Transit agency Older adults Agency card Veterans Low-income Initial agency launch
Monterey-Salinas Transit Live Live Live 12/2021
Santa Barbara Metropolitan Transit District Live Live   10/2023
Sacramento Regional Transit District In test      

Supported enrollment pathways

The Cal-ITP Benefits app supports the following enrollment pathways that use the corresponding eligibility verification methods:

Enrollment pathway Eligibility verification Status Launch
Older adults ID Proofed Live 08/2022
Agency cards Eligibility API Live 11/2022
Veterans Veteran Confirmation API Live 09/2023
Low-income CalFresh Confirm API Live 07/2024

Read more about each enrollment pathway.

Technical and security details

benefits is a Django 5 web application. The application talks to one or more Eligibility Verification APIs or authentication providers. These APIs and the application itself are designed for privacy and security of user information:

  • The API communicates with signed and encrypted JSON Web Tokens containing only the most necessary of user data for the purpose of eligibility verification
  • The application requires no user accounts and stores no information about the user
  • Interaction with the application is anonymous, with only minimal event tracking for usage and problem analysis

Running the application locally is possible with Docker and Docker Compose. Hosting information.

The user interface and content is available in both English and Spanish. Additional language support is possible via Django’s i18n and l10n features.

The application communicates with external services like Littlepay via API calls and others like the Identity Gateway via redirects, both over the public internet. See all the system interconnections.


The Benefits application is deployed to Microsoft Azure. Traffic is encrypted between the user and the application, as well as between the application and external systems.

The network is managed by the California Department of Technology (CDT), who provide a firewall and distributed denial-of-service (DDoS) protection.

You can find more technical details on our infrastructure page.

Data storage

The Benefits application doesn’t collect or store any user data directly, and we minimize the information exchanged between systems. The following information is temporarily stored in an encrypted session in the user’s browser:

  • The user’s progress through an enrollment pathway
  • Credentials for interacting with the eligibility verification services

Sensitive user information exists in the following places:

None of that information is accessible to the Benefits system/team.

Learn more about the security/privacy practices of some of our third-party integrations:

Benefits collects analytics on usage, without any identifying information. You can find more details on our analytics page.


Dependabot immediately notifies the team of vulnerabilities in application dependencies.

Upon doing new major integrations, features, or architectural changes, the Benefits team has a penetration test performed by a third party to ensure the security of the system.

All code changes are reviewed by at least one other member of the engineering team, which is enforced through branch protections.