# Table of Contents - [Singpass APIs Documentation | Singpass Developer Docs](#singpass-apis-documentation-singpass-developer-docs) - [Quick Start | CIBA | Singpass Developer Docs](#quick-start-ciba-singpass-developer-docs) - [Step-up Authentication using Push Notifications | CIBA | Singpass Developer Docs](#step-up-authentication-using-push-notifications-ciba-singpass-developer-docs) - [Backchannel Authentication Endpoint | CIBA | Singpass Developer Docs](#backchannel-authentication-endpoint-ciba-singpass-developer-docs) - [Staging and Production Endpoints | CIBA | Singpass Developer Docs](#staging-and-production-endpoints-ciba-singpass-developer-docs) - [Error Response | CIBA | Singpass Developer Docs](#error-response-ciba-singpass-developer-docs) - [Token Endpoint | CIBA | Singpass Developer Docs](#token-endpoint-ciba-singpass-developer-docs) - [Key Principles | (Legacy) Verify | Singpass Developer Docs](#key-principles-legacy-verify-singpass-developer-docs) - [FAQ | (Legacy) Verify | Singpass Developer Docs](#faq-legacy-verify-singpass-developer-docs) - [Brand Guidelines and Resources | (Legacy) Verify | Singpass Developer Docs](#brand-guidelines-and-resources-legacy-verify-singpass-developer-docs) - [Overview | (Legacy) Verify | Singpass Developer Docs](#overview-legacy-verify-singpass-developer-docs) - [Verify API | (Legacy) Verify | Singpass Developer Docs](#verify-api-legacy-verify-singpass-developer-docs) - [Verify API Data Catalog | (Legacy) Verify | Singpass Developer Docs](#verify-api-data-catalog-legacy-verify-singpass-developer-docs) - [Data Catalog | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#data-catalog-legacy-myinfo-v3-v4-singpass-developer-docs) - [Legacy Myinfo v3/v4 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#legacy-myinfo-v3-v4-legacy-myinfo-v3-v4-singpass-developer-docs) - [Key Principles | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#key-principles-legacy-myinfo-v3-v4-singpass-developer-docs) - [.well-known Endpoints | CIBA | Singpass Developer Docs](#-well-known-endpoints-ciba-singpass-developer-docs) - [Testing with Test Personas | (Legacy) Verify | Singpass Developer Docs](#testing-with-test-personas-legacy-verify-singpass-developer-docs) - [Error Code | (Legacy) Verify | Singpass Developer Docs](#error-code-legacy-verify-singpass-developer-docs) - [Technical Requirements | (Legacy) Verify | Singpass Developer Docs](#technical-requirements-legacy-verify-singpass-developer-docs) - [Tutorials | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#tutorials-legacy-myinfo-v3-v4-singpass-developer-docs) - [Resources | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#resources-legacy-myinfo-v3-v4-singpass-developer-docs) - [Myinfo v4 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#myinfo-v4-legacy-myinfo-v3-v4-singpass-developer-docs) - [Latest X.509 Public Key Certificate | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#latest-x-509-public-key-certificate-legacy-myinfo-v3-v4-singpass-developer-docs) - [Technical Concepts | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#technical-concepts-legacy-myinfo-v3-v4-singpass-developer-docs) - [Difference between v3 and v4 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#difference-between-v3-and-v4-legacy-myinfo-v3-v4-singpass-developer-docs) - [Myinfo Connectors | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#myinfo-connectors-legacy-myinfo-v3-v4-singpass-developer-docs) - [Technical Guidelines | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#technical-guidelines-legacy-myinfo-v3-v4-singpass-developer-docs) - [Proof of Key Code Exchange (PKCE) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#proof-of-key-code-exchange-pkce-legacy-myinfo-v3-v4-singpass-developer-docs) - [Resources | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#resources-legacy-myinfo-v3-v4-singpass-developer-docs) - [Myinfo v3 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#myinfo-v3-legacy-myinfo-v3-v4-singpass-developer-docs) - [OAuth 2.1 Concepts | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#oauth-2-1-concepts-legacy-myinfo-v3-v4-singpass-developer-docs) - [Tutorials | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#tutorials-legacy-myinfo-v3-v4-singpass-developer-docs) - [Technical Guidelines | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#technical-guidelines-legacy-myinfo-v3-v4-singpass-developer-docs) - [Tutorial 1: Basic Person API | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#tutorial-1-basic-person-api-legacy-myinfo-v3-v4-singpass-developer-docs) - [Myinfo Connectors | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#myinfo-connectors-legacy-myinfo-v3-v4-singpass-developer-docs) - [Client Assertions | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#client-assertions-legacy-myinfo-v3-v4-singpass-developer-docs) - [Tutorial 1: Myinfo Person sample Data | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#tutorial-1-myinfo-person-sample-data-legacy-myinfo-v3-v4-singpass-developer-docs) - [JSON Web Token (JWT) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#json-web-token-jwt-legacy-myinfo-v3-v4-singpass-developer-docs) - [JSON Web Key Store (JWKS) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#json-web-key-store-jwks-legacy-myinfo-v3-v4-singpass-developer-docs) - [FAQ | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#faq-legacy-myinfo-v3-v4-singpass-developer-docs) - [Demonstration of Proof-of-Possession (DPoP) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#demonstration-of-proof-of-possession-dpop-legacy-myinfo-v3-v4-singpass-developer-docs) - [FAQ | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#faq-legacy-myinfo-v3-v4-singpass-developer-docs) - [Error Codes | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#error-codes-legacy-myinfo-v3-v4-singpass-developer-docs) - [Error Codes | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#error-codes-legacy-myinfo-v3-v4-singpass-developer-docs) - [User Device & Software Requirement | Singpass Developer Docs](#user-device-software-requirement-singpass-developer-docs) - [Pre-requisites for onboarding | Singpass Developer Docs](#pre-requisites-for-onboarding-singpass-developer-docs) - [User Journey | Singpass Developer Docs](#user-journey-singpass-developer-docs) - [Demo App & Sample Code | Singpass Developer Docs](#demo-app-sample-code-singpass-developer-docs) - [Singpass Login | Singpass Developer Docs](#singpass-login-singpass-developer-docs) - [Tutorial 2: Using OAuth2 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#tutorial-2-using-oauth2-legacy-myinfo-v3-v4-singpass-developer-docs) - [Key Principles | Singpass Developer Docs](#key-principles-singpass-developer-docs) - [Tutorial 3: Implementing PKI Digital Signature | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#tutorial-3-implementing-pki-digital-signature-legacy-myinfo-v3-v4-singpass-developer-docs) - [FAQ | Singpass Developer Docs](#faq-singpass-developer-docs) - [Singpass Myinfo | Singpass Developer Docs](#singpass-myinfo-singpass-developer-docs) - [Tutorial 2: End-to-end Integration with Myinfo v4 APIs | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#tutorial-2-end-to-end-integration-with-myinfo-v4-apis-legacy-myinfo-v3-v4-singpass-developer-docs) - [Integration Guide | Singpass Developer Docs](#integration-guide-singpass-developer-docs) - [Overview of Singpass | Singpass Developer Docs](#overview-of-singpass-singpass-developer-docs) - [Quick Start | Singpass Developer Docs](#quick-start-singpass-developer-docs) - [Data Display Guidelines | Singpass Developer Docs](#data-display-guidelines-singpass-developer-docs) - [Logo Download and Brand Guidelines | Singpass Developer Docs](#logo-download-and-brand-guidelines-singpass-developer-docs) - [Singpass Button Guidelines (For developers and designers) | Singpass Developer Docs](#singpass-button-guidelines-for-developers-and-designers-singpass-developer-docs) - [Scheduled Downtimes | Singpass Developer Docs](#scheduled-downtimes-singpass-developer-docs) - [Key Principles | Singpass Developer Docs](#key-principles-singpass-developer-docs) - [Understanding the basics of OIDC | Singpass Developer Docs](#understanding-the-basics-of-oidc-singpass-developer-docs) - [Migration Guides | Singpass Developer Docs](#migration-guides-singpass-developer-docs) - [Technical Concepts | Singpass Developer Docs](#technical-concepts-singpass-developer-docs) - [2. Handling the Redirect | Singpass Developer Docs](#2-handling-the-redirect-singpass-developer-docs) - [CPF Contribution History (up to 15 months) | Singpass Developer Docs](#cpf-contribution-history-up-to-15-months-singpass-developer-docs) - [OpenID Provider Configuration | Singpass Developer Docs](#openid-provider-configuration-singpass-developer-docs) - [5. The Userinfo Request | Singpass Developer Docs](#5-the-userinfo-request-singpass-developer-docs) - [Proof Key for Code Exchange (PKCE) | Singpass Developer Docs](#proof-key-for-code-exchange-pkce-singpass-developer-docs) - [Local Registered Birth Records and Sponsored Child Records | Singpass Developer Docs](#local-registered-birth-records-and-sponsored-child-records-singpass-developer-docs) - [Understanding the Data | Singpass Developer Docs](#understanding-the-data-singpass-developer-docs) - [API Specifications | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs](#api-specifications-legacy-myinfo-v3-v4-singpass-developer-docs) - [Pricing | Singpass Developer Docs](#pricing-singpass-developer-docs) - [Notice of Assessment (Detailed) | Singpass Developer Docs](#notice-of-assessment-detailed-singpass-developer-docs) - [Myinfo Test Personas | Singpass Developer Docs](#myinfo-test-personas-singpass-developer-docs) - [Overview of Singpass Flow | Singpass Developer Docs](#overview-of-singpass-flow-singpass-developer-docs) - [3. The Token Request | Singpass Developer Docs](#3-the-token-request-singpass-developer-docs) - [Catalog | Singpass Developer Docs](#catalog-singpass-developer-docs) - [App Description | Singpass Developer Docs](#app-description-singpass-developer-docs) - [Notice of Assessment (Basic) | Singpass Developer Docs](#notice-of-assessment-basic-singpass-developer-docs) - [Generation Of Client Assertion | Singpass Developer Docs](#generation-of-client-assertion-singpass-developer-docs) - [4. Parsing the ID Token | Singpass Developer Docs](#4-parsing-the-id-token-singpass-developer-docs) - [FAQ | Singpass Developer Docs](#faq-singpass-developer-docs) - [(Legacy) Pre-FAPI 2.0 API Specifications | Singpass Developer Docs](#-legacy-pre-fapi-2-0-api-specifications-singpass-developer-docs) - [JSON Web Key Sets (JWKS) | Singpass Developer Docs](#json-web-key-sets-jwks-singpass-developer-docs) - [Government Scheme | Singpass Developer Docs](#government-scheme-singpass-developer-docs) - [2. Token Endpoint | Singpass Developer Docs](#2-token-endpoint-singpass-developer-docs) - [For Mobile Developers | Singpass Developer Docs](#for-mobile-developers-singpass-developer-docs) - [Site URL | Singpass Developer Docs](#site-url-singpass-developer-docs) - [Changelog | Singpass Developer Docs](#changelog-singpass-developer-docs) - [Myinfo (v4) apps | Singpass Developer Docs](#myinfo-v4-apps-singpass-developer-docs) - [Testing with Singpass App | Singpass Developer Docs](#testing-with-singpass-app-singpass-developer-docs) - [Requesting Userinfo | Singpass Developer Docs](#requesting-userinfo-singpass-developer-docs) - [.well-known Endpoints | Singpass Developer Docs](#-well-known-endpoints-singpass-developer-docs) - [Redirection on success | Singpass Developer Docs](#redirection-on-success-singpass-developer-docs) - [Error Response | Singpass Developer Docs](#error-response-singpass-developer-docs) - [1. Authorization Endpoint | Singpass Developer Docs](#1-authorization-endpoint-singpass-developer-docs) - [Login / Myinfo (v5) apps | Singpass Developer Docs](#login-myinfo-v5-apps-singpass-developer-docs) - [Allowed Scopes | Singpass Developer Docs](#allowed-scopes-singpass-developer-docs) - [Redirect URL | Singpass Developer Docs](#redirect-url-singpass-developer-docs) - [Token-based Authentication | Singpass Developer Docs](#token-based-authentication-singpass-developer-docs) - [App Name | Singpass Developer Docs](#app-name-singpass-developer-docs) - [Contact | Singpass Developer Docs](#contact-singpass-developer-docs) - [Understanding the App Config Fields | Singpass Developer Docs](#understanding-the-app-config-fields-singpass-developer-docs) - [Support Emails | Singpass Developer Docs](#support-emails-singpass-developer-docs) - [Demonstrating Proof of Possession (DPoP) | Singpass Developer Docs](#demonstrating-proof-of-possession-dpop-singpass-developer-docs) - [3. Userinfo Endpoint | Singpass Developer Docs](#3-userinfo-endpoint-singpass-developer-docs) - [Myinfo (v3) apps | Singpass Developer Docs](#myinfo-v3-apps-singpass-developer-docs) - [Education and Employment | Singpass Developer Docs](#education-and-employment-singpass-developer-docs) - [Client JWK Requirements | Singpass Developer Docs](#client-jwk-requirements-singpass-developer-docs) - [Property | Singpass Developer Docs](#property-singpass-developer-docs) - [Obtaining Access to the Singpass Developer Portal (SDP) | Singpass Developer Docs](#obtaining-access-to-the-singpass-developer-portal-sdp-singpass-developer-docs) - [Create Staging Test Account | Singpass Developer Docs](#create-staging-test-account-singpass-developer-docs) - [Toggling Between Staging and Production | Singpass Developer Docs](#toggling-between-staging-and-production-singpass-developer-docs) - [Logging in to the Singpass Developer Portal (SDP) | Singpass Developer Docs](#logging-in-to-the-singpass-developer-portal-sdp-singpass-developer-docs) - [User Guide | Singpass Developer Docs](#user-guide-singpass-developer-docs) - [How to View Entity Transactions | Singpass Developer Docs](#how-to-view-entity-transactions-singpass-developer-docs) - [Finance | Singpass Developer Docs](#finance-singpass-developer-docs) - [1. The Authorization Request | Singpass Developer Docs](#1-the-authorization-request-singpass-developer-docs) - [How to View Production App Transactions | Singpass Developer Docs](#how-to-view-production-app-transactions-singpass-developer-docs) - [Create Staging App | Singpass Developer Docs](#create-staging-app-singpass-developer-docs) - [View Singpass Service Agreement | Singpass Developer Docs](#view-singpass-service-agreement-singpass-developer-docs) - [How to View or Download Your Invoice | Singpass Developer Docs](#how-to-view-or-download-your-invoice-singpass-developer-docs) - [Activate Production App | Singpass Developer Docs](#activate-production-app-singpass-developer-docs) - [Personal | Singpass Developer Docs](#personal-singpass-developer-docs) - [Consent to Singpass Service Agreement | Singpass Developer Docs](#consent-to-singpass-service-agreement-singpass-developer-docs) - [Updating Billing Contact Information | Singpass Developer Docs](#updating-billing-contact-information-singpass-developer-docs) - [Edit Staging App | Singpass Developer Docs](#edit-staging-app-singpass-developer-docs) - [Deactivate Production App | Singpass Developer Docs](#deactivate-production-app-singpass-developer-docs) - [Create Production App | Singpass Developer Docs](#create-production-app-singpass-developer-docs) - [Edit Production App | Singpass Developer Docs](#edit-production-app-singpass-developer-docs) - [Authorization Code Grant | Singpass Developer Docs](#authorization-code-grant-singpass-developer-docs) --- # Singpass APIs Documentation | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close ### [hashtag](https://docs.developer.singpass.gov.sg/docs#what-you-can-do-here) 🚀 What You Can Do Here #### [hashtag](https://docs.developer.singpass.gov.sg/docs#for-business-users) For Business Users * Learn about our Singpass product offerings: * [Singpass Login](https://docs.developer.singpass.gov.sg/docs/products/singpass-login) * [Myinfo](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo) * Understand the [onboarding process](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start) and required [pre-requisites](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding) * Learn how to [navigate and use the Singpass Developer Portal (SDP)](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide) #### [hashtag](https://docs.developer.singpass.gov.sg/docs#for-developers) For Developers * Access our [integration guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api) for Singpass Login and Myinfo (v5) * Use [common test profiles](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas) to test Myinfo (v5) integrations * Understand the [fundamentals of OIDC](https://docs.developer.singpass.gov.sg/docs/introduction/overview-of-singpass) and authentication flows ### [hashtag](https://docs.developer.singpass.gov.sg/docs#latest-updates) 🔥 Latest Updates #### [hashtag](https://docs.developer.singpass.gov.sg/docs#finalised-fapi-2.0-documentation-is-now-available) 📢 Finalised FAPI 2.0 Documentation Is Now Available All FAPI 2.0 specifications, technical concepts, and migration guides are now published. #### [hashtag](https://docs.developer.singpass.gov.sg/docs#mandatory-deadline-31-december-2026) ⚠️ Mandatory Deadline: **31 December 2026** All Singpass APIs must be fully compliant with FAPI 2.0 by 31 Dec 2026. Start reviewing the updated documents and plan your migration early. [NextQuick Startchevron-right](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start) Last updated 2 months ago Was this helpful? --- # Quick Start | CIBA | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#ciba-onboarding-guide) CIBA Onboarding Guide -------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#overview) Overview CIBA (Client-Initiated Backchannel Authentication) onboarding is currently available only to **Government agencies** and is assessed on a case-by-case basis. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#typical-ciba-flow) Typical CIBA Flow For a call-centre use case: 1. A call-centre agent verifies the caller’s identity 2. The agent initiates a CIBA request via Singpass 3. A push notification is sent to the user’s Singpass app 4. The user reviews and approves the request 5. The transaction proceeds upon successful authentication ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#onboarding-steps) Onboarding Steps #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#id-1.-create-a-staging-app) 1\. Create a Staging App Create a staging app via the Singpass Developer Portal (SDP): https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-app Configuration: * Select openid as the only scope * Use dummy values for fields not applicable (e.g. Site URL, Redirect URL) * Configure your JWKS endpoint #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#id-2.-submit-use-case-for-assessment) 2\. Submit Use Case for Assessment Share the following details via Partner Support: * Description of your CIBA use case * When is CIBA triggered? * Why is CIBA required? * Expected monthly transaction volume * Systems that will integrate with Singpass #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#id-3.-evaluation-by-singpass) 3\. Evaluation by Singpass The Singpass Product and Security teams will assess: * Alignment with CIBA policy * Authentication assurance requirements * User journey and risk controls * Availability of fallback flows > We may follow up with clarifications during this stage. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#id-4.-whitelisting-and-testing) 4\. Whitelisting & Testing If the use case is approved: * Your use case will be whitelisted * Your team can proceed with testing in staging #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba#id-5.-production-setup) 5\. Production Setup Once testing is complete: 1. Submit a Production App Request via SDP 2. Indicate that the app is for CIBA 3. Include your User Journey (UJ) 4. Singpass will whitelist your client ID for CIBA usage [NextStep-up Authentication using Push Notificationschevron-right](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications) Last updated 1 month ago Was this helpful? --- # Step-up Authentication using Push Notifications | CIBA | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close circle-exclamation Onboarding for CIBA is only for Government agencies and on a case-by-case basis. [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications#introduction) Introduction -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This guide illustrates the Step-up Authentication (Push Notifications) Flow and the APIs that Relying Parties (RP) need to integrate with. The Step-up authentication feature can be employed in use-cases where RPs require their users to perform an additional layer of authentication before proceeding on with a **high-risk transaction**. This kind of authentication is done by triggering a push notification to the user’s Singpass Mobile Application. RPs who are looking to opt-in for Step-up Authentication are required to integrate with Singpass operating in the **Client-initiated Backchannel Authentication (CIBA) Poll Mode** (see [CIBA specsarrow-up-right](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7) ). Refer to this diagram for an overview of the CIBA authentication flow between an RP, Singpass and its dependencies. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F4204905545-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FE7FCbKTvZEx7uI8INZXT%252Fuploads%252FAjF2OPRhkzjBzKHje75F%252Fimage.png%3Falt%3Dmedia%26token%3D994c3461-0d5d-463e-9f59-c4d87a2e8bf5&width=768&dpr=3&quality=100&sign=a63acaa1&sv=2) CIBA Authentication Flow between RP, Singpass and its dependencies [PreviousQuick Startchevron-left](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba) [NextBackchannel Authentication Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint) Last updated 1 month ago Was this helpful? Was this helpful? --- # Backchannel Authentication Endpoint | CIBA | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close As mentioned previously, the Step-up Authentication (Push Notifications) flow is implemented over the CIBA Poll mode flow. This endpoint allows RPs to make an authentication request to begin a CIBA session with Singpass for a given user identifier. When initiation is successful, the RP will receive an auth session identifier which should be used for the subsequent CIBA steps. Details about the user identifier is detailed in the `login_hint` field under the [Request Parameters](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#form-parameters) section below. [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#client_authentication) Client Authentication -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To initiate the CIBA flow, RPs must authenticate itself with Singpass using client assertion JWT. Refer to [this section](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client-authentication-client-assertion-jwt) for the structure of assertion JWT. [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#backchannel_authentication_request_and_response) Backchannel Authentication Request and Response ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#curl-request) **Curl request** Copy $ curl 'https://stg-id.singpass.gov.sg/bc-auth' -i -X POST \ -H 'Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1' \ -d 'client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiJjbGllbnRJZCJ9.9STntUMUIaSSqe9fSET28n5szfM7VjD98ElfpVQtEhl5S8bnwKm2GpCsvMGhhzCifEP8uJyyjylFGhXOra2EderNpp3yrVHePlhIiB1nhVcXPYL1wng0iWJ85kk-PcZb&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&scope=openid&login_hint=178478de-fed7-4c03-a75e-e68c44d0d5f0' ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#form-parameters) **Form parameters** Parameter Description `client_assertion` The jwt used for authorization `client_assertion_type` The type of grant being requested. This MUST be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` `login_hint` A hint to the OpenID Provider regarding the end-user for whom authentication is being requested. Must be in upper case NRIC format or lower case UUID format. `scope` Supported value is `openid`. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#http-request) **HTTP request** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#http-response) **HTTP response** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#httpie-request) **HTTPie request** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#request-body) **Request body** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#response-body) **Response body** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#response-fields) **Response fields** Path Type Description `auth_req_id` `String` ID given in the start of the OIDC CIBA flow that should be used to reference this authentication session. `expires_in` `Number` A JSON number with a positive integer value indicating the expiration time of the "auth\_req\_id" in seconds since the authentication request was received. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#error-responses) **Error Responses** The table below shows the list of common error codes that may be returned for this endpoint. Error Code Description `unknown_user_id` No active valid Singpass App (mobile) user available for given login\_hint. `access_denied` End-user is an SFA user and is not authorised to authenticate into this RP. `invalid_client` RP failed client assertion authentication. `invalid_request` Invalid request parameters. `invalid_scope` The scope requested is not valid. [PreviousStep-up Authentication using Push Notificationschevron-left](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications) [NextToken Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint) Last updated 1 year ago Was this helpful? * [Client Authentication](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#client_authentication) * [Backchannel Authentication Request and Response](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#backchannel_authentication_request_and_response) * [Curl request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#curl-request) * [Form parameters](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#form-parameters) * [HTTP request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#http-request) * [HTTP response](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#http-response) * [HTTPie request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#httpie-request) * [Request body](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#request-body) * [Response body](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#response-body) * [Response fields](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#response-fields) * [Error Responses](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint#error-responses) Was this helpful? Copy POST /bc-auth HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1 Host: stg-id.singpass.gov.sg Content-Length: 355 client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiJjbGllbnRJZCJ9.9STntUMUIaSSqe9fSET28n5szfM7VjD98ElfpVQtEhl5S8bnwKm2GpCsvMGhhzCifEP8uJyyjylFGhXOra2EderNpp3yrVHePlhIiB1nhVcXPYL1wng0iWJ85kk-PcZb&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&scope=openid&login_hint=178478de-fed7-4c03-a75e-e68c44d0d5f0 Copy HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate X-XSS-Protection: 0 X-Frame-Options: DENY Date: Fri, 14 Feb 2025 01:38:24 GMT Connection: keep-alive Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff Transfer-Encoding: chunked Content-Type: application/json Content-Length: 82 { "auth_req_id" : "a167061f-1dfc-47a4-9537-eb7a4247619e", "expires_in" : 300 } Copy $ http --form POST 'https://stg-id.singpass.gov.sg/bc-auth' \ 'client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiJjbGllbnRJZCJ9.9STntUMUIaSSqe9fSET28n5szfM7VjD98ElfpVQtEhl5S8bnwKm2GpCsvMGhhzCifEP8uJyyjylFGhXOra2EderNpp3yrVHePlhIiB1nhVcXPYL1wng0iWJ85kk-PcZb' \ 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \ 'scope=openid' \ 'login_hint=178478de-fed7-4c03-a75e-e68c44d0d5f0' Copy client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiJjbGllbnRJZCJ9.9STntUMUIaSSqe9fSET28n5szfM7VjD98ElfpVQtEhl5S8bnwKm2GpCsvMGhhzCifEP8uJyyjylFGhXOra2EderNpp3yrVHePlhIiB1nhVcXPYL1wng0iWJ85kk-PcZb&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&scope=openid&login_hint=178478de-fed7-4c03-a75e-e68c44d0d5f0 Copy { "auth_req_id" : "a167061f-1dfc-47a4-9537-eb7a4247619e", "expires_in" : 300 } --- # Staging and Production Endpoints | CIBA | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Endpoint Access Mechanism Staging Production [Backchannel Authentication Endpointarrow-up-right](https://stg-id.singpass.gov.sg/docs/step-up-auth-ciba/api#_backchannel_authentication_endpoint) Public TLS w/ Client Assertions [https://stg-id.singpass.gov.sg/bc-autharrow-up-right](https://stg-id.singpass.gov.sg/bc-auth) [https://id.singpass.gov.sg/bc-autharrow-up-right](https://id.singpass.gov.sg/bc-auth) [Token Endpointarrow-up-right](https://stg-id.singpass.gov.sg/docs/step-up-auth-ciba/api#_token_endpoint) Public TLS w/ Client Assertions [https://stg-id.singpass.gov.sg/tokenarrow-up-right](https://stg-id.singpass.gov.sg/token) [https://id.singpass.gov.sg/tokenarrow-up-right](https://id.singpass.gov.sg/token) [JWKS endpointarrow-up-right](https://stg-id.singpass.gov.sg/docs/step-up-auth-ciba/api#_jwks_endpoint) Public TLS [https://stg-id.singpass.gov.sg/.well-known/keysarrow-up-right](https://stg-id.singpass.gov.sg/.well-known/keys) [https://id.singpass.gov.sg/.well-known/keysarrow-up-right](https://id.singpass.gov.sg/.well-known/keys) triangle-exclamation RPs must not do "cert pinning" or create any form of dependency to the TLS certificates of the above domains. Singpass reserves the right to rotate its TLS certificates without prior notice to RPs. [Previous.well-known Endpointschevron-left](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints) [NextError Responsechevron-right](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/error-response) Last updated 1 year ago Was this helpful? Was this helpful? --- # Error Response | CIBA | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Singpass APIs are RESTful in design and communicate classes of errors based on the **HTTP status code**. The status code should be used to determine if the error is caused by consumer or provider. Consumers should log the HTTP status code along with the `id` and/or `trace_id` of the error. Example: Invalid Request Parameters Copy HTTP/1.1 400 Bad Request Connection: keep-alive Cache-Control: no-cache, no-store, must-revalidate Transfer-Encoding: chunked Content-Type: application/json Date: Fri, 14 Feb 2025 01:37:57 GMT Content-Length: 190 { "id" : "bcba4bc3-534e-4891-bfa2-e872b4502d80", "error" : "CLIENT_SIDE_ERROR", "error_description" : "This is an invalid request.", "trace_id" : "67ae9e7585c905b608ca205f42270eff" } Example: Server Error Copy HTTP/1.1 500 Internal Server Error Cache-Control: no-cache, no-store, must-revalidate X-XSS-Protection: 0 X-Frame-Options: DENY Date: Fri, 14 Feb 2025 01:37:57 GMT Connection: keep-alive Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff Transfer-Encoding: chunked Content-Type: application/json Content-Length: 192 { "id" : "bcba4bc3-534e-4891-bfa2-e872b4502d80", "error" : "SERVER_SIDE_ERROR", "error_description" : "An unexpected error occurred.", "trace_id" : "67ae9e75bce5bd9bef0c2a4128d71c7f" } Path Type Description `id` `String` The unique identifier for this error/request. Please log this identifier for support and debugging purposes. `trace_id` `String InstanceOfAssertFactory` (Optional) An auxiliary id for request correlation across services. Please also log this identifier for operational support and debugging purposes. `error` `String` Error code representing broad class of error; likely to be one of CLIENT\_SIDE\_ERROR, ARGUMENTS\_NOT\_VALID, SERVER\_SIDE\_ERROR, TOO\_MANY\_REQUESTS. However, specific error codes can be returned for some endpoints, in which case you may find more details in the documentation for that endpoint. `error_description` `String` Returns human readable general information about the reason for the error. Note that due to security reasons; detailed information is unlikely to be available in this message. [PreviousStaging and Production Endpointschevron-left](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/staging-and-production-endpoints) Last updated 1 year ago Was this helpful? Was this helpful? --- # Token Endpoint | CIBA | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Endpoint to obtain an ID token. The ID token is a signed JWT that contains user information in the sub claim, and is signed by Singpass Auth. RPs will be able to verify the ID token’s JWT signature with our JWKS endpoint. For the Step-up authentication flow, only the following grant(s) is supported: * `urn:openid:params:grant-type:ciba` In the below sections, we are going to describe the API contract. [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client_initiated_backchannel_authentication_ciba_grant) Client-Initiated Backchannel Authentication (CIBA) Grant ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This grant type allows the RP to obtain an ID token for the user indicated by the `login_hint` parameter that was provided during initiation. This is only allowed for `confidential` RPs. Currently, Singpass only supports **Poll** mode, which means that RPs need to poll the token endpoint at regular intervals until they receive an ID token or receive certain error codes (see [Error Responses](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#error-responses) ). Important RPs should **NOT** send two overlapping token requests with the same `auth_req_id`. RPs should always wait until receiving the response to the previous request before sending out the next request. Note It is recommended for RPs to wait for at least **30s** for a response before trying again. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client-authentication-client-assertion-jwt) **Client Authentication - Client Assertion JWT** RPs must authenticate themselves using **Client Assertion JWT**. In this authentication mechanism, the RP is required to present an assertion JWT in the request body. Singpass will then verify this JWT against a JWK provided by the RP during onboarding. This method of authentication relies on PKI and eradicates the need to keep and transfer secrets. You may refer to [this RFC spec documentationarrow-up-right](https://tools.ietf.org/html/rfc7523#section-2.2) for more details. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#assertion-jwt-structure) **Assertion JWT Structure** The RP is required to generate an assertion JWT that has the following header and claims, and is signed with the JWK that was provided during onboarding. **JWT Header** The header **must include** `**alg**` **and** `**typ**`. The supported `alg` types are: * `ES256` * `ES384` * `ES512`. This must match the `alg` value in the signing key used to sign the assertion (if the signing JWK specifies `alg` explicitly). The header should also include `kid` of the signing key to help identify which of the RP’s signing keys was used, though this is not mandatory. If omitted, we will test against all known signing keys when attempting to verify the signature. example **JWT Claims** Path Type Description `sub` `String` This should be `client_id` of the registered client. `aud` `String` The recipient that the JWT is intended for. This must match the `issuer` field in the response of the OpenID discovery endpoint ([https://id.singpass.gov.sg/.well-known/openid-configurationarrow-up-right](https://id.singpass.gov.sg/.well-known/openid-configuration) ). e.g. [https://id.singpass.gov.sgarrow-up-right](https://id.singpass.gov.sg/) `iss` `String` This should be `client_id` of the registered client. `iat` `Number` The time at which the JWT was issued. [https://tools.ietf.org/html/rfc7519#section-4.1.6arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.6) `exp` `Number` The expiration time on or after which the JWT MUST NOT be accepted by Singpass for processing. Additionally, Singpass will not accept tokens with an `exp` longer than 2 minutes since `iat`. [https://tools.ietf.org/html/rfc7519#section-4.1.4arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.4) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#request-response-structure) **Request / Response Structure** #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#curl-request) **Curl request** #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#form-parameters) **Form parameters** Parameter Description `auth_req_id` Authentication request id. `grant_type` The type of grant being requested. This must be set to `urn:openid:params:grant-type:ciba`. `client_assertion_type` This MUST be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` `client_assertion` A JWT identifying the client. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#http-request) **HTTP request** #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#http-response) **HTTP response** #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#request-body) **Request body** #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#response-body) **Response body** #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#response-fields) **Response fields** Path Type Description `token_type` `String` The type of token being requested, Bearer only so far. `id_token` `String` The ID token with relevant claims in JWT format signed by the ASP. Note that the example response body shows a JWS (3-part structure separated by dots), but the format will differ for a JWS in JWE (5-part structure). See below for more details about the ID token structure. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#error-responses) **Error Responses** The table below shows the list of common error codes that may be returned for this endpoint. RPs must take note to only re-poll the token endpoint for scenarios as specified below. Important Note that only the `error` field in the JSON response should be used to determine the error scenario. Do NOT use the `error_description` field to determine the error scenario. Singpass reserves the right to change the content of the `error_description` field without prior notice to RPs. Error code (returned in `error` field) Error scenario Can perform re-poll? `authorization_pending` The session is still pending as the end-user has not authenticated yet. **Yes** `access_denied` End-user rejected the authentication via SP mobile app. No `expired_token` The authentication session has expired or is not found. No `unauthorized_client` RP is not authorized to perform this flow. No `invalid_client` RP failed client assertion authentication. No `invalid_grant` \- No `invalid_request` \- No `server_error` \- No ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#id-token-structure) **ID Token Structure** The format and structure of the issued ID Token will vary depending on the client’s profile as specified in this table below: Client Profile `sub` Claim Content ID token format `direct` UUID only (eg. `u=32af8b7d-ad1d-4c25-8dc7-0a981b533000`) JWS `direct_pii_allowed` **Regular NRIC holders**: NRIC and UUID (eg. `s=S1234567A,u=32af8b7d-ad1d-4c25-8dc7-0a981b533000`) **Singpass Foreign Account (SFA) holders**: Singpass User ID (UID), Foreigner ID (FID), Country-of-Issuance (COI) and UUID (eg. `s=Y7613265T,fid=G730Z-H5P96,coi=DE,u=e2af740e-25b4-4b19-b527-494670952cb0`) This class of users were previously known as "Foreign Unique Account" or "Singpass Foreign Unique Account" users. Only designated relying parties are able to have SFA users authenticate & complete token exchange. JWS in JWE (encrypted with client’s JWK) See section below for more details about the JWE format. `bridge` (special case internal use only) NRIC and UUID (eg. `s=S1234567A,u=32af8b7d-ad1d-4c25-8dc7-0a981b533000`) JWS #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#overview-of-a-jws-in-jwe) **Overview of a JWS in JWE** An encrypted ID token will returned from the `/token` endpoint is a JWS in JWE that is in compact serialization form. It has the following structure: * JWE Header * Encrypted Key * Initialization Vector * Encrypted Payload (if decrypted, this would be the Base64 encoded form of a [JWS ID Token](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#overview-of-a-jws) ) * Authentication Tag See [https://datatracker.ietf.org/doc/html/rfc7516#section-3.1arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7516#section-3.1) for more details. **JWE Header** The JWE will contain these standard headers. Refer to [https://tools.ietf.org/html/rfc7515#section-4arrow-up-right](https://tools.ietf.org/html/rfc7515#section-4) for more information about each header. Note: Relying parties should use the `kid` field in the header to determine which key Singpass used for encryption. example #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#overview-of-a-jws) **Overview of a JWS** The [JWSarrow-up-right](https://tools.ietf.org/html/rfc7515) ID token returned from the `/token` endpoint is in compact serialization form. A JWS has the following structure. * JWS Header * Payload (containing claims) * Signature **JWS Header** The JWS ID token will contain these standard headers. Refer to [https://tools.ietf.org/html/rfc7515#section-4arrow-up-right](https://tools.ietf.org/html/rfc7515#section-4) for more information about each header. example **JWT Claims** The JWS ID token will contain the following claims. example Path Type Description `sub` `String` The principal that is the subject of the JWT. Contains a comma-separated, key=value mapping that identifies the user; possibly including multiple alternate IDs representing the user. The keys included vary by the profile of the OIDC client, and the user type, however the minimal format is `u=` where UUID represents the user’s globally unique identifier. [https://tools.ietf.org/html/rfc7519#section-4.1.2arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.2) `aud` `String` The client\_id of the relying party. [https://tools.ietf.org/html/rfc7519#section-4.1.3arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.3) `iss` `String` The principal that issued the JWT. [https://tools.ietf.org/html/rfc7519#section-4.1.1arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.1) `iat` `Number` The time at which the JWT was issued. [https://tools.ietf.org/html/rfc7519#section-4.1.6arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.6) `exp` `Number` The expiration time on or after which the JWT MUST NOT be accepted for processing. Defaults to 10 minutes since "iat". [https://tools.ietf.org/html/rfc7519#section-4.1.4arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.4) `amr` `Array` Authentication method references. Example values are `["face"]`, `["fv"]`, `["fv-alt"]`, `["otp"]`, `["pwd","fv"]`, `["pwd","otp-email"]`, `["pwd","sms"]`, `["pwd","swk"]`, `["pwd"]`, `["sso"]`. Note that this list is non-exhaustive, and Singpass reserves the right to introduce new values without prior notice to RPs. [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client_jwk_requirements) Client JWK Requirements --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Clients are expected to provide public keys to Singpass in the [JWKarrow-up-right](https://tools.ietf.org/html/rfc7517) format. These public keys will be used in the following (non-exhaustive) scenarios: * Signature JWK used to verify the signature of the [client assertion JWT](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client-authentication-client-assertion-jwt) presented during token request. * Encryption JWK used to [encrypt an ID token](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#id-token-structure) which contains the user’s PII. The client must provide the public key(s) during onboarding, and they can do so only via **ONE** of the following forms: * Provide a JWKS in a JSON format. * Host the JWKS on a publicly accessible URL. This endpoint must be compatible with Singpass' [service level expectations](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#jwks-url-service-level-expectations) . Signing key is always required for both `direct` and `direct_pii_allowed` clients. Encryption key is only required for `direct_pii_allowed` clients. `direct_pii_allowed` clients must ensure that the provided JWKS or the resource returned by the JWKS URL contains both the signing and encryption keys. Tip [mkjwk.orgarrow-up-right](https://mkjwk.org/) is a useful open-source tool to generate different types of JWK for signing and encryption; compliant with Singpass' broad requirements on structure. While we **DO NOT** suggest this as a secure way to generate your _real_ keypair (including private key); this can be a useful tool to understand how JWK works; and how it is represented for signing and encryption purposes; while you are reviewing against our supported algorithms below. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#jwk-for-signing) **JWK for signing** The signing JWK will be used to verify the [client assertion JWT](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client-authentication-client-assertion-jwt) provided during `/token` request, thereby authenticating the client. Clients are allowed to provide multiple signature keys in the JWKS / hosted on the JWKS url provided during client creation. The signature JWK should have the following attributes: * Must have key `use` of value `sig` per [rfc7517#section-4.2arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.2) * Must contain a key ID in the standard `kid` field per [rfc7517#section-4.5arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.5) * Will be used by Singpass to select the relevant key to verify the client assertion * Must be an EC key, with curves: `P-256`, `P-384` or `P-521` _(NIST curves, aka_ `_secp256r1_`_,_ `_secp384r1_`_,_ `_secp521r1_` _respectively)_ Example EC signing key using P-256 and a timestamped key Id #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#key-rotation) **Key Rotation** Relying parties can **rotate** their signing keys in a self-driven manner. To do this with **zero downtime** the Relying party must * support use of **JWKS URLs** and be onboarded as such * ensure their replacement signing key has a different key ID (`kid`) to the original key * ensure their replacement signing key matches the other cryptographic key requirements To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new signing key pair (`K2`) supported for signing. T0 Relying party **adds** public key `K2` to its JWKS endpoint (and leaves `K1` on the endpoint) T0 - T+1 hour Singpass' cache will expire, and re-retrieves the relying party’s published keys from their JWKS endpoint which now includes `K2` \> T+1 hour Relying party changes their system to start signing client assertions using the new signing key `K2` Clean Up Post-validation, relying party can remove key `K1` from their JWKS endpoint when they are comfortable their new signing key is working ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#jwk-for-encryption) **JWK for encryption** The encryption JWK will be used to [encrypt ID tokens](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#id-token-structure) requested from the `/token` endpoint. Singpass will select the strongest available, supported encryption key from either a **local JWKS**, or **JWKS URL** to encrypt returned ID tokens for those relying parties who require any PII in the ID token. The encryption JWK must have the following attributes: * Must have key `use` of value `enc` per [rfc7517#section-4.2arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.2) * Must contain a key ID in the standard `kid` field per [rfc7517#section-4.5arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.5) * The key ID will be specified in the returned JWE header so that clients can pick the right key for decryption * Must have key type (`kty`) of `EC` * Must specify the appropriate key encryption `alg` the relying party wants Singpass to use, consistent with the key type/curve (`kty`), and meet the requirements below on allowed `alg`/`curve`/key sizes, consistent with [RFC7518 - JSON Web Algorithm specificationarrow-up-right](https://tools.ietf.org/html/rfc7518#section-4.1) Key Type (`kty`) EC Status **Required** for new Relying Parties Key encryption algorithm (`alg`) ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW Curve (`crv`) P-256 _(NIST, aka secp256r1)_ P-384 _(NIST, aka secp384r1)_ P-521 _(NIST, aka secp521r1)_ Example EC encryption key using P-256 and a timestamped key Id; asking us to encrypt the CEK using ECDH-ES+A128KW #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#key-preference) **Key Preference** If the relying party exposes _multiple supported encryption keys_, Singpass will select the key to use for encrypting tokens based on the following logic: 1. prefer any EC key (`kty`) matching the above requirements 2. prefer EC keys with stronger `crv` (curve) _above_ EC keys with weaker curve 3. prefer EC keys with stronger `alg` key wrapping _above_ weaker ones 4. otherwise pick the first compatible key we find #### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#key-rotation-1) **Key Rotation** Relying parties can **rotate** their encryption keys in a self-driven manner. To do this with **zero downtime** the Relying party must * support use of **JWKS URLs** and be onboarded as such * have the ability to decrypt tokens produced with either **one of two** different encryption keys based on either * selecting the correct decryption key by its key ID (`kid`) * trial-and-error decryption against multiple keys in a collection * ensure their replacement key matches the other cryptographic key requirements noted above To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new encryption key pair (`K2`) supported for decryption. The existing key pair (`K1`) is still available for decryption of ID tokens T0 Relying party **removes** public key `K1` and **adds** public key `K2` on its JWKS endpoint T0 - T+1 hour Singpass' caches will expire at any (indeterminate) time within this period, and start encrypting tokens with new encryption key `K2`. T0 - T+1 hour Relying party may be receiving tokens encrypted with either `K1` or `K2` keys throughout this period; and must be able to decrypt either. \> T+1 hour Relying party can remove support for decrypting with the previous `K1` key ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#jwks-url-service-level-expectations) **JWKS URL Service Level Expectations** Singpass requires that any JWKS is published on an endpoint that * is served behind HTTPS on port `443` using a TLS server certificate issued by a standard _publicly verifiable CA issuer_ (no private CAs), with _complete cert chain_ presented by the server * is publicly accessible (no IP whitelisting, mTLS or other custom HTTP header requirements outside standard HTTP headers such as `Content-Type`, `Accept`) * is able to respond in a timely fashion with respect to the below configuration Per try timeout 3s Max attempts 3 Cache duration for retrieved JWKS 1h Note While the above is a technical requirement; the user experience of your users may be affected if we are unable to retrieve your JWKS in a timely fashion upon our cache expiry due to slower token exchanges with your backend. We recommend aiming for this response to be as fast as possible based on an in-memory cache; or simple static asset retrieval. If Singpass fails to retrieve a valid JWKS from the provided URL after cache expiry, the relying party’s token exchange will fail with an OAuth2/OIDC `invalid_client` error in these circumstances: * if _client assertions_ are used, and we are unable to validate the relying party’s assertion using their signing key * if _encryption of returned ID tokens_ is required, and we are unable to retrieve the relying party’s preferred encryption key [PreviousBackchannel Authentication Endpointchevron-left](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/backchannel-authentication-endpoint) [Next.well-known Endpointschevron-right](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints) Last updated 1 year ago Was this helpful? * [Client-Initiated Backchannel Authentication (CIBA) Grant](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client_initiated_backchannel_authentication_ciba_grant) * [Client Authentication - Client Assertion JWT](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client-authentication-client-assertion-jwt) * [Request / Response Structure](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#request-response-structure) * [ID Token Structure](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#id-token-structure) * [Client JWK Requirements](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#client_jwk_requirements) * [JWK for signing](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#jwk-for-signing) * [JWK for encryption](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#jwk-for-encryption) * [JWKS URL Service Level Expectations](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint#jwks-url-service-level-expectations) Was this helpful? Copy { "typ" : "JWT", "alg" : "ES256", "kid" : "rp_key_01" } Copy $ curl 'https://stg-id.singpass.gov.sg/token' -i -X POST \ -H 'Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1' \ -d 'client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&auth_req_id=9f7e4f01-45cc-4eed-84c2-f7f58233f7fa&client_assertion=eyJraWQiOiJzaWdJZCIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJpc3MiOiJpTUJ3MlhkR2VHanRYRVl4TURoT1RxUnN5a000dHRaZiIsInN1YiI6ImlNQncyWGRHZUdqdFhFWXhNRGhPVHFSc3lrTTR0dFpmIiwiYXVkIjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnIiwiZXhwIjoxNzM5NDk3MjY4LCJpYXQiOjE3Mzk0OTcxNDh9.8LhU6OSaZhZqJ90T2i6S1ay-Ir_mbw_PXOvjI49BhtR--3A2F3WgLoiNesDHFVCSzz7uv4NoiQqGWxn5C0hdWA&grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba' Copy POST /token HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1 Host: stg-id.singpass.gov.sg Content-Length: 557 client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&auth_req_id=9f7e4f01-45cc-4eed-84c2-f7f58233f7fa&client_assertion=eyJraWQiOiJzaWdJZCIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJpc3MiOiJpTUJ3MlhkR2VHanRYRVl4TURoT1RxUnN5a000dHRaZiIsInN1YiI6ImlNQncyWGRHZUdqdFhFWXhNRGhPVHFSc3lrTTR0dFpmIiwiYXVkIjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnIiwiZXhwIjoxNzM5NDk3MjY4LCJpYXQiOjE3Mzk0OTcxNDh9.8LhU6OSaZhZqJ90T2i6S1ay-Ir_mbw_PXOvjI49BhtR--3A2F3WgLoiNesDHFVCSzz7uv4NoiQqGWxn5C0hdWA&grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba Copy HTTP/1.1 200 OK Expires: 0 Cache-Control: no-cache, no-store, max-age=0, must-revalidate X-XSS-Protection: 0 Pragma: no-cache X-Frame-Options: DENY Date: Fri, 14 Feb 2025 01:39:09 GMT Connection: keep-alive Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff Transfer-Encoding: chunked Content-Type: application/json Content-Length: 446 {"token_type":"Bearer","id_token":"eyJraWQiOiJuZGlfc3RnXzAxIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJpTUJ3MlhkR2VHanRYRVl4TURoT1RxUnN5a000dHRaZiIsInN1YiI6InM9Uzg4MjkzMTRCLHU9MWMwY2VlMzgtM2E4Zi00ZjhhLTgzYmMtN2EwZTRjNTlkNmE5IiwiYW1yIjpbInB3ZCIsInN3ayJdLCJpc3MiOiJodHRwczovL3N0Zy1pZC5zaW5ncGFzcy5nb3Yuc2ciLCJleHAiOjE3Mzk0OTc3NDgsImlhdCI6MTczOTQ5NzE0OH0.BxXLysNFj7TKZBydqXICOCzLzQyylt_Gde18_lSLq4ZcWNz8TY3ZGT_DXU5dWkBEJ4OSaDcEfpxpwNdd-MeEDA"} Copy client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&auth_req_id=9f7e4f01-45cc-4eed-84c2-f7f58233f7fa&client_assertion=eyJraWQiOiJzaWdJZCIsInR5cCI6IkpXVCIsImFsZyI6IkVTMjU2In0.eyJpc3MiOiJpTUJ3MlhkR2VHanRYRVl4TURoT1RxUnN5a000dHRaZiIsInN1YiI6ImlNQncyWGRHZUdqdFhFWXhNRGhPVHFSc3lrTTR0dFpmIiwiYXVkIjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnIiwiZXhwIjoxNzM5NDk3MjY4LCJpYXQiOjE3Mzk0OTcxNDh9.8LhU6OSaZhZqJ90T2i6S1ay-Ir_mbw_PXOvjI49BhtR--3A2F3WgLoiNesDHFVCSzz7uv4NoiQqGWxn5C0hdWA&grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba Copy {"token_type":"Bearer","id_token":"eyJraWQiOiJuZGlfc3RnXzAxIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJpTUJ3MlhkR2VHanRYRVl4TURoT1RxUnN5a000dHRaZiIsInN1YiI6InM9Uzg4MjkzMTRCLHU9MWMwY2VlMzgtM2E4Zi00ZjhhLTgzYmMtN2EwZTRjNTlkNmE5IiwiYW1yIjpbInB3ZCIsInN3ayJdLCJpc3MiOiJodHRwczovL3N0Zy1pZC5zaW5ncGFzcy5nb3Yuc2ciLCJleHAiOjE3Mzk0OTc3NDgsImlhdCI6MTczOTQ5NzE0OH0.BxXLysNFj7TKZBydqXICOCzLzQyylt_Gde18_lSLq4ZcWNz8TY3ZGT_DXU5dWkBEJ4OSaDcEfpxpwNdd-MeEDA"} Copy { "kid": "client_01", "cty": "JWT", "enc": "A256CBC-HS512", "alg": "ECDH-ES+A256KW" } Copy { "kid" : "ndi_stg_01", "typ" : "JWT", "alg" : "ES256" } Copy { "aud" : "iMBw2XdGeGjtXEYxMDhOTqRsykM4ttZf", "sub" : "s=S8829314B,u=1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9", "amr" : [ "pwd", "swk" ], "iss" : "https://stg-id.singpass.gov.sg", "exp" : 1739497748, "iat" : 1739497148 } Copy { "kty": "EC", "use": "sig", "kid": "sig-2021-01-15T12:09:06Z", "crv": "P-256", "x": "Tjm2thouQXSUJSrKDyMfVGe6ZQRWqCr0UgeSbNKiNi8", "y": "8BuGGu519a5xczbArHq1_iVJjGGBSlV5m_FGBJmiFtE" } Copy { "kty": "EC", "use": "enc", "kid": "enc-2021-01-15T12:09:06Z", "crv": "P-256", "x": "xom6kD54yfXRPvMFVYFlVjUKzmNhz7wf0DP_2h9kXtY", "y": "lrh8C9c8-SBJTm1FcfqLkj2AnHtaxpnB1qsN6PiFFJE", "alg": "ECDH-ES+A128KW" } --- # Key Principles | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles#id-1.-requesting-for-data) 1\. Requesting for Data ------------------------------------------------------------------------------------------------------------------------------------------ **Request only what you need** * Do not over-collect data, where this is not required for business purposes or legal reasons. **PDPA & Applicable Regulations/Legislation** * Protect, retain, transfer and dispose of data retrieved according to the rules of the Personal Data Protection Act (PDPA), relevant industry regulations and applicable legislation. * For collection of National Identification Numbers, refer to the advisory guidelines from PDPC [here.arrow-up-right](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers---310818.pdf) **Use for lawful purposes** * Use the data items retrieved for lawful purposes only. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles#id-2.-designing-your-user-journey) 2\. Designing your User Journey ---------------------------------------------------------------------------------------------------------------------------------------------------------- **Display As-Is** * Data items retrieved from our APIs should be displayed as-is on digital forms (exception of Mobile Number and Email Address) so as to assure users that the correct data items have been retrieved. * This minimises clarifications on the data retrieved and encourage users to update the relevant Government data source agency if any information is outdated. **Store only if submitted** * Data should be purged if form is not successfully submitted. * If ‘Save-as-draft’ feature is available, unsubmitted data should be purged periodically. **Provide non-Verify alternative** * Partners are encouraged to support customers who prefer to use a non-Verify alternative. **Showing customers the benefits of using Verify** * Indicate that Verify service is available for your service and clearly state the target users (e.g. for SC/PR and/or Foreigners). * Present the benefits of using Verify option (e.g. time saving, does not require ID cards or documents). **Remove collection and retention of physical NRIC or other identification documents.** * Data from Government sources which are uneditable on your form should be assessed as an alternative to collection and retention of identification documents for verification (e.g. NRIC, Work Pass (EP, PEP, EntrePass, S-Pass), Dependent Pass, Visit Pass (LTVP, LTVP+), selected Work Permit, driver's licence, and passport). **Display & Technical Requirements** * Design your application according to our [technical requirementsarrow-up-right](https://api.singpass.gov.sg/library/verify/developers/implementation-technical-requirements) . * * * ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles#id-3.-possible-enhancements) 3\. Possible Enhancements **Visitor Registration and Access** * Use Verify data items to replace collection and retention of physical NRIC or other identification document. **Customer Acquisition** * Use Verify QR scanning to speed up customer acquisition in the roadshows or seminars. **Scenarios where Collection of NRIC Numbers is Not Required by Law** * Use Verify Partial NRIC/FIN for use cases, such as redemption of free parking or signing up for retail membership and lucky draw. [PreviousOverviewchevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify) [NextVerify API Data Catalogchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog) Last updated 1 year ago Was this helpful? * [1\. Requesting for Data](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles#id-1.-requesting-for-data) * [2\. Designing your User Journey](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles#id-2.-designing-your-user-journey) * [3\. Possible Enhancements](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles#id-3.-possible-enhancements) Was this helpful? --- # FAQ | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q1.-what-should-i-do-when-a-users-data-in-the-business-conflicts-with-the-users-data-retrieved-from) Q1. What should I do when a user’s data in the business conflicts with the user’s data retrieved from Verify APIs? ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You should assess which dataset takes precedence, based on business or regulatory requirements, and also factor in the following: 1. Whether the data is retrieved from government sources 2. Time-stamp of the data retrieved, to determine which is more recent * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q2.-can-i-request-for-more-data-items-than-what-i-need-for-my-digital-service) Q2. Can I request for more data items than what I need for my digital service? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ No. You should only request for the data items that you need for your digital service. This is aligned with the guidelines of the Personal Data Protection Act, which instructs the collection of personal data in an appropriate manner for the circumstances. Each request will be reviewed prior to approval. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q3.-i-would-like-to-linkup-multiple-digital-services-with-verify-apis.-do-i-submit-a-single-request) Q3. I would like to linkup multiple digital services with Verify APIs. Do I submit a single request for all my digital services or one request each for each digital service? --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- A new request must be submitted for digital services with different use cases/user journeys. If in doubt, please submit a request for each digital service. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q4.-i-would-like-to-develop-my-digital-service-to-solely-depend-on-verify-apis-to-populate-user-data) Q4. I would like to develop my digital service to solely depend on Verify APIs to populate user data. Is this a recommended approach? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ As a general guideline, it is useful for digital services to consider the possible user journeys for their target audience. For example, users could fill up a digital form manually if they: 1. Do not wish to use Verify; 2. If the user is a foreigner who does not have Verify; or 3. If the Verify service is temporarily unavailable (e.g. system maintenance). * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q5.-how-should-my-digital-service-handle-scenarios-where-the-user-finds-that-the-data-retrieved-from) Q5. How should my digital service handle scenarios where the user finds that the data retrieved from Verify is out-of-date? (e.g. user has not updated ICA about his/her change of registered address) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Businesses may allow users to fill out the form manually with the correct data. In this case, data previously retrieved from Verify should not be saved. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q6.-are-the-registered-addresses-of-users-restricted-to-singapore-addresses) Q6. Are the registered addresses of users restricted to Singapore addresses? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- No, the registered address field can contain overseas addresses. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q7.-is-there-any-guideline-to-display-the-qr-code) Q7. Is there any guideline to display the QR Code? ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Digital services should adhere to the Display Guidelines when displaying the QR Code. Please see Verify [Display Guidelines](https://docs.developer.singpass.gov.sg/docs/legacy-verify/brand-guidelines-and-resources) . * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q8.-i-have-some-issues-uploading-my-x.509-public-key-with-my-ios-device.-how-can-i-upload-my-x.509-p) Q8. I have some issues uploading my X.509 public key with my iOS device. How can I upload my X.509 public key? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- It is recommended to upload your X.509 public key using compatible browsers (e.g. Safari, Chrome, Firefox) on your desktop. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q9.-can-foreigners-use-verify-to-transact-with-digital-services) Q9. Can foreigners use Verify to transact with digital services? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Foreigners who have a valid Singpass account, will have a Myinfo profile, and can use Verify service * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q10.-who-do-i-contact-if-i-require-more-details) Q10. Who do I contact if I require more details? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ If you have any other query, please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) . [PreviousBrand Guidelines and Resourceschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify/brand-guidelines-and-resources) [NextVerify APIchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api) Last updated 1 year ago Was this helpful? * [Q1. What should I do when a user’s data in the business conflicts with the user’s data retrieved from Verify APIs?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q1.-what-should-i-do-when-a-users-data-in-the-business-conflicts-with-the-users-data-retrieved-from) * [Q2. Can I request for more data items than what I need for my digital service?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q2.-can-i-request-for-more-data-items-than-what-i-need-for-my-digital-service) * [Q3. I would like to linkup multiple digital services with Verify APIs. Do I submit a single request for all my digital services or one request each for each digital service?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q3.-i-would-like-to-linkup-multiple-digital-services-with-verify-apis.-do-i-submit-a-single-request) * [Q4. I would like to develop my digital service to solely depend on Verify APIs to populate user data. Is this a recommended approach?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q4.-i-would-like-to-develop-my-digital-service-to-solely-depend-on-verify-apis-to-populate-user-data) * [Q5. How should my digital service handle scenarios where the user finds that the data retrieved from Verify is out-of-date? (e.g. user has not updated ICA about his/her change of registered address)](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q5.-how-should-my-digital-service-handle-scenarios-where-the-user-finds-that-the-data-retrieved-from) * [Q6. Are the registered addresses of users restricted to Singapore addresses?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q6.-are-the-registered-addresses-of-users-restricted-to-singapore-addresses) * [Q7. Is there any guideline to display the QR Code?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q7.-is-there-any-guideline-to-display-the-qr-code) * [Q8. I have some issues uploading my X.509 public key with my iOS device. How can I upload my X.509 public key?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q8.-i-have-some-issues-uploading-my-x.509-public-key-with-my-ios-device.-how-can-i-upload-my-x.509-p) * [Q9. Can foreigners use Verify to transact with digital services?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q9.-can-foreigners-use-verify-to-transact-with-digital-services) * [Q10. Who do I contact if I require more details?](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq#q10.-who-do-i-contact-if-i-require-more-details) Was this helpful? --- # Brand Guidelines and Resources | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/brand-guidelines-and-resources#brand-guidelines-and-assets) Brand Guidelines & Assets The Singpass brand is more than just a name. It's a set of values, attributes, and design principles that reflects the spirit of our brand. Using it consistently will reinforce our passion and commitment to give all Singapore residents a National Digital Identity that empowers them to live confidently in a Smart Nation. Please help us protect our brand, and present your work in the most appropriate way, by following these guidelines and only using approved brand assets from this site (any logos or images found elsewhere on the web are not approved for use). **When to use Singpass brand:** * Product Page * Digital Surface * Kiosks file-archive 63KB [Verify-QR-code-placement-template.zip](https://2818768107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrwG6ATZg7k01ReAAuMFx%2Fuploads%2F6mRhQJx5MsK1LPuCBjJd%2FVerify-QR-code-placement-template.zip?alt=media&token=ef71ca72-7ce4-4247-a20f-dd2bd0ee362b) archive downloadDownload[arrow-up-right-from-squareOpen](https://2818768107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrwG6ATZg7k01ReAAuMFx%2Fuploads%2F6mRhQJx5MsK1LPuCBjJd%2FVerify-QR-code-placement-template.zip?alt=media&token=ef71ca72-7ce4-4247-a20f-dd2bd0ee362b) file-archive 3KB [i-key-figure-icon.zip](https://2818768107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrwG6ATZg7k01ReAAuMFx%2Fuploads%2F07z6mMb3xlJiwjSKvusJ%2Fi-key-figure-icon.zip?alt=media&token=8f59b71f-bf13-4f21-8f13-d4fee068c953) archive downloadDownload[arrow-up-right-from-squareOpen](https://2818768107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrwG6ATZg7k01ReAAuMFx%2Fuploads%2F07z6mMb3xlJiwjSKvusJ%2Fi-key-figure-icon.zip?alt=media&token=8f59b71f-bf13-4f21-8f13-d4fee068c953) file-archive 287KB [Singpass-logo.zip](https://2818768107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrwG6ATZg7k01ReAAuMFx%2Fuploads%2FJf9OIm6SA4PSmHDw4Rgf%2FSingpass-logo.zip?alt=media&token=ca9c0d54-39c9-4339-91ae-ceedf3a224a9) archive downloadDownload[arrow-up-right-from-squareOpen](https://2818768107-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrwG6ATZg7k01ReAAuMFx%2Fuploads%2FJf9OIm6SA4PSmHDw4Rgf%2FSingpass-logo.zip?alt=media&token=ca9c0d54-39c9-4339-91ae-ceedf3a224a9) Examples ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252F10HaEgZcl9EPQzIJNMGt%252Fimage.png%3Falt%3Dmedia%26token%3Daa3f69e3-c145-4c24-ae25-5f929b45e01d&width=768&dpr=3&quality=100&sign=82606ef1&sv=2) ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252F5eXXhoGiz4JuHlTfQ5mt%252Fimage.png%3Falt%3Dmedia%26token%3D299fd425-cee0-42b7-94b2-77eeaf47ffe1&width=768&dpr=3&quality=100&sign=2f2e84d2&sv=2) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/brand-guidelines-and-resources#logo-and-qr-code-usage) Logo and QR Code Usage ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FBGrTxIt6l30xRBSsuoyc%252Fimage.png%3Falt%3Dmedia%26token%3D75d90622-0838-4d1a-8410-551cf8109211&width=768&dpr=3&quality=100&sign=17560aaf&sv=2) Example of the logo placement ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FFCROMnacJpFZvHNXo0XB%252Fimage.png%3Falt%3Dmedia%26token%3D64c8465e-7712-48df-807c-d821e5b2fa78&width=768&dpr=3&quality=100&sign=5000b414&sv=2) Examples of Singpass Logo with Text Placement **Minimum Size** Minimum sizes of the Singpass logo: * Digital: 80 pixels wide * Print: 18mm wide ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FVODyQ3Sg2Derf6tu4e3F%252Fimage.png%3Falt%3Dmedia%26token%3D7c18437e-a11a-4f48-98a5-e170c55372cb&width=768&dpr=3&quality=100&sign=f4e44ac5&sv=2) Example of 80px/18mm wide, approximate **Usage on Backgrounds** Whenever possible, it is recommended to use the full colour Singpass logo. It should be used on only either white or light grey background only. The single colour logos should only be used on either Singapore red or black background. For photograph backgrounds, the single colour logo in reverse white should be used. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FqkGeJxVDVyyDch2yFN2E%252Fimage.png%3Falt%3Dmedia%26token%3D52d51c7f-0db5-48cc-a5a9-93525a2a2b26&width=768&dpr=3&quality=100&sign=86f16d62&sv=2) Example of Singpass logo with background **Singpass Logo Don’ts** Don't combine the Singpass name or logos, or any portion of any of them, with other logo, company name, mark or generic terms. Don't edit, modify, distort, rotate or re-colour the logo. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252F2Jmq9uR6tsgZvw9WNWMp%252Fimage.png%3Falt%3Dmedia%26token%3D5f58f1af-5949-4478-8a7d-99704d38a968&width=768&dpr=3&quality=100&sign=89ef2dd6&sv=2) Examples of Don'ts **Singpass Key Figure Don’ts** Don't combine the Singpass key figure name or logos, or any portion of any of them, with other logo, company name, mark or generic terms. Don't edit, modify, distort, rotate or re-colour the logo. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FaCJx72JXOmLdN4l981Ih%252Fimage.png%3Falt%3Dmedia%26token%3D5144070c-57dc-48b0-83ea-acf24ea85444&width=768&dpr=3&quality=100&sign=e88f4aa8&sv=2) Examples of Don'ts **QR Code Dos** * Ensure that the QR code is **at least 500px wide.** * Ensure that the QR code is, **high-quality and sharp** not blur or pixelated. * Ensure that the **aspect ratio of the template remain unchanged.** * Ensure that the QR code is a **black filled colour on a white background** for high contrast. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FHzmfUwAtBWK9dK3VIzJc%252Fimage.png%3Falt%3Dmedia%26token%3D57de793f-54d4-4519-b35a-853a4022789b&width=768&dpr=3&quality=100&sign=143fe92e&sv=2) Examples of Don'ts * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/brand-guidelines-and-resources#naming-usage) Naming Usage Never modify or abbreviate the name 'Singpass'. The 'S' in Singpass is always capitalised. Keep 'Singpass' as a single word. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/brand-guidelines-and-resources#contact-us) Contact Us Please submit a request at [partnersupport.singpass.gov.sgarrow-up-right](https://partnersupport.singpass.gov.sg/) if you have any questions on the usage of the Singpass logo with Verify service. [PreviousVerify API Data Catalogchevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog) [NextFAQchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq) Last updated 1 year ago Was this helpful? Was this helpful? --- # Overview | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation Verify API is no longer supporting new onboarding. Please consider onboarding to [Singpass](https://docs.developer.singpass.gov.sg/docs/) instead **Verify** enables secure in-person identity verification and data transfer.Verify enables residents to perform secure in-person identity verification and data sharing through scanning QR codes.This service provides businesses a digital alternative for visitor registration and access, customer acquisition at roadshows, or other use cases that require user identification. [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify#how-verify-api-can-enhance-your-digital-service) How Verify API can enhance your digital service ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Align with [PDPC's NRIC Advisory Guidelinesarrow-up-right](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers---310818.pdf) Businesses can verify users digitally without collecting or retaining physical NRICs, FIN cards and NRIC/FIN numbers. Verify is a recommended alternative means to conduct identity verification. Please refer to PDPC’s Technical Guide [herearrow-up-right](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Technical-Guide-to-Advisory-Guidelines-on-NRIC-Numbers---260819.pdf) . * Scan and Go, Less Form Filling Users can share their relevant data quickly by scanning a QR code and providing consent via [Singpass Mobilearrow-up-right](https://app.singpass.gov.sg/) . [NextKey Principleschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles) Last updated 1 year ago Was this helpful? Was this helpful? --- # Verify API | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close circle-info [For Verify API Specifications v2arrow-up-right](https://public.cloud.myinfo.gov.sg/sg-verify/v2/sgverify2-oauth-specs.html) circle-info [For Verify Webhook Specifications v1arrow-up-right](https://public.cloud.myinfo.gov.sg/sg-verify/sgverify-webhook-specs.html) ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FqAEhHlg1cnckGrTYM034%252Fimage.png%3Falt%3Dmedia%26token%3D658a453f-9be6-4146-9f2a-8c90f6b40c9e&width=768&dpr=3&quality=100&sign=21c41a91&sv=2) Logical Architecture Overview The diagram shows how a user consents to sharing of his personal information to your application via Verify: 1\. The user scans a Verify QR code pertaining to your application e.g. at a kiosk with Singpass Mobile 2\. The user authenticates himself on Singpass Mobile, and provides consent to share requested personal information with your application. 3\. Singpass mobile relays an authorisation code to your application's via registered callback URL. 4\. Your application then make a series of calls to Verify in order to obtain the user's data. 5\. User verifies his particulars displayed by your application before continuing the transaction. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#understanding-oauth2.0-flow-for-verify-apis) Understanding OAuth2.0 flow for Verify APIs ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Verify is built on the OAuth 2.0 framework which is the web standard for obtaining user's authorisation in order to access user-owned resources. The flow involves invocation of 3 APIs: authorise, token and person (resource API). ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#id-1.-authorise) 1\. Authorise This API is embedded in the QR code that your application needs to generate (Learn more at [Verify QR Codearrow-up-right](https://api.singpass.gov.sg/library/verify/developers/generateqrcode) ). Upon scanning the QR code using Singpass Mobile, it will trigger the /authorise API. After authentication on SPM, a consent page is displayed requesting the user's explicit consent to allow his/her personal details to be released. At the end of this process, Verify will return a short-lived "authorisation code" to your application's callback URL. circle-info Note: Your application will need to provide a callback URL (API) in order to receive the "authorisation code". ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#id-2.-token) 2\. Token This API is invoked by your application to obtain an "access token", which can be used to call the person API for the actual data. A valid "authorisation code" from the authorise API will be required in order to exchange for the "access token". The "access token" will be valid for 30 minutes. circle-info Note:This API is a server-to-server call (does not go through browser) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#id-3.-person) 3\. Person This API returns a JSON response with the personal data that was requested. Your application needs to provide a valid "access token" in order to exchange for the JSON data. Once your application receives this JSON data, it should then display the user's information for verification. circle-info Note:This API is a server-to-server call (does not go through browser) The diagram below shows the sequence diagram for all 3 APIs: ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2818768107-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FrwG6ATZg7k01ReAAuMFx%252Fuploads%252FUE0KEOTWGXfLBOA7PmiN%252Fimage.png%3Falt%3Dmedia%26token%3Dde8b04da-b6d6-499e-ac0d-60921b7c8663&width=768&dpr=3&quality=100&sign=c7d570af&sv=2) [PreviousFAQchevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify/faq) [NextTechnical Requirementschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements) Last updated 1 year ago Was this helpful? * [Understanding OAuth2.0 flow for Verify APIs](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#understanding-oauth2.0-flow-for-verify-apis) * [1\. Authorise](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#id-1.-authorise) * [2\. Token](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#id-2.-token) * [3\. Person](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api#id-3.-person) Was this helpful? --- # Verify API Data Catalog | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#data-available) Data Available ------------------------------------------------------------------------------------------------------------------------------- Verify leverages Myinfo profile, and provides the following data: ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#basic-identity-data) **Basic Identity Data** * This refers to data reflected in identification documents such as NRIC, Work Pass (EP, PEP, EntrePass, S-Pass), Dependent Pass, Visit Pass (LTVP, LTVP+), selected Work Permit, Driver’s Licence, and Passport. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#additional-data) **Additional Data** * This additional data provides businesses with alternative identifiers such as partial NRIC/FIN or UUID and contact details such as mobile number and email address. [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#data-catalog) Data Catalog --------------------------------------------------------------------------------------------------------------------------- id name description Data Available Source uinfin NRIC/FIN NRIC number or FIN of user. NRIC number is the unique identifier given to every Singapore Citizens (SC) and Permanent Residents (PR), while FIN is the unique identifier for Foreigners. SC,PR,FIN ICA/MOM partialuinfin Partial NRIC/FIN Last 3 numerical digits and checksum of the NRIC/FIN number, prefixed with '\*\*\*\*\*' (e.g. "\*\*\*\*\*567A" from the full NRIC number of "S1234567A"). SC,PR,FIN \- name Principal Name Full name of user printed on NRIC or FIN card. Includes Surname if any. SC,PR,FIN ICA/MOM aliasname Alias Name Refers to an alternate/additional name of the user that is legally recognised. SC,PR ICA hanyupinyinname Hanyu Pinyin Name Refers to the officially romanised Chinese name of the user. SC,PR ICA hanyupinyinaliasname Hanyu Pinyin Alias Name Refers to the legally-recognised alternate officially romanised Chinese name of the user. SC,PR ICA marriedname Married Name Refers to the family name or surname adopted by the user upon marriage. SC,PR ICA sex Sex Gender of the user. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (SexCode) for list of possible values. SC,PR,FIN ICA/MOM race Race Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (RaceCode) for list of possible values SC,PR,FIN ICA/MOM secondaryrace Secondary Race Refers to secondary racial category of the Person, if any. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (RaceCode) for list of possible values SC,PR ICA dialect Dialect Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (DialectCode) for list of possible values SC,PR ICA dob Date of Birth SC,PR,FIN ICA/MOM residentialstatus Residential Status Indicate if the user is a Citizen, PR or others. Blank value will be returned for FIN holder. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (ResidentialCode) for list of possible values SC,PR ICA nationality Nationality/Citizenship Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (NationalityCitizenshipCode) for list of possible values SC,PR,FIN ICA/MOM birthcountry Country/Place of Birth Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (CountryPlaceCode) for list of possible values SC,PR,FIN ICA/MOM passportnumber Passport Number SC ICA passportexpirydate Passport Expiry Date SC ICA passtype Pass Type This refers to the pass type of a FIN holder. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (PassTypeCode) for list of possible values. Note that this only applies to a FIN holder with a valid pass issued by ICA/MOM. FIN ICA/MOM passstatus Pass Status This refers to the pass status of a FIN holder. Note that this only applies to a FIN holder with a valid pass issued by ICA/MOM. FIN ICA/MOM passexpirydate Pass Expiry Date This refers to the pass expiry date of a FIN holder. Note that this only applies to a FIN holder with a valid pass issued by ICA/MOM. FIN ICA/MOM employmentsector Employment Sector This refers to the employment sector of a FIN holder. Note that this only applies to a FIN holder with a valid pass issued by MOM. FIN MOM mobileno Mobile Number Mobile number must be made editable at digital services even though data source is Singpass. SC,PR,FIN Singpass email Email Address Email address must be made editable at digital services even though data source is Singpass. SC,PR,FIN Singpass regadd Registered Address For SC/PR - Registered address is the address that is printed on the NRIC card. For FIN - Registered address is applicable for foreigners under the following Pass Types: **ICA-issued Passes** - Long Term Visit Pass / Long Term Visit Pass + - Student Pass - Immigration Exemption Order **MOM-issued Passes** - S Pass - Employment Pass - Personalised Employment Pass - EntrePass - Dependent Pass SC,PR,FIN ICA/MOM [PreviousKey Principleschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify/key-principles) [NextBrand Guidelines and Resourceschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/brand-guidelines-and-resources) Last updated 1 year ago Was this helpful? * [Data Available](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#data-available) * [Basic Identity Data](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#basic-identity-data) * [Additional Data](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#additional-data) * [Data Catalog](https://docs.developer.singpass.gov.sg/docs/legacy-verify/verify-api-data-catalog#data-catalog) Was this helpful? --- # Data Catalog | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Please see link to see latest data catalog for both private sector and public agencies. [Data Catalog (Myinfo)chevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data) [PreviousLegacy Myinfo v3/v4chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4) [NextKey Principleschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/key-principles) Last updated 1 year ago Was this helpful? Was this helpful? --- # Legacy Myinfo v3/v4 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation Onboarding for Myinfo v3/v4 is discontinued. Please use [new Singpass](https://docs.developer.singpass.gov.sg/docs/) Myinfo enables citizens and residents to manage the use of their personal data for simpler online transactions.All Singpass users are automatically provisioned with a Myinfo profile. Users are able to view their personal data and access records of past usage via the [Singpass apparrow-up-right](https://app.singpass.gov.sg/) . [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4#how-myinfo-api-can-enhance-your-digital-service) How Myinfo API can enhance your digital service ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Less form filling, higher data quality** * Users can share their data by providing consent via Singpass and organisations no longer have to deal with manual data management. **Data from government sources** * With data from participating government sources, this allows the provisioning of products instantly, where applicable. [NextData Catalogchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/data-catalog) Last updated 1 year ago Was this helpful? Was this helpful? --- # Key Principles | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Please see link to see [latest key principles](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/key-principles) for both private sector and public agencies. [arrow-up-right](https://app.gitbook.com/o/oIOKcTCZC2fptOuInlww/s/k67iNluSpweCPqhbIY5t/) [PreviousData Catalogchevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/data-catalog) [NextMyinfo v4chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4) Last updated 1 year ago Was this helpful? Was this helpful? --- # .well-known Endpoints | CIBA | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#openid_discovery_endpoint) OpenID discovery endpoint -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Responses from this endpoint can and should be cached for at least 1 hour, and NOT retrieved for each OIDC/OAuth2 operation. Cache-Control headers on the response indicate a possible policy. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#curl-request) **Curl request** Copy $ curl 'https://stg-id.singpass.gov.sg/.well-known/openid-configuration' -i -X GET \ -H 'Accept: application/json' ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-request) **HTTP request** Copy GET /.well-known/openid-configuration HTTP/1.1 Accept: application/json Host: stg-id.singpass.gov.sg ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-response) **HTTP response** Copy HTTP/1.1 200 OK Cache-Control: max-age=21600, must-revalidate, no-transform, public X-XSS-Protection: 0 X-Frame-Options: DENY Date: Fri, 14 Feb 2025 01:38:28 GMT Connection: keep-alive Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff Transfer-Encoding: chunked Content-Type: application/json Content-Length: 1349 { "issuer" : "https://stg-id.singpass.gov.sg", "authorization_endpoint" : "https://stg-id.singpass.gov.sg/auth", "jwks_uri" : "https://stg-id.singpass.gov.sg/.well-known/keys", "response_types_supported" : [ "code" ], "scopes_supported" : [ "openid" ], "subject_types_supported" : [ "public" ], "claims_supported" : [ "nonce", "aud", "iss", "sub", "exp", "iat" ], "grant_types_supported" : [ "authorization_code", "urn:openid:params:grant-type:ciba" ], "token_endpoint" : "https://stg-id.singpass.gov.sg/token", "token_endpoint_auth_methods_supported" : [ "private_key_jwt" ], "token_endpoint_auth_signing_alg_values_supported" : [ "ES256", "ES384", "ES512" ], "id_token_signing_alg_values_supported" : [ "ES256" ], "id_token_encryption_alg_values_supported" : [ "ECDH-ES+A256KW", "ECDH-ES+A192KW", "ECDH-ES+A128KW" ], "id_token_encryption_enc_values_supported" : [ "A256CBC-HS512" ], "backchannel_authentication_endpoint" : "https://stg-id.singpass.gov.sg/bc-auth", "backchannel_token_delivery_modes_supported" : [ "poll" ], "userinfo_endpoint" : "https://stg-id.singpass.gov.sg/userinfo", "userinfo_signing_alg_values_supported" : [ "ES256" ], "userinfo_encryption_alg_values_supported" : [ "ECDH-ES+A256KW", "ECDH-ES+A192KW", "ECDH-ES+A128KW" ], "userinfo_encryption_enc_values_supported" : [ "A256GCM" ] } ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#httpie-request) **HTTPie request** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#request-body) **Request body** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#response-body) **Response body** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#response-fields) **Response fields** Path Type Description `issuer` `String` URL (identity) of the issuer `authorization_endpoint` `String` URL of the OP’s OAuth 2.0 Authorization Endpoint `jwks_uri` `String` URL of the OP’s JSON Web Key Set `response_types_supported` `Array` JSON array containing a list of the OAuth 2.0 response\_type values that OP supports `scopes_supported` `Array` JSON array containing a list of the OAuth 2.0 scope values that OP supports `subject_types_supported` `Array` JSON array containing a list of the Subject Identifier types that this OP supports `claims_supported` `Array` JSON array containing a list of the Claim Names of the Claims that the OpenID Provider MAY be able to supply values for `grant_types_supported` `Array` JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. `token_endpoint` `String` URL of the OP’s OAuth 2.0 Token Endpoint. This contains the signing key(s) the RP uses to validate signatures from the OP. `token_endpoint_auth_methods_supported` `Array` JSON array containing a list of Client Authentication methods supported by this Token Endpoint. `token_endpoint_auth_signing_alg_values_supported` `Array` JSON array containing a list of the JWS signing algorithms (alg values) supported by the Token Endpoint for the signature on the JWT used to authenticate the Client at the Token Endpoint for the private\_key\_jwt authentication methods `id_token_signing_alg_values_supported` `Array` JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. `id_token_encryption_alg_values_supported` `Array` JSON array containing a list of the JWE encryption algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. `id_token_encryption_enc_values_supported` `Array` JSON array containing a list of the JWE encryption algorithms (enc values) supported by the OP for the ID Token to encode the Claims in a JWT. `backchannel_token_delivery_modes_supported` `Array` JSON array containing supported backchannel delivery modes `backchannel_authentication_endpoint` `String` URL of the OP’s Backchannel Authentication Endpoint `userinfo_endpoint` `String` URL of the OP’s UserInfo Endpoint `userinfo_signing_alg_values_supported` `Array` JSON array containing a list of the JWS signing algorithms (alg values) supported by the UserInfo Endpoint to encode the Claims in a JWT. `userinfo_encryption_alg_values_supported` `Array` JSON array containing a list of the JWE encryption algorithms (alg values) supported by the UserInfo Endpoint to encode the Claims in a JWT. `userinfo_encryption_enc_values_supported` `Array` JSON array containing a list of the JWE encryption algorithms (enc values) supported by the UserInfo Endpoint to encode the Claims in a JWT. [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#jwks_endpoint) JWKS endpoint -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- NDI signs all JWTs issued during the authentication process using its ASP signing key. Integrating parties can validate the JWT signatures by acquiring the signing public key from a **JSON Web Key Set (JWKS)** endpoint. This endpoint will return one or more public keys in [JSON Web Key (JWK)arrow-up-right](https://tools.ietf.org/html/rfc7517) form. The correct JWK to use for signature validation will have its `use` attribute as `sig` (to indicate that it is a signing key), and its `kid` value should match the one found in the JWT under validation. Public keys returned from this endpoint could be in random sequence or rotated for security enhancement. For more information, please refer to [Caching and key rotation](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#caching-and-key-rotation) section. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#curl-request-1) **Curl request** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-request-1) **HTTP request** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-response-1) **HTTP response** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#httpie-request-1) **HTTPie request** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#request-body-1) **Request body** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#response-body-1) **Response body** ### [hashtag](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#caching-and-key-rotation) **Caching and key rotation** Important Responses from this endpoint, or individual keys from inside the JWKS can and should be cached for at least 1 hour, and NOT retrieved for each JWT validation. Cache-Control headers on the response indicate a possible policy. For varying reasons, keys used for signing can and will be rotated/changed with no defined schedule, and at the full discretion of NDI. When a key rotation happens, the new key will be available from the JWKS endpoint and will have a different `kid` value. The new `kid` value will be reflected in all the new JWTs signed by NDI. In such cases, cached copies of NDI public keys must be refreshed by re-invoking the JWKS endpoint. If the validation of the NDI signature fails, re-fetch from the JWKS endpoint once for that validation. Please read through the list of **DON’Ts** below: * Do not assume the position of a signing key among the list of the returned keys. * Do not validate NDI signatures using a hardcoded public key OR `kid`. Always determine the correct key (for signature verification) by inspecting the `kid` from the JWS header, and use it to retrieve the public key from our JWKS endpoint. * Do not cache only 1 key. Caching should be done for the entire JWKS. [PreviousToken Endpointchevron-left](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/token-endpoint) [NextStaging and Production Endpointschevron-right](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/staging-and-production-endpoints) Last updated 1 year ago Was this helpful? * [OpenID discovery endpoint](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#openid_discovery_endpoint) * [Curl request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#curl-request) * [HTTP request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-request) * [HTTP response](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-response) * [HTTPie request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#httpie-request) * [Request body](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#request-body) * [Response body](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#response-body) * [Response fields](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#response-fields) * [JWKS endpoint](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#jwks_endpoint) * [Curl request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#curl-request-1) * [HTTP request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-request-1) * [HTTP response](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#http-response-1) * [HTTPie request](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#httpie-request-1) * [Request body](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#request-body-1) * [Response body](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#response-body-1) * [Caching and key rotation](https://docs.developer.singpass.gov.sg/docs/client-initiated-backchannel-authentication-ciba/step-up-authentication-using-push-notifications/.well-known-endpoints#caching-and-key-rotation) Was this helpful? Copy $ http GET 'https://stg-id.singpass.gov.sg/.well-known/openid-configuration' \ 'Accept:application/json' Copy Copy { "issuer" : "https://stg-id.singpass.gov.sg", "authorization_endpoint" : "https://stg-id.singpass.gov.sg/auth", "jwks_uri" : "https://stg-id.singpass.gov.sg/.well-known/keys", "response_types_supported" : [ "code" ], "scopes_supported" : [ "openid" ], "subject_types_supported" : [ "public" ], "claims_supported" : [ "nonce", "aud", "iss", "sub", "exp", "iat" ], "grant_types_supported" : [ "authorization_code", "urn:openid:params:grant-type:ciba" ], "token_endpoint" : "https://stg-id.singpass.gov.sg/token", "token_endpoint_auth_methods_supported" : [ "private_key_jwt" ], "token_endpoint_auth_signing_alg_values_supported" : [ "ES256", "ES384", "ES512" ], "id_token_signing_alg_values_supported" : [ "ES256" ], "id_token_encryption_alg_values_supported" : [ "ECDH-ES+A256KW", "ECDH-ES+A192KW", "ECDH-ES+A128KW" ], "id_token_encryption_enc_values_supported" : [ "A256CBC-HS512" ], "backchannel_authentication_endpoint" : "https://stg-id.singpass.gov.sg/bc-auth", "backchannel_token_delivery_modes_supported" : [ "poll" ], "userinfo_endpoint" : "https://stg-id.singpass.gov.sg/userinfo", "userinfo_signing_alg_values_supported" : [ "ES256" ], "userinfo_encryption_alg_values_supported" : [ "ECDH-ES+A256KW", "ECDH-ES+A192KW", "ECDH-ES+A128KW" ], "userinfo_encryption_enc_values_supported" : [ "A256GCM" ] } Copy $ curl 'https://stg-id.singpass.gov.sg/.well-known/keys' -i -X GET \ -H 'Accept: application/json' Copy GET /.well-known/keys HTTP/1.1 Accept: application/json Host: stg-id.singpass.gov.sg Copy HTTP/1.1 200 OK Cache-Control: max-age=21600, must-revalidate, no-transform, public X-XSS-Protection: 0 X-Frame-Options: DENY Date: Fri, 14 Feb 2025 01:38:28 GMT Connection: keep-alive Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff Content-Type: application/json Content-Length: 697 { "keys" : [ {\ "kty" : "EC",\ "use" : "sig",\ "crv" : "P-256",\ "kid" : "eckey-test",\ "x" : "Nf4-Nc2_hC5pg1Pr274P6YN1cZNZHZRUm8sccBYQBFU",\ "y" : "I2whYvPaxHocMfJ5ob67Ow9uk_TksTCQQ_x-DN9oMeo"\ }, {\ "kty" : "EC",\ "use" : "sig",\ "crv" : "P-256",\ "kid" : "eckey-test-secondary",\ "x" : "qfdyc_f2hxS_4-76Z9WH9itB_S49Q3vsoJTxOBJpXmQ",\ "y" : "gSdCGVcqx4_l8hgKh_nJAOn2F52tDKyvQPLfDZoi1bI"\ }, {\ "kty" : "EC",\ "use" : "sig",\ "crv" : "P-256",\ "kid" : "alias/test-sp-auth-api-id-token-signing-key-kms-asymmetric-key-alias",\ "x" : "1TsrYH0vsifCBY2ZzeXHm-e53jndsoRzaiBRuAyMd8o",\ "y" : "sdMKEjilloz3eUH8dBI_d_gF07TSJzhr3tYa_qLdLqw"\ } ] } Copy $ http GET 'https://stg-id.singpass.gov.sg/.well-known/keys' \ 'Accept:application/json' Copy Copy { "keys" : [ {\ "kty" : "EC",\ "use" : "sig",\ "crv" : "P-256",\ "kid" : "eckey-test",\ "x" : "Nf4-Nc2_hC5pg1Pr274P6YN1cZNZHZRUm8sccBYQBFU",\ "y" : "I2whYvPaxHocMfJ5ob67Ow9uk_TksTCQQ_x-DN9oMeo"\ }, {\ "kty" : "EC",\ "use" : "sig",\ "crv" : "P-256",\ "kid" : "eckey-test-secondary",\ "x" : "qfdyc_f2hxS_4-76Z9WH9itB_S49Q3vsoJTxOBJpXmQ",\ "y" : "gSdCGVcqx4_l8hgKh_nJAOn2F52tDKyvQPLfDZoi1bI"\ }, {\ "kty" : "EC",\ "use" : "sig",\ "crv" : "P-256",\ "kid" : "alias/test-sp-auth-api-id-token-signing-key-kms-asymmetric-key-alias",\ "x" : "1TsrYH0vsifCBY2ZzeXHm-e53jndsoRzaiBRuAyMd8o",\ "y" : "sdMKEjilloz3eUH8dBI_d_gF07TSJzhr3tYa_qLdLqw"\ } ] } --- # Testing with Test Personas | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Please refer to [test personas](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas) for testing purpose [PreviousTechnical Requirementschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements) [NextError Codechevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/error-code) Last updated 1 year ago Was this helpful? Was this helpful? --- # Error Code | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Error Code API Reason 400 Token Same authcode in the body is being re-used. Authcode error - missing, invalid, expired, revoked. 401 Token No security header given Invalid App ID used. Digital service is not registered with Verify The timestamp of server is not synchronised. Check timestamp of server. The value of the nonce in the authorisation header was deemed to be repeated. Check that the nonce is not re-used Ensure HTTP 'Authorization' header to be 'PKI\_SIGN' Person No security header given (HTTP 'Authorization' header) Invalid App ID used. Digital service is not registered with Verify The timestamp of server is not synchronised. Check timestamp of server. The value of the nonce in the authorisation header was deemed to be repeated. Check that the nonce is not re-used Ensure HTTP 'Authorization' header to be 'PKI\_SIGN' The requested UIN/FIN does not match the UIN/FIN of the person who logged in Requested attributes do not match the attributes consented by person 403 Token Incorrect API URL used. Person Incorrect API URL used. Digital service is not registered with Verify. Request contains attributes not allowable for the digital service. 404 Person Missing Myinfo profile. 500 Token Unexpected error. Check response body for actual error. Person Unexpected error. Check response body for actual error. [PreviousTesting with Test Personaschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify/testing-with-test-personas) Last updated 1 year ago Was this helpful? Was this helpful? --- # Technical Requirements | (Legacy) Verify | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-1.-transaction-log) 1\. Transaction Log ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Digital services which have integrated with Verify should track and store user transactions for potential issue management. The following are some of the suggested minimum fields for tracking: * State/ Transaction No. from the Verify request body * Fields requested from Verify * Time Stamp In the event of user feedback or contact, these transaction logs may be requested by us to reconcile and resolve issues raised by the user. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-2.-x.509-public-key) 2\. X.509 Public Key --------------------------------------------------------------------------------------------------------------------------------------------------------------------- To implement RS256 (RSA Signature with SHA-256) Digital Signature for Verify APIs in your apps, please use a X.509 Public Key Certificate with RSA key size of 2048 bits or larger from one of the following compatible Certificate Authority (CA): * Comodo/Sectigo * digiCert * GeoTrust * GlobalSign * [Netrustarrow-up-right](https://www.netrust.net/netrust-singpass-myinfo-certificates/) \* * Thawte * VeriSign \*Certificate must be issued by Netrust. Entrust-issued certs are not accepted. circle-exclamation ECC and ECDSA Public Key Certificates are currently NOT supported. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-3.-tls-and-cipher-suites) 3\. TLS & Cipher Suites ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- circle-info **IMPORTANT:** In line with contemporary industry best practices, Verify supports TLS 1.2 and above. The list of supported strong cipher suites include: * TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 * TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-4.-webhook-urls-applicable-to-version-1-only) 4\. Webhook URLs (applicable to version 1 only) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- For security reasons: * Different Webhook URLs should be used for staging and production environments * Fully Qualified Domain Name (FQDN) of staging and production environments should be used (i.e. instead of IP address) * Webhook URLs should not contain Hash (#) or Wildcard (\*) characters [PreviousVerify APIchevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/verify-api) [NextTesting with Test Personaschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-verify/testing-with-test-personas) Last updated 1 year ago Was this helpful? * [1\. Transaction Log](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-1.-transaction-log) * [2\. X.509 Public Key](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-2.-x.509-public-key) * [3\. TLS & Cipher Suites](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-3.-tls-and-cipher-suites) * [4\. Webhook URLs (applicable to version 1 only)](https://docs.developer.singpass.gov.sg/docs/legacy-verify/technical-specifications/technical-requirements#id-4.-webhook-urls-applicable-to-version-1-only) Was this helpful? --- # Tutorials | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [Tutorial 1: Myinfo Person sample Datachevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data) [Tutorial 2: End-to-end Integration with Myinfo v4 APIschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis) [PreviousAPI Specificationschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/api-specifications) [NextTutorial 1: Myinfo Person sample Datachevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data) Was this helpful? Was this helpful? --- # Resources | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [Myinfo Connectorschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/myinfo-connectors) [Error Codeschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes) [PreviousTutorial 2: End-to-end Integration with Myinfo v4 APIschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis) [NextMyinfo Connectorschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/myinfo-connectors) Was this helpful? Was this helpful? --- # Myinfo v4 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FTE0gPPvxZel3w6eu16nQ%252Fimage.png%3Falt%3Dmedia%26token%3Df2999415-bfd2-4d5f-a164-ffa4ef5fe003&width=768&dpr=3&quality=100&sign=87f51344&sv=2) Logical overview of Myinfo v4 Integrating with Myinfo requires your application to invoke 3 different APIs as part of the OAuth2.1 authorization code flow: [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4#id-1.-authorize-api) **1\. Authorize API** ------------------------------------------------------------------------------------------------------------------------------------------------------------ This API triggers the Singpass authentication process, followed by presenting a consent page to the user to obtain explicit consent from the user to allow his/her personal details to be released to your application. Our system will return a short-lived "authorization code(authcode)" at the end of this process. circle-info This API is triggered over the browser via the 302 redirect. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4#id-2.-token-api) **2\. Token API** ---------------------------------------------------------------------------------------------------------------------------------------------------- Your application server invokes this API to obtain an access\_token, which can be used to call the /person API for the actual data. Your application needs to provide a valid authorization code(authcode) from the /authorize API in exchange for the access\_token. The access\_token will be valid for 30 minutes. circle-info This API is a server-to-server call (does not go through the browser) * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4#id-3.-person-api) **3\. Person API** ------------------------------------------------------------------------------------------------------------------------------------------------------ This API returns a JSON response with the personal data that was requested. Your application must provide a valid access\_token from the /token API in exchange for the person data. Once your application receives the person data, you can use this data to populate the online form on your application. circle-info This API is a server-to-server call (does not go through the browser) ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2Fapi.singpass.gov.sg%2Fassets%2Fapi-lib%2Fmyinfo%2Fimg%2Fv4%2Fmyinfo-v4-flow.png&width=300&dpr=3&quality=100&sign=f3c68dec&sv=2) [PreviousKey Principleschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/key-principles) [NextDifference between v3 and v4chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/difference-between-v3-and-v4) Last updated 1 year ago Was this helpful? * [1\. Authorize API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4#id-1.-authorize-api) * [2\. Token API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4#id-2.-token-api) * [3\. Person API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4#id-3.-person-api) Was this helpful? --- # Latest X.509 Public Key Certificate | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Our last public key certificate has expired on 07 Nov 2024 Please download the latest Public Key Certificate here file-download 2KB [pub.new.consent.myinfo.gov.sg.cer](https://1982108655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fk67iNluSpweCPqhbIY5t%2Fuploads%2FAkRx1bQMtekxk9sIRXR2%2Fpub.new.consent.myinfo.gov.sg.cer?alt=media&token=8ba45b45-a734-47db-a57e-2a46b394a4fd) downloadDownload[arrow-up-right-from-squareOpen](https://1982108655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fk67iNluSpweCPqhbIY5t%2Fuploads%2FAkRx1bQMtekxk9sIRXR2%2Fpub.new.consent.myinfo.gov.sg.cer?alt=media&token=8ba45b45-a734-47db-a57e-2a46b394a4fd) Once you are ready to deploy, follow the following steps (screenshot has been attached below) 1. Login to SDP 2. Edit affected application 3. Select "Renewed certificate" 4. Select Update ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FjZdwd2EtKARuARId6CLX%252Fimage.png%3Falt%3Dmedia%26token%3D0c35f8a2-423a-4adc-be20-3768f76337ba&width=768&dpr=3&quality=100&sign=44a4f70e&sv=2) Certificate selection on Application Configuration page [PreviousAPI Specificationschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications) [NextTutorialschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials) Last updated 1 year ago Was this helpful? Was this helpful? --- # Technical Concepts | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [OAuth 2.1 Conceptschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/oauth-2.1-concepts) [Proof of Key Code Exchange (PKCE)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/proof-of-key-code-exchange-pkce) [JSON Web Token (JWT)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt) [Client Assertionschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/client-assertions) [JSON Web Key Store (JWKS)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks) [Demonstration of Proof-of-Possession (DPoP)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop) [PreviousTechnical Guidelineschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines) [NextOAuth 2.1 Conceptschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/oauth-2.1-concepts) Was this helpful? Was this helpful? --- # Difference between v3 and v4 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close The diagram below highlights the end to end flow of v4 APIs with key changes: ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2Fapi.singpass.gov.sg%2Fassets%2Fapi-lib%2Fmyinfo%2Fimg%2Fv4%2Fmyinfo-v4-flow.png&width=300&dpr=3&quality=100&sign=f3c68dec&sv=2) Myinfo v4 APIs bring about improved security posture, standards and features. For the comprehensive list of changes, refer to our [API Specs Release notesarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.html) . v3 v4 Justification \- Proof of Key Code Exchange (PKCE) (Reference : [PKCEarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/pkce) ) Improve security posture between /authorize and /token by protecting against authcode injection X.509 Certificate public keys JSON Web Key Store (JWKS) (Reference : [JWKSarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/jwks) ) Enable minimal disruption on key rotations PKI Base string signing Client Assertions (Reference : [Client Assertionsarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/clientassertion) ) Alignment to international standards \- Demonstration of Proof-of-Possesion (DPoP) (Reference : [DPoParrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/dpop) ) Improve security posture between /token and /person by proving legitimacy of possession for access token before data can be released [PreviousMyinfo v4chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4) [NextTechnical Guidelineschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines) Last updated 1 year ago Was this helpful? Was this helpful? --- # Myinfo Connectors | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Partners can refer to the following connectors to help your integration with Myinfo V3. As onboarding for Myinfo v3/v4 is discontinued., we are no longer providing updates for these connectors. Language Github Link Requirements NodeJS [https://github.com/singpass/myinfo-connector-nodejsarrow-up-right](https://github.com/singpass/myinfo-connector-nodejs) Java [https://github.com/singpass/myinfo-connector-javaarrow-up-right](https://github.com/singpass/myinfo-connector-java) Java 1.7 or later .NET [https://github.com/singpass/myinfo-connector-dotnetarrow-up-right](https://github.com/singpass/myinfo-connector-dotnet) .NET Framework 4.8 [PreviousResourceschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources) [NextError Codeschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources/error-codes) Last updated 1 year ago Was this helpful? Was this helpful? --- # Technical Guidelines | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-1.-transaction-log) 1\. Transaction Log --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Digital services which have integrated with Myinfo should track and store user transactions for potential issue management. The following are some of the suggested minimum fields for tracking: * UUID, Partial NRIC/FIN or NRIC/FIN (as relevant to usage under PDPA guidelines) * Fields requested from Myinfo * Time Stamp * Transaction ID In the event of user feedback or contact, these transaction logs may be requested by Myinfo to reconcile and resolve issues raised by the user. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-2.-json-web-key-store-jwks) 2\. JSON Web Key Store (JWKS) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The relying party is expected to provide public keys to Myinfo in the JWK format. These public keys will be used in the following (non-exhaustive) scenarios: * **Signature JWK** used to verify the signature of the `client_assertion JWT` presented during `/token` request. * **Encryption JWK** used to encrypt the retrieved user's data in `/person` request. The relying party is expected to host the **JWKS** with below specifications: * is served behind HTTPS on port 443 using a TLS server certificate issued by a standard publicly verifiable CA issuer (no private CAs), with complete cert chain presented by the server * is publicly accessible (no IP whitelisting, mTLS or other custom HTTP header requirements outside standard HTTP headers such as Content-Type, Accept) * is able to respond in a timely fashion * Contains at least 1 `sig` key with `alg ES256` * Contains at least 1 `enc` key with `alg ECDH-ES+A256KW` The Relying party is expected to follow below key rotation and caching policies * Retrieval of **Myinfo JWKS** should be cached for at least `one hour` and not retrieved for every JWT validation. * For varying reasons, keys used for signing can and will be **rotated/changed with no defined schedule**, and at the full discretion of Myinfo. When a key rotation happens, the new key will be available from the JWKS endpoint and will have a different kid value. The new kid value will be reflected in all the new JWTs signed by Myinfo. In such cases, cached copies of Myinfo public keys must be refreshed by re-invoking the JWKS endpoint. * **All Key pairs** are recommended to be rotated every `2 years` with the old key pairs removed once rotation is sucessful. * Keying materials e.g shared secrets, seeds shall be destroyed immediately or as soon as possible when no longer requried. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-3.-tls-and-cipher-suites) 3\. TLS & Cipher Suites ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **IMPORTANT:** In line with contemporary industry best practices, Myinfo supports TLS 1.2. The list of supported strong cipher suites include: * TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 * TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 **Recommendation on Myinfo Certificate pinning** RPs must not do "cert pinning" or create any form of dependency to the TLS certificates to Myinfo domains. **Myinfo reserves the right to rotate its TLS certificates without prior notice to RPs.** Should your application architecture require cert pinning, we recommend that your application trust / pin against the [root certificatesarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/amazonrootcas.zip) instead. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-4.-callback-urls) 4\. Callback URLs ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- For security reasons: * Different callback URLs should be used for staging and production environments * Fully Qualified Domain Name (FQDN) of staging and production environments should be used (i.e. instead of IP address) * Callback URLs should not contain Hash (#) or Wildcard (\*) characters * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-5.-mobile-app-integration) 5\. Mobile App integration ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Myinfo offers integration via browser redirections. Native application integration is not supported. * Integration should be done via in-app browser (not WebViews) or external browser. * For services integrating on Android, setDomStorageEnable should be enabled. * Camera permissions for your app must be enabled to support cases where additional security verification with Singpass Face Verification is required. [PreviousDifference between v3 and v4chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/difference-between-v3-and-v4) [NextTechnical Conceptschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts) Last updated 1 year ago Was this helpful? * [1\. Transaction Log](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-1.-transaction-log) * [2\. JSON Web Key Store (JWKS)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-2.-json-web-key-store-jwks) * [3\. TLS & Cipher Suites](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-3.-tls-and-cipher-suites) * [4\. Callback URLs](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-4.-callback-urls) * [5\. Mobile App integration](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-guidelines#id-5.-mobile-app-integration) Was this helpful? --- # Proof of Key Code Exchange (PKCE) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Proof Key for Code Exchange(PKCE) is an extension to the Authorization Code flow to prevent Cross Site Request Forgery(CSRF) and Authorization code injection attacks. (Refer to [https://datatracker.ietf.org/doc/html/rfc7636arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7636) ) ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2Fapi.singpass.gov.sg%2Fassets%2Fapi-lib%2Fmyinfo%2Fimg%2Fv4%2Fpkce.png&width=300&dpr=3&quality=100&sign=3b7b45e3&sv=2) 1. User access to the client application. 2. Client application creates a cryptographically random string as a secret key (code\_verifier) that only it knows and creates a base64url encoded hash of the secret key(code\_challenge). 3. Client application returns the code\_challenge and creates a frontend session to the user's browser. 4. Browser calls /authorize API with the code\_challenge. 5. The AuthZ server returns the authcode. 6. Client application calls /token API with the code\_verifier and authcode. 7. The AuthZ server will ensure that the code\_verifier has the same hash as the code\_challenge before issuing the access\_token. **i) Create code\_verifier** * * * Create a code\_verifier, which is the cryptographically random string that will eventually be sent to Token API to request for access\_token.Copy to clipboard Copy // Dependency: Node.js crypto module (https://nodejs.org/api/crypto.html#crypto_crypto)   function base64URLEncode(str) { return str.toString('base64') .replace(/\+/g, '-') .replace(/\//g, '_') .replace(/=/g, ''); }   // The client generates a random string of bytes and saved into a persistent session store let codeVerifier = base64URLEncode(crypto.randomBytes(32)); **i) Create code\_challenge** * * * Using the code\_verifier, generate a code\_challenge that will be sent in the /authorize API. Copy to clipboard code\_challenge should be generated from the raw bytes of the code\_verifier and not the hex encoded string. Example: 'helloworld' code\_verifier should produce 'k2oYXKqiZrucvpgengXLeM1zKwsygOuURBK7b4-PB68' as code\_challenge [PreviousOAuth 2.1 Conceptschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/oauth-2.1-concepts) [NextJSON Web Token (JWT)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt) Last updated 1 year ago Was this helpful? Was this helpful? Copy // Dependency: Node.js crypto module (https://nodejs.org/api/crypto.html#crypto_crypto)   function base64URLEncode(str) { return str.toString('base64') .replace(/\+/g, '-') .replace(/\//g, '_') .replace(/=/g, ''); }   // The client hashes these bytes and encodes them for use in a url let codeChallenge = base64URLEncode(crypto.createHash('sha256').update(codeVerifier).digest()); --- # Resources | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [Myinfo Connectorschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources/myinfo-connectors) [Error Codeschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources/error-codes) [PreviousTutorial 3: Implementing PKI Digital Signaturechevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature) [NextMyinfo Connectorschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources/myinfo-connectors) Was this helpful? Was this helpful? --- # Myinfo v3 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FRZv6EqPB2HaAsJaOfkyY%252Fimage.png%3Falt%3Dmedia%26token%3D843751d4-a5bf-43ee-a95d-5d6115e1f34c&width=768&dpr=3&quality=100&sign=c062910&sv=2) Logical overview of Myinfo v3 [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#understanding-oauth-2.0-flow-for-myinfo-apis) Understanding OAuth 2.0 flow for Myinfo APIs ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Integrating with Myinfo requires your application to invoke 3 different APIs as part of the OAuth2.0 authorisation code flow: ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#id-1.-authorise) 1\. Authorise This API triggers the Singpass authentication process, followed by presenting a consent page to the user to obtain explicit consent from the user to allow his/her personal details to be released to your application. At the end of this process, our system will return to you a short-lived "authorisation code". circle-info This API is triggered over the browser via 302 redirect. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#id-2.-token) 2\. Token This API is invoked by your application server to obtain an "access token", which can be used to call the person API for the actual data. Your application needs to provide a valid "authorisation code" from the authorise API in exchange for the "access token". The "access token" will be valid for 30 minutes. circle-info This API is a server-to-server call (does not go through browser) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#id-3.-person) 3\. Person This API returns a JSON response with the personal data that was requested. Your application needs to provide a valid "access token" in exchange for the JSON data. Once your application receives this JSON data, you can use this data to populate the online form on your application. circle-info This API is a server-to-server call (does not go through browser) ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FHClkFMhccHgr3nGhIHZV%252Fimage.png%3Falt%3Dmedia%26token%3D9fbd5621-efa5-4f46-8a4f-8c8d793d63ee&width=768&dpr=3&quality=100&sign=6c26383d&sv=2) End-to-end Myinfo sequence diagram [PreviousFAQchevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq) [NextTechnical Guidelineschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines) Last updated 1 year ago Was this helpful? * [Understanding OAuth 2.0 flow for Myinfo APIs](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#understanding-oauth-2.0-flow-for-myinfo-apis) * [1\. Authorise](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#id-1.-authorise) * [2\. Token](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#id-2.-token) * [3\. Person](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3#id-3.-person) Was this helpful? --- # OAuth 2.1 Concepts | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close MyInfo APIs use [OAuth2.1arrow-up-right](https://oauth.net/2.1/) - Authorization code flow to perform authentication & authorization; it allows mobile and web clients to obtain tokens securely. The code flow comprises 2 main parts: 1. Authorization flow that runs in the browser 2. Token flow that is a server-to-server call * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/oauth-2.1-concepts#id-1.-authorization-flow) 1\. Authorization Flow -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FqGSFvfW10qoD9SuBAmRS%252Fimage.png%3Falt%3Dmedia%26token%3D14eb42ae-4664-444b-9858-00e914b8bcfe&width=768&dpr=3&quality=100&sign=7a62be60&sv=2) 1. Browser redirects to the /authorize endpoint of the AuthZ server. 2. The AuthZ server redirects to the Singpass, the AuthN server. 3. The User authenticates and redirects back to the AuthZ server. 4. The AuthZ server redirects to the consent page for user consent. 5. The User consents. 6. The AuthZ server redirects back to the client application callback URL with a one-time token called Authorization Code(authcode) [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/oauth-2.1-concepts#id-2.-token-flow) 2\. Token Flow ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FokMF84Zq5czeOEfF1I05%252Fimage.png%3Falt%3Dmedia%26token%3D3d24a0fc-a7ab-49b0-a13d-c5134b95566c&width=768&dpr=3&quality=100&sign=9ca5094e&sv=2) 1. The client application makes a post request to the /token API endpoint with the Authorization code (authcode) and client\_assertion. 2. The AuthZ Server validates the authcode and client\_assertion before issuing the access\_token. [PreviousTechnical Conceptschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts) [NextProof of Key Code Exchange (PKCE)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/proof-of-key-code-exchange-pkce) Last updated 1 year ago Was this helpful? * [1\. Authorization Flow](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/oauth-2.1-concepts#id-1.-authorization-flow) * [2\. Token Flow](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/oauth-2.1-concepts#id-2.-token-flow) Was this helpful? --- # Tutorials | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [Tutorial 1: Basic Person APIchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api) [Tutorial 2: Using OAuth2chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2) [Tutorial 3: Implementing PKI Digital Signaturechevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature) [PreviousLatest X.509 Public Key Certificatechevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/latest-x.509-public-key-certificate) [NextTutorial 1: Basic Person APIchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api) Last updated 1 year ago Was this helpful? Was this helpful? --- # Technical Guidelines | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-1.-transaction-log) 1\. Transaction Log --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Digital services which have integrated with Myinfo should track and store user transactions for potential issue management. The following are some of the suggested minimum fields for tracking: * UUID, Partial NRIC/FIN or NRIC/FIN (as relevant to usage under PDPA guidelines) * Fields requested from Myinfo * Time Stamp In the event of user feedback or contact, these transaction logs may be requested by Myinfo to reconcile and resolve issues raised by the user. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-2.-x.509-public-key) 2\. X.509 Public Key ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To implement RS256 (RSA Signature with SHA-256) Digital Signature for Myinfo APIs in your apps, please use a X.509 Public Key Certificate with RSA key size of 2048 bits or larger from one of the following compatible Certificate Authority (CA): * Comodo/Sectigo * digiCert * GeoTrust * GlobalSign * [Netrustarrow-up-right](https://www.netrust.net/netrust-singpass-myinfo-certificates) \* * Thawte * VeriSign \*Certificate must be issued by Netrust. Entrust-issued certs are not accepted. triangle-exclamation ECC and ECDSA Public Key Certificates are currently NOT supported. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-3.-tls-and-cipher-suites) 3\. TLS & Cipher Suites ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **IMPORTANT:** In line with contemporary industry best practices, Myinfo supports TLS 1.2. The list of supported strong cipher suites include: * TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256 * TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384 * TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256 * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-4.-callback-urls) 4\. Callback URLs ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- For security reasons: * Different callback URLs should be used for staging and production environments * Fully Qualified Domain Name (FQDN) of staging and production environments should be used (i.e. instead of IP address) * Callback URLs should not contain Hash (#) or Wildcard (\*) characters * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-5.-mobile-app-integration) 5\. Mobile App integration ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Myinfo offers integration via browser redirections. Native application integration is not supported. * Integration should be done via in-app browser (not WebViews) or external browser. * For services integrating on Android, setDomStorageEnable should be enabled. * Camera permissions for your app must be enabled to support cases where additional security verification with Singpass Face Verification is required. [PreviousMyinfo v3chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3) [NextAPI Specificationschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications) Last updated 1 year ago Was this helpful? * [1\. Transaction Log](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-1.-transaction-log) * [2\. X.509 Public Key](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-2.-x.509-public-key) * [3\. TLS & Cipher Suites](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-3.-tls-and-cipher-suites) * [4\. Callback URLs](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-4.-callback-urls) * [5\. Mobile App integration](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines#id-5.-mobile-app-integration) Was this helpful? --- # Tutorial 1: Basic Person API | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close In this tutorial we will try to call a basic API to get a sample Person JSON response. You can then use this JSON object in your application to pre-fill your online application form. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#id-1.-invoke-the-sandbox-person-api) 1\. Invoke the Sandbox Person API ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Open another browser window and type in the following URL: Copy https://sandbox.api.myinfo.gov.sg/com/v3/person-sample/S9812381D This will call our sandbox API using HTTPS GET. `S9812381D` is the _UINFIN_ (NRIC or FIN) parameter which refers to the ID of the person you wish to get the data of. For this sample API, the following _UINFIN_ are supported: * S9812381D * S9812382B * S9812385G * S9812387C * S9912363Z * S9912366D * S9912369I * S9912370B * S9912372I * S9912374E * S6005053H * S6005055D * S9812379B * F1612347K * G1612348Q * G1612349N * G1612350T * G1612352N * G1612353L Please refer to our [API specificationsarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v3.2.html) for this tutorial. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#id-2.-verify-the-json-response) 2\. Verify the JSON response -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You should get a response JSON file which looks like this: **Sample JSON for Person data** * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#id-3.-using-the-json-object) 3\. Using the JSON Object -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Try using the JSON object in your own application to prefill your forms! * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#summary) Summary ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ You've successfully called a basic Person API and gotten a sample JSON response from Myinfo. Before trying out Tutorial 2, you will need to understand the OAuth Process. [PreviousTutorialschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials) [NextTutorial 2: Using OAuth2chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2) Last updated 1 year ago Was this helpful? * [1\. Invoke the Sandbox Person API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#id-1.-invoke-the-sandbox-person-api) * [2\. Verify the JSON response](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#id-2.-verify-the-json-response) * [3\. Using the JSON Object](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#id-3.-using-the-json-object) * [Summary](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api#summary) Was this helpful? Copy { "uinfin": { "lastupdated": "2019-03-26", "source": "1", "classification": "C", "value": "S9812381D" }, "name": { "value": "TAN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hanyupinyinname": { "value": "CHEN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "aliasname": { "value": "TRICIA TAN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hanyupinyinaliasname": { "value": "TRICIA CHEN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "marriedname": { "value": "", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "sex": { "code": "F", "desc": "Female", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "race": { "code": "CN", "desc": "CHINESE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "secondaryrace": { "code": "EU", "desc": "EURASIAN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "dialect": { "code": "SG", "desc": "SWISS GERMAN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "nationality": { "code": "SG", "desc": "SINGAPORE CITIZEN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "dob": { "value": "1958-05-17", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "birthcountry": { "code": "SG", "desc": "SINGAPORE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "residentialstatus": { "code": "C", "desc": "Citizen", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passportnumber": { "value": "E35463874W", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passportexpirydate": { "value": "2020-01-01", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "regadd": { "type": "SG", "block": { "value": "548" }, "building": { "value": "" }, "floor": { "value": "09" }, "unit": { "value": "128" }, "street": { "value": "BEDOK NORTH AVENUE 1" }, "postal": { "value": "460548" }, "country": { "code": "SG", "desc": "SINGAPORE" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, ... } --- # Myinfo Connectors | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Partners can refer to the following connectors to help your integration with Myinfo V4. As onboarding for Myinfo v3/v4 is discontinued., we are no longer providing updates for these connectors. Language Github Link Requirements NodeJS [https://github.com/singpass/myinfo-connector-v4-nodejsarrow-up-right](https://github.com/singpass/myinfo-connector-v4-nodejs) Java [https://github.com/singpass/myinfo-connector-v4-javaarrow-up-right](https://github.com/singpass/myinfo-connector-v4-java) Java 1.8 or later [PreviousResourceschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources) [NextError Codeschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes) Last updated 1 year ago Was this helpful? Was this helpful? --- # Client Assertions | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close A client assertion is a JWT directly produced by a client application using a cryptographic key and presented as proof of the client's identity. (Refer to [https://datatracker.ietf.org/doc/html/rfc7521arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7521) ) Client Assertions provide a strong method of authenticating clients before returning an access\_token for them to access the data. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252F8DDy98VX6BGQ5QmJg9S4%252Fimage.png%3Falt%3Dmedia%26token%3D805380bc-0e5d-4bba-aa47-360efd4a9689&width=768&dpr=3&quality=100&sign=dc7ec97c&sv=2) 1. Client application invoke the Token API with a JWT client\_assertion. 2. AuthZ server will retrieve the client's trusted public key (JWK) from the client's onboarded JWKS URI. (As the JWKS endpoint only exposes public information, it does not need securing) 3. AuthZ server will verify the signature of the client\_assertion by extracting the matching public key from the client's JWKS with reference to the kid field in the client\_assertion JWT header. 4. AuthZ server returns the JWT access\_token. 5. Client application will retrieve AuthZ's trusted public key (JWK) from AuthZ's JWKS URI. 6. Client application will verify the signature of the access\_token by extracting the matching public key from AuthZ's JWKS with reference to the kid field in the access\_token JWT header. circle-info JSON Web Key (JWK) is a JSON object that represents a cryptographic public key that can be used to validate the signature of a signed JSON Web Token (JWT). JSON Web Key Set (JWKS) is composed of 1 or more JSON Web Keys (JWK) in an array format. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/client-assertions#generate-client-assertion) **Generate Client Assertion** --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- An example JWT client assertion is shown below. The claims (Refer to [https://www.rfc-editor.org/rfc/rfc7519#section-4.1arrow-up-right](https://www.rfc-editor.org/rfc/rfc7519#section-4.1) ) expected in the signed assertion are: PARAMETER DESCRIPTION sub Subject - client\_id issued by Myinfo upon onboarding jti JWT ID - random unique identifier aud Audience - URL that client application is calling iss Issuer - client\_id issued by Myinfo upon onboarding iat Issued At - current timestamp cnf.jkt JWK Thumbprint - base64url encoding of the JWK SHA-256 Thumbprint of the client's ephemeral public signing key used to sign the DPoP Proof JWT **Sample Code:** The client\_assertion is produced by generating the JSON payload and signing it with a private key. The signing and headers are produced by a JWT security library which uses a private key in JWK format. [PreviousJSON Web Token (JWT)chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt) [NextJSON Web Key Store (JWKS)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks) Last updated 1 year ago Was this helpful? Was this helpful? Copy { "typ": "JWT", "alg": "ES256", "kid": "x0zDLIC9yNRIXu3gW8nTQDOMNe7sKMAjQnZj3AWTW2U" }. { "sub": "PROD2-MYINFO-SELF-TEST", "jti": "jNDZuyLw66gkTjmCNMawzrTJNlhS8wdjpU0DHTzo", "aud": "https://api.myinfo.gov.sg/com/v4/token", "iss": "PROD2-MYINFO-SELF-TEST", "iat": 1662365106, "exp": 1662365406, "cnf":{ "jkt": "G_q8Qv9-xv_9xJo-esolTnvxVSobMER7O0LKGPBlTqY" } }. [signature] Copy // jktThumbprint: base64url encoding of the JWK SHA-256 Thumbprint of the client's ephemeral public signing key used to sign the DPoP Proof JWT   async function generateClientAssertion (url, clientId, privateSigningKey, jktThumbprint) => { let now = Math.floor((Date.now() / 1000));   let payload = { 'sub': clientId, 'jti': generateRandomString(40), 'aud': url, 'iss': clientId, 'iat': now, 'exp': now + 300, 'cnf' : { 'jkt': jktThumbprint } }; let jwsKey = await jose.JWK.asKey(privateSigningKey, 'pem');   let jwtToken = await jose.JWS.createSign({ 'format': 'compact', 'fields': { 'typ': 'JWT' } }, jwsKey).update(JSON.stringify(payload)).final(); return jwtToken; }; --- # Tutorial 1: Myinfo Person sample Data | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This tutorial will call a basic API to get sample Person data in JSON response. You can then use this JSON object to pre-fill your online form in your application. [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data#id-1.-request) 1\. Request ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Open another browser window and type in the following URL: Copy https://sandbox.api.myinfo.gov.sg/com/v4/person-sample/S9812381D This will call our sandbox API using HTTPS GET. `S9812381D` is the _UINFIN_ (NRIC or FIN) parameter which refers to the ID of the person you wish to get the data of. For this sample API, the following _UINFIN_ are supported: * `S9812381D` * `S9812382B` * `S9812385G` * `S9812387C` * `S9912363Z` * `S9912366D` * `S9912369I` * `S9912370B` * `S9912372I` * `S9912374E` * `S6005053H` * `S6005055D` * `S9812379B` * `F1612347K` * `G1612348Q` * `G1612349N` * `G1612350T` * `G1612352N` * `G1612353L` circle-info This API will take in the actual UINFIN as the sub for easier reference, however in the actual implementation UUID of the user will be used instead. Please refer to our [API specificationsarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.html) for this tutorial. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data#id-2.-response) 2\. Response --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You should see a JSON object which looks like this after you access the Person Sample API. **Sample JSON for Person data** Try using the JSON object in your own application to prefill your forms! * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data#summary) Summary --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You've successfully called a basic Person API and gotten a sample JSON response from Myinfo. [PreviousTutorialschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials) [NextTutorial 2: End-to-end Integration with Myinfo v4 APIschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis) Last updated 1 year ago Was this helpful? * [1\. Request](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data#id-1.-request) * [2\. Response](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data#id-2.-response) * [Summary](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data#summary) Was this helpful? Copy { "uinfin": { "lastupdated": "2019-03-26", "source": "1", "classification": "C", "value": "S9812381D" }, "name": { "value": "TAN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hanyupinyinname": { "value": "CHEN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "aliasname": { "value": "TRICIA TAN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hanyupinyinaliasname": { "value": "TRICIA CHEN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "marriedname": { "value": "", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "sex": { "code": "F", "desc": "Female", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "race": { "code": "CN", "desc": "CHINESE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "secondaryrace": { "code": "EU", "desc": "EURASIAN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "dialect": { "code": "SG", "desc": "SWISS GERMAN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "nationality": { "code": "SG", "desc": "SINGAPORE CITIZEN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "dob": { "value": "1958-05-17", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "birthcountry": { "code": "SG", "desc": "SINGAPORE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "residentialstatus": { "code": "C", "desc": "Citizen", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passportnumber": { "value": "E35463874W", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passportexpirydate": { "value": "2020-01-01", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "regadd": { "type": "SG", "block": { "value": "548" }, "building": { "value": "" }, "floor": { "value": "09" }, "unit": { "value": "128" }, "street": { "value": "BEDOK NORTH AVENUE 1" }, "postal": { "value": "460548" }, "country": { "code": "SG", "desc": "SINGAPORE" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, ... } --- # JSON Web Token (JWT) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-1.json-web-token-jwt) 1.JSON Web Token (JWT) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- JSON Web Tokens consist of three parts separated by dots (.), which are: * Header * Payload * Signature Therefore, a JWT typically looks like the following: \`xxxxx.yyyyy.zzzzz\` The header and the payload are Base64Url encoded. The signature is created using these two, a secret and the hashing algorithm being used (as specified in the header: ES256). To parse the JWT, you can use one of the libraries listed in the [JWT Libraries arrow-up-right](https://jwt.io/libraries) for Token Signing/Verification section of [JWT.io arrow-up-right](https://jwt.io/) . [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-2.json-web-signature-jws) 2.JSON Web Signature (JWS) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The decrypted payload is signed in [JWS (JSON Web Signature)arrow-up-right](https://www.rfc-editor.org/rfc/rfc7515) format, similar to the access\_token. * The signature algorithm used is ES256. You may download our Public JWKS from Myinfo JWKS URI for verification, after application is created during onboarding on the application details page upon login. Copy to clipboard Copy module.exports.verifyJWS = async (compactJWS, jwksUrl) => { var jwks = await getJwks(jwksUrl);   try { let keyStore = await jose.JWK.asKeyStore(jwks);   let result = await jose.JWS.createVerify(keyStore).verify(compactJWS); let payload = JSON.parse(Buffer.from(result.payload).toString());   return payload; } catch (error) { console.error("Error with verifying JWS:", error); throw constant.ERROR_VERIFY_JWS; } }; The code example above verify the JWS and return the JSON object, which is the person's data. [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.json-web-encryption-jwe) 3.JSON Web Encryption (JWE) ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * The encryption is done using your application's public key you provided during onboarding. So the payload's decryption should use your corresponding private key. * Current encryption algorithms used: * **ECDH-ES+A256KW** (for content key wrapping) * **AES256GCM** (for content key wrapping) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.1-what-is-the-jwe-json-web-encryption-compact-serialization-format) 3.1 What is the JWE (JSON Web Encryption) Compact Serialization format? The format consists of five parts separated by dots (.), which are: PART DESCRIPTION Header Contains the encryption algorithms used to produce the 1. cipher text(encrypted data) 2. encrypted key (symmetric key encrypted with application's RSA public key) Encrypted Key The encrypted symmetric key that was used to encrypt the data. Initialization Vector Secure random value used together with the symmetric key to encrypt the data. Ciphertext The encrypted data. Tag Value used to ensure integrity of the encrypted data and header. Therefore, a JWE typically looks like the following: aaaaa.bbbbb.ccccc.ddddd.eeeee ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.2-how-can-i-decrypt-the-jwe) 3.2 How can I decrypt the JWE? You will need to use a library that performs JWE decryption to decrypt the Ciphertext. Such libraries are readily available on the internet. For example, in our sample application (using Node.js), we use the jose.jwe.decrypt method from jose library. If the decryption fails, the library will throw an error the application needs to handle. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.3-how-does-jwe-library-decrypt-the-jwe-in-detail) 3.3 How does JWE library decrypt the JWE in detail? Firstly, your JWE library will decrypt the Encrypted Key inside the JWE using your application's corresponding Encryption private key. Once it's decrypted, your library can retrieve the symmetric key that is used to encrypt the Ciphertext in JWE. Next, the JWE library will decrypt the Ciphertext using that symmetric key together with the Initialization Vector, Tag and the encryption algorithm in the ASCII-encoded Header. * * * With reference to myinfo-connector/lib/securityHelper.js sample application connector code: Copy to clipboard The code example above decrypts the JWE and returns the payload signed in JWS; [PreviousProof of Key Code Exchange (PKCE)chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/proof-of-key-code-exchange-pkce) [NextClient Assertionschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/client-assertions) Last updated 1 year ago Was this helpful? * [1.JSON Web Token (JWT)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-1.json-web-token-jwt) * [2.JSON Web Signature (JWS)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-2.json-web-signature-jws) * [3.JSON Web Encryption (JWE)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.json-web-encryption-jwe) * [3.1 What is the JWE (JSON Web Encryption) Compact Serialization format?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.1-what-is-the-jwe-json-web-encryption-compact-serialization-format) * [3.2 How can I decrypt the JWE?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.2-how-can-i-decrypt-the-jwe) * [3.3 How does JWE library decrypt the JWE in detail?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-token-jwt#id-3.3-how-does-jwe-library-decrypt-the-jwe-in-detail) Was this helpful? Copy module.exports.decryptJWEWithKey = async (compactJWE, encryptionPrivateKey) => { try { let keystore = jose.JWK.createKeyStore(); let jweParts = compactJWE.split("."); // header.encryptedKey.iv.ciphertext.tag if (jweParts.length != 5) { throw constant.ERROR_INVALID_DATA_OR_SIGNATURE; }   //Session encryption private key should correspond to the session encryption public key passed in to client assertion let key = await keystore.add(encryptionPrivateKey, "pem");   let data = { "type": "compact", "protected": jweParts[0], "encrypted_key": jweParts[1], "iv": jweParts[2], "ciphertext": jweParts[3], "tag": jweParts[4], "header": JSON.parse(jose.util.base64url.decode(jweParts[0]).toString()) };   let result = await jose.JWE.createDecrypt(key).decrypt(data);   return result.payload.toString(); } catch (error) { throw constant.ERROR_DECRYPT_JWE; } }; --- # JSON Web Key Store (JWKS) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close The relying party is expected to provide public keys to Myinfo in the JWK format. These public keys will be used in the following (non-exhaustive) scenarios: * **Signature JWK** used to verify the signature of the client\_assertion JWT presented during /token request. * **Encryption JWK** used to encrypt the retrieved user's data in /person request. The relying party is expected to host the **JWKS** with below specifications: * is served behind HTTPS on port 443 using a TLS server certificate issued by a standard publicly verifiable CA issuer (no private CAs), with complete cert chain presented by the server * is publicly accessible (no IP whitelisting, mTLS or other custom HTTP header requirements outside standard HTTP headers such as Content-Type, Accept) * is able to respond in a timely fashion * Contains at least 1 `sig` key with `alg ES256` * Contains at least 1 `enc` key with `alg ECDH-ES+A256KW` For Staging and Production environments, please ensure * You have a separate JWKS endpoint for each environment * Different keypairs configured in the JWKS endpoints for each environment [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#generation-of-json-web-key-store) Generation of JSON Web Key Store ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **JWKS Endpoint Sample Code** Sample Code to generate a Private/Public Key Pair Copy const jose = require('node-jose'); const crypto = require('crypto'); async function generateKey(){ let key = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1', publicKeyEncoding: { type: 'spki', format: 'pem', }, privateKeyEncoding: { type: 'pkcs8', format: 'pem', }, }); let cryptoKey = await jose.JWK.asKey(key.privateKey, 'pem'); return cryptoKey; } Sample Code to generate Signing and Encryption keys and create JWKS from public keys. circle-info For production use, the private key must be generated separately in your production environment and stored directly. The Private Key should not leave your production Environment circle-info Generating the JWK in this manner will set a default kid(Thumbprint of JWK). You may set your own value for kid, but ensure that upon signing with Private key, the correct corresponding kid is reflected in JWT header circle-info Different keys are required to be created for Staging and Production [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#jwks-for-signing) JWKS for signing ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The signing JWK will be used to verify the client\_assertion JWT provided during /token request, thereby authenticating the client. Clients are allowed to provide multiple signature keys in the JWKS hosted on the JWKS url provided during onboarding on DPP. The signature JWK should have the following attributes: * Must have key use of value 'sig' * Must be an EC key, with curves: P-256 (NIST curves, aka secp256r1) * Must have an alg of value 'ES256' **Example EC signing key** [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#signing-key-rotation) Signing key rotation ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Relying parties can rotate their signing keys in a self-driven manner. To do this with zero downtime, the Relying party must * support use of **JWKS URLs** and be onboarded as such * ensure their replacement signing key has a different key ID (`kid`) to the original key * ensure their replacement signing key matches the other cryptographic key requirements To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new signing key pair (K2) supported for signing. T0 Relying party adds public key K2 to its JWKS endpoint (and leaves K1 on the endpoint) T0 - T+1 hour Myinfo’s cache will expire, and re-retrieves the relying party’s published keys from their JWKS endpoint which now includes K2 \> T+1 hour Relying party changes their system to start signing client assertions using the new signing key K2 Clean Up Post-validation, relying party can remove key K1 from their JWKS endpoint when they are comfortable their new signing key is working * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#jwks-for-encryption) JWKS for encryption ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The encryption JWK will be used to encrypt ID user's requested data from the `/person` API. The encryption JWK must have the following attributes: * Must have key use of value 'enc' * The key ID will be specified in the returned JWE header so that clients can pick the right key for decryption * Must have key type (kty) of either EC * Must have alg type of either ECDH-ES+A256KW **Example EC encryption key** In the event of multiple encryption keys found. Myinfo will use the first compatible key. Relying party is expected to be able to choose the correct private key for decryption based on kid. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#encryption-key-rotation) Encryption key rotation ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Relying parties can rotate their encryption keys in a self-driven manner. To do this with zero downtime the Relying party must * support use of JWKS URLs and be onboarded as such * have the ability to decrypt tokens produced with either one of two different encryption keys based on either * selecting the correct decryption key by its key ID (kid) * trial-and-error decryption against multiple keys in a collection * ensure their replacement key matches the other cryptographic key requirements noted above To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new encryption key pair (K2) supported for decryption. The existing key pair (K1) is still available for decryption of ID tokens T0 Relying party removes public key K1 and adds public key K2 on its JWKS endpoint T0 - T+1 hour NDI’s caches will expire at any (indeterminate) time within this period, and start encrypting tokens with new encryption key K2. T0 - T+1 hour Relying party may be receiving tokens encrypted with either K1 or K2 keys throughout this period; and must be able to decrypt either. \> T+1 hour Relying party can remove support for decrypting with the previous K1 key * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#caching-and-key-rotation-policy) Caching and key rotation policy ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Retrieval of Myinfo JWKS should be cached for at least one hour and not retrieved for every JWT validation. * For varying reasons, keys used for signing can and will be rotated/changed with no defined schedule, and at the full discretion of Myinfo. When a key rotation happens, the new key will be available from the JWKS endpoint and will have a different kid value. The new kid value will be reflected in all the new JWTs signed by Myinfo. In such cases, cached copies of Myinfo public keys must be refreshed by re-invoking the JWKS endpoint. * All Key pairs are recommended to be rotated every 2 years with the old key pairs removed once rotation is successful. * Keying materials e.g shared secrets, seeds shall be destroyed immediately or as soon as possible when no longer requried. [PreviousClient Assertionschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/client-assertions) [NextDemonstration of Proof-of-Possession (DPoP)chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop) Last updated 1 year ago Was this helpful? * [Generation of JSON Web Key Store](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#generation-of-json-web-key-store) * [JWKS for signing](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#jwks-for-signing) * [Signing key rotation](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#signing-key-rotation) * [JWKS for encryption](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#jwks-for-encryption) * [Encryption key rotation](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#encryption-key-rotation) * [Caching and key rotation policy](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks#caching-and-key-rotation-policy) Was this helpful? Copy const jose = require('node-jose'); async function generateJwks() { //Creating Signing Key let signingKey = await generateKey(); let publicSigningKeyJSON = signingKey.toJSON();   //Creating Encryption Key let encryptionKey = await generateKey(); let publicEncryptionKeyJSON = encryptionKey.toJSON();   let jwks = { keys: [{...publicSigningKeyJSON,\ ...{use: 'sig'},\ ...{crv: 'P-256'},\ ...{alg: 'ES256'},\ },\ {...publicEncryptionKeyJSON,\ ...{use: 'enc'},\ ...{crv: 'P-256'},\ ...{alg: 'ECDH-ES+A256KW'},\ }]};   console.log(JSON.stringify(jwks)); } Copy { "kty": "EC", "use": "sig", "alg": ES256 "kid": "sig-2021-01-15T12:09:06Z", "crv": "P-256", "x": "Tjm2thouQXSUJSrKDyMfVGe6ZQRWqCr0UgeSbNKiNi8", "y": "8BuGGu519a5xczbArHq1_iVJjGGBSlV5m_FGBJmiFtE" } Copy { "kty": "EC", "use": "enc", "kid": "enc-2021-01-15T12:09:06Z", "crv": "P-256", "x": "xom6kD54yfXRPvMFVYFlVjUKzmNhz7wf0DP_2h9kXtY", "y": "lrh8C9c8-SBJTm1FcfqLkj2AnHtaxpnB1qsN6PiFFJE", "alg": "ECDH-ES+A128KW" } --- # FAQ | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q1.-i-am-currently-using-myinfo-v3.-when-is-the-deadline-to-upgrade-to-myinfo-v4) Q1. I am currently using Myinfo v3. When is the deadline to upgrade to Myinfo v4? ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Rps on Myinfov3/v4 will need to migrate to Myinfo v5 by 30 Sept 2025. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q2.-i-encountered-an-error-while-developing-my-digital-service-integrating-with-myinfo-apis-who-can) Q2. I encountered an error while developing my digital service integrating with Myinfo APIs, who can I contact? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ For troubleshooting, you may refer to the [error codes page](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes) with the possible causes. Please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) if you encounter error with the implementation. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q3.-my-enterprise-architecture-design-requires-whitelisting-of-myinfo-apis-ip-address.-what-is-the-i) Q3. My Enterprise Architecture design requires whitelisting of Myinfo APIs IP address. What is the IP address that I should whitelist? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Myinfo APIs does not support IP whitelisting as our API Gateway is using dynamic IPs. Please whitelist the following Fully Qualified Domain Names (FQDN) instead: * test.api.myinfo.gov.sg * api.myinfo.gov.sg * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q4.-how-frequent-does-myinfo-apis-get-updated-how-do-i-get-notified-when-there-is-a-new-version-of-m) Q4. How frequent does Myinfo APIs get updated? How do I get notified when there is a new version of Myinfo APIs? Can I continue to use the older API version even if a newer version is released? ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The Government plans to make Myinfo more useful for digital transactions by progressively including other frequently-used profile data. When a new version of APIs is released, there will be a transition period for digital services to migrate to the latest version. The earlier API version is usually deprecated 6 months after the new version is released. Please ensure that your support emails are registered in your app to receive important announcement such as Myinfo new version or new data items release. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q5.-does-myinfo-apis-support-native-mobile-application) Q5. Does Myinfo APIs support native mobile application? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Myinfo APIs currently only support web-based integration. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q6.-is-there-any-requirement-for-the-jwks-can-we-use-the-same-url-endpoint-for-our-staging-and-produ) Q6. Is there any requirement for the JWKS? Can we use the same url endpoint for our staging and production environments?Please ensure that JWKS URL : --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * Is served behind HTTPS on port 443 using a TLS server certificate issued by a standard publicly verifiable CA issuer (no private CAs), with complete cert chain presented by the server * Is publicly accessible (no IP whitelisting, mTLS or other custom HTTP header requirements outside standard HTTP headers such as Content-Type, Accept) * Is able to respond in a timely fashion * Contains at least 1 sig key with alg ES256 * Contains at least 1 enc key with alg ECDH-ES+A256KW Due to security reasons, we recommend that you have a different JWKS URL for both staging and production environment * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q7.-how-can-i-rotate-my-signing-keys) Q7. How can I rotate my Signing Keys? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Relying parties can rotate their signing keys in a self-driven manner. To do this with zero downtime the Relying party must * support use of JWKS URLs and be onboarded as such * ensure their replacement signing key has a different key ID (kid) to the original key * ensure their replacement signing key matches the other cryptographic key requirements To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new signing key pair (K2) supported for signing. T0 Relying party adds public key K2 to its JWKS endpoint (and leaves K1 on the endpoint) T0 - T+1 hour Myinfo’s cache will expire, and re-retrieves the relying party’s published keys from their JWKS endpoint which now includes K2 \> T+1 hour Relying party changes their system to start signing client assertions using the new signing key K2 Clean Up Post-validation, relying party can remove key K1 from their JWKS endpoint when they are comfortable their new signing key is working * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q8-how-can-i-rotate-my-encryption-keys) Q8: How can I rotate my Encryption Keys? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Relying parties can rotate their encryption keys in a self-driven manner. To do this with zero downtime the Relying party must * support use of JWKS URLs and be onboarded as such * have the ability to decrypt tokens produced with either one of two different encryption keys based on either * selecting the correct decryption key by its key ID (kid) * trial-and-error decryption against multiple keys in a collection * ensure their replacement key matches the other cryptographic key requirements noted above To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new encryption key pair (K2) supported for decryption. The existing key pair (K1) is still available for decryption of ID tokens T0 Relying party removes public key K1 and adds public key K2 on its JWKS endpoint T0 - T+1 hour NDI’s caches will expire at any (indeterminate) time within this period, and start encrypting tokens with new encryption key K2. T0 - T+1 hour Relying party may be receiving tokens encrypted with either K1 or K2 keys throughout this period; and must be able to decrypt either. \> T+1 hour Relying party can remove support for decrypting with the previous K1 key * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q9.-i-am-trying-to-decrypt-the-jwe-response-string-returned-from-myinfo-person-api.-however-i-am-get) Q9. I am trying to decrypt the JWE response string returned from Myinfo Person API. However, I am getting the following error message: ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The library that you are using to decrypt the response string might not support A256GCM algorithm. Please use a library that supports the algorithm. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q10.-my-architecture-design-requires-trusting-of-myinfo-web-ssl-certificate.-where-can-i-retrieve-th) Q10. My architecture design requires trusting of Myinfo web SSL certificate. Where can I retrieve the certificate? ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- We recommend that your application trust / pin against the [root certificatesarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/amazonrootcas.zip) instead, as the web SSL certificates will be renewed from time to time. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q11.-what-are-the-requirements-for-callback-urls-in-the-app-configurations-submission) Q11. What are the requirements for callback URLs in the app configurations submission? --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Please note the following requirements for callback URLs submission: * Use different callback URLs in staging and production environments. * Use static callback URLs (i.e. dynamic callback URLs are not supported) * Use Fully Qualified Domain Names (FQDN) for both the staging and production callback URLs (i.e. static IP address or port numbers in callback URLs are not supported) * Multiple callback URLs may be submitted for each environment. * Use the default pre-configured [http://localhost:3001/callbackarrow-up-right](http://localhost:3001/callback) as staging callback URL for localhost testing. We do not support other localhost port and http configurations. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q12.-there-is-no-state-parameter-in-authorize.-how-can-i-identify-the-specific-request) Q12. There is no 'state' parameter in /authorize. How can I identify the specific request? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You are required to maintain a session with the user's frontend browser. This can also be used to tie the correct code\_verifier to code\_challenge ([PKCEarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/pkce) ) * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q13.-how-may-i-test-that-my-app-is-able-to-support-cases-where-additional-security-verification-with) Q13. How may I test that my app is able to support cases where additional security verification with Singpass Face Verification is required? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ To ensure that SFV works for your Myinfo user journeys, you may verify that camera permissions are enabled through the following methods: 1. Staging: Test additional Singpass Face Verification through the link provided on the Mockpass page 2. Production: Test that SFV works for the Myinfo user journey on different modalities (e.g. mobile/computer browser, native mobile app). You can test SFV through the following steps: a. Initiate the Myinfo user journey in your linked up service with the above App IDs b. Log in with your Singpass ID and password instead of the QR code c. Select Singpass Face Verification as the 2FA method instead of SMS OTP * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q14.-what-are-the-supports-available-for-me-to-conduct-performance-testing) Q14. What are the supports available for me to conduct performance testing? ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Performance Testing in Production environment is strictly not allowed. Please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) if you are planning to conduct performance testing in Test environment. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q15.-who-do-i-contact-if-i-require-more-details) Q15. Who do I contact if I require more details? ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If you have any other query, please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) . [PreviousError Codeschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes) [NextMyinfo v3chevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3) Last updated 9 months ago Was this helpful? * [Q1. I am currently using Myinfo v3. When is the deadline to upgrade to Myinfo v4?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q1.-i-am-currently-using-myinfo-v3.-when-is-the-deadline-to-upgrade-to-myinfo-v4) * [Q2. I encountered an error while developing my digital service integrating with Myinfo APIs, who can I contact?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q2.-i-encountered-an-error-while-developing-my-digital-service-integrating-with-myinfo-apis-who-can) * [Q3. My Enterprise Architecture design requires whitelisting of Myinfo APIs IP address. What is the IP address that I should whitelist?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q3.-my-enterprise-architecture-design-requires-whitelisting-of-myinfo-apis-ip-address.-what-is-the-i) * [Q4. How frequent does Myinfo APIs get updated? How do I get notified when there is a new version of Myinfo APIs? Can I continue to use the older API version even if a newer version is released?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q4.-how-frequent-does-myinfo-apis-get-updated-how-do-i-get-notified-when-there-is-a-new-version-of-m) * [Q5. Does Myinfo APIs support native mobile application?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q5.-does-myinfo-apis-support-native-mobile-application) * [Q6. Is there any requirement for the JWKS? Can we use the same url endpoint for our staging and production environments?Please ensure that JWKS URL :](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q6.-is-there-any-requirement-for-the-jwks-can-we-use-the-same-url-endpoint-for-our-staging-and-produ) * [Q7. How can I rotate my Signing Keys?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q7.-how-can-i-rotate-my-signing-keys) * [Q8: How can I rotate my Encryption Keys?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q8-how-can-i-rotate-my-encryption-keys) * [Q9. I am trying to decrypt the JWE response string returned from Myinfo Person API. However, I am getting the following error message:](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q9.-i-am-trying-to-decrypt-the-jwe-response-string-returned-from-myinfo-person-api.-however-i-am-get) * [Q10. My architecture design requires trusting of Myinfo web SSL certificate. Where can I retrieve the certificate?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q10.-my-architecture-design-requires-trusting-of-myinfo-web-ssl-certificate.-where-can-i-retrieve-th) * [Q11. What are the requirements for callback URLs in the app configurations submission?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q11.-what-are-the-requirements-for-callback-urls-in-the-app-configurations-submission) * [Q12. There is no 'state' parameter in /authorize. How can I identify the specific request?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q12.-there-is-no-state-parameter-in-authorize.-how-can-i-identify-the-specific-request) * [Q13. How may I test that my app is able to support cases where additional security verification with Singpass Face Verification is required?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q13.-how-may-i-test-that-my-app-is-able-to-support-cases-where-additional-security-verification-with) * [Q14. What are the supports available for me to conduct performance testing?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q14.-what-are-the-supports-available-for-me-to-conduct-performance-testing) * [Q15. Who do I contact if I require more details?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq#q15.-who-do-i-contact-if-i-require-more-details) Was this helpful? Copy *A256M is not valid algorithm* --- # Demonstration of Proof-of-Possession (DPoP) | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop#introduction) Introduction --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The Demonstration of Proof-of-Possession(DPoP) is a mechanism to tie an access\_token to the client who gets it. The client will have to provide a proof of possession before the access\_token can be used. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FJe69vANdS0wMDXE1YU5P%252Fimage.png%3Falt%3Dmedia%26token%3D120021f9-9a33-4619-b877-84373d2998b2&width=768&dpr=3&quality=100&sign=c347b367&sv=2) DPoP Mechanism **1\. Client application generates an ephemeral (One time) keypair on each API request.** circle-info Please ensure a new ephemeral keypair is generated on each request to ensure DPoP Proof is always unique per transaction. * Ephemeral public key (JWK) * Ephemeral private key With the following information: * alg: ES256 * use: sig * * * **2\. Client application generates the DPoP Proof JWT(for /token API)** * Embed the DPoP Proof JWTephemeral public key (JWK) into the header of the DPoP Proof JWT DPoP Proof JWT * Sign the DPoP Proof JWT using the DPoP Proof JWT ephemeral private key * * * **3\. Client application appends ephemeral public key (JWK) thumbprint into the payload of the client\_assertion (cnf.jkt)** Refer to Generate [Client Assertion](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/client-assertions) circle-info This step ensures that the identical client application generates the DPoP Proof (for Token API) and client\_assertion. * * * **4\. Client application calls the /token API to request for an access\_token** with the following information: * DPoP Proof (for Token API) * client\_assertion * authcode * * * **5\. AuthZ server validates and embeds the ephemeral public key (JWK) thumbprint of the DPoP Proof JWT (for /token API) into the access\_token (cnf.jkt).** circle-info This step ensures that the access\_token can only be used by the client application. * * * **6\. AuthZ server returns access\_token to the client application with token\_type as DPoP.** * * * **7\. Client application generates another DPoP Proof JWT (for /person API):** circle-info This step ensures that the access\_token can only be used by the client application. * * * **8\. Client application calls the /person API to request for the person data (Resource)** with the following information: * DPoP Proof (for Person API) * access\_token * * * **9\. Resource server validates the payload (ath) and ensures the ephemeral public key (JWK) thumbprint of the DPoP Proof JWT (for /person API) matches the access\_token hash and cnf.jkt.** circle-info This step ensures that the access\_token belongs to the client application that generates the DPoP Proof (Person API). * * * **10\. Resource server response with the person data.** * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop#generate-ephemeral-keys) **Generate Ephemeral keys** ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- **Sample Code:** * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop#generate-dpop-proof-jwt) Generate DPoP Proof JWT ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The claims (Refer to [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#name-dpop-proof-jwt-syntaxarrow-up-right](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#name-dpop-proof-jwt-syntax) ) expected in the DPoP Proof JWT are: PARAMETER DESCRIPTION typ Type - Type (Header), value "dpop+jwt" alg Algorithm (Header) - digital signature algorithm identifier as per RFC7518 (Refer to [https://datatracker.ietf.org/doc/html/rfc7518arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7518) ). MUST NOT be none or an identifier for a symmetric algorithm (MAC), value "ES256" jwk JSON Web Key (Header) - public key chosen by the client. MUST NOT contain the private key. jti JWT ID (Payload) - unique identifier htu HTTP URL (Payload) - HTTP URI used for the request, without query (?) and fragment parts (#) htm HTTP Method (Payload) - HTTP method for the request to which the JWT is attached iat Issued At (Payload) - current timestamp exp Expiry (Payload) - expiry timestamp ath Access token hash (Payload) - The base64url encoded SHA-256 hash of the ASCII encoding of the associated access token's value (Required only for /person call after DPoP-bound access token is issued) **DPoP Proof Sample** **Token API** **Person API** **Sample Code:** [PreviousJSON Web Key Store (JWKS)chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/json-web-key-store-jwks) [NextAPI Specificationschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/api-specifications) Last updated 1 year ago Was this helpful? * [Introduction](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop#introduction) * [Generate Ephemeral keys](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop#generate-ephemeral-keys) * [Generate DPoP Proof JWT](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/technical-concepts/demonstration-of-proof-of-possession-dpop#generate-dpop-proof-jwt) Was this helpful? Copy async function generateEphemeralKeys() { let options = { namedCurve: "P-256", publicKeyEncoding: { type: "spki", format: "pem", }, privateKeyEncoding: { type: "sec1", format: "pem", }, };   let ephemeralKeyPair = crypto.generateKeyPairSync("ec", options);   return ephemeralKeyPair; } Copy { "typ": "dpop+jwt", "jwk": { "kty": "EC", "kid": "M2OJVTdfiUw9C1HQkO1vTijLXGOypcFuT5wd4-5WdzE", "crv": "P-256", "x": "n92tLt2RNoBgB3jbOkq61wl_33USS08tS-GR7de0Mf0", "y": "3riG1jcEY8BLZdR8fseAkXA-RoIov_x9C_bG3JXVUq4", "use": "sig", "alg": "ES256" }, "alg": "ES256" }. { "htu": "https://sit.api.myinfo.gov.sg/com/v4/token", "htm": "POST", "jti": "bWDY6aTCnAGKWtCUjYLVIVmoEmB4XarepsBD85GC", "iat": 1662714998, "exp": 1662715118 }. [signature] Copy { "typ": "dpop+jwt", "jwk": { "kty": "EC", "kid": "M2OJVTdfiUw9C1HQkO1vTijLXGOypcFuT5wd4-5WdzE", "crv": "P-256", "x": "n92tLt2RNoBgB3jbOkq61wl_33USS08tS-GR7de0Mf0", "y": "3riG1jcEY8BLZdR8fseAkXA-RoIov_x9C_bG3JXVUq4", "use": "sig", "alg": "ES256" }, "alg": "ES256" }. { "htu": "https://sit.api.myinfo.gov.sg/com/v4/person/915267f0-5939-0230-78e7-b8cdbaab8518", "htm": "GET", "jti": "XFj7vBWCOlpI2Qyuxi4R7l2BTwFWDwZu1lWDT47p", "iat": 1662715005, "exp": 1662715125, "ath": "Eh9xM2CDQyrI3OMLJJJDhtmQeakdYYTDckNtklRQOVw" }. [signature] Copy // ath: Base64urlencoded Hash of the access_token   async function generateDpop(url, ath, method, ephemeralKeyPair) { let now = Math.floor(Date.now() / 1000); let payload = { htu: url, htm: method, jti: generateRandomString(40), iat: now, exp: now + 120, };   if (ath) { payload.ath = ath; }   let privateKey = await jose.JWK.asKey(ephemeralKeyPair.privateKey, "pem"); let jwk = (await jose.JWK.asKey(ephemeralKeyPair.publicKey, "pem")).toJSON(true); jwk.use = "sig"; jwk.alg = "ES256"; let DPoP = await jose.JWS.createSign( { format: "compact", fields: { typ: "dpop+jwt", jwk: jwk } }, { key: privateKey, reference: false } ) .update(JSON.stringify(payload)) .final(); return DPoP; } --- # FAQ | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q1.-can-i-change-the-callback-url-in-the-sample-app-what-should-i-do) Q1. Can I change the callback URL in the sample app, what should I do? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ If your digital service has not onboarded with Myinfo, please use [http://localhost:3001/callbackarrow-up-right](http://localhost:3001/callback) while you are prototyping. If your digital service has onboarded with Myinfo, please use the callback URLs that have been configured for you. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q2.-i-encountered-an-error-while-developing-my-digital-service-integrating-with-myinfo-apis-who-can) Q2. I encountered an error while developing my digital service integrating with Myinfo APIs, who can I contact? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ For troubleshooting, you may refer to the [error codes page](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources/error-codes) with the possible causes. Please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) if you encounter error with the implementation. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q3.-my-enterprise-architecture-design-requires-whitelisting-of-myinfo-apis-ip-address.-what-is-the-i) Q3. My Enterprise Architecture design requires whitelisting of Myinfo APIs IP address. What is the IP address that I should whitelist? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Myinfo APIs does not support IP whitelisting as our API Gateway is using dynamic IPs. Please whitelist the following Fully Qualified Domain Names (FQDN) instead: * test.api.myinfo.gov.sg * api.myinfo.gov.sg * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q4.-how-frequent-does-myinfo-apis-get-updated-how-do-i-get-notified-when-there-is-a-new-version-of-m) Q4. How frequent does Myinfo APIs get updated? How do I get notified when there is a new version of Myinfo APIs? Can I continue to use the older API version even if a newer version is released? ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The Government plans to make Myinfo more useful for digital transactions by progressively including other frequently-used profile data. When a new version of APIs is released, there will be a transition period for digital services to migrate to the latest version. The earlier API version is usually deprecated 6 months after the new version is released. Please ensure that your support emails are registered in your app to receive important announcement such as Myinfo new version or new data items release. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q5.-does-myinfo-apis-support-native-mobile-application) Q5. Does Myinfo APIs support native mobile application? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Myinfo APIs currently only support web-based integration. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q6.-is-there-any-requirement-for-the-x.509-public-key-can-we-use-the-same-x.509-certificate-for-our) Q6. Is there any requirement for the X.509 public key? Can we use the same X.509 certificate for our staging and production environments? -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Due to security reasons, please use: * Keys that are from a compatible CA (i.e. self-signed keys are not supported) * Different keys for staging and production environments You may use the same X.509 public key for different products/services that integrate with Myinfo, as long as different keys are used for staging and production environments. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q7-what-type-of-digital-certificate-should-i-obtain-for-integrating-with-myinfo) Q7: What type of digital certificate should I obtain for integrating with Myinfo? ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Integration with Myinfo requires X.509 certificate that can produce RS256 digital signature for the purpose of server to server communication. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q8-can-i-use-a-web-ssl-certificate-for-integrating-with-myinfo) Q8: Can I use a Web SSL certificate for integrating with Myinfo? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Web SSL certificate proves the authenticity of a domain. As integration with Myinfo is a server to server, the certificate should be issued to your company and not to a domain. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q9.-i-am-trying-to-decrypt-the-jwe-response-string-returned-from-myinfo-person-api.-however-i-am-get) Q9. I am trying to decrypt the JWE response string returned from Myinfo Person API. However, I am getting the following error message: ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The library that you are using to decrypt the response string might not support A256GCM algorithm. Please use a library that supports the algorithm. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q10.-my-architecture-design-requires-trusting-of-myinfo-web-ssl-certificate.-where-can-i-retrieve-th) Q10. My architecture design requires trusting of Myinfo web SSL certificate. Where can I retrieve the certificate? ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- We recommend that your application trust / pin against the [root certificatesarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/amazonrootcas.zip) instead, as the web SSL certificates will be renewed from time to time. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q11.-what-are-the-requirements-for-callback-urls-in-the-app-configurations-submission) Q11. What are the requirements for callback URLs in the app configurations submission? --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Please note the following requirements for callback URLs submission: * Use different callback URLs in staging and production environments. * Use static callback URLs (i.e. dynamic callback URLs are not supported) * Use Fully Qualified Domain Names (FQDN) for both the staging and production callback URLs (i.e. static IP address or port numbers in callback URLs are not supported) * Multiple callback URLs may be submitted for each environment. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q12.-how-may-i-test-that-my-app-is-able-to-support-cases-where-additional-security-verification-with) Q12. How may I test that my app is able to support cases where additional security verification with Singpass Face Verification is required? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ To ensure that SFV works for your Myinfo user journeys, you may verify that camera permissions are enabled through the following methods: 1. Staging: Test additional Singpass Face Verification through the link provided on the Mockpass page 2. Production: Test that SFV works for the Myinfo user journey on different modalities (e.g. mobile/computer browser, native mobile app). You can test SFV through the following steps: a. Initiate the Myinfo user journey in your linked up service with the above App IDs b. Log in with your Singpass ID and password instead of the QR code c. Select Singpass Face Verification as the 2FA method instead of SMS OTP * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q13.-what-are-the-supports-available-for-me-to-conduct-performance-testing) Q13. What are the supports available for me to conduct performance testing? ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Performance Testing in Production environment is strictly not allowed. Please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) if you are planning to conduct performance testing in Test environment. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q14.-what-is-the-myinfo-v3-certificate-change-about) Q14. What is the Myinfo v3 certificate change about? ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The last Myinfo v3 X.509 Public Key Certificate have expired on 7th Nov 2024. 1. Please [download the new certificate](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/latest-x.509-public-key-certificate) and integrate the new certificate with your digital service. 2. After the new certificate is integrated with your digital service, return to App Details page in Singpass Developer Portal and toggle to switch to the new certificate. Please take note that Step 2 is to be performed immediately after Step 1 is completed. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q15.-who-do-i-contact-if-i-require-more-details) Q15. Who do I contact if I require more details? ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If you have any other query, please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) . [PreviousError Codeschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources/error-codes) Last updated 1 year ago Was this helpful? * [Q1. Can I change the callback URL in the sample app, what should I do?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q1.-can-i-change-the-callback-url-in-the-sample-app-what-should-i-do) * [Q2. I encountered an error while developing my digital service integrating with Myinfo APIs, who can I contact?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q2.-i-encountered-an-error-while-developing-my-digital-service-integrating-with-myinfo-apis-who-can) * [Q3. My Enterprise Architecture design requires whitelisting of Myinfo APIs IP address. What is the IP address that I should whitelist?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q3.-my-enterprise-architecture-design-requires-whitelisting-of-myinfo-apis-ip-address.-what-is-the-i) * [Q4. How frequent does Myinfo APIs get updated? How do I get notified when there is a new version of Myinfo APIs? Can I continue to use the older API version even if a newer version is released?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q4.-how-frequent-does-myinfo-apis-get-updated-how-do-i-get-notified-when-there-is-a-new-version-of-m) * [Q5. Does Myinfo APIs support native mobile application?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q5.-does-myinfo-apis-support-native-mobile-application) * [Q6. Is there any requirement for the X.509 public key? Can we use the same X.509 certificate for our staging and production environments?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q6.-is-there-any-requirement-for-the-x.509-public-key-can-we-use-the-same-x.509-certificate-for-our) * [Q7: What type of digital certificate should I obtain for integrating with Myinfo?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q7-what-type-of-digital-certificate-should-i-obtain-for-integrating-with-myinfo) * [Q8: Can I use a Web SSL certificate for integrating with Myinfo?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q8-can-i-use-a-web-ssl-certificate-for-integrating-with-myinfo) * [Q9. I am trying to decrypt the JWE response string returned from Myinfo Person API. However, I am getting the following error message:](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q9.-i-am-trying-to-decrypt-the-jwe-response-string-returned-from-myinfo-person-api.-however-i-am-get) * [Q10. My architecture design requires trusting of Myinfo web SSL certificate. Where can I retrieve the certificate?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q10.-my-architecture-design-requires-trusting-of-myinfo-web-ssl-certificate.-where-can-i-retrieve-th) * [Q11. What are the requirements for callback URLs in the app configurations submission?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q11.-what-are-the-requirements-for-callback-urls-in-the-app-configurations-submission) * [Q12. How may I test that my app is able to support cases where additional security verification with Singpass Face Verification is required?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q12.-how-may-i-test-that-my-app-is-able-to-support-cases-where-additional-security-verification-with) * [Q13. What are the supports available for me to conduct performance testing?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q13.-what-are-the-supports-available-for-me-to-conduct-performance-testing) * [Q14. What is the Myinfo v3 certificate change about?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q14.-what-is-the-myinfo-v3-certificate-change-about) * [Q15. Who do I contact if I require more details?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq#q15.-who-do-i-contact-if-i-require-more-details) Was this helpful? Copy *A256M is not valid algorithm* --- # Error Codes | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Here are some of the error codes you might encounter: Error Code API Reason 302 Authorise Possible to have the following error codes in the 'error' attribute. * 500: Unknown or other server side errors * 503: Myinfo under maintenance * access\_denied: When user did not give consent 400 Token Same authcode in the body is being re-used. Authcode error - missing, invalid, expired, revoked. 401 Token No security header given Invalid App ID used. Digital service is not registered with Myinfo The timestamp of server is not synchronised. Check timestamp of server The value of the nonce in the authorisation header was deemed to be repeated. Check that the nonce is not re-used Ensure HTTP 'Authorization' header to be 'PKI\_SIGN' Person No security header given Invalid App ID used. Digital service is not registered with Myinfo The timestamp of server is not synchronised. Check timestamp of server The value of the nonce in the authorisation header was deemed to be repeated. Check that the nonce is not re-used Ensure HTTP 'Authorization' header to be 'PKI\_SIGN' The requested UIN/FIN does not match the UIN/FIN of the person who logged in Requested attributes do not match the attributes consented by person 403 Person Requested attributes does not match the attributes consented by person. This happens if the list of attributes in your request are different from the attributes specified when calling the token API. Incorrect API URL used Digital service is not registered with Myinfo Request contains attributes not allowable for the digital service 404 Token Incorrect API URL used. Same authcode in the body is being re-used. Person Incorrect API URL used. UIN/FIN has a Singpass account, but does not have a Myinfo profile 500 Token Unexpected error. Check response body for actual error. Person Unexpected error. Check response body for actual error. [PreviousMyinfo Connectorschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources/myinfo-connectors) [NextFAQchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/faq) Last updated 1 year ago Was this helpful? Was this helpful? --- # Error Codes | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close During implementation, you may encounter various errors with Myinfo API. This can be caused by various reasons such as implementation issues, wrong input or environmental differences. All Myinfo APIs will return a standard HTTP error code together with an error message. The error code/message may change from time to time but it can be used for debugging. Troubleshooting and debugging of the APIs can be done in the following steps. 1. Identification of which API is not working and an error is being returned from Myinfo Servers (e.g /authorize, /token, /person) Errors cound also occur due to * Connectivity errors (ensure there is no firewall blocking) * Incorrect urls and path parameters 2. Once an error is returned from Myinfo API, note down the error message and status code and utilise below table to debug 3. If issue persists or unable to resolve the issue, please submit a request at [partnersupport.singpass.gov.sg arrow-up-right](https://partnersupport.singpass.gov.sg/) * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes#authorize-api) Authorize API -------------------------------------------------------------------------------------------------------------------------------------------------------------------- Error Code Error Message Reason Remediation 302 Possible to have the following error codes in the 'error' attribute. * invalid\_scope : Invalid scope was requested in authorize URL * access\_denied: When user did not give consent 400 Invalid parameters sent in authorize URL Verify querystring parameters are correct as per specifications([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/getauthorizearrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/getauthorize) ) 404 Invalid client\_id sent in authorize URL Verify if client\_id used has been set to live in DPP and correct client\_id was passed in url 440 You are not logged in, or your previous session has expired. Verify session is still valid, expiry of 2mins and also verify that browser is passing session cookie during redirect 500 Unexpected error. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes#token-api) Token API ------------------------------------------------------------------------------------------------------------------------------------------------------------ Error Code Error Message Reason Remediation 400 No body found for POST request Body was not sent in request Verify body was sent in request * Invalid client\_assertion * Missing jti in client\_assertion * Missing sub in client\_assertion * Invalid sub in client\_assertion * Missing aud in client\_assertion * Missing iat in client\_assertion * Missing exp in client\_assertion * Invalid exp in client\_assertion * Duplicate client\_assertion Format of client\_assertion is incorrect Verify client\_assertion format are correct as per specifications([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Client-Assertionarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Client-Assertion) ) Utilize client\_assertion [Generator/Verifierarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/client-assertion-verifier) Ensure client\_assertion is signature is correct (Need to be signed with private key corresponding to sign key configured in JWKS) Ensure client\_assertion is used only once per transactiont Invalid client\_assertion\_type Invalid client\_assertion\_type value passed in Verify value is "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" Error Retrieving JWKS Error retrieving JWKS from Myinfo Servers Ensure correct JWKS endpoint is configured onto DPP and is a public URL * Invalid JWKS * Missing valid sig key in JWKS * Missing valid enc key in JWKS JWKS format is incorrect Ensure JWKS is returned as a JSON object with this format ([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Enhancements-in-v4arrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Enhancements-in-v4) ) Ensure JWKS has at least 1 sign key with alg = 'ES256' and use = 'sig Ensure JWKS has at least 1 encryption key with alg = 'ECDH-ES +A256KW' and use = 'enc' Utilize [JWKS verifierarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/jwks-verifier) Missing DPoP Proof DPoP Proof JWT is missing in headers Ensure DPoP Proof JWT is passed in correctly in HTTP headers Missing {param} from headers Missing mandatory param in the HTTP header Verify specified mandatory param is passed in the HTTP header as per specifications ([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/gettokenarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/gettoken) ) Missing {param} from body Missing mandatory param in the HTTP body Verify specified mandatory param is passed in the HTTP header as per specifications ([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/gettokenarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/gettoken) ) 401 Unauthorized. App does not have access to this API Ensure App is configured correctly and is live on DPP * Invalid DPoP Proof * Missing jkt in DPoP Proof * Invalid jkt in DPoP Proof * Missing htm in DPoP Proof * Invalid htm in DPoP Proof * Missing htu in DPoP Proof * Invalid htu in DPoP Proof Invalid DPoP Proof JWT format Verify DPoP Token format is correct as per specifications([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Demonstration-of-Proof-of-Possesion-(DPoP)arrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Demonstration-of-Proof-of-Possesion-(DPoP)) Utilize [DPoP verifierarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/dpop-verifier) Ensure DPoP is signature is correct (Need to be signed with private key corresponding to public key embedded in JWT header) Invalid JWS Verification Signature of DPoP or client\_assertion is invalid * Verify private key used to sign client\_assertion matches the sig key in JWKS * Verify kid in client\_assertion header matches the corresponding kid in JWKS * Verify JWK in DPoP Proof header is the correct public key to verify the private key Utilize [DPoP verifierarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/dpop-verifier) Ensure DPoP is signature is correct (Need to be signed with private key corresponding to public key embedded in JWT header) 404 Not found. Invalid client\_id passed to API Verify App is configured correctly on DPP and correct client\_id(ensure correct id is used in the correct environment) is used 500 Internal server error. Unexpected error. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes#person-api) Person API -------------------------------------------------------------------------------------------------------------------------------------------------------------- Error Code Error Message Reason Remediation 400 Invalid Encyption key Encryption key is of an Invalid format Ensure JWKS has at least 1 encryption key with alg = 'ECDH-ES +A256KW' and use = 'enc' Missing DPoP Proof DPoP Proof JWT is missing in headers Ensure DPoP Token is passed in correctly in HTTP headers Duplicated DPoP-bound access\_token access\_token has already been used access\_token is a one time use, ensure a new access\_token is retrieved for every API call Missing {param} from query parameters Missing mandatory param in the query parameters Verify specified mandatory param is passed in the query parameters as per specifications ([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/getpersonarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/getperson) ) Missing {param} from headers Missing mandatory param in the HTTP headers Verify specified mandatory param is passed in the query parameters as per specifications ([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/getpersonarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#operation/getperson) ) 401 * Invalid DPoP Proof * Missing ath in DPoP Proof * Invalid ath in DPoP Proof * Missing jkt in DPoP Proof * Invalid jkt in DPoP Proof * Missing htm in DPoP Proof * Invalid htm in DPoP Proof * Missing htu in DPoP Proof * Invalid htu in DPoP Proof Invalid DPoP Proof JWT format Verify DPoP Token format is correct as per specifications([https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Demonstration-of-Proof-of-Possesion-(DPoP)arrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.0.html#section/Security/Demonstration-of-Proof-of-Possesion-(DPoP)) Utilize [DPoP verifierarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/dpop-verifier) Ensure DPoP is signature is correct (Need to be signed with private key corresponding to public key embedded in JWT header) Ensure DPoP is signed with the same private key used to create DPoP in /token call. 403 DPoP-bound access\_token aud doesn't match with requested url access\_token aud does not match resource being called Verify correct access\_token matching service being called is used DPoP-bound access\_token realm doesn't match with requested realm access\_token realm does not match resource being called Verify correct access\_token matching service being called is used DPoP-bound access\_token subject doesn't match with requested sub access\_token sub does not match uuid being requested in API Verify the same uuid is requested as provided in access\_token DPoP-bound access\_token scope doesn't match with requested attributes access\_token scope does not match scope being requested in API Verify the same scope is requested as provided in access\_token DPoP-bound access\_token invalid access\_token is of an invalid format Verify the access\_token passed in API request is correct and from /token response 404 Requested sub's data may not be available Verify the access\_token passed in API request is correct and from /token response 500 Internal server error. Unexpected error. [PreviousMyinfo Connectorschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/myinfo-connectors) [NextFAQchevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/faq) Last updated 1 year ago Was this helpful? * [Authorize API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes#authorize-api) * [Token API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes#token-api) * [Person API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources/error-codes#person-api) Was this helpful? --- # User Device & Software Requirement | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close If you are enabling users to access your digital service on non-personal devices (e.g. kiosks or shared terminals), you should ensure that the device meets the following requirements to support Singpass authentication. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement#internet-connectivity) Internet Connectivity A stable Internet connection is required. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement#supported-browsers) Supported Browsers You may find the supported browsers at this [AskGovarrow-up-right](https://ask.gov.sg/singpass/questions/clul3am5x003wo12th5witu9z) page. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement#secure-in-app-browsers) Secure In-App Browsers Webview embedded browsers are not supported. Please refer to the following help center for additional information. * [How to identify Webview browser?arrow-up-right](https://partnersupport.singpass.gov.sg/hc/en-sg/articles/39909135503129--8-Nov-2024-Discontinuation-of-WebView-Support-for-Singpass-in-Mobile-Apps) * What should I do? * [For iOSarrow-up-right](https://github.com/singpass/iOS-Singpass-in-app-browser-login-demo?tab=readme-ov-file#migrating-away-from-webview-for-ios-mobile-app-singpass-logins) * [For Androidarrow-up-right](https://github.com/singpass/Android-Singpass-in-app-browser-login-demo?tab=readme-ov-file#migrating-away-from-webview-for-android-mobile-app-singpass-logins) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement#camera-requirement) Camera Requirement The device that your user is using to access your digital service must have a working front camera, as Singpass Face Verification (SFV) may be triggered for higher-risk transactions carrying a greater chance of fraud or account takeover. Find out more [herearrow-up-right](https://ask.gov.sg/singpass/questions/cmbjbxmnv01rs4ds4cbi6izvj) . [PreviousPre-requisites for onboardingchevron-left](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding) [NextUser Journeychevron-right](https://docs.developer.singpass.gov.sg/docs/getting-started/user-journey) Last updated 2 months ago Was this helpful? * [Internet Connectivity](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement#internet-connectivity) * [Supported Browsers](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement#supported-browsers) * [Camera Requirement](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement#camera-requirement) Was this helpful? --- # Pre-requisites for onboarding | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Please ensure your organisation and use case meet the requirements below before submitting your onboarding request. * * * ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding#id-1.-organisation-requirements) 1\. Organisation Requirements * Your organisation must be a Singapore-registered entity (government or private sector). * If you operate in a regulated industry, you must provide your relevant licences or permits 👉 What you need to do: * Prepare your ACRA registration details (or equivalent). * Prepare your regulatory licence/permit, if applicable. * * * ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding#id-2.-use-case-requirements) 2\. Use Case Requirements * Only request data that is directly needed for your service. * All data scopes must be justified based on your use case. * Users must be able to see the exact Myinfo data retrieved and who it is shared with. * Users must have full control at every step of the consent process. 👉 What you need to do: * Prepare your [user journey](https://docs.developer.singpass.gov.sg/docs/getting-started/user-journey) and list the exact data needed. * Prepare a short justification for each scope you intend to request. * Ensure your UI displays all retrieved data clearly back to the user. * * * ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding#id-3.-user-choice-requirements) 3\. User Choice Requirements * Singpass cannot be the only form-filling or authentication option. * You must provide a manual or alternative method for users who prefer not to use Singpass APIs 👉 What you need to do: * Include at least one non-Singpass option (e.g., manual entry, document upload, alternative login). [PreviousQuick Startchevron-left](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start) [NextUser Device & Software Requirementchevron-right](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement) Last updated 2 months ago Was this helpful? * [1\. Organisation Requirements](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding#id-1.-organisation-requirements) * [2\. Use Case Requirements](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding#id-2.-use-case-requirements) * [3\. User Choice Requirements](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding#id-3.-user-choice-requirements) Was this helpful? --- # User Journey | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close As part of your app creation in the **production** environment, you are required to submit a User Journey that illustrates how your digital service will use the Myinfo and/or Singpass APIs. Please download and complete the User Journey template that is relevant to your use case: Use Case Options: 1. **Myinfo API** - Use this API to retrieve user information for **form filling** or **registration** purposes. file-download 2MB [Myinfo user journey template \[Updated 2025\]\_Sept 2025.pptx](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FZps2b4UVIGbGTf31GJXh%2FMyinfo%20user%20journey%20template%20%5BUpdated%202025%5D_Sept%202025.pptx?alt=media&token=0148302b-c14e-4606-bb60-3046775f1799) downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FZps2b4UVIGbGTf31GJXh%2FMyinfo%20user%20journey%20template%20%5BUpdated%202025%5D_Sept%202025.pptx?alt=media&token=0148302b-c14e-4606-bb60-3046775f1799) 1. **Login API** - Use this API as a secure alternative login method to your existing authentication or verification flow. file-download 6MB [Singpass login user journey template \[Updated Mar 2026\].pptx](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FUnsD5qpiujqYFf0Z7SM4%2FSingpass%20login%20user%20journey%20template%20%5BUpdated%20Mar%202026%5D.pptx?alt=media&token=5fabcd5a-5e13-4497-be90-20d993c8c146) downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FUnsD5qpiujqYFf0Z7SM4%2FSingpass%20login%20user%20journey%20template%20%5BUpdated%20Mar%202026%5D.pptx?alt=media&token=5fabcd5a-5e13-4497-be90-20d993c8c146) Once you’ve completed the User Journey, please submit it via the [portalarrow-up-right](https://developer.singpass.gov.sg/) . Your submission will then be routed for approval. 1. **Login with Mandatory Face Verification API** - This is reserved for high-risk use cases only (e.g. Digital Token setup for banking apps). It allows you to enhance the login process with Face Verification after Singpass login. Submit your request here - [https://partnersupport.singpass.gov.sg/hc/en-sg/requests/newarrow-up-right](https://partnersupport.singpass.gov.sg/hc/en-sg/requests/new) . Your request will be subjected to approval. [PreviousUser Device & Software Requirementchevron-left](https://docs.developer.singpass.gov.sg/docs/getting-started/user-device-and-software-requirement) [NextDemo App & Sample Codechevron-right](https://docs.developer.singpass.gov.sg/docs/getting-started/demo-app-and-sample-codes) Last updated 1 month ago Was this helpful? Was this helpful? --- # Demo App & Sample Code | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close There are various OIDC libraries that make integrating your apps with Singpass effortless. You may find code samples in different languages [here in our Githubarrow-up-right](https://github.com/singpass/demo-app) . #### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/demo-app-and-sample-codes#for-mobile-developers) **For Mobile Developers** Description Android IOS Sample codes implementing FAPI 2.0 for Singpass logins [https://github.com/singpass/Android-Singpass-in-app-browser-login-demoarrow-up-right](https://github.com/singpass/Android-Singpass-in-app-browser-login-demo) TBD [PreviousUser Journeychevron-left](https://docs.developer.singpass.gov.sg/docs/getting-started/user-journey) [NextSingpass Loginchevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-login) Last updated 1 month ago Was this helpful? Was this helpful? --- # Singpass Login | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login#what-is-singpass-login-api) What is Singpass Login API? ------------------------------------------------------------------------------------------------------------------------------------------ The Singpass Login API enables residents' easy access to government and private sector digital services. Using the Singpass app, residents can securely log in to digital services without passwords. This service provides businesses with an accessible and established authentication gateway for all their digital services. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login#use-case-sign-in-with-your-singpass-app) Use Case: Sign in with your Singpass App Singpass Login lets users access your service without creating or remembering passwords. Instead, they authenticate through the Singpass app using biometrics, passcode, or SMS OTP. This provides a faster, more secure, and password free login experience. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FgFxv2m9MTADatJwjOaUA%252FScreen%2520Recording%25202025-11-20%2520at%25203.48.11%2520PM.gif%3Falt%3Dmedia%26token%3D0dc3b660-97e4-4b79-9557-dbdf90abb390&width=768&dpr=3&quality=100&sign=f73e94e9&sv=2) Use Singpass as an alternative login method to provide your users with a seamless and secure login experience. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login#how-login-can-enhance-your-digital-service) How Login can enhance your digital service 1. **Tap on an established and secure authentication gateway for all your digital services** Businesses can easily launch an authentication gateway with the instructions provided. 2. **Get access to 4 million Singpass users** Ready pool of users familiar with authentication gateway and Singpass app. [PreviousDemo App & Sample Codechevron-left](https://docs.developer.singpass.gov.sg/docs/getting-started/demo-app-and-sample-codes) [NextKey Principleschevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/key-principles) Last updated 2 months ago Was this helpful? * [What is Singpass Login API?](https://docs.developer.singpass.gov.sg/docs/products/singpass-login#what-is-singpass-login-api) * [Use Case: Sign in with your Singpass App](https://docs.developer.singpass.gov.sg/docs/products/singpass-login#use-case-sign-in-with-your-singpass-app) Was this helpful? --- # Tutorial 2: Using OAuth2 | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close circle-info Note: Make sure that you have completed Tutorial 1 and familiarised yourself with the Person JSON schema, and that you have understood the OAuth Process first. For this tutorial, you will need to call the APIs from your server-based (or running from localhost) application. Myinfo uses [OAuth2.0arrow-up-right](https://oauth.net/2/) for our Authentication and Authorisation flow. Please refer to our [API specificationsarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v3.2.html) for this tutorial. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.-download-our-sample-client-application) 1\. Download our Sample Client Application -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- For the purposes of the tutorial, please download our sample client application from [Github.arrow-up-right](https://github.com/singpass/myinfo-demo-app) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.1-install-node.js-and-npm) **1.1 Install Node.js and NPM** In order for the demo application to run, you will need to Install Node.js and NPM. Follow the instructions given by the links below depending on your OS. * [Install Node.js and NPM for Windowsarrow-up-right](http://blog.teamtreehouse.com/install-node-js-npm-windows) * [Install Node.js and NPM for Linuxarrow-up-right](http://blog.teamtreehouse.com/install-node-js-npm-linux) * [Install Node.js and NPM for Macarrow-up-right](http://blog.teamtreehouse.com/install-node-js-npm-mac) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.2-run-npm-install) **1.2 Run NPM install** Run the following command in the folder you unzipped the application: Copy npm install ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.3-start-the-application) **1.3 Start the Application** **For Linux/MacOS** Execute the following command to start the application: **For Windows** Execute the following command to start the application: **Access the Application on Your Browser** You should be able to access the sample application via the following URL: * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.-trigger-mockpass-login-and-consent-authorise-api) 2\. Trigger MockPass Login and Consent (authorise API) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The authorise endpoint triggers the MockPass login and shows the consent page after successful login. Click on the "Retrieve Myinfo" button on the sample application. This calls the URL below (with some additional parameters): This calls the URL below (with some additional parameters): PARAMETER DESCRIPTION client\_id unique ID for your application. For our sample application, this is `STG2-MYINFO-SELF-TEST` attributes comma separated list of attributes requested. Possible attributes are listed in the Person object definition in the API specifications. purpose state the purpose of requesting the data. This will be shown to the Person when requesting for his consent state identifier to reconcile query and response. This will be sent back to you via the callback URL. Use a unique system generated number for each and every call. redirect\_uri your callback URL for Myinfo to return with the authorisation code. For our sample application this is `http://localhost:3001/callback` Look at the file `views/html/index.html` in the sample application and look for the following lines of code: The `index.html` file is the frontend (client side) code. This code triggers the authorise API. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.1-login-with-mockpass) **2.1 Login with MockPass** Select this test ID and login using MockPass: NRIC: `S9812381D` You may also use test personas found in the Personas Page when testing Tutorial 2. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.2-consent-page) **2.2 Consent Page** Once you have successfully logged into MockPass, a consent page similar to the one below will be shown: ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2Fapi.singpass.gov.sg%2Fassets%2Fapi-lib%2Fmyinfo%2Fimg%2Fhome-revamp%2Fconsent-page-screenshot.png&width=768&dpr=3&quality=100&sign=8d4a7228&sv=2) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.3-get-the-authorisation-code) **2.3 Get the Authorisation Code** If you have followed the steps above correctly, the Consent Platform should return you an authorisation code by invoking your callback URL. You should now see something like this in your browser URL dialog: Notice the parameter `code` is the authorisation code that your application will need to invoke the next API (token). In the example above, the authorisation code is `e2369168-52da-421a-b70f-03f64e779c4b`. We will use this authorisation code in the next token API call. The **token** and **person** API calls will follow automatically once you have finished the consent page. We will look at the code for these 2 APIs in the following sections. [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-3.-call-the-token-api-with-the-authorisation-code) 3\. Call the Token API (with the authorisation code) -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Now that you have the authorisation code, you can invoke the token API to get the access token. circle-info Note: This API must be called from a server-side component. It cannot be called from the browser or mobile native client application due to security reasons (there is no secure place to store your private key). Look at the code in the file `routes/index.js` in our sample client application and search for the following: `index.js` is the backend (server side) code. The code is creating the request to call the following API: circle-info Note: This API is using HTTPS POST. The parameters in the POST body are as follows: PARAMETER DESCRIPTION grant\_type grant type for getting token (default "authorization\_code") code the authcode given by the authorise API. redirect\_uri your callback URL for Myinfo to validate. For our sample application this is `http://localhost:3001/callback` client\_id unique ID for your application. For our sample application, this is `STG2-MYINFO-SELF-TEST` client\_secret secret key given to your application during onboarding. For our sample application, this is `44d953c796cccebcec9bdc826852857ab412fbe2` The sample application will then send the constructed request to the API Gateway, and you should see the following response from the onscreen logs: Notice the response contains an "access\_token", which is in the JWT\_ \_ (JSON Web Token) format. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-3.1-what-is-the-json-web-token-structure) **3.1 What is the JSON Web Token structure?** JSON Web Tokens consist of three parts separated by dots (.), which are: * Header * Payload * Signature Therefore, a JWT typically looks like the following: `xxxxx.yyyyy.zzzzz` The header and the payload are Base64Url encoded. The signature is created using these two, a secret and the hashing algorithm being used (as specified in the header: HMAC, SHA256 or RSA). ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-3.2-how-can-i-parse-the-jwt) **3.2 How can I parse the JWT?** In order to parse the JWT you can use one of the libraries listed in the Libraries for Token Signing/Verification section of `JWT.io.`\_ \_ For example, in our sample application, which is implemented with Node.js, we use the `node-jsonwebtoken` library, and we call the `jwt.verify()` method. If the parsing fails then the library will return a JsonWebTokenError error with the message jwt malformed. circle-info Note: Many web frameworks (such as ASP.NET Core for example) have JWT middleware that handle the token validation. Most of the times this will be a better route to take, rather that resorting to use a third-party library, as the middleware typically integrates well with the framework's overall authentication mechanisms. Look at the code in the file `lib/security/security.js` and search for the following code snippet: This calls the library to parse the JWT and return the decoded JSON object, which is the **access token.** You should see the decoded access token in the onscreen logs that looks like this: This access token is a representation of the permissions that was given by the user when he/she clicked on "I Agree" on the consent page. Note:It is very important for your application to validate the signature of the JWT to ensure the response has not been changed in transit. Notice the `sub` attribute in the JSON token. That is the **identifier** of the person who logged in via MockPass. We will use this identifier for the Person API call next. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-4.-call-the-person-api-with-the-access-token) 4\. Call the Person API (with the access token) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Now that you have the access token, you can invoke the person API to get the Person data. Note:This API must be called from a server-side component. It cannot be called from the browser or mobile native client application due to security reasons (there is no secure place to store your private key). This API call is essentially the same as the one you tried in Tutorial 1, except that here you will need to provide a valid access token or your API call will be rejected. Look at the code in the file `routes/index.js` in our sample client application and search for the following: `index.js` is the backend (server side) code. The code is creating the request to call the following API: **Note that this API is called using HTTPS** `**GET**`**.** The additional query parameters are as follows: PARAMETER DESCRIPTION client\_id unique ID for your application. For our sample application, this is `STG2-MYINFO-SELF-TEST` attributes comma separated list of attributes requested. Possible attributes are listed in the Person object definition in the API specifications. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-4.1-providing-the-access-token-in-the-request-header) **4.1 Providing the Access Token in the Request Header** The access token should be provided in the _header_ of your API call under "Bearer". You should see something like this in the onscreen logs: Once this is done, you should see the person JSON in the onscreen logs that looks like this: * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-5.-use-the-json-object-to-prefill-form) 5\. Use the JSON object to Prefill Form -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If you have followed the steps above correctly, you should have gotten the Person JSON object. Now you can use this JSON object to prefill the form values in your application. Look at the code in our sample client application and you will see it is using the response JSON to prefill the values on the application form. Once this is done, the user just needs to submit the form and your application can save the values into your database for subsequent processing. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#summary) Summary -------------------------------------------------------------------------------------------------------------------------------------------------------------------- You've successfully used the OAuth2 process to get the Person data from Myinfo sandbox environment. [PreviousTutorial 1: Basic Person APIchevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-1-basic-person-api) [NextTutorial 3: Implementing PKI Digital Signaturechevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature) Last updated 1 year ago Was this helpful? * [1\. Download our Sample Client Application](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.-download-our-sample-client-application) * [1.1 Install Node.js and NPM](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.1-install-node.js-and-npm) * [1.2 Run NPM install](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.2-run-npm-install) * [1.3 Start the Application](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-1.3-start-the-application) * [2\. Trigger MockPass Login and Consent (authorise API)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.-trigger-mockpass-login-and-consent-authorise-api) * [2.1 Login with MockPass](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.1-login-with-mockpass) * [2.2 Consent Page](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.2-consent-page) * [2.3 Get the Authorisation Code](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-2.3-get-the-authorisation-code) * [3\. Call the Token API (with the authorisation code)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-3.-call-the-token-api-with-the-authorisation-code) * [3.1 What is the JSON Web Token structure?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-3.1-what-is-the-json-web-token-structure) * [3.2 How can I parse the JWT?](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-3.2-how-can-i-parse-the-jwt) * [4\. Call the Person API (with the access token)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-4.-call-the-person-api-with-the-access-token) * [4.1 Providing the Access Token in the Request Header](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-4.1-providing-the-access-token-in-the-request-header) * [5\. Use the JSON object to Prefill Form](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#id-5.-use-the-json-object-to-prefill-form) * [Summary](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2#summary) Was this helpful? Copy ./start.sh Copy .\start.bat Copy http://localhost:3001 Copy http://sandbox.api.myinfo.gov.sg/com/v3/authorise Copy function callAuthoriseApi() { var authoriseUrl = authApiUrl + "?client_id=" + clientId + "&attributes=" + attributes + "&purpose=" + purpose + "&state=" + state + "&redirect_uri=" + redirectUrl;   window.location = authoriseUrl; } Copy http://localhost:3001/callback?code=e2369168-52da-421a-b70f-03f64e779c4b&state=123 Copy // function to prepare request for TOKEN API function createTokenRequest(code) { var cacheCtl = "no-cache"; var contentType = "application/x-www-form-urlencoded"; var method = "POST"; var request = null;   // preparing the request with header and parameters // assemble params for Token API var strParams = "grant_type=authorization_code" + "&code=" + code + "&redirect_uri=" + _redirectUrl + "&client_id=" + _clientId + "&client_secret=" + _clientSecret; var params = querystring.parse(strParams);     // assemble headers for Token API var strHeaders = "Content-Type=" + contentType + "&Cache-Control=" + cacheCtl; var headers = querystring.parse(strHeaders);   // Sign request and add Authorization Headers var authHeaders = generateAuthorizationHeader( _tokenApiUrl, params, method, contentType, _authLevel, _clientId, _privateKeyContent, _clientSecret );   if (!_.isEmpty(authHeaders)) { _.set(headers, "Authorization", authHeaders); }   var request = restClient.post(_tokenApiUrl);   // Set headers if (!_.isUndefined(headers) && !_.isEmpty(headers)) request.set(headers);   // Set Params if (!_.isUndefined(params) && !_.isEmpty(params)) request.send(params);   return request; } Copy https://sandbox.api.myinfo.gov.sg/com/v3/token Copy Response from Token API:{"access_token":"eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIj oiRWtnWkZDeG5taXY2T2JDZ3B4blRIRUkyK3FVPSIsImFsZyI6IlJTMjU2I n0.eyJzdWIiOiJTOTgxMjM4MUQiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNT X0d SQU5UIiwiYXV0aF9sZXZlbCI6MCwiYXVkaXRUcmFja2luZ0lkIjoiYzNjOT U1MjUtNzEwYS00ZjU3LWFhZTMtMzEzMjUwZDkxOWE3LTEzOTc3NiIsImlzc yI6Imh0dHBzOi8vY29uc2VudC5jbG91ZC5teWluZm8uZ292LnNnL2NvbnNl bnQvb2F1dGgyL3JlYWxtcy9yb290L3JlYWxtcy9teWluZm8tY29tIiwidG9 rZW5OYW1lIjoiYWNjZXNzX3Rva2VuIiwidG9rZW5fdHlwZSI6IkJlYXJlci IsImF1dGhHcmFudElkIjoiZDVzZ3RWZHl1UFNOc0haTHJkYVUyMTAwTV9zI iwiYXVkIjoibXlpbmZvIiwibmJmIjoxNTUzNTk0OTc4LCJncmFudF90eXBl IjoiYXV0aG9yaXphdGlvbl9jb2RlIiwic2NvcGUiOlsiZWR1bGV2ZWwiLCJ tb2JpbGVubyIsImFzc2Vzc2FibGVpbmNvbWUiLCJvd25lcnByaXZhdGUiLC JuYXRpb25hbGl0eSIsImRvYiIsImNwZmNvbnRyaWJ1dGlvbnMiLCJlbWFpb CIsInNleCIsImhvdXNpbmd0eXBlIiwiY3BmYmFsYW5jZXMiLCJuYW1lIiwi cmVnYWRkIiwicmFjZSIsImhkYnR5cGUiLCJtYXJpdGFsIiwiYXNzZXNzeWV hciJdLCJhdXRoX3RpbWUiOjE1NTM1OTQ3NzIsInJlYWxtIjoiL215aW5mby 1jb20iLCJleHAiOjE1NTM1OTY3NzgsImlhdCI6MTU1MzU5NDk3OCwiZXhwa XJlc19pbiI6MTgwMCwianRpIjoieGRIN1QwSjI0TmFHS1FpWWVnNjcyREJf ZGdrIn0.jbdjui3WLe-cwPRDCCR09ya5fK4UUntx31Y87PosGV_FTnKTmiy _cYOeaVT pjLmPx4ebo0fLooPHpKH_5_4lFPVaNdQkOGjvScV1fl04DR1UW0uutQubkI alYW-WgmIDhQz4ZddXyLswUnGc7-eURR47VDzjiMr-ptcn0uSfrI1RNgnc8 kY12slOAE4bGxxmYE_PlBLQuZiCdORD9JKKjEKAptKVyQF7p9o6EAg2TQe4 cpwcDLXYUkwjLcaoEdCXmX16QICFm9RsVFaW_PRl29fY9ErxcN27UrRnj4m qfbYUuRnN-W2e6DSnMfkZwMRKOlmPgD7fflfh5dnuNwGAXQ", "scope":"edulevel mobileno assessableincome ownerprivate nationality dob cpfcontributions email sex housingtype cpfbalances name regadd race hdbtype marital assessyear", "token_type":"Bearer","expires_in":1799} Copy // Verify & Decode JWS or JWT security.verifyJWS = function verifyJWS(jws, publicCert) { // verify token // ignore notbefore check because it gives errors sometimes if the call is too fast. var decoded = jwt.verify(jws, publicCert, { algorithms: ['RS256'], ignoreNotBefore: true }); return decoded; } Copy Decoded Access Token: {"sub":"9E9B2260-47B8-455B-89B5-C48F4DB98322","cts":"OAUTH2_STATELESS_GRANT","auth_level":0,"auditTrackingId":"c3c95525-710a-4f57-aae3-C48F4DB98322","iss":"https://consent.cloud.myinfo.gov.sg/consent/oauth2/realms/root/realms/myinfo-com","tokenName":"access_token","token_type":"Bearer","authGrantId":"d5sgtVdyuPSNsHZLrdaU2100M_s","aud":"myinfo","nbf":1553594978,"grant_type":"authorization_code","scope":["edulevel","mobileno","assessableincome","ownerprivate","nationality","dob","cpfcontributions","email","sex","housingtype","cpfbalances","name","regadd","race","hdbtype","marital","assessyear"],"auth_time":1553594772,"realm":"/myinfo-com","exp":1553596778,"iat":1553594978,"expires_in":1800,"jti":"xdH7T0J24NaGKQiYeg672DB_dgk"} Copy // function to prepare request for PERSON API function createPersonRequest(sub, validToken) { var url = _personApiUrl + "/" + sub + "/"; var cacheCtl = "no-cache"; var method = "GET"; var request = null; // assemble params for Person API var strParams = "client_id=" + _clientId + "&attributes=" + _attributes; var params = querystring.parse(strParams);   // assemble headers for Person API var strHeaders = "Cache-Control=" + cacheCtl; var headers = querystring.parse(strHeaders); var authHeaders;   // Sign request and add Authorization Headers authHeaders = generateAuthorizationHeader( url, params, method, "", // no content type needed for GET _authLevel, _clientId, _privateKeyContent, _clientSecret );   if (!_.isEmpty(authHeaders)) { _.set(headers, "Authorization", authHeaders + ",Bearer " + validToken); } else { // NOTE: include access token in Authorization header as "Bearer " (with space behind) _.set(headers, "Authorization", "Bearer " + validToken); }   // invoke token API var request = restClient.get(url);   // Set headers if (!_.isUndefined(headers) && !_.isEmpty(headers)) request.set(headers);   // Set Params if (!_.isUndefined(params) && !_.isEmpty(params)) request.query(params);   return request; } Copy https://sandbox.api.myinfo.gov.sg/com/v3/person/9E9B2260-47B8-455B-89B5-C48F4DB98322/?client_id=STG2-MYINFO-SELF-TEST&attributes=name%2Csex%2Crace%2Cnationality%2Cdob%2Cemail%2Cmobileno%2Cregadd%2Chousingtype%2Chdbtype%2Cmarital%2Cedulevel%2Cassessableincome%2Chanyupinyinname%2Caliasname%2Chanyupinyinaliasname%2Cmarriedname%2Ccpfcontributions%2Ccpfbalances Copy headers:{"Cache-Control":"no-cache","Authorization":"Bearer eyJ0eXAiOiJKV1QiLCJ6aXAiOiJOT05FIiwia2lkIjoiRWtnWkZDeG5taXY2T2JDZ3B4blRIRUkyK3FVPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJTOTgxMjM4MUQiLCJjdHMiOiJPQVVUSDJfU1RBVEVMRVNTX0dSQU5UIiwiYXV0aF9sZXZlbCI6MCwiYXVkaXRUcmFja2luZ0lkIjoiYzNjOTU1MjUtNzEwYS00ZjU3LWFhZTMtMzEzMjUwZDkxOWE3LTEzOTc3NiIsImlzcyI6Imh0dHBzOi8vY29uc2VudC5jbG91ZC5teWluZm8uZ292LnNnL2NvbnNlbnQvb2F1dGgyL3JlYWxtcy9yb290L3JlYWxtcy9teWluZm8tY29tIiwidG9rZW5OYW1lIjoiYWNjZXNzX3Rva2VuIiwidG9rZW5fdHlwZSI6IkJlYXJlciIsImF1dGhHcmFudElkIjoiZDVzZ3RWZHl1UFNOc0haTHJkYVUyMTAwTV9zIiwiYXVkIjoibXlpbmZvIiwibmJmIjoxNTUzNTk0OTc4LCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwic2NvcGUiOlsiZWR1bGV2ZWwiLCJtb2JpbGVubyIsImFzc2Vzc2FibGVpbmNvbWUiLCJvd25lcnByaXZhdGUiLCJuYXRpb25hbGl0eSIsImRvYiIsImNwZmNvbnRyaWJ1dGlvbnMiLCJlbWFpbCIsInNleCIsImhvdXNpbmd0eXBlIiwiY3BmYmFsYW5jZXMiLCJuYW1lIiwicmVnYWRkIiwicmFjZSIsImhkYnR5cGUiLCJtYXJpdGFsIiwiYXNzZXNzeWVhciJdLCJhdXRoX3RpbWUiOjE1NTM1OTQ3NzIsInJlYWxtIjoiL215aW5mby1jb20iLCJleHAiOjE1NTM1OTY3NzgsImlhdCI6MTU1MzU5NDk3OCwiZXhwaXJlc19pbiI6MTgwMCwianRpIjoieGRIN1QwSjI0TmFHS1FpWWVnNjcyREJfZGdrIn0.jbdjui3WLe-cwPRDCCR09ya5fK4UUntx31Y87PosGV_FTnKTmiy_cYOeaVTpjLmPx4ebo0fLooPHpKH_5_4lFPVaNdQkOGjvScV1fl04DR1UW0uutQubkIalYW-WgmIDhQz4ZddXyLswUnGc7-eURR47VDzjiMr-ptcn0uSfrI1RNgnc8kY12slOAE4bGxxmYE_PlBLQuZiCdORD9JKKjEKAptKVyQF7p9o6EAg2TQe4cpwcDLXYUkwjLcaoEdCXmX16QICFm9RsVFaW_PRl29fY9ErxcN27UrRnj4mqfbYUuRnN-W2e6DSnMfkZwMRKOlmPgD7fflfh5dnuNwGAXQ"} Copy Person Data (Decoded): {"name":{"lastupdated":"2019-03-26","source":"1","classification":"C","value":"TAN XIAO HUI"},"sex":{"lastupdated":"2019-03-26","code":"F","source":"1","classification":"C","desc":"FEMALE"},"race":{"lastupdated":"2019-03-26","code":"CN","source":"1","classification":"C","desc":"CHINESE"},"nationality":{"lastupdated":"2019-03-26","code":"SG","source":"1","classification":"C","desc":"SINGAPORE CITIZEN"},"dob":{"lastupdated":"2019-03-26","source":"1","classification":"C","value":"1998-06-06"},"email":{"lastupdated":"2019-03-26","source":"2","classification":"C","value":"[email protected]"},"mobileno":{"lastupdated":"2019-03-26","source":"2","classification":"C","areacode":{"value":"65"},"prefix":{"value":"+"},"nbr":{"value":"97399245"}},"regadd":{"country":{"code":"SG","desc":"SINGAPORE"},"unit":{"value":"128"},"street":{"value":"BEDOK NORTH AVENUE 4"},"lastupdated":"2019-03-26","block":{"value":"102"},"source":"1","postal":{"value":"460102"},"classification":"C","floor":{"value":"09"},"type":"SG","building":{"value":"PEARL GARDEN"}},"housingtype":{"lastupdated":"2019-03-26","code":"","source":"1","classification":"C","desc":""},"hdbtype":{"lastupdated":"2019-03-26","code":"113","source":"1","classification":"C","desc":"3-ROOM FLAT (HDB)"},"marital":{"lastupdated":"2019-03-26","code":"2","source":"1","classification":"C","desc":"MARRIED"},"edulevel":{"lastupdated":"2019-03-26","code":"3","source":"2","classification":"C","desc":"SECONDARY"},"ownerprivate":{"lastupdated":"2019-03-26","source":"1","classification":"C","value":false},"cpfcontributions":{"lastupdated":"2019-03-26","source":"1","history":[{"date":{"value":"2018-02-18"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2018-01"}},{"date":{"value":"2018-03-18"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2018-02"}},{"date":{"value":"2018-04-18"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2018-03"}},{"date":{"value":"2018-05-18"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2018-04"}},{"date":{"value":"2018-05-27"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2018-05"}},{"date":{"value":"2018-07-15"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-01"}},{"date":{"value":"2017-02-01"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-01"}},{"date":{"value":"2017-02-12"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-02"}},{"date":{"value":"2017-02-21"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-02"}},{"date":{"value":"2017-03-01"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-02"}},{"date":{"value":"2017-03-12"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-03"}},{"date":{"value":"2017-03-21"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-03"}},{"date":{"value":"2017-04-01"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-03"}},{"date":{"value":"2017-04-12"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-04"}},{"date":{"value":"2017-04-21"},"employer":{"value":"Crystal Horse Invest Pte Ltd"},"amount":{"value":500},"month":{"value":"2017-04"}}],"classification":"C"},"cpfbalances":{"oa":{"value":1581.48},"ma":{"value":11470.7},"lastupdated":"2019-03-26","source":"1","classification":"C","sa":{"value":21967.09},"ra":{"value":0}},"uinfin": {"lastupdated": "2019-03-26","source": "1","classification": "C","value": "S9812381D" }} --- # Key Principles | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close * * * **Use Login as an authentication service** * Option 1: NRIC/FIN and UUID * Option 2: UUID only **UUID** * Instead of NRIC/FIN, digital services of businesses can use the Universally Unique Identifier (UUID) to uniquely identify a person **Provide non-Singpass alternative** * Provide support to customers who prefer to use a non-Singpass alternative **PDPA & Applicable Regulations/Legislation** * Protect, retain and transfer data retrieved according to the rules of the Personal Data Protection Act (PDPA), relevant industry regulations and applicable legislation * For collection of National Identification Numbers, refer to the advisory guidelines from PDPC [herearrow-up-right](https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-for-NRIC-Numbers---310818.pdf) **Use for lawful purposes** * Use of user credentials for lawful purposes only [PreviousSingpass Loginchevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-login) [NextSingpass Button Guidelines (For developers and designers)chevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/singpass-button-guidelines-for-developers-and-designers) Last updated 2 months ago Was this helpful? Was this helpful? --- # Tutorial 3: Implementing PKI Digital Signature | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close circle-info Note: Make sure that you have completed Tutorial 1 and 2, and that you have understood the OAuth Process first. Now that you have successfully used the OAuth2 process to get Myinfo Person data, the final step is to implement PKI digital signature in your server-to-server calls to Myinfo APIs. Please refer to our [API specificationsarrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v3.2.html) for this tutorial. You may use test personas found in the [Personas Pagearrow-up-right](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas) when testing Tutorial 3. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#importance-of-security) Importance of Security Security is of utmost importance for Myinfo. To enhance security, Myinfo APIs requires your application to implement PKI digital signature when calling our server-to-server APIs, namely, the **token** and **person** APIs. Using PKI digital signature, we can ensure the following: * The _caller_ (your application) and the _receiver_ (Our API Gateway) are both valid and trusted identities; i.e. they are who they say they are. * The _request_ (from your application) and the _response_ (from Our API Gateway) has not been changed in transit. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#what-is-pki-digital-signature) What is PKI Digital Signature? Digital signatures are like electronic “fingerprints.” In the form of a coded message, the digital signature securely associates a signer with a document in a recorded transaction. Digital signatures use a standard, accepted format, called Public Key Infrastructure (PKI), to provide the highest levels of security and universal acceptance. They are a specific signature technology implementation of electronic signature (eSignature). * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#public-key-infrastructure-pki) **Public Key Infrastructure – PKI** A cryptographic system that uses two keys, a public key known to everyone and a private key, the private key has full control to the key owner, and has to keep in secured environment. A unique element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#generating-a-public-private-keypair) Generating a Public/Private Keypair The first step is to generate the public/private keypair for your app, based on your CA cert. Please refer to your CA certificate vendor for instructions on how to do so. Once this is complete, you should have the files similar to the list shown below: FILE NAME KEY TYPE COMMENTS privatekey.key private key Make sure you save a copy of the private key in a safe place. If you lose this key you will need to generate a new key pair. You will sign your request using the private key. mycert.cer X.509 cert (public key) Important:Submit this file in the Deploy step of your onboarding process upon approval of your linkup request. The API uses this file for signature verification on your app’s API calls. circle-info Note: Our sample application has a private key installed in it. This is only used for demo purposes. Your application will need its own private key. For implementation on your own application, please make sure that your business user/partner has submitted your public key to Myinfo as part of the onboarding process. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-1.-enable-pki-digital-signature-on-our-sample-application) 1\. Enable PKI digital signature on our Sample application -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-1.1-modify-configuration) **1.1 Modify configuration** Modify the configuration in the sample application you downloaded in Tutorial 2. For Linux/MacOSFor Windows * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-2.-trigger-mockpass-login-and-consent-authorise-api) 2\. Trigger MockPass Login and Consent (authorise API) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Now access the sample application via your browser at `http://localhost:3001` and click on the **Retrieve Myinfo** button on the application and go through the MockPass login and on the consent page, click on **I Agree**. Note:The process for this is exactly the same as in Tutorial 2. The **token** and **person** API calls will follow automatically once you have finished the consent page. We will look at the code for these 2 APIs in the following sections. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.-call-the-token-api) 3\. Call the Token API -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Look at the code in the file `routes/index.js` in the sample application. You should see the following code: You will notice that the code is calling `securityHelper.generateAuthorizationHeader()` before sending out the request. This function is found in `lib/security/security.js` and generates the security headers for calling Our API Gateway. Here's the code for this function: ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.1-signing-your-requests) **3.1 Signing Your Requests** Let's have a closer look at the `generateAuthorizationHeader()` function in the `lib/security/security.js` file. To sign your request, a few steps are required: A. Constructing the Authorisation Token B. Forming the Signature Base String C. Signing the Base String to get the Digital Signature D. Assembling the Header You can see the different steps involved in the code below: The following sections explain in detail each of the steps and how to do it for your own application. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#a.-constructing-the-authorisation-token) **A. Constructing the Authorisation Token** In order for the platform to recognize your app, you must construct a token and send it with the request message. This token is sent in the header of your request. NAME DESCRIPTION app\_id The AppID assigned to your application. For our sample application, this is `STG2-MYINFO-SELF-TEST` nonce A random string, uniquely generated for each request. The nonce allows the server to verify that a request has never been made before and helps prevent replay attacks when requests are made over a non-secure-channel. For more information, see Generating a Nonce Value. signature\_method A value indicating the signature method. Value = **RS256** signature The signature value. For information on how the signature value is calculated, see later sections. timestamp The timestamp of the request, expressed as the number of milliseconds since January 1, 1970 00:00:00 GMT. The timestamp must be a positive integer and must be greater than or equal to the timestamp used in previous requests. For more information, see _Generating the Timestamp._ #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#a.1-generating-a-nonce-value) **A.1 Generating a Nonce Value** A nonce is a random string that is uniquely generated for each request. The nonce allows the API providers to verify that a request has never been made before. A nonce is sent in the message header for both Shared Secret and PKI security mechanisms. In the Shared Secret mechanism, the same nonce value sent in the message header is also used in creating the Secret Digest. The way you create the nonce will depend on your development environment. Most programming languages include a method for creating a nonce. Below is an example of generating a nonce value in Java: #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#a.2-generating-the-timestamp) **A.2 Generating the Timestamp** The timestamp of the request is sent in the message header. The timestamp must be in Unix epoch time, expressed as the number of milliseconds since January 1, 1970 00:00:00 GMT. The timestamp must be a positive integer and must be greater than or equal to the timestamp used in previous requests. In most implementations, the timestamp is taken from the host server. It's important that the timestamp in the message is accurate; if the timestamp is off, the message might be rejected. For more information on Unix epoch time, and examples of implementation of the timestamp in different programming languages, see [Epoch Converterarrow-up-right](http://www.epochconverter.com/) .\_ \_ A Java example of generating the timestamp is shown below. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#b.-forming-the-signature-base-string) **B. Forming the Signature Base String** The **basestring** is a string constructed to represent the contents of your request, which is then signed to create the digital signature of your request. This ensures that the contents of your request can be verified to ensure it has not been changed in transit. **Base String Examples:** Below is an example of the Signature Base String that you will see in the onscreen logs of our demo application when calling the **token** API. Likewise, the Base String for the **person** API looks like this: The process of constructing the Signature Base String consists of three steps: chevron-rightStep 1: Normalize request parameters[hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#step-1-normalize-request-parameters) Collect the request parameters, sort them, and concatenate them into a normalized string. Parameters to include: * All parameters in the HTTP Authorization header except the _signature_ parameters which must be excluded. * Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded). * HTTP GET parameters added to the URLs in the query part. Normalize the parameters into a single string following the steps below: * Sort by parameter name, using lexicographical byte value ordering. If two or more parameters share the same name, sort by value. For example: * When parameters are sorted, concatenate them into a single string. For each parameter, separate the name from the corresponding value by an equals (=) character (ASCII code 61), even if the value is empty. Each name-value pair is separated by an ampersand (&) character (ASCII code 38). * For example: a=1&c=hi%20there&f=25&f=50&f=a&z=p&z=t chevron-rightStep 2: Construct request URL[hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#step-2-construct-request-url) The Signature Base String includes the absolute URL for the request, tying the signature to a specific endpoint. The URL used in the Signature Base String: * Must include the scheme, authority, and path. * Must exclude the query and fragment. URL scheme and authority must be **lowercase** and must include the port number (except port 80 or 443). circle-info Note: HTTP default port 80 and HTTPS default port 443 must be excluded. For example, this person GET request: Would be included in the Signature Base String as: chevron-rightStep 3: Concatenate request elements[hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#step-3-concatenate-request-elements) The following items must be concatenated in order into a single Signature Base string. Each item is encoded and separated by an ampersand (`&`) character (ASCII code 38), even if empty. * The HTTP request method used to send the request. Value must be uppercase, for example: POST, GET, PUT. * The request URL. * The normalized request parameters string. Note that the signature parameter, scheme are excluded. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#c.-signing-the-base-string-to-get-the-digital-signature) **C. Signing the Base String to get the Digital Signature** Once the Signature Base String is constructed, the next step is signing: 1. Use the SHA-2 algorithm to generate the hash of the Signature Base String. 2. Sign the hashed value using the private key of the app. 3. Base64-encode the signature value. circle-info Note: Base64 encoding should not include the CRLF (carriage return/line feed) every 72 characters which is part of strict Base64 encoding. Instead, the whole Base64 encoded string should be without line breaks. 1. Set the string as the value for the _signature_ parameter. Example code in Java below: Example code in NodeJS below: #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#d.-assembling-the-header) **D. Assembling the Header** Now that you have gotten the digital signature, you are ready to assemble the final header for your request. Make sure you include the following parameters in the header: * app\_id * nonce * signature\_method * signature * timestamp **Sample header with authorization parameters** Below is an example of an Authorization header for the sample application. Make sure you list the parameters in the sequence shown below. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.2-sending-the-request) **3.2 Sending the Request** Once the header is assembled, you are ready to send out your request. If you have done the steps correctly, Our API Gateway should recognize your request to be valid and send back a valid response, similar to the one you saw in Tutorial 2. circle-info Note: Verify that the request URL remains as e.g. https://api.myinfo.gov.sg/com/v3/\* ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.3-validating-the-response) **3.3 Validating the Response** Validate the JWT response sent back to you in the way that we went through in Tutorial 2. circle-info Note: It is very important for your application to validate the signature of the JWT to ensure the response has not been changed in transit. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-4.-call-the-person-api) 4\. Call the Person API ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-4.1-send-request) **4.1 Send Request** Now that you have the _JWT access token_, you can call the **person** API in the same way as the **token** API. circle-info Note: Remember to construct the header and digital signature of your request in the same way as the token API. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-4.2-decrypt-and-verify-the-person-response) **4.2 Decrypt & Verify the Person Response** The response payload for the **Person** API (for test and production environments) is first signed, then encrypted: * Signing is done using [**JWS (JSON Web Signature)**arrow-up-right](https://tools.ietf.org/html/rfc7515) format * Encryption is done using [**JWE (JSON Web Encryption) Compact Serialization**arrow-up-right](https://tools.ietf.org/html/rfc7516) format Encryption protects the data at rest while a signed payload means, if necessary, you will be able to pass this signed payload to a 3rd party where they can verify the payload's integrity with our public certificate. In order to read the payload, you have to perform the following steps in order: 1. Decrypt the payload with your application's private key. 2. Validate the decrypted payload signature with our public key. After doing the above steps, your application will be able to extract the payload in JSON format. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#step-1-decryption) **STEP 1: Decryption** * Encryption is done using your application's public key that you provided during onboarding. Decryption of the payload should be using the private key of that key-pair. * Current encryption algorithms used: * **RSA-OAEP** (for content key wrapping) * **AES256GCM** (for content encrytion) **What is the JSON Web Encryption Compact Serialization format?** The format consist of five parts separated by dots (.), which are: PART DESCRIPTION Header Contains the encryption algorithms used to produce the 1. cipher text (encrypted data) and 2. encrypted key (symmetric key encrypted with application's RSA public key) Encrypted Key The encrypted symmetric key that was used to encrypt the data. Initialization Vector Secure random value used together with the symmetric key to encrypt the data. Cipher Text The encrypted data. Tag Value used to ensure integrity of the encrypted data and header. Therefore, a JWE typically looks like the following: `aaaaa.bbbbb.ccccc.ddddd.eeeee` **How can I decrypt the JWE?** You will need to use a library that performs JWE decryption in order to decrypt the cipher text. Such libraries are readily available on the internet. For example, in our sample application, which is implemented with Node.js, we use the `jose` library, and we call the `jose.jwe.decrypt` method. If the decryption fails then the library will throw an error which the application needs to handle. Firstly, the `Encrypted Key` is decrypted using your application's RSA private key with the "alg" algorithm specified in the `Header` to produce the symmetric key. Next, the JWE decryption library is used to decrypt the `Cipher Text` using the symmetric key, `Initialization Vector`, `Tag` and ascii-encoded `Header`, with the "enc" algorithm in the `Header`. Look at the code in the file `lib/security/security.js` and search for the following code snippet: This calls the library to decrypt the JWE and return the decrypted JSON object, which is the **signed person's data**. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#step-2-verification-of-signature) **STEP 2: Verification of Signature** The decrypted payload is signed according to [**JWS (JSON Web Signature)**arrow-up-right](https://tools.ietf.org/html/rfc7515) format, similar to the access token. * signature algorithm used is `RS256`. You may download Myinfo X.509 Public Key Certificate used for verification, after application is created during onboarding in the application details page upon login. **Sample Code in** `**NodeJS**` * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-5.-use-the-json-object-to-prefill-form) 5\. Use the JSON object to Prefill Form ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Once you have decrypted the JWE and verified the JWS, you will get the Person JSON data format which we saw in Tutorial 1 and 2. Use this data to prefill your application form. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#summary) Summary ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ You've successfully used the OAuth2 process and PKI digital signature to get the Person data from Myinfo sandbox environment. You are now ready to use the same method to integrate your own application to our Staging and Production APIs circle-info Note: For Staging and Production APIs, please ensure you have separate pairs of (private key+public cert) for each environment. Your business user/partner should submit these as part of the onboarding process. [PreviousTutorial 2: Using OAuth2chevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-2-using-oauth2) [NextResourceschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/resources) Last updated 1 year ago Was this helpful? * [1\. Enable PKI digital signature on our Sample application](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-1.-enable-pki-digital-signature-on-our-sample-application) * [1.1 Modify configuration](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-1.1-modify-configuration) * [2\. Trigger MockPass Login and Consent (authorise API)](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-2.-trigger-mockpass-login-and-consent-authorise-api) * [3\. Call the Token API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.-call-the-token-api) * [3.1 Signing Your Requests](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.1-signing-your-requests) * [3.2 Sending the Request](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.2-sending-the-request) * [3.3 Validating the Response](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-3.3-validating-the-response) * [4\. Call the Person API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-4.-call-the-person-api) * [4.1 Send Request](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-4.1-send-request) * [4.2 Decrypt & Verify the Person Response](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-4.2-decrypt-and-verify-the-person-response) * [5\. Use the JSON object to Prefill Form](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#id-5.-use-the-json-object-to-prefill-form) * [Summary](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/tutorials/tutorial-3-implementing-pki-digital-signature#summary) Was this helpful? Copy // function to prepare request for TOKEN API function createTokenRequest(code) { var cacheCtl = "no-cache"; var contentType = "application/x-www-form-urlencoded"; var method = "POST"; var request = null;   // preparing the request with header and parameters // assemble params for Token API var strParams = "grant_type=authorization_code" + "&code=" + code + "&redirect_uri=" + _redirectUrl + "&client_id=" + _clientId + "&client_secret=" + _clientSecret; var params = querystring.parse(strParams);     // assemble headers for Token API var strHeaders = "Content-Type=" + contentType + "&Cache-Control=" + cacheCtl; var headers = querystring.parse(strHeaders);   // Sign request and add Authorization Headers var authHeaders = generateAuthorizationHeader( _tokenApiUrl, params, method, contentType, _authLevel, _clientId, _privateKeyContent, _clientSecret );   if (!_.isEmpty(authHeaders)) { _.set(headers, "Authorization", authHeaders); }   var request = restClient.post(_tokenApiUrl);   // Set headers if (!_.isUndefined(headers) && !_.isEmpty(headers)) request.set(headers);   // Set Params if (!_.isUndefined(params) && !_.isEmpty(params)) request.send(params);   return request; } Copy // generates the security headers for calling API gateway function generateAuthorizationHeader(url, params, method, strContentType, authType, appId, keyCertContent, passphrase) {   if (authType == "L2") { return generateRS256Header(url, params, method, strContentType, appId, keyCertContent, passphrase); } else { return ""; } }; Copy // Signing Your Requests function generateRS256Header(url, params, method, strContentType, appId, keyCertContent, keyCertPassphrase) { var nonceValue = nonce(); var timestamp = (new Date).getTime();   // A) Construct the Authorisation Token Parameters var defaultAuthHeaders = { "app_id": appId, // App ID assigned to your application "nonce": nonceValue, // secure random number "signature_method": "RS256", "timestamp": timestamp // Unix epoch time };   // B) Forming the Base String // Base String is a representation of the entire request (ensures message integrity)   // i) Normalize request parameters var baseParams = sortJSON(_.merge(defaultAuthHeaders, params));   var baseParamsStr = qs.stringify(baseParams); baseParamsStr = qs.unescape(baseParamsStr); // url safe   // ii) concatenate request elements (HTTP method + url + base string parameters) var baseString = method.toUpperCase() + "&" + url + "&" + baseParamsStr;   // C) Signing Base String to get Digital Signature var signWith = { key: fs.readFileSync(keyCertContent, "utf8") }; // Provides private key   // Load pem file containing the x509 cert & private key & sign the base string with it to produce the Digital Signature var signature = crypto.createSign("RSA-SHA256") .update(baseString) .sign(signWith, "base64");   // D) Assembling the Authorization Header var strAuthHeader = "PKI_SIGN app_id=\"" + appId + // Defaults to 1st part of incoming request hostname "\",timestamp=\"" + timestamp + "\",nonce=\"" + nonceValue + "\",signature_method=\"RS256\"" + ",signature=\"" + signature + "\"";   return strAuthHeader; }; Copy // Generate the nonce value Import java.security.SecureRandom: Random rand = SecureRandom.getInstance ("SHA1PRNG"); long nonce = rand.nextLong(); Copy // Get the timestamp in milliseconds long timestamp = System.currentTimeMillis(); Copy baseString: POST&https://test.api.myinfo.gov.sg/com/v3/token&app_id=STG2-MYINFO-SELF-TEST& client_id=STG2-MYINFO-SELF-TEST&client_secret=44d953c796cccebcec9bdc826852857a b412fbe2&code=13a2f7db-1665-4c4e-9baa-b8ec464b9aad&grant_type=authorization_co de&nonce=150589435358500&redirect_uri=http://localhost:3001/callback&signature _method=RS256×tamp=1505894353585 Copy baseString: GET&https://test.api.myinfo.gov.sg/com/v3/person/9E9B2260-47B8-455B-89B5-C48F4 DB98322/&app_id=STG2-MYINFO-SELF-TEST&attributes=name,sex,race,nationality,dob ,email,mobileno,regadd,housingtype,hdbtype,marital,edulevel,assessableincome,h anyupinyinname,aliasname,hanyupinyinaliasname,marriedname,cpfcontributions,cpf balances&client_id=STG2-MYINFO-SELF-TEST&nonce=150589435395700&signature_metho d=RS256×tamp=1505894353957 Copy a=1, c=hi%20there, f=25, f=50, f=a, z=p, z=t Copy https://test.api.myinfo.gov.sg:443/com/v3/person/ 9E9B2260-47B8-455B-89B5-C48F4DB98322/?attributes=name,sex,race, nationality,dob,email,mobileno,regadd,housingtype,hdbtype,marital, edulevel,assessableincome,hanyupinyinname,aliasname, hanyupinyinaliasname,marriedname,cpfcontributions, cpfbalances&client_id=STG2-MYINFO-SELF-TEST Copy https://test.api.myinfo.gov.sg/com/v3/person/9E9B2260-47B8-455B-89B5-C48F4DB98322/ Copy String baseString = "Constructed base string"; Signature sig = Signature.getInstance("RSA-SHA256"); sig.initSign(privateKey); // Get private key from keystore sig.update(baseString.getBytes()); byte[] signedData = sig.sign(); String finalStr = Base64.getEncoder().encodeToString(signedData); Copy var signature = crypto.createSign('RSA-SHA256') .update(baseString) .sign(signWith, 'base64'); Copy Authorization: PKI_SIGN timestamp="1505900210349", nonce="150590021034800", app_id="STG2-MYINFO-SELF-TEST", signature_method="RS256", signature="EEm+HEcNQajb5FkVd82zjojk+daYZXxSGPCO R2GHZeoyjZY1PK+aFMzHfWu7eJZYMa5WaEwWxdOdq5hjNbl 8kHD7bMaOks7FgEPdjE++TNomfv7 SMktDnIvZmPYAxhjb/C9POU2KT6tSlZT/Si/qMgD1cryaPw SeMoM59UZa1GzY mqlkveba7rma58uGwb3wZFH0n57UnouR6LYX DOOLkqi8uMZBuvRUvSJRXETAj2N0hT+4QJiN96Ct6IEQh/w oZh0o74K5Ol9Pp DSM08qC7Lj6N/k694J+hbBQVVviGn7/6mDkfbwdMDuoKs4t 7NpqmAnwT+xaQS IZcexfrAVQYA==" Copy // Decrypt JWE using private key security.decryptJWE = function decryptJWE(header, encryptedKey, iv, cipherText, tag, privateKey) { console.log("Decrypting JWE".green + " (Format: " + "header".red + "." + "encryptedKey".cyan + "." + "iv".green + "." + "cipherText".magenta + "." + "tag".yellow + ")"); console.log(header.red + "." + encryptedKey.cyan + "." + iv.green + "." + cipherText.magenta + "." + tag.yellow); return new Promise((resolve, reject) => {   var keystore = jose.JWK.createKeyStore();   console.log((new Buffer(header,"base64")).toString("ascii"));   var data = { "type": "compact", "ciphertext": cipherText, "protected": header, "encrypted_key": encryptedKey, "tag": tag, "iv": iv, "header": JSON.parse(jose.util.base64url.decode(header).toString()) }; keystore.add(fs.readFileSync(privateKey, "utf8"), "pem") .then(function(jweKey) { // {result} is a jose.JWK.Key jose.JWE.createDecrypt(jweKey) .decrypt(data) .then(function(result) { resolve(JSON.parse(result.payload.toString())); }) .catch(function(error) { reject(error); }); });   }) .catch (error => { console.error("Error with decrypting JWE: %s".red, error); throw "Error with decrypting JWE"; }) } Copy // Sample Code for Verifying & Decoding JWS or JWT function verifyJWS(jws, publicCert) { // verify payload // ignore notbefore check because it gives errors sometimes if the call is too fast. try { var jwspayload = jwt.verify(jws, fs.readFileSync(publicCert, "utf8"), { algorithms: ["RS256"], ignoreNotBefore: true }); return jwspayload; } catch(error) { throw("Error with verifying and decoding JWS"); } } --- # FAQ | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq#q1.-what-are-the-identifiers-returned-to-us-after-the-authentication-process-nric-fin-numbers-or-use) Q1. What are the identifiers returned to us after the authentication process? NRIC/FIN numbers or User’s Universally Unique Identifier (UUID). Please assess which identifier is appropriate for your use case taking into account applicable laws, regulations, guidelines, and industry circulars or notices. This includes the Advisory Guidelines on the Personal Data Protection Act for NRIC and Other National Identifiers (see [herearrow-up-right](https://www.pdpc.gov.sg/guidelines-and-consultation/2020/02/advisory-guidelines-on-the-personal-data-protection-act-for-nric-and-other-national-identification-numbers) ). * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq#q2.-what-is-a-uuid) Q2. What is a UUID? A Universally Unique Identifier (UUID) is a 128 bits-long identifier to uniquely identify a Singpass user. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq#q3.-can-i-allow-my-users-to-log-in-with-their-singpass-usernames-and-passwords-if-they-do-not-have-t) Q3. Can I allow my users to log in with their Singpass usernames and passwords if they do not have the Singpass app? No, as part of national scam-prevention efforts, new Singpass Login/Myinfo apps will only support QR Login. Password/SMS OTP login will no longer be offered. Password/OTP logins on mobile browsers are much easier for scammers to exploit, especially when a device is infected or remotely controlled. QR Login is far more secure because the user must verify the login within the Singpass app, which has stronger protections. Your end users/customers who prefer not to use QR login can still rely on the alternative login or form-filling options provided by your e-service. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq#q4.-can-foreigners-use-login-to-transact-with-digital-services) Q4. Can foreigners use Login to transact with digital services? Foreigners must be at least 15 years old and are either Permanent Residents (PRs) or Foreign Identification Number (FIN) holders with a valid Singpass account to use Login. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq#q5.-what-are-the-charges-fees-for-using-login-api) Q5. What are the charges/fees for using Login API? Singpass Login API adopts a pay-per-transaction tiered pricing structure. You may log into the Singpass API Portal to view details of the price plan. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq#q6.-i-am-a-financial-institution.-is-utilisation-of-singpass-api-services-subject-to-mas-expectation) Q6. I am a financial institution. Is utilisation of Singpass API services subject to MAS’ expectations under the Guidelines on Outsourcing? The Monetary Authority of Singapore (MAS) has issued a circular guidance to all financial institutions in June 2020 (see [herearrow-up-right](https://www.mas.gov.sg/-/media/mas/regulations-and-financial-stability/regulations-guidance-and-licensing/insurance/regulations-guidance-and-licensing/circulars/circular---id-26_20.pdf) ). For outsourcing arrangements involving services which are wholly provided by the Government Technology Agency (GovTech) or agents appointed by GovTech, they will not be subject to the MAS Guidelines on Outsourcing. Please refer to the list of services [here](https://docs.developer.singpass.gov.sg/docs/products/singpass-login) . * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq#q7-who-do-i-contact-if-i-require-more-details) Q7: Who do I contact if I require more details? If you have any other query, please submit a request at [partnersupport.singpass.gov.sgarrow-up-right](https://partnersupport.singpass.gov.sg/) . * * * [PreviousSingpass Button Guidelines (For developers and designers)chevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/singpass-button-guidelines-for-developers-and-designers) [NextSingpass Myinfochevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo) Last updated 2 months ago Was this helpful? Was this helpful? --- # Singpass Myinfo | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Myinfo enables citizens and residents to manage the use of their personal data for simpler online transactions. All Singpass users are automatically provisioned with a Myinfo profile. Users are able to view their personal data and access records of past usage via the Singpass app. * * * **How Myinfo API can enhance your digital service** 1. **Less form filling, higher data quality** Users can share their data by providing consent via Singpass and organisations no longer have to deal with manual data management. 2. **Data from government sources** With data from participating government sources, this allows the provisioning of products instantly, where applicable. [PreviousFAQchevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq) [NextKey Principleschevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/key-principles) Last updated 2 months ago Was this helpful? Was this helpful? --- # Tutorial 2: End-to-end Integration with Myinfo v4 APIs | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This tutorial will call the APIs from your server-based (or running from localhost) application. Myinfo uses [OAuth 2.1arrow-up-right](https://oauth.net/2.1/) for our Authentication and Authorisation flow. For a brief overview of the end to end flow, please refer to our [Overview](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4) * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.-download-and-setup-sample-client-application) 1\. Download & Setup Sample Client Application ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.1-install-node.js-and-npm) **1.1 Install Node.js and NPM** In order for the demo application to run, you will need to Install Node.js and NPM. Follow the instructions given by the links below depending on your OS. * [Install Node.js and NPM for Windowsarrow-up-right](http://blog.teamtreehouse.com/install-node-js-npm-windows) * [Install Node.js and NPM for Linuxarrow-up-right](http://blog.teamtreehouse.com/install-node-js-npm-linux) * [Install Node.js and NPM for Macarrow-up-right](http://blog.teamtreehouse.com/install-node-js-npm-mac) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.2-download-the-sample-client-application) **1.2 Download the sample client application** Please download the sample client application from our [Githubarrow-up-right](https://github.com/singpass/myinfo-demo-app-v4) . ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.3-run-npm-install) **1.3 Run NPM install** Run the following command in the folder where you unzipped the application: Copy npm install ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.4-start-the-application) **1.4 Start the Application** Execute the following command to start the application: ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.5-access-the-application-on-your-browser) **1.5 Access the Application on Your Browser** You should be able to access the sample application via the following URL: * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.-authorize-api) 2\. Authorize API ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Click on the "**Retrieve Myinfo**" button on the sample application. This calls the /authorize API below (with some additional parameters): PARAMETER DESCRIPTION client\_id unique ID for your application. For our sample application, this is STG2-MYINFO-SELF-TEST scope space separated list of attributes requested. Possible attributes are listed in the Person object definition in the API specifications. purpose\_id purpose\_id should have a corresponding pre-registered purpose(s) description as part of the setup. Purpose description refers to what the user will see in the consent page code\_challenge Value resulting from performing Base64 encoding of a SHA256 hash of code\_verifier (cryptographic random value generate on server side.) Refer to the section on Proof Key for Code Exchange (PKCE) for more information (Reference : [PKCEarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/pkce) ) code\_challenge\_method Hashing method used in producing code\_challenge. Only supports 'S256' redirect\_uri your callback URL for Myinfo to return with the authorisation code. For our sample application the callback url is [http://localhost:3001/callbackarrow-up-right](http://localhost:3001/callback) response\_type Response type for authorisation code flow - must be "code". ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.1-code-example-for-authorize-api) **2.1 Code Example for Authorize API** With reference to views/html/index.html in the [sample applicationarrow-up-right](https://github.com/singpass/myinfo-demo-app-v4) code: The index.html is the frontend(client side) code. This code example above triggers the /authorize API. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.2-login-with-mockpass-select-the-test-id-and-login-using-mockpass) **2.2 Login with MockPass** Select the test ID and login using MockPass: NRIC: 60050408A You may also use test personas found in the [Personasarrow-up-right](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas) . The `/authorize` API endpoint triggers the MockPass login and shows the consent page after successful login. circle-info Mockpass is a mock Singpass/Corppass login page for testing in development consistently ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.3-consent-page) **2.3 Consent Page** Once you have successfully logged into MockPass, a consent page similar to the one below will be shown: ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F1982108655-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fk67iNluSpweCPqhbIY5t%252Fuploads%252FyuB0HC1aGJhAXVaVe5rP%252Fimage.png%3Falt%3Dmedia%26token%3D3318543c-835b-4765-918a-62acfc0b3f11&width=768&dpr=3&quality=100&sign=b096141&sv=2) Consent Screen ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.4-retrieve-authorization-code) **2.4 Retrieve Authorization Code** If you have followed the steps above correctly, our system should return you an authorization code by invoking your callback URL. You should now see something like this in your browser URL dialog: Notice that the query string parameter value of code above is the **authorization code(authcode)**. We will use this **authorization code(authcode)** in the next `/token` API call. In the example above, the **authorization code(authcode)** is e2369168-52da-421a-b70f-03f64e779c4b. The `/token` API and `/person` API calls should be invoked automatically by the sample app once you have finished the consent page. We will look at the code for these 2 APIs in the following sections. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-3.-token-api) 3\. Token API ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Now that you have the `authcode`, you can invoke the `/token` API to get the `access_token`. circle-info The Token API must be called from a server-side component. It cannot be called from the browser or mobile native client application due to security reasons (there is no secure place to store your private key). ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-3.1-request) 3.1 Request **Request Parameters:** * Method: POST * Content-Type: application/x-www-form-urlencoded * Agent: HTTP client * Response Type: json **i) Headers:** PARAMETER DESCRIPTION DPoP DPoP Proof (JWT) containing the client's ephemeral public signing key that can be used to prove legit possession of the access\_token issued. (Reference: DPoP flow) Sample header of the Token API request: PARAMETER DESCRIPTION code The authcode given by the Authorize API. (Reference: [Authorizearrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/tutorial2#authorize) ) grant\_type Default: "authorization\_code" Grant type for getting token (default "authorization\_code") client\_id Unique ID for your application. redirect\_uri Application's callback URL. client\_assertion The assertion being used to authenticate the client. (Reference: [Client Assertionarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/clientassertion) ) client\_assertion\_type Default: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" The format of the assertion, which is defined to be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' code\_verifier Cryptographic random string generated and kept secret on server-side, it's corresponding to code\_challenge sent in the Authorize API (Reference: [PKCEarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/pkce) ) Sample body of the /token API request in application/x-www-form-urlencoded: Copy to clipboard The sample application will then send the constructed request to the /token API **Sample Code:** With reference to myinfo-connector/index.js in our sample [sample client application connectorarrow-up-right](https://github.com/singpass/myinfo-demo-app-v4) index.js is the backend (server side) code. The code example above creates the request to call the /token API. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-3.2-response) 3.2 Response * Response Type: application/json PARAMETER DESCRIPTION access\_token The resulting access token for the code flow token\_type Describes how the token can be used. (e.g. DPoP) expires\_in Expiry of access token (in seconds) refresh\_token Refresh token that can be used to exchange for another access token. Only available if client is configured to receive refresh token. client\_assertion The assertion being used to authenticate the client. (Reference: [Client Assertionarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/clientassertion) ) scope Scopes requested, separated by space Sample response from Token API in application/json: Copy to clipboard Notice the response contains an access\_token, which is in the JWT (JSON Web Token) format. (Reference: [JWTarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/jwt) ) The access\_token can be verified using Myinfo JWK URI and decoded.(Reference: [JWSarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/jwt) ) You should see the decoded access\_token in the onscreen logs that looks like this: Copy to clipboard This access\_token is a representation of the permissions that was given by the user when he/she clicked on "I Agree" on the consent page. circle-info Your application must validate the signature of the JWT to ensure the JWT was not modified in transit - intentionally or unintentionally. Notice the sub attribute in the JSON token is the identifier of the person who logged in via MockPass. We will use this identifier for the /person API call next. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-4.-person-api) 4\. Person API ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Now that you have the access\_token, you can invoke the /person API to get the Person data. circle-info The Person API must be called from a server-side component. It cannot be called from the browser or mobile native client application due to security reasons (there is no secure place to store your private key). This API call is essentially the same as the one in our Tutorial 1, except that you will need to provide a valid access\_token, or else we will reject your API request call. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-4.1-request) 4.1 Request **Request Parameters:** * Method: GET * Agent: HTTP client * Response Type: json **i) Header:** PARAMETER DESCRIPTION Authorization Include the access\_token (JWT) from /Token API in this header prefixed with 'DPoP'. DPoP Include the generated Demonstration of Proof of Possession token. (Reference: [DPoParrow-up-right](https://api.singpass.gov.sg/library/myinfo/developers/dpop) ) **ii) Path Parameters:** PARAMETER DESCRIPTION sub Identifier of user obtained from 'sub' attribute in access\_token. **iii) Query parameters:** PARAMETER DESCRIPTION scope Space separated list of scopes requested. **iii) Sample Code:** With reference to myinfo-connector/index.js in our sample client application connector code: Copy to clipboard The code example above creates the request to call the /person API: Copy to clipboard **4.1.1 Providing the Access Token in the Request Header** **STEP 1**: The access\_token should be provided in the header of your /person API request under "Authorization" with Prefix "DPoP" Copy to clipboard **STEP 2** The DPoP proof JWT should be provided in the header of your /person API request under "DPoP" Copy to clipboard **STEP 3** Combine both "Authorization" and "DPoP" into the header of your /person API request, and you should see something like this in the onscreen logs: Copy to clipboard Once this is ready, you may call our /person API and receive the JWE response of the data, which requires decoding and decrypting in the next step. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-4.2-response) 4.2 Response * Response Type: application/json Copy to clipboard The response payload from our /person API (for test and production environments) is first signed, then encrypted: * Signing is done using the JWS (JSON Web Signature) format * Encryption is done using the JWE (JSON Web Encryption) Compact Serialization format Encryption protects the data at rest, while a signed payload means, if necessary, you can pass this signed payload to a 3rd party where they can verify the payload's integrity with our public JWKS. **4.2.1 Decrypt & Verify the Person Response** To read the payload, you have to perform the following steps in order: * **STEP 1**: Decrypt the payload with your application's private key (Reference: [JWEarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developer/technical-concepts/jwt) ) * **STEP 2**: Validate the decrypted payload signature with Myinfo public key (JWKS URI) (Reference: [JWSarrow-up-right](https://api.singpass.gov.sg/library/myinfo/developer/technical-concepts/jwt) ) After the above steps, your application can extract the payload in JSON format. After which, you should see the response as below in the logs. Copy to clipboard Once you have decrypted the JWE and verified the JWS, you will get the Person JSON data format and use this data to pre-fill your application form. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#summary) Summary -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- You've successfully used the OAuth2.1 process to get the Person data from the Myinfo test environment. You are now ready to use the same method to integrate your application with Myinfo Production APIs. circle-info For Staging and Production APIs, please ensure you have different keypairs and different JWKS endpoints configured for each environment. Your business user/partner should submit these as part of the onboarding process. [PreviousTutorial 1: Myinfo Person sample Datachevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-1-myinfo-person-sample-data) [NextResourceschevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/resources) Last updated 1 year ago Was this helpful? * [1\. Download & Setup Sample Client Application](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.-download-and-setup-sample-client-application) * [1.1 Install Node.js and NPM](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.1-install-node.js-and-npm) * [1.2 Download the sample client application](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.2-download-the-sample-client-application) * [1.3 Run NPM install](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.3-run-npm-install) * [1.4 Start the Application](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.4-start-the-application) * [1.5 Access the Application on Your Browser](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-1.5-access-the-application-on-your-browser) * [2\. Authorize API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.-authorize-api) * [2.1 Code Example for Authorize API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.1-code-example-for-authorize-api) * [2.2 Login with MockPass Select the test ID and login using MockPass:](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.2-login-with-mockpass-select-the-test-id-and-login-using-mockpass) * [2.3 Consent Page](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.3-consent-page) * [2.4 Retrieve Authorization Code](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-2.4-retrieve-authorization-code) * [3\. Token API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-3.-token-api) * [3.1 Request](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-3.1-request) * [3.2 Response](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-3.2-response) * [4\. Person API](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-4.-person-api) * [4.1 Request](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-4.1-request) * [4.2 Response](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#id-4.2-response) * [Summary](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v4/tutorials/tutorial-2-end-to-end-integration-with-myinfo-v4-apis#summary) Was this helpful? Copy npm start Copy http://localhost:3001 Copy function callAuthorizeApi() { //Call backend server to generate code challenge $.ajax({ url: "/generateCodeChallenge", data: {}, type: "POST", success: function (code_challenge) { //Redirect to authorize url after generating code challenge var authorizeUrl = authApiUrl + "?client_id=" + clientId + "&scope=" + scope + "&purpose_id=" + purpose_id + "&code_challenge=" + code_challenge + "&code_challenge_method=" + method + "&response_type=code" + "&redirect_uri=" + redirectUrl;   window.location = authorizeUrl; }, error: function (result) { alert("ERROR:" + JSON.stringify(result.responseJSON.error)); } }); } Copy http://localhost:3001/callback?code=e2369168-52da-421a-b70f-03f64e779c4b Copy POST https://test.api.myinfo.gov.sg/com/v4/token HTTP 1.1 Accept: application/json Content-Type: application/x-www-form-urlencoded DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImp3ayI6eyJrdHkiOiJFQyIsImtpZCI6Ik0yT0pWVGRmaVV3OUMxSFFrTzF2VGlqTFhHT3lwY0Z1VDV3ZDQtNVdkekUiLCJjcnYiOiJQLTI1NiIsIngiOiJuOTJ0THQyUk5vQmdCM2piT2txNjF3bF8zM1VTUzA4dFMtR1I3ZGUwTWYwIiwieSI6IjNyaUcxamNFWThCTFpkUjhmc2VBa1hBLVJvSW92X3g5Q19iRzNKWFZVcTQiLCJ1c2UiOiJzaWciLCJhbGciOiJFUzI1NiJ9LCJhbGciOiJFUzI1NiJ9.eyJodHUiOiJodHRwczovL3NpdC5hcGkubXlpbmZvLmdvdi5zZy9jb20vdjQvdG9rZW4iLCJodG0iOiJQT1NUIiwianRpIjoiYldEWTZhVENuQUdLV3RDVWpZTFZJVm1vRW1CNFhhcmVwc0JEODVHQyIsImlhdCI6MTY2MjcxNDk5OCwiZXhwIjoxNjYyNzE1MTE4fQ.yOsoD-q7DPlgI_cnRVmjXcBraSxD5riCVmc8kaEoxGstTipFdTZIvnMs6EYs8oSFUYv4OVWcYm5MKLrJNLdtew Copy body : 'code=KhtDB67e2DrPgB3wpLjUsDfppHsBB42A9Crsx2b0 &grant_type=authorization_code &redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fcallback &client_id=STG2-MYINFO-SELF-TEST &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6ImFRUHlaNzJOTTA0M0U0S0Vpb2FIV3ppeHQwb3dWOTlnQzlrUkszODhXb1EifQ.eyJzdWIiOiJTVEcyLU1ZSU5GTy1TRUxGLVRFU1QiLCJqdGkiOiJtZzBNcFl0dkcyQTRUOWFRZkxON0o3OEY3dVltUmZJVmVyRUhIUFpaIiwiYXVkIjoiaHR0cHM6Ly9zaXQuYXBpLm15aW5mby5nb3Yuc2cvY29tL3Y0L3Rva2VuIiwiaXNzIjoiU1RHMi1NWUlORk8tU0VMRi1URVNUIiwiaWF0IjoxNjYyNzE0OTk4LCJleHAiOjE2NjI3MTUyOTgsImNuZiI6eyJqa3QiOiJNMk9KVlRkZmlVdzlDMUhRa08xdlRpakxYR095cGNGdVQ1d2Q0LTVXZHpFIn19.OlluOi2RkwAavibqhGrDL4m6m91IlM_vnfu-4CY0pmkSbUDcKS_NBlggNrTNcc_wnbFBSqMYNo2V4Geh9Ucc6g &code_verifier=Av6ktmeC1UsjHY677P-zf5Vk2x94W38Zu4pl4qhbeok' Copy callTokenAPI = async function (authCode, privateSigningKey, codeVerifier, sessionPopKeyPair) {   let cacheCtl = "no-cache"; let contentType = "application/x-www-form-urlencoded"; let method = constant.HTTP_METHOD.POST; let clientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"; let jktThumbprint = await this.securityHelper.generateJwkThumbprint(sessionPopKeyPair.publicKey) let strParams; // assemble params for Token API strParams = `grant_type=authorization_code` + "&code=" + authCode + "&redirect_uri=" + CONFIG.REDIRECT_URL + "&client_id=" + CONFIG.CLIENT_ID + "&code_verifier=" + codeVerifier + "&client_assertion_type=" + clientAssertionType + "&client_assertion=" + await this.securityHelper.generateClientAssertion(CONFIG.TOKEN_URL, CONFIG.CLIENT_ID, privateSigningKey, jktThumbprint);   let params = querystring.parse(strParams); let dPoP= await this.securityHelper.generateDpop(CONFIG.TOKEN_URL, null, null,constant.HTTP_METHOD.POST, sessionPopKeyPair);   // assemble headers for Token API let strHeaders = `Content-Type=${contentType}&Cache-Control=${cacheCtl}&DPoP=${dPoP}`; let headers = querystring.parse(strHeaders);   // invoke Token API let tokenURL = (CONFIG.USE_PROXY && CONFIG.USE_PROXY == "Y") ? CONFIG.PROXY_TOKEN_URL : CONFIG.TOKEN_URL; let parsedTokenUrl = urlParser.parse(tokenURL); let tokenDomain = parsedTokenUrl.hostname; let tokenRequestPath = parsedTokenUrl.path;   let accessToken = await requestHandler.getHttpsResponse(tokenDomain, tokenRequestPath, headers, method, params); return accessToken; }; Copy [HTTP POST] https://test.api.myinfo.gov.sg/com/v4/token Copy { "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkFGTW5uS1JXVGFCWUVoTmZFQjZpUTVFckMxeXFHVnlaY2hIOEE3bmxfeU0ifQ.eyJzdWIiOiI5MTUyNjdmMC01OTM5LTAyMzAtNzhlNy1iOGNkYmFhYjg1MTgiLCJqdGkiOiJvMkZaVUpmSFZWVjA3aFpLTFZrc2Yxd0RBYnNUUUtWblFXM3RjZDI5Iiwic2NvcGUiOiJ1aW5maW4gbmFtZSBzZXggcmFjZSBuYXRpb25hbGl0eSBkb2IgZW1haWwgbW9iaWxlbm8gcmVnYWRkIGhvdXNpbmd0eXBlIGhkYnR5cGUiLCJleHBpcmVzX2luIjoxODAwLCJhdWQiOiJodHRwczovL3Rlc3QuYXBpLm15aW5mby5nb3Yuc2cvY29tL3Y0L3BlcnNvbiIsInJlYWxtIjoibXlpbmZvLWNvbSIsImlzcyI6Imh0dHBzOi8vdGVzdC5hcGkubXlpbmZvLmdvdi5zZy9zZXJ2aWNlYXV0aC9teWluZm8tY29tIiwiY2xpZW50Ijp7ImNsaWVudF9pZCI6IlNURzItTVlJTkZPLVNFTEYtVEVTVCIsImNsaWVudF9uYW1lIjoiTXlJbmZvIFNlbGYgVGVzdCBBcHAgR0NDIiwiZW50aXR5X3VlbiI6IlQxNkdCMDAwMkciLCJlbnRpdHlfbmFtZSI6IkdvdlRlY2gifSwiY25mIjp7ImprdCI6ImhHdHN1S3h3UmFMOE1NeDVqVjVUYUluSWpqOFNLS3N3VEVOOGcxaU9FY1EifSwiZXBrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ1c2UiOiJlbmMiLCJraWQiOiI3VGt5TWFqV0JYUlo3aVpmZ3lQUGZmMmdMMzloMlh0ZkpEemNzNXRjZXJNIiwieCI6Ik5mSXhKdWRCTzFfWEQ0RG5oa1ZLUG9uSHV4MExHMTJPM0QtWjJOZnN1RUUiLCJ5IjoiMkhHNmV5SmNFRUJWWlVwMVlsRjU3TFdNbEFJbXlTdU41d1FjZUVybW85OCIsImFsZyI6IkVDREgtRVMrQTI1NktXIn0sImlhdCI6MTY2NzIwMTY4OCwibmJmIjoxNjY3MjAxNjg4LCJleHAiOjE2NjcyMDM0ODh9.0CMpP4Whxk11XTMxg1fz6Srw2HkPiY-t2Tydb8ouQVpCwMNe6DW3Mu6KBdOo00ipa7Nlhw375zwmWAIT-8-3CQ", "token_type": "DPoP", "expires_in": 1799, "refresh_token": "bsAJGkONZJJjs0cR11ZQzGHzxLKwDoEwaApy0krW", "scope": "uinfin name sex race nationality dob email mobileno regadd housingtype hdbtype" } Copy { "sub": "915267f0-5939-0230-78e7-b8cdbaab8518", "jti": "o2FZUJfHVVV07hZKLVksf1wDAbsTQKVnQW3tcd29", "scope": "uinfin name sex race nationality dob email mobileno regadd housingtype hdbtype", "expires_in": 1800, "aud": "https://test.api.myinfo.gov.sg/com/v4/person", "realm": "myinfo-com", "iss": "https://test.api.myinfo.gov.sg/serviceauth/myinfo-com", "client": { "client_id": "STG2-MYINFO-SELF-TEST", "client_name": "MyInfo Self Test App GCC", "entity_uen": "T16GB0002G", "entity_name": "GovTech" }, "cnf": { "jkt": "hGtsuKxwRaL8MMx5jV5TaInIjj8SKKswTEN8g1iOEcQ" }, "epk": { "kty": "EC", "crv": "P-256", "use": "enc", "kid": "7TkyMajWBXRZ7iZfgyPPff2gL39h2XtfJDzcs5tcerM", "x": "NfIxJudBO1_XD4DnhkVKPonHux0LG12O3D-Z2NfsuEE", "y": "2HG6eyJcEEBVZUp1YlF57LWMlAImySuN5wQceErmo98", "alg": "ECDH-ES+A256KW" }, "iat": 1667201688, "nbf": 1667201688, "exp": 1667203488 } Copy Example: 915267f0-5939-0230-78e7-b8cdbaab8518  Copy Example: scope=name nationality Copy callPersonAPI = async function (sub, accessToken, sessionPopKeyPair) { let urlLink;   urlLink = CONFIG.PERSON_URL + "/" + sub; let cacheCtl = "no-cache"; let method = constant.HTTP_METHOD.GET;   // assemble params for Person API let strParams ="scope=" + encodeURIComponent(CONFIG.SCOPE);   // assemble headers for Person API let strHeaders = "Cache-Control=" + cacheCtl; let headers = querystring.parse(strHeaders);   let decodedToken = await this.securityHelper.verifyJWS(accessToken, CONFIG.AUTHORIZE_JWKS_URL); let ath = this.securityHelper.base64URLEncode(this.securityHelper.sha256(accessToken)) let dpopToken = await this.securityHelper.generateDpopProof(urlLink, method, sessionPopKeyPair, ath); headers["dpop"] = dpopToken;   headers["Authorization"] = "DPoP " + accessToken;   logger.info("Authorization Header for MyInfo Person API: ", JSON.stringify(headers));   // invoke person API let personURL = (CONFIG.USE_PROXY && CONFIG.USE_PROXY == "Y") ? CONFIG.PROXY_PERSON_URL : CONFIG.PERSON_URL; let parsedUrl = urlParser.parse(personURL); let domain = parsedUrl.hostname; let requestPath = parsedUrl.path + "/" + sub + "?" + strParams; //invoking https to do GET call let personData = await requestHandler.getHttpsResponse(domain, requestPath, headers, method, null);   return personData; }; Copy [HTTP GET] https://test.api.myinfo.gov.sg/com/v4/person/915267f0-5939-0230-78e7-b8cdbaab8518?scope=uinfin%20name%20sex%20race%20nationality%20dob%20email%20mobileno%20regadd%20housingtype%20hdbtype Copy { "Authorization": "DPoP eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkFGTW5uS1JXVGFCWUVoTmZFQjZpUTVFckMxeXFHVnlaY2hIOEE3bmxfeU0ifQ.eyJzdWIiOiI5MTUyNjdmMC01OTM5LTAyMzAtNzhlNy1iOGNkYmFhYjg1MTgiLCJqdGkiOiJvMkZaVUpmSFZWVjA3aFpLTFZrc2Yxd0RBYnNUUUtWblFXM3RjZDI5Iiwic2NvcGUiOiJ1aW5maW4gbmFtZSBzZXggcmFjZSBuYXRpb25hbGl0eSBkb2IgZW1haWwgbW9iaWxlbm8gcmVnYWRkIGhvdXNpbmd0eXBlIGhkYnR5cGUiLCJleHBpcmVzX2luIjoxODAwLCJhdWQiOiJodHRwczovL3Rlc3QuYXBpLm15aW5mby5nb3Yuc2cvY29tL3Y0L3BlcnNvbiIsInJlYWxtIjoibXlpbmZvLWNvbSIsImlzcyI6Imh0dHBzOi8vdGVzdC5hcGkubXlpbmZvLmdvdi5zZy9zZXJ2aWNlYXV0aC9teWluZm8tY29tIiwiY2xpZW50Ijp7ImNsaWVudF9pZCI6IlNURzItTVlJTkZPLVNFTEYtVEVTVCIsImNsaWVudF9uYW1lIjoiTXlJbmZvIFNlbGYgVGVzdCBBcHAgR0NDIiwiZW50aXR5X3VlbiI6IlQxNkdCMDAwMkciLCJlbnRpdHlfbmFtZSI6IkdvdlRlY2gifSwiY25mIjp7ImprdCI6ImhHdHN1S3h3UmFMOE1NeDVqVjVUYUluSWpqOFNLS3N3VEVOOGcxaU9FY1EifSwiZXBrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ1c2UiOiJlbmMiLCJraWQiOiI3VGt5TWFqV0JYUlo3aVpmZ3lQUGZmMmdMMzloMlh0ZkpEemNzNXRjZXJNIiwieCI6Ik5mSXhKdWRCTzFfWEQ0RG5oa1ZLUG9uSHV4MExHMTJPM0QtWjJOZnN1RUUiLCJ5IjoiMkhHNmV5SmNFRUJWWlVwMVlsRjU3TFdNbEFJbXlTdU41d1FjZUVybW85OCIsImFsZyI6IkVDREgtRVMrQTI1NktXIn0sImlhdCI6MTY2NzIwMTY4OCwibmJmIjoxNjY3MjAxNjg4LCJleHAiOjE2NjcyMDM0ODh9.0CMpP4Whxk11XTMxg1fz6Srw2HkPiY-t2Tydb8ouQVpCwMNe6DW3Mu6KBdOo00ipa7Nlhw375zwmWAIT-8-3CQ" } Copy { "DPoP": "eyJ0eXAiOiJkcG9wK2p3dCIsImp3ayI6eyJrdHkiOiJFQyIsImtpZCI6ImhHdHN1S3h3UmFMOE1NeDVqVjVUYUluSWpqOFNLS3N3VEVOOGcxaU9FY1EiLCJjcnYiOiJQLTI1NiIsIngiOiJMX0F3SklGeDZWUEk1RklIZFBwSnppLVZFNGdkUlhCU3Zld3ktTmhySFFFIiwieSI6IjF0czFnZENpTWhjUHI1WkJPSjNaSHdBY0YtUkJPVVd6MjJGX296SGRjbk0iLCJ1c2UiOiJzaWciLCJhbGciOiJFUzI1NiJ9LCJhbGciOiJFUzI1NiJ9.eyJodHUiOiJodHRwczovL3Rlc3QuYXBpLm15aW5mby5nb3Yuc2cvY29tL3Y0L3BlcnNvbi85MTUyNjdmMC01OTM5LTAyMzAtNzhlNy1iOGNkYmFhYjg1MTgiLCJodG0iOiJHRVQiLCJqdGkiOiJxc21vU21BVzF6WmtCTHNBUEZUWU8xNFQ1Ukl3eWxHQXFueHdCb3ViIiwiaWF0IjoxNjY3MjAxNjg5LCJleHAiOjE2NjcyMDE4MDksImF0aCI6InNGdjVQYnhGbXJKQ3BFY1pQYzA0aXNfWTdfOXJUMkk3Z2ZMVlNtMHI4djAifQ.MoMtWxT7igolVcGPY7qe15kyi5DxAz1XaJKlvip3b4H0E7RzwL38UE9u6nv3afMgGxQkOhWHU8tZigxlfk3lg" } Copy { "Cache-Control": "no-cache",   "Authorization": "DPoP eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IkFGTW5uS1JXVGFCWUVoTmZFQjZpUTVFckMxeXFHVnlaY2hIOEE3bmxfeU0ifQ.eyJzdWIiOiI5MTUyNjdmMC01OTM5LTAyMzAtNzhlNy1iOGNkYmFhYjg1MTgiLCJqdGkiOiJvMkZaVUpmSFZWVjA3aFpLTFZrc2Yxd0RBYnNUUUtWblFXM3RjZDI5Iiwic2NvcGUiOiJ1aW5maW4gbmFtZSBzZXggcmFjZSBuYXRpb25hbGl0eSBkb2IgZW1haWwgbW9iaWxlbm8gcmVnYWRkIGhvdXNpbmd0eXBlIGhkYnR5cGUiLCJleHBpcmVzX2luIjoxODAwLCJhdWQiOiJodHRwczovL3Rlc3QuYXBpLm15aW5mby5nb3Yuc2cvY29tL3Y0L3BlcnNvbiIsInJlYWxtIjoibXlpbmZvLWNvbSIsImlzcyI6Imh0dHBzOi8vdGVzdC5hcGkubXlpbmZvLmdvdi5zZy9zZXJ2aWNlYXV0aC9teWluZm8tY29tIiwiY2xpZW50Ijp7ImNsaWVudF9pZCI6IlNURzItTVlJTkZPLVNFTEYtVEVTVCIsImNsaWVudF9uYW1lIjoiTXlJbmZvIFNlbGYgVGVzdCBBcHAgR0NDIiwiZW50aXR5X3VlbiI6IlQxNkdCMDAwMkciLCJlbnRpdHlfbmFtZSI6IkdvdlRlY2gifSwiY25mIjp7ImprdCI6ImhHdHN1S3h3UmFMOE1NeDVqVjVUYUluSWpqOFNLS3N3VEVOOGcxaU9FY1EifSwiZXBrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ1c2UiOiJlbmMiLCJraWQiOiI3VGt5TWFqV0JYUlo3aVpmZ3lQUGZmMmdMMzloMlh0ZkpEemNzNXRjZXJNIiwieCI6Ik5mSXhKdWRCTzFfWEQ0RG5oa1ZLUG9uSHV4MExHMTJPM0QtWjJOZnN1RUUiLCJ5IjoiMkhHNmV5SmNFRUJWWlVwMVlsRjU3TFdNbEFJbXlTdU41d1FjZUVybW85OCIsImFsZyI6IkVDREgtRVMrQTI1NktXIn0sImlhdCI6MTY2NzIwMTY4OCwibmJmIjoxNjY3MjAxNjg4LCJleHAiOjE2NjcyMDM0ODh9.0CMpP4Whxk11XTMxg1fz6Srw2HkPiY-t2Tydb8ouQVpCwMNe6DW3Mu6KBdOo00ipa7Nlhw375zwmWAIT-8-3CQ",   "DPoP": "eyJ0eXAiOiJkcG9wK2p3dCIsImp3ayI6eyJrdHkiOiJFQyIsImtpZCI6ImhHdHN1S3h3UmFMOE1NeDVqVjVUYUluSWpqOFNLS3N3VEVOOGcxaU9FY1EiLCJjcnYiOiJQLTI1NiIsIngiOiJMX0F3SklGeDZWUEk1RklIZFBwSnppLVZFNGdkUlhCU3Zld3ktTmhySFFFIiwieSI6IjF0czFnZENpTWhjUHI1WkJPSjNaSHdBY0YtUkJPVVd6MjJGX296SGRjbk0iLCJ1c2UiOiJzaWciLCJhbGciOiJFUzI1NiJ9LCJhbGciOiJFUzI1NiJ9.eyJodHUiOiJodHRwczovL3Rlc3QuYXBpLm15aW5mby5nb3Yuc2cvY29tL3Y0L3BlcnNvbi85MTUyNjdmMC01OTM5LTAyMzAtNzhlNy1iOGNkYmFhYjg1MTgiLCJodG0iOiJHRVQiLCJqdGkiOiJxc21vU21BVzF6WmtCTHNBUEZUWU8xNFQ1Ukl3eWxHQXFueHdCb3ViIiwiaWF0IjoxNjY3MjAxNjg5LCJleHAiOjE2NjcyMDE4MDksImF0aCI6InNGdjVQYnhGbXJKQ3BFY1pQYzA0aXNfWTdfOXJUMkk3Z2ZMVlNtMHI4djAifQ.MoMtWxT7igolVcGPY7qe15kyi5DxAz1XaJKlvip3b4H0E7RzwL38UE9u6nv3afMgGxQkOhWHU8tZigxlfk3lg" } Copy eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJraWQiOiI3VGt5TWFqV0JYUlo3aVpmZ3lQUGZmMmdMMzloMlh0ZkpEemNzNXRjZXJNIiwiZXBrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoibUVaMHhpRmQ4SV9nbERTVDRYWHZaUTgwN2E4X1lpN0ZaYkxmdnhZUEtJZyIsInkiOiJoNEEtOV9tYndJeVQ3UlVnVzNBVV9fQjg2TFYyWUhTWFlZN1l6ekEtX2NjIn19.-tkyW9doM-nvfi5iLIX30livPwFb4Ocpj_sH9lf3EBT_665a4obEiQ.YInOs5ZA_wA0kfAA.ESz3K9C-K7BUtifjT-sLlam7sddzAmpfW0QeF5oDrDYOLJXwgwCYbZCwXP7BBkI0TbccTdatQja76Vs2Y-OWsSDS-AOvg46HWUmUkSnzQAREJ_fxPGhDhDLvmBwLl4Y64zVOHDwZFC9dfnJAH8_2ezM03kqatw1gjs5gmipaicdoGZNA3doy33J6W2uAnjl6eunw47ABlu1PKdizumYnISZjPYWxIGLI3BMSfQSo9arvXT9R7sodhmVMb_KlRG9tnbqazvXwjafRs4B9moT7a2pTNts2hVKZ72Oknl-YpED4pkmx7IoV8CUHU0JIrtAnD_fkZlAl1zUSYtJgy7EXJ11T-UktkBWGzXswQQm913YV0ZYiwBkK80exOoGq-40YTDcFnhAqAJQW3N7Ro2nX4Mk4ujBxtxB-j25rtYmIG1-lU0MPepTzFrTLupzrslkPHyfW8a5LystczDLPH7ryCYUAKw1ex87Wbf784mmkd62QfxLjAhvK3fHh0MA_naOBoIzX89o7B2EjAZ015YJvsIKRPb2JM-Y1_Ll5mFmxttMk17ItjDfcxCqQE9dU_4_X3Z8A6LW0HOSMjrIop-9WvmWKCK3DzpgWw_x4H7dlbTPsOKM7cVnP8_LqNMSmmxjskJeBZ4XMOG9G273RvrZbgA8POS0zESTvkrwULTwPFr4fsfDP8t82WWBzsuwuXXNqE_BE-McfoyZJZ-a6iWbMyp8b3CSrLj5neCYHQSGJ14ZJagfOoz8BgTzqJxUoeQdg6K14bdP2Wdwu32q207al7riw35tFU45WFy8lUuIKURsznadUeyG1GzBJ6Rl7zjVmFmtGReawCbGrFLZDxkHl6520YbDVHqnjHbBX4vnneoISdx3YhSHdd08rHNSOPPOrbpv22bWsLCr-6PKZzzM9XG4J4oloDxwMZgwJ-fmExlCwRml9aywlEArbs0UqLdjC9mtngNb4Sw1kNhUleVzXRD3qkKZj1Zzzei-oHN-LEz9hWVMtAdy-bpuq8eVYt437Td2IQnCMQ-f3hA8FqaASLVlfjrbNm0GwRQpki3s6hA2FlUEXlE3RGyOYB9Z9jyf8AB1WQ9QfWpOPUNKlf8pmqS7f-Ym0EVabTFtTT-QNHXWo5CAQ1RZ7K_sxmiLSiMsE-V6V7DFjq0b7bXPiCFbKAyJW21gC_t_G8Shg7nzXtxKY2YEOCFMOjn-RsnQAWYlJZ9sCpiL3PoueLdK2ouAq9KebqpP-syM8jlwTh6ZrL8k_InYCSZAWvCRdqf85hu4qoKxTFd7biVpeJQ1fQb9sLGHihSMx3_kOOsS-OUctuVy_nElcuFaVy4vGk6bjDetED8egwwQZn3oRtbrQeye0filIYw_hcJyXzwNzGKUox7C8aIV6-Mi4x0fJTQPPJrJyEU4fSJC9auGOi75CWPQOf-Kd8GOpr8vLQ8FULaPB3S1zVfhXN7q08Qcp_MolotPPFfBhn7VMM7ai5JG4vhB-oti3gsih4xaIDiYK98Nitqp_OnY34keiEjzxWL8PQJugTyXiGuM6Gft-Xu07OrOzYC-CqtX7QOUhLSSQefP1HhyvuSAocCvgWQ2Q7EydphmlCJAgzlIwXtePcQ-YKqM_bbJ5TZmD_of4T9-Ab-VwNdgcor_Ro1rq3c6zbzTsKxaJ1SeHRSzIfyfz854TbZd4PiJwERYp4dSt-I-sPW21h90CJXCujS--2QzgVeOkSHlUI94dkl54-ahiKd8UlnU_N24_uVsiVYpqkh2Ouce8uy9FRQAL6ZRh5bOC78GWKQEyMvMDWEZl8myrlSiKWm4OFH65hiBZx6uoNIramaMKQNVZOMFLiTUCOoqJc_Xk-LrNzh7FNdfzP9NgbqfPdwKwVeuy4lWLttYOq2UHXVIU_u4aHEjkUuGVO0O2Fz_Ig_pIyTSIQGkhTC7MQjzWfMTuUCPphh4x7bO74VzqprsN35TxxOVvD9iTpDZ-kg5fJ53j2f5G413q8JmCMHhf3rqX7N8bPTHXlkvHoeCMwc7TMyU4ugJOzxQgMqoO78iWHhr4PxriotwB3vvnvzMsg4fVPRzwUWiD_adBhWB_ZZOnoxQHftb9fmcIP6DGyNne11_4VsuIPmifdSDixBVV6AOk39hkQDbBMQctGPat2TXVo8kl3vg_sgqkTDobccEWT5YnQ3XRpQCrD7V9Z5P9u64_rSeFxz1dBLFHe39sytwFtJT-NzhDAN_5UWyNln5uS-R5WtNARjP5b7W50oQntUql1smZiH3o-xqittFs-QoPeH94D5qtLUpK-XF1fWFJrNaL_GhVBkH0S56fYGfceDs-JZ73AePN5lNbFBVLVuA55QMzBHM_Y8k7zcu6cWIRa15z3UdariVcGXsaurFfTYpP0ABmKtJPbBotEEBWb-N7gvdXuH25MLpEXtqjh6GLXcuRMwIUeQ9mcQKFjh2tJF0jf4kEnMsVs9XtK8pO47owp0TAR1iLre80ryuLcbaSoj_Cm4T5IJORuURKftjfQsoC9NMpPLV8dJrBT0hjv2QgZrQmjyZ1lZwZa1cjVy2_o72epuJsdSgf_aSJ1Pq7ucHnr9WnOmvlwU0IWQ.bjsOSR3XIMI6WMNkJ2gCqg Copy { "uinfin": { "lastupdated": "2022-10-27", "source": "1", "classification": "C", "value": "S6005048A" }, "name": { "lastupdated": "2022-10-27", "source": "1", "classification": "C", "value": "ANDY LAU" }, "sex": { "lastupdated": "2022-10-27", "code": "M", "source": "1", "classification": "C", "desc": "MALE" }, "race": { "lastupdated": "2022-10-27", "code": "CN", "source": "1", "classification": "C", "desc": "CHINESE" }, "nationality": { "lastupdated": "2022-10-27", "code": "SG", "source": "1", "classification": "C", "desc": "SINGAPORE CITIZEN" }, "dob": { "lastupdated": "2022-10-27", "source": "1", "classification": "C", "value": "1988-10-06" }, "email": { "lastupdated": "2022-10-27", "source": "4", "classification": "C", "value": "" }, "mobileno": { "lastupdated": "2022-10-27", "source": "4", "classification": "C", "areacode": { "value": "" }, "prefix": { "value": "" }, "nbr": { "value": "" } }, "regadd": { "country": { "code": "SG", "desc": "SINGAPORE" }, "unit": { "value": "10" }, "street": { "value": "ANCHORVALE DRIVE" }, "lastupdated": "2022-10-27", "block": { "value": "319" }, "source": "1", "postal": { "value": "542319" }, "classification": "C", "floor": { "value": "38" }, "type": "SG", "building": { "value": "" } }, "housingtype": { "lastupdated": "2022-10-27", "code": "", "source": "1", "classification": "C", "desc": "" }, "hdbtype": { "lastupdated": "2022-10-27", "code": "115", "source": "1", "classification": "C", "desc": "5-ROOM FLAT (HDB)" } } --- # Integration Guide | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This section will walk you through how to set up your Singpass Login or Myinfo (v5) integration. As Singpass' authentication API is fully compliant with **OIDC** and the **FAPI 2.0 Security Profile**, we suggest that you use any one of these [OpenID-certified relying party librariesarrow-up-right](https://openid.net/developers/certified-openid-connect-implementations/) to streamline your integration. Kindly refer to our [demo apparrow-up-right](https://github.com/singpass/demo-app) for an example of how such libraries may be used. Whether you choose to use an off-the-shelf client library, or use your own custom integration, you may refer to the subsequent pages to learn more about the Singpass authentication API. [PreviousChangelogchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog) [Next1\. The Authorization Requestchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request) Last updated 2 months ago Was this helpful? Was this helpful? --- # Overview of Singpass | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Singpass is Singapore's national digital identity authentication provider using the [OpenID Connect 1.0arrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html) protocol. It stores users' identity information and authenticates them for transactions with government agencies and private organizations online. [hashtag](https://docs.developer.singpass.gov.sg/docs/introduction/overview-of-singpass#how-singpass-oidc-works) How Singpass OIDC Works? ---------------------------------------------------------------------------------------------------------------------------------------------- circle-info **OpenID Provider (OP)** is the party that issues the ID token. In this case, Singpass serves as the OpenID provider. circle-info **Relying Party (RP)** is the party that requests the ID token from Singpass, which in this context refers to your mobile or web application. [OpenID Connect 1.0arrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html) offers various authentication flows for integrating an OpenID Provider (OP) and a Relying Party (RP). Singpass as the OpenID Provider supports only the **authorization code flow**. This flow is the most widely used OpenID Connect authentication method, ideal for web applications and native applications that employ a client/server architecture. In this more secure and confidential flow, instead of returning the ID and access tokens directly to the Relying Party, an authorization code is provided. The Relying Party can then exchange the code for the necessary tokens to complete the authentication flow. The token will be used for information exchange if user info is required. The relying Party is required to manage the parsing of JWT used in JWT assertion. [PreviousFAQchevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq) [NextUnderstanding the basics of OIDCchevron-right](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc) Last updated 2 months ago Was this helpful? Was this helpful? --- # Quick Start | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#getting-started) Getting started Before you can begin integrating with Singpass Login or Myinfo, you’ll need access to the [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) . 👉 [How to get access to developer.singpass.gov.sg](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/obtaining-access-to-the-singpass-developer-portal-sdp) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#create-a-staging-app) Create a Staging App Once you have access to SDP, your first step is to create a **Staging application.** The Staging environment lets you configure your app, test your flows, and validate your setup safely before going live. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Ft2AAGEYnof1BBDbsAQTh%252Fscreen-1763522210887.gif%3Falt%3Dmedia%26token%3D40fd48fb-d0da-409f-91a9-cc1250dc7d76&width=768&dpr=3&quality=100&sign=445e4b9&sv=2) > _Create your first Singpass application in under a few minutes using the app setup wizard._ You’ll choose whether you want to integrate: * Singpass Login – for authentication * Myinfo – for verified personal data retrieval 👉 Learn about [Singpass Login](https://docs.developer.singpass.gov.sg/docs/products/singpass-login) & [Singpass Myinfo](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo) and their requirements 👉 [How to create a Staging app](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-app) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#set-up-your-test-environment) Set up your test environment Now that your app is created, you can begin testing. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#test-singpass-login) Test Singpass Login Create or use a staging Singpass account to test the login journey. 👉 [How to set up a Staging Singpass account](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-test-account) 👉 [How to download the Singpass Staging app](https://docs.developer.singpass.gov.sg/docs/testing/testing-with-singpass-app) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#test-singpass-myinfo) Test Singpass Myinfo Use our ready made test personas to simulate Myinfo responses. 👉 [Myinfo Common Test Profiles](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#begin-your-integration) Begin your integration With your Staging test accounts ready, you can start building your Singpass Integration: 👉 [Integration guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) 👉 [Demo app](https://docs.developer.singpass.gov.sg/docs/getting-started/demo-app-and-sample-codes) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#review-services-agreement-and-pricing-plan) Review Services agreement and pricing plan Before moving to Production, make sure you understand the: * Responsibilities under the Singpass Services Agreement * Pricing Plan 👉 [Where to review the Services Agreement & Pricing](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/view-singpass-service-agreement) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#prepare-for-production) Prepare for Production: Before creating your Production app, ensure you have completed the following: 1. Agree to the Singpass Services Agreement 2. Update your billing contact details in SDP 3. Prepare your user journey * Login → follow branding guidelines * Myinfo → follow data principles & scope justification 👉 [User Journey Guidelines](https://docs.developer.singpass.gov.sg/docs/getting-started/user-journey) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#create-your-production-app) Create your Production app Once all prerequisites are met: 1. Create your Production app in SDP 2. Configure your Production redirect URIs, JWKS endpoints, Scopes 3. Start testing using your Production credentials > ⏳ Note: Production App approval may take up to 2 weeks. Please plan your rollout timeline accordingly. 👉 [How to Create a Production App](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-production-app) [PreviousSingpass APIs Documentationchevron-left](https://docs.developer.singpass.gov.sg/docs) [NextPre-requisites for onboardingchevron-right](https://docs.developer.singpass.gov.sg/docs/getting-started/pre-requisites-for-onboarding) Last updated 2 months ago Was this helpful? * [Getting started](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#getting-started) * [Create a Staging App](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#create-a-staging-app) * [Set up your test environment](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#set-up-your-test-environment) * [Begin your integration](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#begin-your-integration) * [Review Services agreement and pricing plan](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#review-services-agreement-and-pricing-plan) * [Prepare for Production:](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#prepare-for-production) * [Create your Production app](https://docs.developer.singpass.gov.sg/docs/getting-started/quick-start#create-your-production-app) Was this helpful? --- # Data Display Guidelines | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close The following provides a set of display guidelines for businesses with digital services consuming CPF, Principal Name and Notice of Assessment (Detailed) data to adhere to, in order to present the respective data in an accurate and consistent manner. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/data-display-guidelines#cpf-account-balances) CPF Account Balances * * * There are 4 types of CPF accounts and their respective balances are available via Myinfo: * Ordinary Account (OA) * Special Account (SA) * Medisave Account (MA) * Retirement Account (RA) CPF data are retrieved real-time (as at the point of retrieval). Organizations whose digital services are obtaining CPF balances via Myinfo, will need to take note of the following points when designing the display of CPF balances in their digital services. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FXjnoe4WI2RZUlrTU4ptI%252Fimage.png%3Falt%3Dmedia%26token%3D375890e0-079c-4bf1-813f-ad84283603ac&width=768&dpr=3&quality=100&sign=67af67c0&sv=2) Example 1: CPF member has OA, SA and MA only ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FIIFZswx8pGSNNYjDp40N%252Fimage.png%3Falt%3Dmedia%26token%3D26cb353b-4a5a-4bdb-bd80-bd00a358fd6b&width=768&dpr=3&quality=100&sign=579286a4&sv=2) Example 2: CPF member with OA, SA, MA and RA ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FalJDBtFj9nKtagqp8T24%252Fimage.png%3Falt%3Dmedia%26token%3Df3cc5de4-44f8-4966-8700-f5a414d02c14&width=768&dpr=3&quality=100&sign=d8e93351&sv=2) * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/data-display-guidelines#employment-related-cpf-contribution-history) Employment Related CPF Contribution History Organisations whose digital services are consuming employment related CPF Contribution History via Myinfo, will need to take note of the following points when designing the display of CPF contributions in their digital services. CPF data are retrieved real-time (as at the point of retrieval). ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FRFnOL3fek3VQ4PtkXWg2%252Fimage.png%3Falt%3Dmedia%26token%3Dddeadd24-21b9-4d16-bcb6-a1af0bd5d38b&width=768&dpr=3&quality=100&sign=e3657c71&sv=2) Please take note that: * The contribution entries are to be sorted by "Paid on" followed by "For Month", in ascending values. * Myinfo service covers commonly required CPF contribution, i.e. employment related contributions. Non-employment related contribution (e.g. government top-up, self-employed contributions) are not available in Myinfo. Example 1: CPF member has OA, SA and MA only ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fw5GfSkFYOIhczAccqK4W%252Fimage.png%3Falt%3Dmedia%26token%3Dd930164d-2a60-4108-a2ca-5207cc126ca5&width=768&dpr=3&quality=100&sign=8146e9be&sv=2) * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/data-display-guidelines#principal-name) Principal Name Businesses that are capturing customer's name in multiple fields (e.g. First, Middle and Last Name) must take note of the following points: * Principal Name field must still be displayed in non-editable mode. * Multiple name fields (e.g. First, Middle, and Last Name) will be displayed in editable mode. * It is in businesses interest that the final submitted multiple name fields does not substantially differ with the Principal Name. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/data-display-guidelines#notice-of-assessment-detailed) Notice of Assessment (Detailed) Businesses with digital services consuming Notice of Assessment (Detailed, Last Year) or Notice of Assessment (Detailed, Last 2 Years) must take note of the following points: * All detailed fields in the Notice of Assessment should be displayed. * Year of Assessment, Type and Tax Clearance (if applicable), Assessable Income and Income Breakdown must be displayed clearly. * When Tax Clearance = Y, the word 'Clearance' must be displayed after the Type field. Businesses must adhere to the guideline in order to present the respective Notice of Assessment data in an accurate and consistent manner to Tax Payer. Examples of Notice of Assessment (Detailed, Last 2 Years) display: ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F6yShCJm6lpEs76JUBj4f%252Fimage.png%3Falt%3Dmedia%26token%3D40ef1d3d-1f13-401b-b679-994ce8e39a82&width=768&dpr=3&quality=100&sign=e8049220&sv=2) [PreviousLogo Download and Brand Guidelineschevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines) [NextScheduled Downtimeschevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/scheduled-downtimes) Last updated 2 months ago Was this helpful? Was this helpful? --- # Logo Download and Brand Guidelines | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines#brand-guidelines-and-assets) **Brand Guidelines and Assets:** ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The Singpass brand is more than just a name. It's a set of values, attributes, and design principles that reflects the spirit of our brand. Using it consistently will reinforce our passion and commitment to give all Singapore residents a National Digital Identity that empowers them to live confidently in a Smart Nation. Please help us protect our brand, and present your work in the most appropriate way, by following these guidelines and only using approved brand assets from this site (any logos or images found elsewhere on the web are not approved for use). **When to use Singpass brand:** * Product page * Consent page **Singpass asset downloads** You can use either of these buttons for your application: file-archive 287KB [Singpass-logos.zip](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FJGwoA4mDGd1sDpX1EDnJ%2FSingpass-logos.zip?alt=media&token=d1dedcbc-84b0-4b7c-81f7-c5bf822db148) archive downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FJGwoA4mDGd1sDpX1EDnJ%2FSingpass-logos.zip?alt=media&token=d1dedcbc-84b0-4b7c-81f7-c5bf822db148) Singpass Logos file-archive 96KB [Retrieve-Singpass-btn-inline.zip](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FWJ7ToOKoWtIGIAeS7Sh5%2FRetrieve-Singpass-btn-inline.zip?alt=media&token=36808ee4-43c0-435e-8dc6-fc95713c7b95) archive downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FWJ7ToOKoWtIGIAeS7Sh5%2FRetrieve-Singpass-btn-inline.zip?alt=media&token=36808ee4-43c0-435e-8dc6-fc95713c7b95) Myinfo Button (Inline Version) file-archive 81KB [Retrieve-Singpass-btn-stacked.zip](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FkBvrLjlccPoekgVMbtIX%2FRetrieve-Singpass-btn-stacked.zip?alt=media&token=c6a7c2d3-021a-4bf1-8341-db3696f9b11e) archive downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FkBvrLjlccPoekgVMbtIX%2FRetrieve-Singpass-btn-stacked.zip?alt=media&token=c6a7c2d3-021a-4bf1-8341-db3696f9b11e) Myinfo Button (Stacked Version) * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines#myinfo-consent-page) Myinfo Consent Page --------------------------------------------------------------------------------------------------------------------------------------------------------------- **The consent page includes important information:** 1. Your display app name, as viewed by your customers 2. Your entity name, which will be populated in the system 3. Purpose of the use of the data 4. List of data items The value specified in the 'purpose' parameter when invoking the Authorise API will be displayed on this page when retrieving Singpass. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fj8RK0XRM87Sfgq6xakI2%252FConsent%2520form.png%3Falt%3Dmedia%26token%3D5e07e531-20aa-4b35-a624-bae347bf117b&width=768&dpr=3&quality=100&sign=e2b91a43&sv=2) 1. Your digital service/transaction application. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FfI7SbjztMhmODE5ibq7j%252FNote%2520Banner.png%3Falt%3Dmedia%26token%3D64afaf4f-e03b-461a-b06a-fa22edd44be4&width=768&dpr=3&quality=100&sign=3ed8a24&sv=2) 1. Your entity name which will be populated in SDP. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FkRqtZmMeRSniMqP2PrNx%252FNote%2520Banner%25202.png%3Falt%3Dmedia%26token%3D9ae90f59-7c5e-43df-af04-c4344348d16b&width=768&dpr=3&quality=100&sign=70c187fd&sv=2) 1. Align to the objective of the digital service/transaction. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FwH0TH1slFod8f5ikwCbr%252FNote%2520Banner%25203.png%3Falt%3Dmedia%26token%3D82ac9e19-d1ff-4a99-a6c9-b655610f99be&width=768&dpr=3&quality=100&sign=e5fddbd7&sv=2) Please proof-read your sentence structure and ensure that the objective is clear and unambigious. * * * [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines#logo-usage) **Logo Usage** ------------------------------------------------------------------------------------------------------------------------------------------------- **Logo Placement for Collaborative Partnership** For collaborative brand partnerships, the Singpass logo will come first, followed by respective brand partner logo(s). * Both logos should be similarly proportioned. We recommend that you first start by matching the height or width of partner logo(s) to the Singpass logo. * Both logos should be scaled to the same optical size for visual balance. * Clear space should be used between the logos, denoted by the x-height of the ‘i’. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fc1zRWDfVCxkp1swogvDv%252Flogin%2520placement.png%3Falt%3Dmedia%26token%3D5e677235-5948-440a-827d-da48141bcdb6&width=768&dpr=3&quality=100&sign=7495deb5&sv=2) ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fet9X95zTnL6x1uNseai3%252FLogo%2520text%2520placement.png%3Falt%3Dmedia%26token%3D00316c2d-ed74-4908-8978-68138aa69c39&width=768&dpr=3&quality=100&sign=8cc47e7a&sv=2) **Minimum size** Minimum sizes of the Singpass logo: * Digital: **80 pixels wide** * Print: **18mm wide** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FvtBeDyYgo8Rv1tiwuMuZ%252Fsingpass%2520logo.png%3Falt%3Dmedia%26token%3Dadbb9343-c4c5-460f-a7e7-54a03e8500df&width=768&dpr=3&quality=100&sign=98ad02f5&sv=2) **Usage on Backgrounds** Whenever possible, it is recommended to use the full colour Singpass logo. It should be used on only either white or light grey background only. The single colour logos should only be used on either Singapore red or black background. For photograph backgrounds, the single colour logo in reverse white should be used. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FmtWobsw3k6sgkcsVtcOP%252Fwidth%2520example.png%3Falt%3Dmedia%26token%3D285596e6-943a-41fb-8002-0683b5d939fd&width=768&dpr=3&quality=100&sign=610dc596&sv=2) **Singpass Logo Don’ts** Don't combine the Singpass name or logos, or any portion of any of them, with other logo, company name, mark or generic terms. Don't edit, modify, distort, rotate or re-colour the logo. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FtJJ8sG4u51OOh05ZFZEM%252Fsingpass-donts.png%3Falt%3Dmedia%26token%3D23f50e2e-375a-4e89-b0fe-814562c90e4f&width=768&dpr=3&quality=100&sign=e862bc77&sv=2) **Naming Usage** Never modify or abbreviate the name 'Singpass'. The 'S' in Singpass is always capitalised. Keep 'Singpass' as a single word. [PreviousKey Principleschevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/key-principles) [NextData Display Guidelineschevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/data-display-guidelines) Last updated 2 months ago Was this helpful? * [Brand Guidelines and Assets:](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines#brand-guidelines-and-assets) * [Myinfo Consent Page](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines#myinfo-consent-page) * [Logo Usage](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines#logo-usage) Was this helpful? --- # Singpass Button Guidelines (For developers and designers) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close **Singpass logo download:** You can use the following logo for your online and print materials file-archive 287KB [Singpass-logos.zip](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FJGwoA4mDGd1sDpX1EDnJ%2FSingpass-logos.zip?alt=media&token=d1dedcbc-84b0-4b7c-81f7-c5bf822db148) archive downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FJGwoA4mDGd1sDpX1EDnJ%2FSingpass-logos.zip?alt=media&token=d1dedcbc-84b0-4b7c-81f7-c5bf822db148) **Singpass button types** By default, use the white fill button to pair it with your service’s interface. Alternatively, you may use the red fill button if it’s suitable. * White-filled button: **#FFFFFF** * Red-filled button: **#F4333D** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FlbOX8cB199uDjMZcWGok%252FButton%2520usage.png%3Falt%3Dmedia%26token%3D33123552-402c-4f98-abea-af6dba9d6bab&width=768&dpr=3&quality=100&sign=13543917&sv=2) **Font usage for button label** By default, please use **Poppins at 16px** size. Alternatively, you may use your brand’s typeface. San serif is highly recommended for this button to better match the Singpass logo. Download Poppins Bold on [Google fontsarrow-up-right](https://fonts.google.com/specimen/Poppins) . ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FKtlADenE2JflOwi0Eu6V%252Flogin-label.png%3Falt%3Dmedia%26token%3D85c73385-5d1b-4d2c-8e48-fab7402c4935&width=768&dpr=3&quality=100&sign=7395da93&sv=2) **Label** If you are using the label ‘**Log in**’ must be kept as two words. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FMtIcOnwDylw4GfIQhRWv%252Flabel.png%3Falt%3Dmedia%26token%3D724c80dc-b2f7-4447-9d6a-bc52305bb74f&width=768&dpr=3&quality=100&sign=e2532451&sv=2) **Accessibility: Aria labels for screen readers** Please ensure that the **Singpass logo has a aria-label** to ensure that screen readers will read it as “Sing pass” to avoid it reading out the entire word as ‘S-i-n-g-p-a-s-s’. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FMc5Ai8NvBw4a78nSGfc0%252Faccessibility.png%3Falt%3Dmedia%26token%3D47d69d90-ed44-41ff-bd90-e305a9d3ba34&width=768&dpr=3&quality=100&sign=87cc92e3&sv=2) **Singpass logo size** **Match the x-height of the label** as close as possible to ensure visual balance and proportion. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FBTzDIvikDXQunBmgT2yv%252Fsinpass%2520logo%2520size.png%3Falt%3Dmedia%26token%3D85273b68-f70c-45e7-8216-ba9c67a06102&width=768&dpr=3&quality=100&sign=65eda38a&sv=2) **Button colour** To ensure brand recognition and consistency, use the **white-filled** or **red-filled** buttons as stated below. Avoid using colours other than white-filled or red-filled buttons. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F0OJzDYYI57dJQgG1LMvH%252Fsinpass-buttoncolour.png%3Falt%3Dmedia%26token%3Deabd5ee4-ac09-454e-bb6f-8deb358f6a3a&width=768&dpr=3&quality=100&sign=3c1788f1&sv=2) **Border stroke** When using the white-filled button, please ensure to adhere to the specs stated below. * Border colour: **#C8C9CC** * Border width: **1px** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FIa0VaUD8HODKuJOZuqIN%252Fborder-stroke.png%3Falt%3Dmedia%26token%3D286d2710-020f-403f-84a3-289b9a3f6be3&width=768&dpr=3&quality=100&sign=c64efc91&sv=2) **Border radius** Ensure that the border radius of Singpass button matches your button. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FrnGbhMdFVLLivAvp3KBc%252Fborder-radius.png%3Falt%3Dmedia%26token%3D9d89682c-4092-4e45-9bc4-99986a1c0bf1&width=768&dpr=3&quality=100&sign=a0a2e543&sv=2) **Hover state** Please adhere to the following colours, and avoid using another hover state styling. * White-filled button hover colour: **#F5F5F7** * Red-filled button hover colour: **#B0262D** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FP0RrlJS6H5tw4odWZwi9%252Fhover%2520state.png%3Falt%3Dmedia%26token%3D74907618-2a5c-4e8f-87c8-37e2b3841ab6&width=768&dpr=3&quality=100&sign=aece86a2&sv=2) **Width and height** Please ensure that the Singpass button visually matches your primary button with the following: * Width: **Fill to match your primary button width** * Height: **Match your button height** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FhPy5R2XbDfwWolM6xISp%252Fwidth%2520and%2520height.png%3Falt%3Dmedia%26token%3D8552c502-0e21-4338-a388-5ed2d7594865&width=768&dpr=3&quality=100&sign=16646096&sv=2) [PreviousKey Principleschevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/key-principles) [NextFAQchevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-login/faq) Last updated 2 months ago Was this helpful? Was this helpful? --- # Scheduled Downtimes | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Due to the scheduled downtimes of Myinfo upstream systems, financial data from CPF Board and IRAS, and FIN user data from MOM are unavailable via Myinfo, Myinfo business, Verify and SGFinDex API at the following times: * **CPFB** * Every Sunday 0500hrs to 0530hrs * Every 1st Sun of the month from 0000hrs to 0800hrs * Every 4th Sun of the month from 0000hrs to 0800hrs * If the 1st or the 2nd day of the month falls on the 1st Sun, the maintenance will be on the 2nd and 4th Sun instead. * **IRAS** * Every Wed, 0200hrs to 0600hrs * Every Sun, 0200hrs to 0830hrs * **MOM** * Every 4th Sun of the month from 0000hrs to 0600hrs * * * ### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/scheduled-downtimes#what-to-expect-during-downtime) What to Expect During Downtime During these maintenance periods, users will encounter an error response when attempting to retrieve the affected data. No data will be returned. The specific error response that partners will receive will differ depending on their client version. The error response for Myinfo v3/v4 clients is: Copy { "statusCode": 500, "message": "Internal server error - 540" } For Myinfo v5 clients, you will receive an error of status code 502, with the following response body: Partners are expected to handle the above error responses in their internal systems and display a corresponding user-friendly error message to their end-users. This ensures a smooth user experience even during downtimes. Please note that Myinfo, Myinfo Business, and Verify APIs will remain available for all other data items not affected by the maintenance. Similarly, SGFinDex services will be unable to retrieve government-related data (from CPF and IRAS) during these times. However, SGFinDex will still be available for non-government data from financial institutions. [PreviousData Display Guidelineschevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/data-display-guidelines) [NextFAQchevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq) Last updated 2 months ago Was this helpful? Was this helpful? Copy { "id":"872527df-1c6b-4d65-be27-b2b9642a8c92", "error":"upstream_dependency_error", "error_description":"An error has occurred.", "trace_id":"1-68c39359-03322d4443ca5f0c353c7beb" } --- # Key Principles | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close **Requesting for Data** 1. **Request only what you need** * Do not over-collect data, where this is not required for business purposes or legal reasons. * Each request must support only a single purpose. 1. **PDPA & Applicable Regulations/Legislation** * Protect, retain, transfer and dispose of data retrieved according to the rules of the Personal Data Protection Act (PDPA), relevant industry regulations and applicable legislation. * Use data in a manner consistent with the purpose of user’s consent. 1. **Use for lawful purposes** * Use the data items retrieved for lawful purposes only. * * * **Designing your User Journey (UJ)** 1. **Display As-Is** * Data items retrieved from our APIs should be displayed as-is on digital forms, so as to assure users that the correct data items have been retrieved. * This minimises clarifications on the data retrieved and encourage users to update the relevant Government data source agency if any information is outdated. 1. **Store only if submitted** * Data should be purged if form is not successfully submitted. * If ‘Save-as-draft’ feature is available, unsubmitted data should be purged periodically. 1. **Provide non-Myinfo alternative** * Partners are encouraged to support customers who prefer to use a non-Myinfo alternative. 1. **Showing customers the benefits of using Myinfo** * Indicate that Myinfo service is available for your application and clearly state the target users (e.g. for SC/PR and/or Foreigners). * Present the benefits of using Myinfo option (e.g. time saving, less document uploads or instant provisioning). 1. **Reduce supporting document upload** * Data from Government sources which are un-editable on your form should be assessed for suitability as an alternative to collecting documents for verification (e.g. NRIC, CPF Contribution History, Notice of Assessment). * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/key-principles#using-myinfo-personal-data) **Using Myinfo Personal Data** 1. **Display all retrieved personal data** * All Myinfo Personal data retrieved shall be displayed as-is on your digital forms. * Government-originated data on digital service forms should be un-editable, to preserve data integrity for verification. * User-provided data should remain editable. [PreviousSingpass Myinfochevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo) [NextLogo Download and Brand Guidelineschevron-right](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/logo-download-and-brand-guidelines) Last updated 2 months ago Was this helpful? Was this helpful? --- # Understanding the basics of OIDC | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [OpenID Connect 1.0arrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html) (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. It: * Allows clients to verify the identity of the end user based on the authentication performed by an Authorization Server * Allows clients to obtain basic profile information about the end user in an interoperable and REST-like manner * Allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users [hashtag](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc#oidc-actors) OIDC Actors --------------------------------------------------------------------------------------------------------------------------------- There are several actors involved in the Open ID Connect protocol. The following sections will detail each actor involved in the communication. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2Fcontent.gitbook.com%2Fcontent%2FW3T7d7fy7OGYkZf4zVKU%2Fblobs%2FdMYOKCGMG24UsGAp0vZ1%2Factors.png&width=768&dpr=3&quality=100&sign=2535c12c&sv=2) OIDC Actors Flowchart chevron-right**OIDC Provider (OP)**[hashtag](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc#oidc-provider-op) Singpass is an OpenID provider and it is the “vouch for” party in an identity federation. That is, it gives assurances of the identity of the user to the other party. The OpenID provider is responsible for: * Managing users and their identities * Issuing tokens * Handling user administration * Authenticating the user * Vouching for the user's identity with the relying party * Revoking user’s authenticated sessions and tokens chevron-right**Client or Relying Party (RP)**[hashtag](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc#client-or-relying-party-rp) The business entity will implement the relying party (also client or consumer) which will be the “validating party” in a transaction. The relying party or client is responsible for: * Controlling access to services * Validating the various tokens issued by OpenID Provider * Validating the asserted identity information from the OpenID provider (typically by way of verifying a digital signature) * Providing access based on asserted identity * Managing only locally relevant user attributes, not an entire user profile * Each client must be registered with an OpenID provider. The clients registered with Singpass OP must be confidential clients, which means every client must be registered with Singpass OP with their `Client ID` and `JWT Assertion`. chevron-right**User Agent**[hashtag](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc#user-agent) The user agent is a web browser or mobile browser or mobile application via which the user (resource owner) will initiate the communication with the OpenID Provider and Relying Party: * Serves static or dynamic pages * Handles redirections * May store cookies, user, and session information * Should not be used to store confidential data like user identity or tokens chevron-right**Resource Owner**[hashtag](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc#resource-owner) The resource owner could be an end-user or an entity capable of granting access to protected resources. In most cases, it would be the user accessing agency applications. chevron-right**Resource Server**[hashtag](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc#resource-server) The resource server will be hosted on the agencies' perimeter. It is the server that is hosting the applications protected by the relying party. Agencies' relying party will communicate with Singpass OP before granting access to protected resources hosted on the resource server. Here are some additional resources for learning more about OAuth 2.0 and OIDC: [PreviousOverview of Singpasschevron-left](https://docs.developer.singpass.gov.sg/docs/introduction/overview-of-singpass) [NextChangelogchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog) Last updated 2 months ago Was this helpful? Was this helpful? --- # Migration Guides | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This section contains guides to help you migrate your existing integrations to be compliant with the new Authentication API. If you are unsure about the type of your app, you may log in to the [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) . The app types of each of your apps will be visible on the dashboard page, once you log in. [PreviousOpenID Provider Configurationchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) [NextLogin / Myinfo (v5) appschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) Last updated 2 months ago Was this helpful? Was this helpful? --- # Technical Concepts | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This section provides information about important technical concepts that will be helpful for your integration with Singpass. [Previous5\. The Userinfo Requestchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo) [NextJSON Web Key Sets (JWKS)chevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks) Last updated 2 months ago Was this helpful? Was this helpful? --- # 2. Handling the Redirect | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Once the user has completed authentication on Singpass, we will redirect the user to the `redirect_uri` that you have specified in your authorization request. Depending on whether the authentication was successful or not, the query parameters attached to the URL will be different. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#failed-authentication) Failed Authentication --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- If the user failed to authenticate, or if an error occurred, we may return an Authentication Error Response, as specified in [section 3.1.2.6 of the OIDC specificationsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) . The URL will contain the following query parameters: Parameter Description Data type `error` An error code identifying the type of error that has occurred. This will be an enum value. The possible values are detailed [below](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#possible-error-values) . `error_description` A human-readable text description of the error. String. This is optional. `error_uri` URI of a web page that includes additional information about the error URL. This is optional. `state` This will be the same state parameter passed in the authorization request. A string with a maximum length of 255 characters. It must match the regular expression pattern `[A-Za-z0-9/+_-=.]+` chevron-rightSample URL for Authentication Error Response[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#sample-url-for-authentication-error-response) Copy https://partner.gov.sg/redirect?error=invalid_request_uri&error_description=The%20request_uri%20provided%20is%20invalid&state=e32b9f28-5d34-4c0f-8b0e-6b670566c97f If you receive an Authentication Error Response, you should display an error page to your users. You may also display different content on your error pages depending on the `error` parameter. However, you should not display `error` or `error_description` verbatim on your web page in order to prevent [content spoofingarrow-up-right](https://owasp.org/www-community/attacks/Content_Spoofing) attacks. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#possible-error-values) Possible error values The table below lists the possible values of the `error` query parameter that we may return. error What this error indicates `server_error` The server has encountered an unexpected error. You should guide the user to perform a retry. `temporarily_unavailable` The server is temporarily unavailable to handle the request. You should guide users to alternative authentication methods, or to guide them to try again some time later. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#successful-authentication) Successful Authentication ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- As per the OIDC specification, when the authentication is successful, the URL that the user is redirected to will contain two additional query parameters: Parameter Description Data type `code` The authorization code. This will be used in a later step to obtain the user's ID token and access token. A base64url-encoded string. `state` This will be the same state parameter passed in the authorization request. A string with a maximum length of 255 characters. It must match the regular expression pattern `[A-Za-z0-9/+_-=.]+` chevron-rightSample URL for successful authentication[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#sample-url-for-successful-authentication) Upon redirect, your application's backend should check the `state` parameter provided and ensure that it is the same as the `state` which you have sent in the Pushed Authorization Request. This is an important measure to guard against CSRF attacks. circle-info If you are using a [certified OIDC Relying Party libraryarrow-up-right](https://openid.net/developers/certified-openid-connect-implementations/) , this check will be automatically performed by the library if you have configured it to do so. Once you have completed this check, you may proceed to perform token exchange to obtain the ID token and access token. [Previous1\. The Authorization Requestchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request) [Next3\. The Token Requestchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange) Last updated 2 months ago Was this helpful? * [Failed Authentication](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#failed-authentication) * [Successful Authentication](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#successful-authentication) Was this helpful? Copy https://partner.gov.sg/redirect?code=XcyzlSeX1hIyJFlstxsSF_UeXC5DtiYkFgJ8VVx52mg&state=e32b9f28-5d34-4c0f-8b0e-6b670566c97f --- # CPF Contribution History (up to 15 months) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. For each contribution record, the 4 fields (Paid for Month, Paid On, Employer Name, Contribution Total) will be provided. Only Contribution(s) related to employment will be provided. Other contributions, such as self-employed or government top-ups, are presently excluded. CPF will return the contributions received (or paid on) in the past 15 months up to the preceding month. Note that a member could have multiple contributions per month from the same employer. 1. Example 1: If the query is made in Mar-24, contribution provided will be for contribution received in the period from Jan-23 to March-24 (inclusive). This is provided that Mar-24 contribution had been received, else contribution provided will be Jan-23 to Feb-24. 2. Example 2: Assuming a member has a late CPF contribution for work done in Nov-22 (beyond Jan-23 to Mar-24) that was credited only in Jan-23. If the query is made in Mar-24, contribution provided will include the late contribution as it was received in the period from Jan-23 to Mar-24. The contribution period range of Jan-23 to Mar-24 (inclusive) remains. [PreviousLocal Registered Birth Records and Sponsored Child Recordschevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/local-registered-birth-records-and-sponsored-child-records) [NextNotice of Assessment (Basic)chevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/notice-of-assessment-basic) Last updated 1 year ago Was this helpful? Was this helpful? --- # OpenID Provider Configuration | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Singpass' authorization server exposes an endpoint from which you can retrieve metadata about how Singpass is configured as an OpenID Provider: Environment Discovery Endpoint Staging [https://stg-id.singpass.gov.sg/fapi/.well-known/openid-configurationarrow-up-right](https://stg-id.singpass.gov.sg/fapi/.well-known/openid-configuration) Production [https://id.singpass.gov.sg/fapi/.well-known/openid-configurationarrow-up-right](https://id.singpass.gov.sg/fapi/.well-known/openid-configuration) The metadata hosted at this endpoint is crucial for your integration. It tells you things like: * The various endpoints and URIs that you will need, and * Supported scopes, response types, and encryption/signing algorithms Because [OpenID Connect Discoveryarrow-up-right](https://openid.net/specs/openid-connect-discovery-1_0.html) is part of the OIDC spec, if you are using an OpenID-certified relying party library, the library may automatically retrieve metadata from our discovery endpoint for you. In such cases, you may not be aware of this detail. Please be aware, however, that Singpass' OpenID configuration is not static, and you should regularly fetch from our discovery endpoint to ensure freshness. At the same time, you should also avoid fetching from this endpoint too frequently, e.g. for every authentication request. Instead, consider caching responses for at least an hour. [PreviousDemonstrating Proof of Possession (DPoP)chevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) [NextMigration Guideschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides) Last updated 2 months ago Was this helpful? Was this helpful? --- # 5. The Userinfo Request | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close circle-info This step is applicable only to Myinfo (v5) apps. The final step in the Singpass authentication flow is the userinfo request. This involves making a GET request to our `userinfo_endpoint` (as defined in our [OpenID configuration](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) ) to retrieve user information. To do this, you will need an access token (obtained from a successful token request) The endpoint will only return information based on the scopes that you have requested when making the authorization request. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#request) Request ------------------------------------------------------------------------------------------------------------------------------------------------- Just like the authorization request and token request, you will need to include the [DPoP header](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) when making the `/userinfo` request. You will also need to include your access token in the `Authorization` header. The access token should be prefixed with `DPoP` , as shown in the sample request below. No query parameters are required for this request. chevron-rightSample request[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-request) Copy GET /userinfo HTTP/1.1 Host: id.singpass.gov.sg Authorization: DPoP eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJ1c2VyLWphbmUtZG9lIiwiYXVkIjoiaHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20vZGF0YSIsImV4cCI6MTc1NjczMDM4MCwiaWF0IjoxNzI1MTk0MzgwLCJqdGkiOiJ0eC0xMjMtYWJjIiwiY25mIjp7ImprdCI6Ik93SWlGaVl2T0NXRkpiV1hlbUdUZzRtU1NYQkNwZk9NaFhRV21XOTBVSEEifX0.dGhpcy1pcy1hLXBsYWNlaG9sZGVyLXNpZ25hdHVyZS1hcy1pdC1yZXF1aXJlcy1hLXByaXZhdGUta2V5 DPoP: eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiQXNWakh4elZ4MURaNnNKcEpzUnM2ek5YYXFmcFR3UmNfcXV0bWw0aEFJQSIsInkiOiI0SkhwVVZDRE5DaXhOTW9OclIzSElodFRzTWNfMF9NcmdpMzJxR3VoUkQ4In19.eyJqdGkiOiIyZmM3Y2Q4ZC0xN2IzLTRlYTUtYTg4ZC1lZWM0NTY5M2JhZDQiLCJodG0iOiJHRVQiLCJodHUiOiJodHRwczovL2lkLnNpbmdwYXNzLmdvdi5zZy91c2VyaW5mbyIsImlhdCI6MTc1NjcwODI0N30.wBYjFQRzY2o5aG82LjR1X8qT9bZ-jK3c7hI5fE0gP9vR_7sU6tW5xV4yZ3aB2cE1dF0eG9hI8jJ7kL6mN5oP4qR [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#response) Response --------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#successful-response) Successful Response The response body of a successful response will contain a JSON Web Signature (JWS), which is also encrypted via JSON Web Encryption (JWE), represented in compact seralization form. This is the same encryption and signature scheme that was used in our ID token encryption, so you can decrypt and verify the response in exactly the same manner. The decrypted (and decoded) response is a JSON object with the following fields: Field Description Data Type `person_info` The personal data of the user. The information returned in this field depends on the scopes that were requested in your authorization request. A JSON object that follows the [Myinfo Get Person responsearrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v4.0.html#operation/getperson) . You can also download the OpenAPI specifications for this property below. `iss` The issuer identifier of our authorization server. This is identical to the `iss` returned in the ID token. String `iat` The unix timestamp at which we issued this JWT. String `sub` The principal that is the subject of the JWT. Contains a globally unique identifier for the user. This is identical to the `sub` returned in the ID token. String `aud` The client ID of your registered client, provided by Singpass during app onboarding. A 32-character case-sensitive alphanumeric string. The specifications for the `person_info` property is also available in OpenAPI format: file-download 154KB [person\_info\_openapi.yml](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FTu4AGW0HQbNBt3uFAkQl%2Fperson_info_openapi.yml?alt=media&token=d093cc3c-3c2b-4a15-9c3d-f163f4ced2bf) downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2FTu4AGW0HQbNBt3uFAkQl%2Fperson_info_openapi.yml?alt=media&token=d093cc3c-3c2b-4a15-9c3d-f163f4ced2bf) The examples below show how the response would look like if `openid uinfin name` were the requested scopes. chevron-rightSample encrypted response (this is a JWE)[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-encrypted-response-this-is-a-jwe) chevron-rightSample decrypted response (this is a JWS)[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-decrypted-response-this-is-a-jws) chevron-rightSample decoded response payload[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-decoded-response-payload) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#error-response) Error Response If there was an error with the request, we will instead return a response body in `application/json` format with the following parameters: `error` An error code identifying the type of error that has occurred. This will be an enum value. The possible values are detailed below. `error_description` A human-readable text description of the error. String. This is optional. These parameters will also be returned in the `WWW-Authenticate` header if the `error` is `invalid_request`, `invalid_token`, or `invalid_dpop_proof`. chevron-rightSample error response body[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-error-response-body) chevron-rightSample WWW-Authenticate header[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-www-authenticate-header) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#possible-error-values) Possible error values The table below lists the possible values of `error` that we may return: error What this error indicates `invalid_token` The access token is invalid or has expired. Note that the access token has a lifetime of 30 minutes. `invalid_dpop_proof` The `DPoP` header which you have provided is invalid, expired, or malformed. Read our [DPoP guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) and ensure that your implementation follows the instructions in the guide. `invalid_request` This could be due to one of the following: * Your JWKS endpoint is not reachable, or the JWKS being returned is malformed., Read our guide on [JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#requirements-for-jwks) and ensure that you follow the requirements. * You are trying to retrieve Myinfo data for a Singpass Foreign Account user, which is not possible. `server_error` `upstream_depedency_error` The server encountered an unexpected error. You should check `error_description` to understand what was the cause of the error. When you encounter this error, you may perform up to 3 retries using an exponential backoff strategy. If the request still fails, you should guide users to alternative form-filling methods. [Previous4\. Parsing the ID Tokenchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) [NextTechnical Conceptschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts) Last updated 2 months ago Was this helpful? * [Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#request) * [Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#response) * [Successful Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#successful-response) * [Error Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#error-response) Was this helpful? Copy eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJraWQiOiJ0ZXN0LXJwLWtleS0wMSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ik1RVTBWRnlfUWFUYktzTmJrVTdMZkFnUjJ2Y1FQYW94UzBXM2RLRm9yOU0iLCJ5IjoibkdRam5PRlZ4emdzRERjMUJqQ3otZi1KeUY4VC14WW0xQVp4NjFtZWVCOCJ9fQ.gDvjBmkLqQ42hbNM2ULPwaskGPBlLvslPAqr0XcN2a-OYqOHXKfwvoUUOuoibTfzg_l8rr-WalvY8FY_a8yfHOaL2GLt6ZWj.O_tgtrTbPRbL_p0Y2rvnCQ.38npNWj1nL1AQxS2A3JrxokxHms6GPYT2OFhaFghI7N0QkR48gPuUvKi-m7wPbESTYA-9O-bSHEX9fUXD4FtlztrhjRTpGmdfppooVMn9_bHcLLyHbHnS3_yW5JaybqHNfD6zXCB1pw24vvHfGmRJ7C86CeBgosuYslMk7y7m_rIT6YhVnotN_kRBOppVW9eC3g0upRxXQJ3O10__pR-QcBb_eXKqwm6tcpeTEqBPl0Dbedk6DDoq6KSRV5LzyFLMutAjInQpKGdWYa7FCgfHL3FWNfcwyPq27s3d14ArZJVkIJsOW_VTI_lrnSBzCcdJpbGj9wPe0e2SfslliZlSxYTTpECyV5AZZgwxz0pMaE85Ob7KzrJjMdbZqZZC53HnZmq6pS8RiUce4950IwvsfF0xDUDaZuMxKnISoPcuUX2jHr8FG0SytO8Pr6m3DyOYbQnSkUFdjCRSHiKRqDxlqM15hSkle3jtd9qf-EzuGeHNqaJCjD7XWeviwJgD70fUZDM8lDvCp5mTfl0pcy7mlGEWjVmfR3MB1ohGwkZLeq3H_KrCyhn_FJ-DRPiE4oIaO8oSsFOhRocND4RDlliOIRK_B1XRmw1YpJFBRpn04N2ytnJrxCJ4cZeTEa4QCYkKaJHPqWkN_qvdgxywkwELLB5Tb1sgdKcq3Kh77uHWl7AfZF9iE1L-kgg4hT5KaJSp4qEYz-nbb4TqmrsnZiPbjnzSFrOGZ778OpDWnXhbb5VcXk9ZjejEdBtoqnIJ_vubEWTw-ZeMI4fCmNuiZ4HnY130VKfnU2f19GSNYaeL7GX7bVQWVS_H01mbll6_GUe.g7la6rSFevvuUrEoqVb41SQB1dk4JuTkrl8zwE0fzG4 Copy eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFsaWFzL3N0Zy1zcC1hdXRoLWFwaS1pZC10b2tlbi1zaWduaW5nLWtleS1rbXMtYXN5bW1ldHJpYy1rZXktYWxpYXMifQ.eyJwZXJzb25faW5mbyI6eyJ1aW5maW4iOnsibGFzdHVwZGF0ZWQiOiIyMDI0LTA5LTI2Iiwic291cmNlIjoiMSIsImNsYXNzaWZpY2F0aW9uIjoiQyIsInZhbHVlIjoiUzkwMDAwMDFCIn0sIm5hbWUiOnsibGFzdHVwZGF0ZWQiOiIyMDI0LTA5LTI2Iiwic291cmNlIjoiMSIsImNsYXNzaWZpY2F0aW9uIjoiQyIsInZhbHVlIjoiU09IIEhBTyBGRU5HIn19LCJpc3MiOiJodHRwczovL2lkLnNpbmdwYXNzLmdvdi5zZy9mYXBpIiwic3ViIjoiZDQ1ZDhmMjEtNjE3OC00NzEzLWI5NjItODYzNWVkMmE5NDVhIiwiYXVkIjoiVDVzTTVhNTNZYXczVVJ5REV2Mnk5MTI5Q2JFbENOMkYiLCJpYXQiOjE3NDY2NzgwODl9.Tmvh5V_BN0fMBgqa2-Z4vG_Ayp_OoeWfyQrWMZjG9y9NBFwyRnjMpwDK_qFzkn_0D7AjOX-np6p3Nk5KFwvKiA Copy { "person_info": { "uinfin": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "S9000001B" }, "name": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "SOH HAO FENG" } }, // above scopes are returned in the same format as the Myinfo Get Person response "iss": "https://id.singpass.gov.sg/fapi", "sub": "d45d8f21-6178-4713-b962-8635ed2a945a", "aud": "T5sM5a53Yaw3URyDEv2y9129CbElCN2F", "iat": 1746678089 } Copy { "error": "invalid_dpop_proof", "error_description": "Failed to verify DPoP proof JWT" } Copy HTTP/1.1 401 Unauthorized WWW-Authenticate: DPoP error="invalid_dpop_proof", error_description="Failed to verify DPoP proof JWT" --- # Proof Key for Code Exchange (PKCE) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#overview) Overview ---------------------------------------------------------------------------------------------------------------------------------------------------------- Proof Key for Code Exchange (PKCE) is a security mechanism specified in [RFC 7636arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7636) . It ensures that only you, the requester of the authorization code, can use the authorization code during [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange) . PKCE works in tandem with [client assertions](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) and [DPoP](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) in order to prevent authorization code interception attacks, which is a type of attack where attackers gain access to the authorization code (e.g. via malware installed on the user's device) and use it to obtain a user's access token. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#how-to-implement-pkce) How To Implement PKCE ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ PKCE is used in two parts of the flow: the [Pushed Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) and the Token Exchange. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#authorization-request) Authorization Request PKCE requires you to send two additional parameters in the Pushed Authorization Request: the `code_challenge` and `code_challenge_method`. You should follow the steps below to understand how to send these parameters. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#id-1.-generate-a-code-verifier) 1\. Generate a code verifier You should generate a **high-entropy random string** between 43-128 characters long, containing only alphanumeric characters, dashes, and underscores. This string **must** be different for every request. chevron-rightExample code verifier[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#example-code-verifier) `6I9tQd5tKn7Uy9ZfwEqd-YC71gSVfzcfVcyXLc34vQo` #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#id-2.-generate-a-code-challenge-from-the-code-verifier) 2\. Generate a code challenge from the code verifier The code challenge is generated by hashing the code verifier using the SHA-256 algorithm, then encoding the result using base64url encoding. Take note that base64url encoding is not the same as base64 encoding. chevron-rightExample code challenge[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#example-code-challenge) `hu0mAmPq8n91vRqudsGmriiG7blJDJS0bsDeOmEt17M` #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#id-3.-send-the-code-challenge-and-code-challenge-method-in-the-pushed-authorization-request) 3\. Send the code challenge and code challenge method in the Pushed Authorization Request When you send the Pushed Authorization Request, you must include the code challenge generated in step 2 as the `code_challenge` parameter, and also send the `code_challenge_method` with the value of `S256`. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#id-4.-store-the-code-verifier-in-session-storage) 4\. Store the code verifier in session storage You must store the code verifier in your backend and associate it with the user's session, as you will need it later during Token Exchange. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#token-exchange) Token Exchange During token exchange, you must pass the code verifier that you had used to generate the code challenge for this authentication request as the `code_verifier` parameter in the request body. This serves as proof that you were the original generator of the `code_challenge`. [PreviousGeneration Of Client Assertionchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) [NextDemonstrating Proof of Possession (DPoP)chevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) Last updated 2 months ago Was this helpful? * [Overview](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#overview) * [How To Implement PKCE](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#how-to-implement-pkce) * [Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#authorization-request) * [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce#token-exchange) Was this helpful? --- # Local Registered Birth Records and Sponsored Child Records | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Local Registered Birth Records and Sponsored Child Records are available via Myinfo. Details available in [Myinfo data cataloguearrow-up-right](https://docs.developer.singpass.gov.sg/singpass-developer-docs/data-catalog-myinfo/catalog) . Note that the records are only based on ICA's electronic birth certificate records from 1985 onwards. If the children or sponsored children are 21 and above, only the Birth Cert Number or NRIC/FIN will be displayed. Local Registered Birth Records refer to local Singapore registered birth records. Children birth records are available in both parents' Myinfo data. Sponsored Child Records refer to children born outside Singapore. Sponsored children records are only available in the sponsoring parent's Myinfo data based on ICA's record. You can derive son, daughter or guardian relationship using children birth or sponsored children records. Spouse records are not available via Myinfo. If the marriage is registered in Singapore, Marriage Certificate Number and Marriage Date is available via Myinfo. We have observed partners retrieving both husband and wife's Marriage details to verify spouse relationship. [PreviousUnderstanding the Datachevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data) [NextCPF Contribution History (up to 15 months)chevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/cpf-contribution-history-up-to-15-months) Last updated 11 months ago Was this helpful? Was this helpful? --- # Understanding the Data | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [Local Registered Birth Records and Sponsored Child Recordschevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/local-registered-birth-records-and-sponsored-child-records) [CPF Contribution History (up to 15 months)chevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/cpf-contribution-history-up-to-15-months) [Notice of Assessment (Basic)chevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/notice-of-assessment-basic) [Notice of Assessment (Detailed)chevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/notice-of-assessment-detailed) [PreviousPricingchevron-left](https://docs.developer.singpass.gov.sg/docs/pricing/pricing) [NextLocal Registered Birth Records and Sponsored Child Recordschevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/local-registered-birth-records-and-sponsored-child-records) Last updated 2 months ago Was this helpful? Was this helpful? --- # API Specifications | (Legacy) Myinfo (v3/v4) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Please see [API Specification v3.2arrow-up-right](https://public.cloud.myinfo.gov.sg/myinfo/api/myinfo-kyc-v3.2.html) for indepth specification ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#get-com-v3-authorise) Authorise get https://sandbox.api.myinfo.gov.sgSandboxchevron-down https://sandbox.api.myinfo.gov.sghttps://test.api.myinfo.gov.sghttps://api.myinfo.gov.sg /com/v3/authorisecopy This API triggers SingPass login and obtain consent for the user to retrieve user's data from MyInfo. Once the user has authenticated and consented, an authorisation code (authcode) will be returned together with the state for verification via the callback URL defined. The authcode can then be used to retrieve an access token via the Token API. **Note:** This API is public and should be implemented as a link or button on your online webpage. **Note:** For partners integrating via android mobile application, please ensure that the "setDomStorageEnable" attribute is enabled. Query parameters authmodestring · enumOptional Mode of authentication used to obtain user consent. Default is "SINGPASS". Default: `SINGPASS`Possible values: `SINGPASS``MOBILEID` purposestringRequired State the purpose for requesting the data. This will be shown to the user for his consent. response\_typestringOptional Response type for authorisation code flow - must be "code". Default: `code` attributesstring\[\]Required Comma separated list of attributes requested. Possible attributes are listed in the scopes of the OAuth2 Security Schema above. Example: `name,hanyupinyinname` statestringRequired Identifier that represents the user's session/transaction with the client for reconciling query and response. The same value will be sent back via the callback URL. Use a unique system generated number for each user/transaction. redirect\_uristringRequired Your callback URL for MyInfo to return with the authorisation code. client\_idstringRequired Unique ID for your application. Example: `STG-180099999K-TEST01` login\_typestring · enumOptional Pilot for SingPass-QR-only-login using SingPass Mobile. SingPass-QR-only-login is enabled by specifying this parameter with value set to `QR`. Note that this only applies to digital service on-boarded to perform SingPass-QR-only-login. Default: `SINGPASS`Possible values: `SINGPASS``QR` appLaunchURLstringOptional Url scheme to launch back your mobile app after successful authentication using SingPass mobile. Responses chevron-right 302 Service will redirect all responses to 'redirect\_uri' with additional parameters added as response results. Expected parameters include: * **code**: this is the authorisation code you will use when calling the token endpoint * **state**: this should be the same state passed in your initial URL. * **error**: if there are any errors encountered, the error code will be given in this parameter. * **'500'** - Unknown or other server side errors. * **'503'** - MyInfo under maintenance. Error description will also be given in error\_description parameter. * **'access\_denied'** - When user did not give consent, refer to error\_description parameter for the reason. * **error\_description**: if error is 'access\_denied' i.e. user did not give consent, the description will be 'Resource Owner did not authorize the request'. **Note:** If user closes the browser window prematurely, there will be no callback to the 'redirect\_uri'. Therefore it is important for you to check the 'state' to verify that the transaction is the same. No content get /com/v3/authorise JavaScript Test it 302 Service will redirect all responses to 'redirect\_uri' with additional parameters added as response results. Expected parameters include: * **code**: this is the authorisation code you will use when calling the token endpoint * **state**: this should be the same state passed in your initial URL. * **error**: if there are any errors encountered, the error code will be given in this parameter. * **'500'** - Unknown or other server side errors. * **'503'** - MyInfo under maintenance. Error description will also be given in error\_description parameter. * **'access\_denied'** - When user did not give consent, refer to error\_description parameter for the reason. * **error\_description**: if error is 'access\_denied' i.e. user did not give consent, the description will be 'Resource Owner did not authorize the request'. **Note:** If user closes the browser window prematurely, there will be no callback to the 'redirect\_uri'. Therefore it is important for you to check the 'state' to verify that the transaction is the same. No content ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#post-com-v3-token) Token post https://sandbox.api.myinfo.gov.sgSandboxchevron-down https://sandbox.api.myinfo.gov.sghttps://test.api.myinfo.gov.sghttps://api.myinfo.gov.sg /com/v3/tokencopy This API generates an access token when presented with a valid authcode obtained from the Authorise API. This token can then be used to request for the user's data that were consented. Authorizations PKISignchevron-down PKISign HTTPRequired PKI digital signature for server to server calls. See [Request Signing](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#section/Security/Request-Signing) for more details. Header parameters AuthorizationstringRequired Add authorization token constructed containing the RSA digital signature of the base string. Refer to [https://api.singpass.gov.sg/library/myinfo/developers/tutorial3](https://api.singpass.gov.sg/library/myinfo/developers/tutorial3) on how this token should be generated. **Note:** This header is not required when calling Sandbox API. Body application/x-www-form-urlencodedchevron-down application/x-www-form-urlencoded codestringRequired The authcode given by the authorise API. grant\_typestringOptional Grant type for getting token (default "authorization\_code") Default: `authorization_code` client\_secretstringRequired Secret key given to your application during onboarding. client\_idstringRequired Unique ID for your application. redirect\_uristringRequired Application's callback URL. statestringOptional Identifier that represents the user's session with the client, provided earlier during the authorise API call. Responses chevron-right 200 OK. Returning a JSON object which contains the authorization access token (JWT) that will be used to retrieve the data from MyInfo. application/json chevron-right 400 Possible scenarios: * Same authcode in the body is being re-used. We do not allow same authcode being used in multiple calls. Ensure that authcode is not repeated. * AuthCode error - missing, invalid, expired, revoked application/json chevron-right 401 Unauthorized. Possible scenarios: * No security header given (HTTP 'Authorization' header) * Invalid App ID used. Digital service is not registered with MyInfo * Invalid client secret used. * The timestamp of server is not synchronised. Check timestamp of server. * The value of the nonce in the authorisation header was deemed to be repeated. Check that the nonce is not re-used * Ensure HTTP 'Authorization' header to be 'PKI\_SIGN' * Signature incorrect - Verify your signature by using our signature verifier tool and ensure correct key is used to sign the base string. * Ensure that base string contains all parameters required * Ensure attributes in base string are separate by comma(,), and not %2C * Ensure that correct key is used to sign the base string * Ensure that HTTP call is made with the same query/body parameters used to formulate the base string. * Ensure the base string contains the following: 1. HTTP GET method(in uppercase) 2. API (e.g. https://..) 3. These parameters: \* app\_id \* nonce \* signature \* signature\_method \* timestamp application/json chevron-right 403 Forbidden Possible scenarios: * Incorrect API URL used. Refer to tutorial for the correct API URL(test/production) application/json chevron-right 500 Unexpected error. Check response body for actual error. application/json post /com/v3/token NodeJS Test it 200 OK. Returning a JSON object which contains the authorization access token (JWT) that will be used to retrieve the data from MyInfo. chevron-down ### [hashtag](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#get-com-v3-person-sub) Person get https://sandbox.api.myinfo.gov.sgSandboxchevron-down https://sandbox.api.myinfo.gov.sghttps://test.api.myinfo.gov.sghttps://api.myinfo.gov.sg /com/v3/person/{sub}/copy This API returns user's data from MyInfo when presented with a valid access token obtained from the Token API. **Note:** Null value indicates that an attribute is unavailable. Authorizations OAuth2 & PKISignchevron-down OAuth2 & PKISign OAuth2authorizationCodeRequired The following are the available OAuth2 scopes for MyInfo APIs Authorization URL: /com/v3/authoriseToken URL: /com/v3/token HTTPRequired PKI digital signature for server to server calls. See [Request Signing](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#section/Security/Request-Signing) for more details. Path parameters substringRequired Identifier of user obtained from 'sub' attribute in access token. May be UINFIN or UUID. Example: `9E9B2260-47B8-455B-89B5-C48F4DB98322` Query parameters txnNostringOptional Transaction ID from requesting digital services for cross referencing. attributesstring\[\]Required Comma separated list of attributes requested. Possible attributes are listed in the scopes of the OAuth2 Security Schema above. Example: `name,hanyupinyinname` client\_idstringRequired Unique ID for your application. Example: `STG-180099999K-TEST01` subentitystringOptional UEN of SaaS partner's client that will be receiving the person data. Example: `180099736H` Header parameters AuthorizationanyRequired Add authorization token constructed containing the RSA digital signature of the base string. Refer to [https://api.singpass.gov.sg/library/myinfo/developers/tutorial3](https://api.singpass.gov.sg/library/myinfo/developers/tutorial3) on how this token should be generated. Also include the access token (JWT) from /token API in your header prefixed with 'Bearer'. **Note:** Only the Bearer token is required when calling Sandbox API. Responses chevron-right 200 OK. **Note:** * Response Content-Type will be 'application/jose', which is a JSON object conforming to the JWE standard ([https://tools.ietf.org/html/rfc7516](https://tools.ietf.org/html/rfc7516) ). * Response contents are first signed, then encrypted. In order to access the data, your application should do the following steps in order: 1. Decrypt the payload with your application's private key. 2. Validate the decrypted payload signature with our public key. * After doing the above steps, your application will be able to extract the payload in JSON format. application/json chevron-right 401 Unauthorized. Possible scenarios: * No security header given (HTTP 'Authorization' header) * Invalid App ID used. Digital service is not registered with MyInfo * The timestamp of server is not synchronised. Check timestamp of server. * The value of the nonce in the authorisation header was deemed to be repeated. Check that the nonce is not re-used * Ensure HTTP 'Authorization' header to be 'PKI\_SIGN' * Signature incorrect - Verify your signature by using our signature verifier tool and ensure correct key is used to sign the base string. * Ensure that base string contains all parameters required * Ensure attributes in base string are separate by comma(,), and not %2C * Ensure that correct key is used to sign the base string * Ensure that HTTP call is made with the same query/body parameters used to formulate the base string. * Ensure the base string contains the following: 1. HTTP GET method(in uppercase) 2. API (e.g. https://..) 3. These parameters: \* app\_id \* nonce \* signature \* signature\_method \* timestamp * The requested 'sub' does not match the identifier of the person who logged in * Requested attributes do not match the attributes consented by person. This happens if the list of attributes in your request are different from the attributes specified when calling the token API. Details will be given in the error object returned. application/json chevron-right 403 Forbidden Possible scenarios: * Incorrect API URL used. Refer to tutorial for the correct API URL(test/production) * Request contains attributes not allowable for the digital service. application/json chevron-right 404 Not Found. Possible scenarios. * Missing MyInfo profile due to UIN/FIN accessing his MyInfo account less than a day after SingPass account activation. application/json chevron-right 500 Unexpected error. Check response body for actual error. application/json get /com/v3/person/{sub}/ NodeJS Test it 200 OK. **Note:** * Response Content-Type will be 'application/jose', which is a JSON object conforming to the JWE standard ([https://tools.ietf.org/html/rfc7516](https://tools.ietf.org/html/rfc7516) ). * Response contents are first signed, then encrypted. In order to access the data, your application should do the following steps in order: 1. Decrypt the payload with your application's private key. 2. Validate the decrypted payload signature with our public key. * After doing the above steps, your application will be able to extract the payload in JSON format. chevron-down [PreviousTechnical Guidelineschevron-left](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/technical-guidelines) [NextLatest X.509 Public Key Certificatechevron-right](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/latest-x.509-public-key-certificate) Last updated 1 year ago Was this helpful? * [GETAuthorise](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#get-com-v3-authorise) * [POSTToken](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#post-com-v3-token) * [GETPerson](https://docs.developer.singpass.gov.sg/docs/legacy-myinfo-v3-v4/technical-specifications/myinfo-v3/api-specifications#get-com-v3-person-sub) Was this helpful? Copy function callAuthoriseApi() { var authoriseUrl = authApiUrl + "?client_id=" + clientId + "&attributes=" + attributes + "&purpose=" + purpose + "&state=" + state + "&redirect_uri=" + redirectUrl; window.location = authoriseUrl; } Copy // function to prepare request for TOKEN API function createTokenRequest(code) { var cacheCtl = "no-cache"; var contentType = "application/x-www-form-urlencoded"; var method = "POST"; var request = null; // preparing the request with header and parameters // assemble params for Token API var strParams = "grant_type=authorization_code" + "&code=" + code + "&redirect_uri=" + _redirectUrl + "&client_id=" + _clientId + "&client_secret=" + _clientSecret; var params = querystring.parse(strParams); // assemble headers for Token API var strHeaders = "Content-Type=" + contentType + "&Cache-Control=" + cacheCtl; var headers = querystring.parse(strHeaders); // Sign request and add Authorization Headers var authHeaders = generateAuthorizationHeader( _tokenApiUrl, params, method, contentType, _authLevel, _clientId, _privateKeyContent, _clientSecret ); if (!_.isEmpty(authHeaders)) { _.set(headers, "Authorization", authHeaders); } var request = restClient.post(_tokenApiUrl); // Set headers if (!_.isUndefined(headers) && !_.isEmpty(headers)) request.set(headers); // Set Params if (!_.isUndefined(params) && !_.isEmpty(params)) request.send(params); return request; } Copy { "access_token": { "sub": "text", "scope": "text", "nbf": "text", "iss": "text", "txnid": "text", "client": { "client_id": "STG2-MYINFO-SELF-TEST", "client_name": "Myinfo Self Test App", "entity_uen": "T16GB0002G", "entity_name": "GovTech" }, "subentity": { "subclient_id": "text", "subclient_name": "text", "entity_name": "text", "entity_uen": "text", "whitelist": true }, "expires_in": "text", "iat": "text", "exp": "text", "realm": "text", "aud": "text", "jti": "text", "cnf": { "jkt": "text" }, "jku": "text", "epk": { "use": "enc", "alg": "ECDH-ES+A256KW", "kty": "EC", "kid": "M-JXqh0gh1GGUUdzNue3IUDyUiagqjHathnscUk2nS8", "crv": "P-256", "x": "qrR8PAUO6fDouV-6mVdix5IyrVMtu0PVS0nOqWBZosA", "y": "6xSbySYW6ke2V727TCgSOPiH4XSDgxFCUrAAMSbl9tI" } }, "token_type": "Bearer", "expires_in": 1, "scope": "text" } Copy // function to prepare request for PERSON API function createPersonRequest(sub, validToken) { var url = _personApiUrl + "/" + sub + "/"; var cacheCtl = "no-cache"; var method = "GET"; var request = null; // assemble params for Person API var strParams = "client_id=" + _clientId + "&attributes=" + _attributes; var params = querystring.parse(strParams); // assemble headers for Person API var strHeaders = "Cache-Control=" + cacheCtl; var headers = querystring.parse(strHeaders); var authHeaders; // Sign request and add Authorization Headers authHeaders = generateAuthorizationHeader( url, params, method, "", // no content type needed for GET _authLevel, _clientId, _privateKeyContent, _clientSecret ); if (!_.isEmpty(authHeaders)) { _.set(headers, "Authorization", authHeaders + ",Bearer " + validToken); } else { // NOTE: include access token in Authorization header as "Bearer " (with space behind) _.set(headers, "Authorization", "Bearer " + validToken); } // invoke person API var request = restClient.get(url); // Set headers if (!_.isUndefined(headers) && !_.isEmpty(headers)) request.set(headers); // Set Params if (!_.isUndefined(params) && !_.isEmpty(params)) request.query(params); return request; } Copy { "partialuinfin": { "value": "*****111D", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "uinfin": { "value": "S1111111D", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "name": { "value": "TAN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hanyupinyinname": { "value": "CHEN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "aliasname": { "value": "TRICIA TAN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hanyupinyinaliasname": { "value": "TRICIA CHEN XIAO HUI", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "marriedname": { "value": "", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "sex": { "code": "F", "desc": "FEMALE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "race": { "code": "CN", "desc": "CHINESE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "secondaryrace": { "code": "EU", "desc": "EURASIAN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "dialect": { "code": "SG", "desc": "SWISS GERMAN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "nationality": { "code": "SG", "desc": "SINGAPORE CITIZEN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "dob": { "value": "1958-05-17", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "birthcountry": { "code": "SG", "desc": "SINGAPORE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "residentialstatus": { "code": "C", "desc": "CITIZEN", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passportnumber": { "value": "E35463874W", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passportexpirydate": { "value": "2020-01-01", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "regadd": { "type": "SG", "block": { "value": "548" }, "building": { "value": "" }, "floor": { "value": "09" }, "unit": { "value": "128" }, "street": { "value": "BEDOK NORTH AVENUE 1" }, "postal": { "value": "460548" }, "country": { "code": "SG", "desc": "SINGAPORE" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "housingtype": { "code": "123", "desc": "TERRACE HOUSE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hdbtype": { "code": "112", "desc": "2-ROOM FLAT (HDB)", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "hdbownership": [\ {\ "noofowners": {\ "value": 2\ },\ "address": {\ "type": "SG",\ "block": {\ "value": "548"\ },\ "building": {\ "value": ""\ },\ "floor": {\ "value": "09"\ },\ "unit": {\ "value": "128"\ },\ "street": {\ "value": "BEDOK NORTH AVENUE 1"\ },\ "postal": {\ "value": "460548"\ },\ "country": {\ "code": "SG",\ "desc": "SINGAPORE"\ }\ },\ "hdbtype": {\ "code": "112",\ "desc": "2-ROOM FLAT (HDB)"\ },\ "leasecommencementdate": {\ "value": "2008-06-13"\ },\ "termoflease": {\ "value": 99\ },\ "dateofpurchase": {\ "value": "2008-06-13"\ },\ "dateofownershiptransfer": {\ "value": "2018-06-13"\ },\ "loangranted": {\ "value": 310000.01\ },\ "originalloanrepayment": {\ "value": 25\ },\ "balanceloanrepayment": {\ "years": {\ "value": 2\ },\ "months": {\ "value": 6\ }\ },\ "outstandingloanbalance": {\ "value": 50000.01\ },\ "monthlyloaninstalment": {\ "value": 1000.01\ },\ "outstandinginstalment": {\ "value": 1000.01\ },\ "purchaseprice": {\ "value": 1000.01\ },\ "classification": "C",\ "source": "1",\ "lastupdated": "2019-03-26"\ }\ ], "ownerprivate": { "value": false, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "email": { "value": "[email protected]", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "mobileno": { "prefix": { "value": "+" }, "areacode": { "value": "65" }, "nbr": { "value": "66132665" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "marital": { "code": "2", "desc": "MARRIED", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "marriagecertno": { "value": "123456789012345", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "countryofmarriage": { "code": "SG", "desc": "SINGAPORE", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "marriagedate": { "value": "2007-01-01", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "divorcedate": { "value": "", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "childrenbirthrecords": [\ {\ "birthcertno": {\ "value": "S5562882C"\ },\ "name": {\ "value": "Jo Tan Pei Ni"\ },\ "hanyupinyinname": {\ "value": "Cheng Pei Ni"\ },\ "aliasname": {\ "value": ""\ },\ "hanyupinyinaliasname": {\ "value": ""\ },\ "marriedname": {\ "value": ""\ },\ "sex": {\ "code": "F",\ "desc": "FEMALE"\ },\ "race": {\ "code": "CN",\ "desc": "CHINESE"\ },\ "secondaryrace": {\ "code": "",\ "desc": ""\ },\ "dialect": {\ "code": "HK",\ "desc": "HOKKIEN"\ },\ "lifestatus": {\ "code": "D",\ "desc": "DECEASED"\ },\ "dob": {\ "value": "2011-09-10"\ },\ "tob": {\ "value": "0901"\ },\ "vaccinationrequirements": [\ {\ "requirement": {\ "code": "1M3D",\ "desc": "MINIMUM VACCINATION REQUIREMENT FOR PRESCHOOL"\ },\ "fulfilled": {\ "value": true\ }\ }\ ],\ "sgcitizenatbirthind": {\ "value": "Y"\ },\ "classification": "C",\ "source": "1",\ "lastupdated": "2019-03-26"\ }\ ], "sponsoredchildrenrecords": [\ {\ "nric": {\ "value": "S5562882C"\ },\ "name": {\ "value": "Jo Tan Pei Ni"\ },\ "hanyupinyinname": {\ "value": "Cheng Pei Ni"\ },\ "aliasname": {\ "value": ""\ },\ "hanyupinyinaliasname": {\ "value": ""\ },\ "marriedname": {\ "value": ""\ },\ "sex": {\ "code": "F",\ "desc": "FEMALE"\ },\ "race": {\ "code": "CN",\ "desc": "CHINESE"\ },\ "secondaryrace": {\ "code": "",\ "desc": ""\ },\ "dialect": {\ "code": "HK",\ "desc": "HOKKIEN"\ },\ "dob": {\ "value": "2011-09-10"\ },\ "birthcountry": {\ "code": "SG",\ "desc": "SINGAPORE"\ },\ "lifestatus": {\ "code": "A",\ "desc": "ALIVE"\ },\ "residentialstatus": {\ "code": "C",\ "desc": "Citizen"\ },\ "nationality": {\ "code": "SG",\ "desc": "SINGAPORE CITIZEN"\ },\ "scprgrantdate": {\ "value": "2015-06-13"\ },\ "vaccinationrequirements": [\ {\ "requirement": {\ "code": "1M3D",\ "desc": "MINIMUM VACCINATION REQUIREMENT FOR PRESCHOOL"\ },\ "fulfilled": {\ "value": true\ }\ }\ ],\ "classification": "C",\ "source": "1",\ "lastupdated": "2019-03-26"\ }\ ], "occupation": { "value": "", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "employment": { "value": "ALPHA", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passtype": { "code": "RPass", "desc": "Work Permit", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passstatus": { "value": "Live", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "passexpirydate": { "value": "2022-12-31", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "employmentsector": { "value": "MANUFACTURING", "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "vehicles": { "0": { "classification": "C", "source": "1", "lastupdated": "2019-03-26" } }, "drivinglicence": { "comstatus": { "code": "Y", "desc": "ELIGIBLE" }, "totaldemeritpoints": { "value": 0 }, "suspension": { "startdate": { "value": "" }, "enddate": { "value": "" } }, "disqualification": { "startdate": { "value": "" }, "enddate": { "value": "" } }, "revocation": { "startdate": { "value": "" }, "enddate": { "value": "" } }, "pdl": { "validity": { "code": "V", "desc": "VALID" }, "expirydate": { "value": "2020-06-15" }, "classes": [\ {\ "class": {\ "value": "2A"\ }\ },\ {\ "class": {\ "value": "3A"\ }\ }\ ] }, "qdl": { "validity": { "code": "V", "desc": "VALID" }, "expirydate": { "value": "2020-06-15" }, "classes": [\ {\ "class": {\ "value": "2A"\ },\ "issuedate": {\ "value": "2018-06-06"\ }\ },\ {\ "class": {\ "value": "3A"\ },\ "issuedate": {\ "value": "2018-06-06"\ }\ }\ ] }, "photocardserialno": { "value": "115616" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "academicqualifications": { "transcripts": [\ {\ "name": {\ "value": "SINGAPORE-CAMBRIDGE GENERAL CERTIFICATE OF EDUCATION ORDINARY LEVEL"\ },\ "yearattained": {\ "value": "2018"\ },\ "results": [\ {\ "subject": {\ "value": "English Language"\ },\ "level": {\ "value": "Ordinary"\ },\ "grade": {\ "value": "A"\ },\ "subsubject": {\ "value": "SPECIAL PAPER"\ },\ "subgrade": {\ "value": "One"\ }\ }\ ],\ "explanatorynotes": {\ "value": "text"\ }\ }\ ], "certificates": [\ {\ "name": {\ "value": "nus.opencert"\ },\ "content": {\ "value": "text"\ },\ "opencertificate": {\ "id": {\ "value": 100000000343840\ },\ "primary": {\ "value": true\ }\ },\ "opencertificateindicator": {\ "value": true\ }\ }\ ], "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "merdekagen": { "eligibility": { "value": true }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "pioneergen": { "eligibility": { "value": true }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "noa-basic": { "amount": { "value": 100000.01 }, "yearofassessment": { "value": "2018" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "noa": { "amount": { "value": 100000.01 }, "yearofassessment": { "value": "2018" }, "employment": { "value": 100000.01 }, "trade": { "value": 0 }, "rent": { "value": 0 }, "interest": { "value": 0 }, "taxclearance": { "value": "N" }, "category": { "value": "ORIGINAL" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "noahistory-basic": { "noas": [\ {\ "amount": {\ "value": 100000.01\ },\ "yearofassessment": {\ "value": "2018"\ }\ }\ ], "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "noahistory": { "noas": [\ {\ "amount": {\ "value": 100000.01\ },\ "yearofassessment": {\ "value": "2018"\ },\ "employment": {\ "value": 100000.01\ },\ "trade": {\ "value": 0\ },\ "rent": {\ "value": 0\ },\ "interest": {\ "value": 0\ },\ "taxclearance": {\ "value": "N"\ },\ "category": {\ "value": "ORIGINAL"\ }\ }\ ], "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "cpfcontributions": { "history": [\ {\ "date": {\ "value": "2016-12-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2016-11"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2016-12-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2016-12"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2016-12-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2016-12"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-01-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2016-12"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-01-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-01"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-01-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-01"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-02-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-01"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-02-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-02"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-02-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-02"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-03-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-02"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-03-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-03"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-03-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-03"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-04-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-03"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-04-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-04"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-04-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-04"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-05-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-04"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-05-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-05"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-05-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-05"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-06-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-05"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-06-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-06"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-06-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-06"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-07-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-06"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-07-12"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-07"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-07-21"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-07"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-08-01"\ },\ "amount": {\ "value": 500\ },\ "month": {\ "value": "2017-07"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "date": {\ "value": "2017-08-12"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-08"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-08-21"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-08"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-09-01"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-08"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-09-12"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-09"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-09-21"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-09"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-10-01"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-09"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-10-12"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-10"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-10-21"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-10"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-11-01"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-10"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-11-12"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-11"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-11-21"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-11"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-12-01"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-11"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-12-12"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-12"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2017-12-21"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-12"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2018-01-01"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2017-12"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2018-01-12"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2018-01"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "date": {\ "value": "2018-01-21"\ },\ "amount": {\ "value": 750\ },\ "month": {\ "value": "2018-01"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ }\ ], "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "cpfemployers": { "history": [\ {\ "month": {\ "value": "2016-11"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2016-12"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2016-12"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2016-12"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-01"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-01"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-01"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-02"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-02"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-02"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-03"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-03"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-03"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-04"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-04"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-04"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-05"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-05"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-05"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-06"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-06"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-06"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-07"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-07"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-07"\ },\ "employer": {\ "value": "Crystal Horse Invest Pte Ltd"\ }\ },\ {\ "month": {\ "value": "2017-08"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-08"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-08"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-09"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-09"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-09"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-10"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-10"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-10"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-11"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-11"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-11"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-12"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-12"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2017-12"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2018-01"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ },\ {\ "month": {\ "value": "2018-01"\ },\ "employer": {\ "value": "Delta Marine Consultants PL"\ }\ }\ ], "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "cpfbalances": { "ma": { "value": 11470.71, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "oa": { "value": 1581.48, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "sa": { "value": 21967.09, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "ra": { "value": 0.01, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "cpfhousingwithdrawal": { "withdrawaldetails": [\ {\ "address": {\ "type": "SG",\ "block": {\ "value": "548"\ },\ "building": {\ "value": ""\ },\ "floor": {\ "value": "09"\ },\ "unit": {\ "value": "128"\ },\ "street": {\ "value": "BEDOK NORTH AVENUE 1"\ },\ "postal": {\ "value": "460548"\ },\ "country": {\ "code": "SG",\ "desc": "SINGAPORE"\ }\ },\ "accruedinterestamt": {\ "value": 1581.48\ },\ "monthlyinstalmentamt": {\ "value": 1196.09\ },\ "principalwithdrawalamt": {\ "value": 2897.01\ },\ "totalamountofcpfallowedforproperty": {\ "value": 10000.01\ }\ }\ ], "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "cpfhomeprotectionscheme": { "coverage": { "value": true }, "premium": { "value": 100.01 }, "shareofcover": { "value": 20 }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "cpfdependantprotectionscheme": { "coverage": { "value": true }, "insurercode": { "value": "9GEL" }, "sumassuredamount": { "value": 70000 }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "cpfinvestmentscheme": { "sdsnetshareholdingqty": { "value": 1360, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "account": { "agentbankcode": { "value": "OCBC" }, "invbankacctno": { "value": "098-26644-4" }, "classification": "C", "source": "1", "lastupdated": "2019-03-26" }, "saqparticipationstatus": { "code": "X", "desc": "Participated", "classification": "C", "source": "1", "lastupdated": "2019-03-26" } } } --- # Pricing | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#price-plans) Price Plans --------------------------------------------------------------------------------------------------- #### [hashtag](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#government-agencies) **Government Agencies** For Government Agencies, please refer to the official government pricing plan shared via WOG intranet here - [https://gccprod.sharepoint.com/sites/GOVTECH-digitalgov/Singpass-and-Corppass/SitePages/Price-Plan.aspxarrow-up-right](https://gccprod.sharepoint.com/sites/GOVTECH-digitalgov/Singpass-and-Corppass/SitePages/Price-Plan.aspx) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#private-organisations) Private Organisations For Private Organisations, pricing details are available on the Singpass Developer Portal. 1. Log in to developer.singpass.gov.sg 2. Navigate to the billing tab - [https://developer.singpass.gov.sg/billingarrow-up-right](https://developer.singpass.gov.sg/billing) 3. Select the Pricing Plan tab to view the applicable pricing details You may also refer to this [guide](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/view-singpass-service-agreement) for step-by-step instructions on how to access the price plan. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#myinfo-pricing-model) Myinfo Pricing Model To reflect economies of scale and the varying value of data provided, Myinfo uses a differentiated pricing model based on the data scopes retrieved by an e-service. **Updated Pricing Structure** To better align cost with data value, Myinfo transactions are categorised into two pricing tiers: #### [hashtag](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#myinfo-standard) Myinfo Standard Applies to e-services that retrieve personal non-financial profile data scopes. Examples include basic personal particulars and non-financial attributes. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#myinfo-plus) Myinfo Plus Applies to e-services that retrieve personal financial profile data scopes, including the following: **CPF Data** • Ordinary Account • Medisave Account • Retirement Account • Special Account • CPF Contribution History (up to 15 months) • CPF Housing Withdrawal **Income & Property Data** • NOA Basic (Latest Year) • NOA Basic (Last 2 Years) • NOA Detailed (Latest Year) • NOA Detailed (Last 2 Years) • Ownership of Private Residential Property **CPF Investment Scheme** • CPF Investment Scheme Account • Number of Discounted Singtel Shares • Self-Awareness Questionnaire (SAQ) Participation Status #### [hashtag](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#important-notes) Important Notes * Pricing is determined based on the highest-value data scope retrieved by the e-service. * If your e-service retrieves any Myinfo Plus data scope, the transaction will be charged under Myinfo Plus. * Detailed pricing rates are available in the Singpass Developer Portal. [PreviousError Responsechevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/error-response) [NextUnderstanding the Datachevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data) Last updated 2 months ago Was this helpful? * [Price Plans](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#price-plans) * [Myinfo Pricing Model](https://docs.developer.singpass.gov.sg/docs/pricing/pricing#myinfo-pricing-model) Was this helpful? --- # Notice of Assessment (Detailed) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Notice of Assessment (Detailed) data field, includes the following income breakdown: a) Employment b) Trade c) Rent d) Interest Additional details in this data field: a) Tax clearance : Indicator will be 'Y' for scenario where non-Singapore Citizen employee that ceases employment in Singapore, and goes on an overseas posting or plans to leave Singapore for more than three months. Only need to display this field if the value = 'Y'. b) Tax Category : Type of Income Tax Bill. For more details, click [herearrow-up-right](https://www.iras.gov.sg/irashome/Individuals/Locals/Paying-your-taxes-Claiming-refunds/How-to-Read-Your-Tax-Bill/) . [PreviousNotice of Assessment (Basic)chevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/notice-of-assessment-basic) [NextCatalogchevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog) Last updated 11 months ago Was this helpful? Was this helpful? --- # Myinfo Test Personas | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close We provide a set of Myinfo test personas with diverse attributes and metadata to help you simulate different user profiles when testing your Myinfo integration. These test personas are intended solely for Myinfo data retrieval and verification testing. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas#important-usage-notes) ⚠️ Important Usage Notes * **Do not** use these test personas for **Singpass Login** applications. These accounts are not meant to be used to test Singpass Login flows.If you need to populate email addresses or mobile numbers to your [staging accounts](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-test-account) for Login flow testing, please use the following form: https://go.gov.sg/sp-test-acc * Test persona details may change over time. The profile data associated with these personas is valid only at the time of testing. We may update, modify, or refresh persona attributes at any time without prior notice. * Do not hardcode values. Your integration should not rely on fixed persona attributes (e.g. names, emails, addresses) and should handle changes gracefully. [hashtag](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas#singpass-login-credentials) Singpass Login Credentials ---------------------------------------------------------------------------------------------------------------------------------------------- _(For Myinfo testing only)_ > Username: \[UINFIN reflected in first column of file\] Password: `Userinfo@2024` > These credentials are provided to support Myinfo test flows only and should not be used for production or Login app validation. Download the full list of test personas below: file-download 428KB [testprofile\_24FEB2026.csv](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2F2UAWTsALOrYoa2bu2dts%2Ftestprofile_24FEB2026.csv?alt=media&token=2d8de350-9579-490c-9b78-78cca3df5eb8) downloadDownload[arrow-up-right-from-squareOpen](https://2816701917-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FW3T7d7fy7OGYkZf4zVKU%2Fuploads%2F2UAWTsALOrYoa2bu2dts%2Ftestprofile_24FEB2026.csv?alt=media&token=2d8de350-9579-490c-9b78-78cca3df5eb8) Note: We updated the test profiles to reflect latest CPF transactions dates. [PreviousTesting with Singpass Appchevron-left](https://docs.developer.singpass.gov.sg/docs/testing/testing-with-singpass-app) [NextContactchevron-right](https://docs.developer.singpass.gov.sg/docs/more-information/contact) Last updated 1 month ago Was this helpful? * [⚠️ Important Usage Notes](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas#important-usage-notes) * [Singpass Login Credentials](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas#singpass-login-credentials) Was this helpful? --- # Overview of Singpass Flow | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. spinner [Previous(Legacy) Pre-FAPI 2.0 API Specificationschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api) [Next1\. Authorization Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint) Last updated 2 months ago Was this helpful? Was this helpful? --- # 3. The Token Request | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close The next step in the Singpass authentication flow is the token request. This involves making a POST request to our `**token_endpoint**` (as defined in our [OpenID configuration](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) ) to exchange an authorization code (obtained from the redirect URL) for an ID token and access token. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#request-body) Request Body -------------------------------------------------------------------------------------------------------------------------------------------------- You should send the request body in `application/x-www-form-urlencoded` format. The [DPoP header](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) containing the DPoP JWT proof should also be included in your request. The request body should have the following parameters: Parameter Description Data type `redirect_uri` The `redirect_uri` which you had used earlier when making the Authorization request. URL `grant_type` The grant being requested. Must be the string `authorization_code`, as mandated by OIDC specifications. `code` The authorization code issued by us, obtained via redirection back to your `redirect_url` in the previous step. A base64url-encoded string. `client_assertion_type` The type of client assertion. Must be the string `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, as mandated by OIDC specifications. `client_assertion` Your client assertion, which is used for authentication. Refer to our [guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) for instructions on how this should be generated. A string containing the signed JWT. `code_verifier` The code verifier which you have generated when constructing your authorization request. This is used as part of [PKCE](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce) . String containing only alphanumeric characters, dashes, and underscores, between 43-128 characters long. chevron-rightSample request[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#sample-request) Copy POST /fapi/token HTTP/1.1 Host: stg-id.singpass.gov.sg Content-Type: application/x-www-form-urlencoded DPoP: eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7ImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoiRTRhOHp0NTZuMnF3WmE3R1ZPdVV4SHMtUHNQWVIzYnVCNGhtcURyTnV3OCIsInkiOiJWQ3ktckFmN3dMOC1PeWlhdS1kS0dJdmN5THpTMHJULTFlQkxyTGVNM09NIn19.eyJqdGkiOiJiZmM5NWRmOS02NDVjLTQ4OTUtOTM5MS03OWFjMGYzMzI0YWEiLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnL2ZhcGkvdG9rZW4iLCJpYXQiOjE3NzA4MDU5MzMsImV4cCI6MTc3MDgwNjA1M30.ofhxMZLOme4Q5cQXii7bRyucH5A-xFUNJ0vJMlYSHacsV2oHyZJ2SWBsXXpsB4xHkzdwWamNldqoNZ-90-DYoA grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fcallback&code_verifier=-gMZo7Qjn113fE6Ri_OGnycEV3idiSkvbFcWIaQyQYQ&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhc0M3eTF3dUZtcXdDWHlzNlM1RW5hSUxOY3k0eUpEeCIsInN1YiI6ImFzQzd5MXd1Rm1xd0NYeXM2UzVFbmFJTE5jeTR5SkR4IiwiYXVkIjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnL2ZhcGkiLCJpYXQiOjE3NzA3OTEzMTgsImV4cCI6MTc3MDc5MTQzOCwianRpIjoiODJmMzE2MmYtMjMwNS00ZmRkLTk5MjUtZWJiZGY0ZTgzNjIxIn0.OoUXyRpjT3zismetrSerQwAD7zi5NnODnINDRjDnuYovVof1tOoU3B-JtQ7HqpLBypUfb147gWjwUsSA2F54XA&code=4C0sivAY9mUdYL9C3V6tccx38FdX7-4grP_ZRbhgNCI [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#response-body) Response Body ---------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#successful-response) Successful Response If the request was successful. we will return a response in `application/json` format which includes the following parameters: Parameter Description Data type `access_token` This is an encoded JWT that can be used to obtain user information using the UserInfo endpoint. For Login applications, you should parse the ID token directly instead of using this access token. Refer to the "[4\. Parsing the ID Tokenarrow-up-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) " section for guidance. This access token has a lifetime of 30 minutes. String `id_token` The encrypted ID token in JWT format, signed by us. More information on how to parse this ID token is available in the next page. String `token_type` The type of token being requested. This will always be `DPoP`, as mandated by FAPI 2.0 specifications. chevron-rightSample successful response body[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#sample-successful-response-body) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#error-response) Error Response If there was an error with the request, we will instead return a response body in `application/json` format with the following parameters: Parameter Description Data type `error` An error code identifying the type of error that has occurred. This will be an enum value. The possible values are detailed [below](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#possible-error-values) . `error_description` A human-readable text description of the error. String. This is optional. `error_uri` URI of a web page that includes additional information about the error URL. This is optional. chevron-rightSample error response[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#sample-error-response) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#possible-error-values) Possible error values The table below lists the possible values of `error` that we may return: error What this error indicates `invalid_request` The request had missing or invalid parameters. You should ensure that all the parameters follow the specifications listed above. This error will also be returned if you did not send the `DPoP` header in your request. `unsupported_grant_type` This means that you had passed a `grant_type` value which is not the value `authorization_code`. You should update your implementation to send `grant_type` as `authorization_code`. `invalid_grant` This can be caused by two possible issues: * The authorization code has expired. You should ensure that token exchange happens within 60 seconds of the authorization code being issued. * The `redirect_uri` provided is different from the one which you have sent in the Pushed Authorization Request `invalid_client` The `client_assertion` that you generated was invalid. Read our [guide on client assertions](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) and ensure that your implementation follows the guide. The method to generate the client assertion should be the same as the one used to generate the client assertion for the Pushed Authorization Request. `invalid_dpop_proof` The `DPoP` header which you have provided is invalid, expired, or malformed. Read our [DPoP guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) and ensure that your implementation follows the instructions in the guide. `server_error` The server encountered an unexpected error. You should check `error_description` to understand what was the cause of the error. This error can potentially be caused by your JWKS endpoint not being reachable. Read our guide on [JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#requirements-for-jwks) and ensure that you follow the requirements. In particular, your JWKS endpoint must be publicly accessible and should respond in a timely manner. If the cause was not your JWKS endpoint, you may perform up to 3 retries using an exponential backoff strategy. If the request still fails, you should guide users to alternative authentication methods. `temporarily_unavailable` The server is temporarily unavailable to handle the request. You may perform up to 3 retries using an exponential backoff strategy. If the request still fails, you should guide users to alternative authentication methods, or to guide them to try again some time later. [Previous2\. Handling the Redirectchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect) [Next4\. Parsing the ID Tokenchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) Last updated 1 month ago Was this helpful? * [Request Body](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#request-body) * [Response Body](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#response-body) * [Successful Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#successful-response) * [Error Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#error-response) Was this helpful? Copy { "id_token": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJraWQiOiJlbmMtMjAyNCIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6ImdwM2RVdWc5OWYwYTNoN0xxQzRqZllkQkVBbEtvamlTMkVlQmRXbE1idEUiLCJ5IjoiQlBCaFdkMmFEUjhiSWdaZ0RxQUp5VE96R0hRX2s5cjhqMGtiRFJyNkdRZyJ9fQ.9vW4Y2c4K3bTGGdviOKyCmeU-_akIhBxRYcfE8ZVHAWu_PIcO-wOOqjARbp2pE3nMfvDBK0-1spmIA-LKBWO-I2TMe0_Eijg.7vzyv750dzEXuY2kBCVw6g.bQscx4K2J2WQrRxc--xGP2nAcdPw_bxpdUuAUB7KLZouPNIA70E528ttni7DPbC4ek7zv8ZHZfIgMc6SPQr_b8BvPTcq1Zz4_yc3q4ouVPyra41iMZvPhHf3dB3kdDvLoeLx3HTP-Tilxp2OQGCO1pqC8KDAKEnhJK6E-8XUBlSjsyeSlPwFjK7t4mdQ_hCM19M0C2mAB9lg8vWeGs_Hj55lyKvPXdg9fWIFSBaPrsaYaG9urO_EkswkHrkxVz3LfIRsu2irIx-AtM4Hf_PQAKwhbY55vXoYC3H18vFcK61i_5nyP0t2D_XgfONIZVGJaM_FbEW1DSvs1j8EPMgif8uv9Tdf0lgmMHzu75znKkKkz4bZQg_Srmtr8j3Smz7Tg4X4o0rdrNspeNsx-G1dJENjMLCUJdvejAlql7uFa1AVm13uGsaD8wSaDuvQcFSqlCxOqMLQulbBwNCEr-FRFDFn1sqIDzFS6G25bE_mfQ2aumx7VLAHihRYu9xHGBgLJpKFIoGU5OEV-yOGkGNFVtnR3CubVuCKAFyiJ-jZnE33x56a5xy2cApUK3gZkPZf9ovMnpiu7Lb9wFcFsiO2EzAs3xp7LbUaaEH9VhVXxMHP2qKFr9ww71_xQRvZvGoPajO17ErqfNkss3R1l0BzbFAIA-uN4hdOpE2a-LmTnHAgVmeg5u3u6Y3cXUS0Gpi_QG7sTBMbBhtkCKymlg8brZP8MQzkAFKb8OKlxDr-cHB0iytxA7Q9NtK7tBa9pFYYs46bsrU0_XdoUSSxzFBfyicInGVcZd4Es3i07RzxiDSn2Ku72epLGPxteFipYQeebOiONpf3viN6_mDQpSoUOcG72mNxS7pxk8QIC6BoffFVx2Pn8zjf81BHU4S_v_Gs.AyOBe2pNqOeXMTkjlW3WI3X4UUUOot6tDlcYPoF_Z7w", "access_token": "eyJhbGciOiJFUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImFsaWFzL3N0Zy1zcC1hdXRoLWFwaS1pZC10b2tlbi1zaWduaW5nLWtleS1rbXMtYXN5bW1ldHJpYy1rZXktYWxpYXMifQ.eyJzdWIiOiIwMjdjNDdjMi02ZGM1LTRiMjItYTgwZi1iYmM1MmM1NzUwNjQiLCJjbGllbnRfaWQiOiJkTkdFT1NVanlKalRxeXRieHNzcHlKQXlRSWozdHloYSIsInNjb3BlIjoib3BlbmlkIHVpbmZpbiBuYW1lIGNoaWxkcmVuYmlydGhyZWNvcmRzLmRvYiBjaGlsZHJlbmJpcnRocmVjb3Jkcy50b2IgZGl2b3JjZWRhdGUgZG9iIGRyaXZpbmdsaWNlbmNlLmRpc3F1YWxpZmljYXRpb24uc3RhcnRkYXRlIGRyaXZpbmdsaWNlbmNlLmRpc3F1YWxpZmljYXRpb24uZW5kZGF0ZSBkcml2aW5nbGljZW5jZS5wZGwuZXhwaXJ5ZGF0ZSBkcml2aW5nbGljZW5jZS5xZGwuZXhwaXJ5ZGF0ZSBkcml2aW5nbGljZW5jZS5yZXZvY2F0aW9uLnN0YXJ0ZGF0ZSBkcml2aW5nbGljZW5jZS5yZXZvY2F0aW9uLmVuZGRhdGUgZHJpdmluZ2xpY2VuY2Uuc3VzcGVuc2lvbi5zdGFydGRhdGUgZHJpdmluZ2xpY2VuY2Uuc3VzcGVuc2lvbi5lbmRkYXRlIGhkYm93bmVyc2hpcC5kYXRlb2Zvd25lcnNoaXB0cmFuc2ZlciBoZGJvd25lcnNoaXAuZGF0ZW9mcHVyY2hhc2UgaGRib3duZXJzaGlwLmxlYXNlY29tbWVuY2VtZW50ZGF0ZSBsdGF2b2NhdGlvbmFsbGljZW5jZXMuYmF2bC5leHBpcnlkYXRlIGx0YXZvY2F0aW9uYWxsaWNlbmNlcy5iZHZsLmV4cGlyeWRhdGUgbHRhdm9jYXRpb25hbGxpY2VuY2VzLm9kdmwuZXhwaXJ5ZGF0ZSBsdGF2b2NhdGlvbmFsbGljZW5jZXMucGR2bC5leHBpcnlkYXRlIGx0YXZvY2F0aW9uYWxsaWNlbmNlcy50ZHZsLmV4cGlyeWRhdGUgbWFycmlhZ2VkYXRlIHBhc3NleHBpcnlkYXRlIHBhc3Nwb3J0ZXhwaXJ5ZGF0ZSBzcG9uc29yZWRjaGlsZHJlbnJlY29yZHMuZG9iIHNwb25zb3JlZGNoaWxkcmVucmVjb3Jkcy5zY3ByZ3JhbnRkYXRlIHZlaGljbGVzLmNvZWV4cGlyeWRhdGUgdmVoaWNsZXMuZmlyc3RyZWdpc3RyYXRpb25kYXRlIHZlaGljbGVzLm9yaWdpbmFscmVnaXN0cmF0aW9uZGF0ZSB2ZWhpY2xlcy5yb2FkdGF4ZXhwaXJ5ZGF0ZSB2ZWhpY2xlcy55ZWFyb2ZtYW51ZmFjdHVyZSBjcGZiYWxhbmNlcy5tYSBjcGZiYWxhbmNlcy5vYSBjcGZiYWxhbmNlcy5yYSBjcGZiYWxhbmNlcy5zYSBjcGZjb250cmlidXRpb25zIGNwZmVtcGxveWVycyIsImp0aSI6ImF0LXZhenRZOU5fYy1HYTBFTkx0ekJVajh2bnVlb2tyazVyTTczRmZ0aHNtZ1kiLCJpYXQiOjE3NzA3MDk1MzIsImV4cCI6MTc3MDcxMTMzMiwiYXVkIjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnL2ZhcGkvdXNlcmluZm8iLCJpc3MiOiJodHRwczovL3N0Zy1pZC5zaW5ncGFzcy5nb3Yuc2cvZmFwaSIsImNuZiI6eyJqa3QiOiJySF84UFJkUnZtWHg5dVNBMjVQTGdZSGJmQ3FMdlNJc1M1Yml3S004RmJvIn19.CVV8zLacj6nigOu-VU13DubRZcIyEvMpyOOF3m4KR8p9Zp_XNcPGRiQCx_Je9wNXFEUHcXZiWvhVfYVE7P5AxA", "token_type": "DPoP" } Copy { "error": "invalid_request", "error_description": "The request is missing a required parameter, includes an unsupported value, or is malformed." } --- # Catalog | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [userPersonalchevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/personal) [coinsFinancechevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/finance) [briefcase-blankEducation and Employmentchevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/education-and-employment) [familyFamilychevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/family) [car-rearVehicle and Driving Licencechevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/vehicle-and-driving-licence) [housePropertychevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/property) [building-magnifying-glassGovernment Schemechevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/government-scheme) [PreviousNotice of Assessment (Detailed)chevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/notice-of-assessment-detailed) [NextPersonalchevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/personal) Last updated 2 months ago Was this helpful? Was this helpful? --- # App Description | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This is the description of your digital service/application. Please describe your app's use case and purposes. circle-info The description indicated here will not appear on the consent page. It is for Singpass's administrative purposes. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FFblnB0LaZVrzonbF8sZp%252Fimage.png%3Falt%3Dmedia%26token%3D01de2550-57c9-4b7d-884a-093d6f42a7b0&width=768&dpr=3&quality=100&sign=5326deac&sv=2) Singpass Developer Portal App Config Page - Description field [PreviousApp Namechevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/app-name) [NextSite URLchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/site-url) Last updated 1 year ago Was this helpful? Was this helpful? --- # Notice of Assessment (Basic) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This refers to the taxpayer's total income after deducting allowable expenses and approved donations. Total income includes: (i) Trade (ii) Employment (iii) Rent (iv) Interest This field will only return: (i) 1 yearly assessable income and (ii) the corresponding year value. The yearly assessable income will be the latest available income up to the last 2 Years of Assessments. To note: i. Assessable Income details is only available for finalised assessment. Thus, income information will not be available if the subscriber has a Default Assessment (e.g. taxpayers who have not submitted their tax return). ii. This may not be applicable for foreigners depending on their tax residency. For example, in the case of double tax treaties with other countries, foreigner may not need to pay Singapore tax. [PreviousCPF Contribution History (up to 15 months)chevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/cpf-contribution-history-up-to-15-months) [NextNotice of Assessment (Detailed)chevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/understanding-the-data/notice-of-assessment-detailed) Last updated 2 months ago Was this helpful? Was this helpful? --- # Generation Of Client Assertion | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close circle-info If you are using a [certified OIDC Relying Party libraryarrow-up-right](https://openid.net/developers/certified-openid-connect-implementations/) , the generation of client assertion will be handled by the library, as long as you specify that the `private_key_jwt` method is used for authentication. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#overview) Overview -------------------------------------------------------------------------------------------------------------------------------------------------------- When your backend calls our APIs, you will need to generate a client assertion to authenticate yourself. The generation of this client assertion should be done using the `private_key_jwt` mechanism specified in the [OIDC specificationsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0-final.html#ClientAuthentication) . This mechanism involves you building a client assertion by signing a JWT using one of your signing keys defined in your [JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks) . Client assertions need to be sent in the [Pushed Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) and the [Token Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange) . [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#generation-of-jwt) Generation of JWT -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- To reduce complexity, we recommend that you use a JWT library to perform the JWT encoding and signing on your behalf, instead of implementing this on your own. You may refer to [this listarrow-up-right](https://www.jwt.io/libraries?support=sign&algorithm=es256) to look for a suitable library for your programming language. To learn more about JWTs and their structure, you may read [this articlearrow-up-right](https://www.jwt.io/introduction) . The JWT must have the structure outlined below. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#jwt-header) JWT Header The JWT header should contain the following parameters: Parameter Description Data Type `alg` The signature algorithm that you are using to sign this JWT One of the following strings: * `ES256` * `ES384` * `ES512` `typ` The type of this JWT Must be the string `JWT` `kid` The `kid` of the signing key that you are using to sign this JWT header. If this is not provided, we will test against all of the signing keys in your JWKS when attempting to verify the signature. String, optional chevron-rightSample JWT header in JSON form[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#sample-jwt-header-in-json-form) Copy { "typ": "JWT", "alg": "ES256", "kid": "my_key_id_01" } ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#jwt-payload) JWT Payload The JWT payload should contain the following claims: Claim Description Data type `sub` The client ID of your registered client, provided by Singpass during app onboarding. A 32-character case-sensitive alphanumeric string. `aud` This should be the issuer identifier of our authorization server. You can obtain this value from the `issuer` field in the OpenID configuration of our authorization server. String `iss` The client ID of your registered client, provided by Singpass during app onboarding. A 32-character case-sensitive alphanumeric string. `iat` The unix timestamp, in seconds, at which you generated this JWT. Number `exp` The unix timestamp, in seconds, on or after which this JWT **must not** be accepted by us for processing. Note also that this must be less than or equal to 2 minutes after `iat`. Number `jti` A unique identifier for this token. This identifier must only be used once. You should generate a new `jti` value for every request String chevron-rightSample JWT Payload in JSON form[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#sample-jwt-payload-in-json-form) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#overall-jwt-signed-and-encoded) Overall JWT (Signed and Encoded) The JWT should be signed using your private key to form a JSON Web Signature (JWS) in compact serialisation format. This is a format where the three parts of the JWS (the header, the payload, and the signature), are base64url encoded and concatenated together, using a dot (`.`) as the separator. You must publish the public key corresponding to the private key you used to sign this JWT in your [JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks) . chevron-rightSample Signed JWT (in Compact Serialisation Format)[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#sample-signed-jwt-in-compact-serialisation-format) [PreviousJSON Web Key Sets (JWKS)chevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks) [NextProof Key for Code Exchange (PKCE)chevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce) Last updated 29 days ago Was this helpful? * [Overview](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#overview) * [Generation of JWT](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#generation-of-jwt) * [JWT Header](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#jwt-header) * [JWT Payload](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#jwt-payload) * [Overall JWT (Signed and Encoded)](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion#overall-jwt-signed-and-encoded) Was this helpful? Copy { "sub": "T5sM5a53Yaw3URyDEv2y9129CbElCN2F", "aud": "https://id.singpass.gov.sg/fapi", "iss": "T5sM5a53Yaw3URyDEv2y9129CbElCN2F", "iat": "1756785377", "exp": "1756785493", "jti": "59e05e3c-9418-4e63-8119-a05157219b74" } Copy eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6Im15X2tleV9pZF8wMSJ9.eyJzdWIiOiJUNXNNNWE1M1lhdzNVUnlERXYyeTkxMjlDYkVsQ04yRiIsImF1ZCI6Imh0dHBzOi8vaWQuc2luZ3Bhc3MuZ292LnNnL2ZhcGkiLCJpc3MiOiJUNXNNNWE1M1lhdzNVUnlERXYyeTkxMjlDYkVsQ04yRiIsImlhdCI6IjE3NTY3ODUzNzciLCJleHAiOiIxNzU2Nzg1NDkzIiwiY29kZSI6IlhjeXpsU2VYMWhJeUpGbHN0eHNTRl9VZVhDNUR0aVlrRmdKOFZWeDUybWcifQ.fQMHTVNeCsa_mK6pmfjfi0rxERxDtu6eiMFkkpFdQrirc3u9LxP1_-E_7yIalIhmot1NdBQxbA9s_VztlQUhTQ --- # 4. Parsing the ID Token | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close The ID token returned during token exchange is a JSON Web Signature (JWS), which is also encrypted using JSON Web Encryption (JWE). The JWE and JWS components are represented using compact serialization form, as specified in [section 3.1 of RFC 7516arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7516#section-3.1) . To reduce complexity, we recommend that you use a JWT parsing library to decrypt the token and to verify the signature, instead of implementing the decryption and signature verification yourself. You may refer to [this listarrow-up-right](https://www.jwt.io/libraries?support=verify&algorithm=es256) to look for a suitable JWT library for your programming language, though you must also ensure that your library of choice supports decryption of JWTs encrypted using JWE. A sample ID token is shown below: chevron-rightSample encrypted ID token (this is a JWE)[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#sample-encrypted-id-token-this-is-a-jwe) Copy eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJraWQiOiJteS1lbmMta2V5IiwiZXBrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoidGIza3UwRHNyUTdFdHRkaVplcDVHUGdUOFgxaW5jYmR3M2YwSHB3ZHQ2SSIsInkiOiJEZzRFXzAwaWxGdEliVFhwMGRTcU84YUJTQXJPT3JSVWNOT3hKcFdReFFRIn19.hNnmqs2S9-vYzEXr7-Q9TmrzddUylJx-_n_HLjMWLQgeGECrwnmYPP2P638dQVGnlr_2KhJh6rFrm2wdoofSXv3YQR49zTC9.oEBMccRGsNtmMpbV1Oh6SA.TtYVOpO8cH1FpADKDIf0paepf7U8Rz2I_QYK2zITAk2wtuMuL3A3sUquvAA9a_KSm23F2WQ5vE0lA1qB54m9IYglWmaLT6epUQGw2gpkdQhrQmCuYMll2uvj1G-OV2TZgtLCNZakZY09U5SpSAjS32Sfa3H9iWmzjj8LiMQ_jLKBN-84TJpwiopOHW3b0O4tvEVdIq6bEfzqRjZ9qcqxkeWnyfajOC-NlCeqalXHJ_uRrJmVVRXmMjvMMOi1AEQJgVlyFaxBSvpkZGdXhuRRCv6LR3RK_SKizIDy1IwP0O5P6s4BKPXNaqjMwdoRKJdwB5euOGN3lK2Nh8hnzBO5Mp_lHf5XbbvdQ5oLWYDPRy19m6sSYPUIP4PfEguY7KmgbTjRd1ciptIetsRtQhKtYs6oLFp1hziwfk9AUYhkLN4dphSfamAZQeFct4lG4-Q865NezAupIs1BgTYPEu8q4Bw0-NXm0S0wISOJxmOCVng3h2uH4lqQY_bS7fGu4b8E30_-NWPesfKGc-dtVG3x7S1vEfDqjqnxY6XzzDnJOv-Op4cfjnATX067utxIJF2o9lo_9AG3Cul3xyGk9gx3DwHKImX_ldaJAajosUQQ8XUyuIsRjO_L8fQG2N9bYsKHt9qX2fK8fZGEfKsERw35i9AOifdlWxT5rcDM202zvZl9RGZOLGv3Z9JUfwtgAPKrEn5bXHwP__tefKgo9Ba__UUivtDzNwQE-ZVMoyKWMTKFLrULlfC9PaBO0UbVp4JsTVjcNgEVsLED-Y3rCBjNjehAGVyJxRcKUsngAEUAZJvNjGxaq149-Q6I7X6JOhrofY_8hqc74d4ROrDZ4vun2qVCzmrQmcCakEGpp9Y2wat0I-v7Q05COWWWu4EL_wdtgRnazA0DnH3el8ZUohsqNQ.fh6pMCnKcgo9yodwB5dPKcxdTZftoEmHKkB-KRxZPiI chevron-rightSample decrypted ID token (this is a JWS)[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#sample-decrypted-id-token-this-is-a-jws) Copy eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFsaWFzL3N0Zy1zcC1hdXRoLWFwaS1pZC10b2tlbi1zaWduaW5nLWtleS1rbXMtYXN5bW1ldHJpYy1rZXktYWxpYXMifQ.eyJpYXQiOjE3Njk3Mzk4MjMsImV4cCI6MTc2OTc0MDQyMywiaXNzIjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnL2ZhcGkiLCJzdWIiOiI3YzljNzJlYy01YmUyLTQ5NWEtYTc4ZS02MWU4MDlhMmEyMzYiLCJhdWQiOiJSc3JPeTJpQjBlZFI1M1RKU3VENVVMYWQxcEdtclZaTCIsImFtciI6WyJwd2QiXSwic3ViX2F0dHJpYnV0ZXMiOnsibmFtZSI6Ik5BTUUgT0YgUzU0MTA4MjhBIn0sInN1Yl90eXBlIjoidXNlciIsIm5vbmNlIjoiV2pxVU1NbU9ldllPWG13QzI3bWNBUVdzRkJuM083d3doYlJJdGwyRkprOCIsImFjciI6InVybjpzaW5ncGFzczphdXRoZW50aWNhdGlvbjpsb2E6MSJ9.pI0nhe0BLToMbuZ-9lpQiBNj2sj_ZWJwYFMT83u4yewZupTClPLUeYp08RR_sV2I70H6qpVmydRmoH8R9SipHQ chevron-rightSample decoded ID token payload[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#sample-decoded-id-token-payload) Copy { "sub": "7c9c72ec-5be2-495a-a78e-61e809a2a236", "aud": "RsrOy2iB0edR53TJSuD5ULad1pGmrVZL", "acr": "urn:singpass:authentication:loa:1", "sub_type": "user", "sub_attributes": { "name": "NAME OF S5410828A" }, "amr": ["pwd"], "iss": "https:\/\/stg-id.singpass.gov.sg\/fapi", "exp": 1769740423, "iat": 1769739823, "nonce": "WjqUMMmOevYOXmwC27mcAQWsFBn3O7wwhbRItl2FJk8" } [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#jwt-claims) JWT Claims ---------------------------------------------------------------------------------------------------------------------------------------------------- The decrypted JWT will have the following claims: Claim Description Data Type `sub` The principal that is the subject of the JWT. Contains a globally unique identifier for the user. String `sub_type` A property to describe what is the type of the subject of the JWT. For Singpass, this is always the string `"user"` `sub_attributes` This contains some information related to the user's identifiers. This is only returned if the `user.identity` , `name`, `email`, or `mobileno` scope is requested. Object containing key-value pairs. See the [section below](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#the-sub_account-claim) for full details. `act` An object describing actor acting on behalf of the `sub`. This is currently unused, but this may be used in the future for delegation (e.g. a child acting on behalf of their parent, or vice-versa). This object will contain a `sub` claim, which contains the UUID of the actor. If the `user.identity` , `name`, `email`, or `mobileno` scope is requested, it will also contain the respective data for the actor in the `sub_attributes` claim. If the `sub_attributes` claim is returned, the format of `sub_attributes` is described in the [section below](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#the-sub_account-claim) . An object containing `sub` and `sub_attributes` (if requested). `aud` The client ID of your registered client, provided by Singpass during app onboarding. A 32-character case-sensitive alphanumeric string. `iss` The issuer identifier of our authorization server. String `iat` The unix timestamp, in seconds, at which we issued this JWT. Number `exp` The unix timestamp, in seconds, on or after which this JWT **must not** be accepted for processing. Number `amr` An array of authentication method references. This refers to the form factors used by the user to authenticate themselves. The array will contain all the form factors used for this authentication. For example, if the user authenticated themselves using their password and SMS OTP, then this array will contain both `pwd` and `otp-sms`. Array of strings. The possible values are: * `face` * `pwd` * `otp-sms` * `face-alt` * `swk` (software key) * `hwk` (hardware key) Note that this list is non-exhaustive, and we reserve the right to introduce new values without prior notice to you. `acr` The authentication class reference value used for this transaction. This identifies the level of assurance that this authentication satisfied. One of the following values: * urn:singpass:authentication:loa:1 * This indicates that only username and password was used for authentication. This will only happen in the staging environment. * urn:singpass:authentication:loa:2 * This indicates that 2-factor authentication was used for authentication. * urn:singpass:authentication:loa:3 * This indicates that 3-factor authentication, with face verification as a third factor, was used for authentication. `nonce` This is the same nonce that you used in your authorization request. String chevron-rightSample ID token[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#sample-id-token) [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#the-sub_attributes-claim) The sub\_attributes Claim --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The `sub_attributes` claim is an object that will contain the following properties: Property Description Data Type `account_type` The Singpass account type for this user. For Singpass Foreign Account (SFA) holders, this will be `"foreign"`. For all other Singpass accounts (i.e. those belonging to Singapore Citizens, Permanent Residents, or FIN holders), this will be `"standard"`. A string, which is either `"foreign"` or `"standard"`. This is only present if the `user.identity` scope was requested. `identity_number` A string which contains a referencable identifier for the user. For Singapore Citizens and Permanent residents, this will be their NRIC. For FIN holders, this will be their FIN. For Singpass Foreign Account holders, this will be their foreign ID. String. This is only present if the `user.identity` scope was requested. `identity_coi` The country code for the of issuance of the identity. For Singapore Citizens, Permanent Residents, and FIN holders, this will be `"SG"`. For Singpass Foreign Account holders, this will be the country code of the country which issued the user's foreign ID. 2-letter country code. This is only present if the `user.identity` scope was requested. `name` The user's principal name Non-empty string. This will only be present if the `name` scope is requested. `email` The user's email address String. This will only be present if the `email` scope is requested, and if the user has an email registered with Singpass. `mobileno` The user's mobile number. This will always be a Singapore mobile number, and it will not include the country code. Numeric string. This will only be present if the `moibleno` scope is requested, and if the user has a mobile number registered with Singpass. For Singpass Foreign Account (SFA) users, this will always be absent. chevron-rightSample sub\_attributes for Singapore Citizen, Permanent Resident, or FIN holder[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#sample-sub_attributes-for-singapore-citizen-permanent-resident-or-fin-holder) chevron-rightSample sub\_attributes for Singpass Foreign Account holder[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#sample-sub_attributes-for-singpass-foreign-account-holder) [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#verification-checks) Verification Checks ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- circle-info If you are using a [certified OIDC Relying Party libraryarrow-up-right](https://openid.net/developers/certified-openid-connect-implementations/) , these checks will be automatically performed by the library, though you must pass the nonce to the library for it to perform the nonce check. In order to ensure that the ID token is valid, you must perform the following checks: 1. Verify that the `iss` claim matches the issuer identifier of our authorization server, which you can obtain from the `issuer` field in the [OpenID configuration](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) of our authorization server. 2. Verify that the `aud` claim matches your client ID. 3. Ensure that the current time is before the timestamp in the `exp` claim. 4. Ensure that the `nonce` claim is the same as the nonce that you had sent in the authorization request. If you are integrating with Singpass Login, then the flow ends here. If you are integrating with Myinfo (v5), then the next and final step would be to retrieve the user's information using the `/userinfo` endpoint. [Previous3\. The Token Requestchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange) [Next5\. The Userinfo Requestchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo) Last updated 2 months ago Was this helpful? * [JWT Claims](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#jwt-claims) * [The sub\_attributes Claim](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#the-sub_attributes-claim) * [Verification Checks](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#verification-checks) Was this helpful? Copy { "aud": "gnY6Erichpb5t4NFRP9R4L7aEC9N0FQH", "iss": "https://id.singpass.gov.sg/fapi", "exp": 1727322545, "iat": 1727321945, "nonce": "L5nmQfcetDDIeincoqvCrFyGv+nHobkv4XocNYPCXaQ=", "sub": "1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9", "sub_type": "user", "sub_attributes": { "account_type": "standard", "identity_number": "S1234567G", "identity_coi": "SG" } } Copy "sub_attributes": { "account_type": "standard", "identity_number": "S1234567G", "identity_coi": "SG", "name": "John Doe", "email": "[email protected]", "mobileno": "91231234", } Copy "sub_attributes": { "account_type": "foreign", "identity_number": "K28394589", "identity_coi": "TK", "name": "Larry Doe", "email": "[email protected]", } --- # FAQ | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q1.-what-are-the-benefits-of-upgrading-to-the-new-version-of-myinfo) Q1. What are the benefits of upgrading to the new version of Myinfo? The new version of Myinfo API improves the security posture of the API and data shared. It aligns to current industry and RFC standards, and improves operations flows for partners to minimise service disruption during key rotation. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q2.-i-am-currently-using-myinfo-v3.-when-is-the-deadline-to-upgrade-to-myinfo-v4) Q2. I am currently using Myinfo v3. When is the deadline to upgrade to Myinfo v4? It is no longer mandatory for partners to migrate to Myinfo v4. All new onboardings will be to the new Myinfo. 1. Partners on Myinfo v3/v4 will have till end Sep 2026 to migrate to Myinfo v5. 2. Partners are expected to ensure that their apps are compliant with FAPI 2.0 by 31 December 2026. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q3.-what-should-i-do-when-a-users-data-in-the-business-conflicts-with-the-users-data-retrieved-from) Q3. What should I do when a user’s data in the business conflicts with the user’s data retrieved from Myinfo? You should assess which dataset takes precedence, based on business or regulatory requirements and also factor in the following: 1. Whether the data retrieved from government sources; 2. Time-stamp of the data retrieved, to determine which is more recent. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q4.-can-i-request-for-more-data-items-than-what-i-need-for-my-digital-service) Q4. Can I request for more data items than what I need for my digital service? No. You should only request for the data items that you need for your digital service. This is aligned with the guidelines of the Personal Data Protection Act, which instructs the collection of personal data in an appropriate manner for the circumstances. Each request will be reviewed prior to approval. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q5.-i-would-like-to-linkup-multiple-digital-services-with-myinfo.-do-i-submit-a-single-request-for-a) Q5. I would like to linkup multiple digital services with Myinfo. Do I submit a single request for all my digital services or one request for each digital service? A new request must be submitted for digital services with different use cases/user journeys. If in doubt, please submit a request for every digital service. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q6.-my-digital-service-saves-user-data-in-the-transaction-session-or-cookie.-if-the-user-closes-the) Q6. My digital service saves user data in the transaction session or cookie. If the user closes the browser and comes back to the digital service again, can I populate the digital form using data saved in the session or cookie? No. To prevent stale data from being mistaken as a Myinfo data, every user profile retrieved by a digital service must fetch new data from Myinfo. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q7.-i-would-like-to-design-my-digital-service-to-depend-solely-on-myinfo-to-fill-up-a-form.-is-this) Q7. I would like to design my digital service to depend solely on Myinfo to fill up a form. Is this a recommended approach? Digital services should allow users to manually fill up forms to access digital services to accommodate the following scenarios: 1. User does not wish to use Myinfo; 2. If the user is a foreigner who does not have Myinfo or if the user does not have a Singpass account; or 3. If the Myinfo service is temporarily unavailable (e.g. system maintenance). * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q8.-can-my-digital-service-retrieve-user-data-for-backend-processing-without-displaying-it-on-a-digi) Q8. Can my digital service retrieve user data for backend processing without displaying it on a digital form? No, all data retrieved from Myinfo have to be displayed on the digital form for verification by the user, prior to form submission. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q9.-how-should-my-digital-service-handle-scenarios-where-the-user-finds-that-the-verified-data-retri) Q9. How should my digital service handle scenarios where the user finds that the verified data retrieved from Myinfo is out-of-date? (e.g. user has not updated ICA about his/her change of registered address) Businesses may allow users to fill out the form manually with the correct data. In this case, data previously retrieved from Myinfo should not be saved. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q10.-are-the-registered-addresses-of-users-restricted-to-singapore-addresses) Q10. Are the registered addresses of users restricted to Singapore addresses? No, the registered address field can contain overseas addresses. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q11.-my-digital-service-requires-only-the-last-three-months-of-the-users-cpf-contribution-history.-c) Q11. My digital service requires only the last three months of the user’s CPF contribution history. Can my digital service only show the last three months of CPF contribution history? The retrieval of CPF contribution history will return the last 15 months of the user’s CPF contribution. All 15 months of the contribution should be displayed on your digital service form. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q12.-is-there-any-guideline-to-display-cpf-contribution-history-data) Q12. Is there any guideline to display CPF contribution history data? Digital services should adhere to the CPF Display Guidelines when retrieving and displaying CPF data: Click [herearrow-up-right](https://docs.developer.singpass.gov.sg/docs/products/myinfo/data-display-guidelines) to refer to the CPF display guidelines. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q13.-i-have-some-issues-uploading-my-x.509-public-key-with-my-ios-device.-how-can-i-upload-my-x.509) Q13. I have some issues uploading my X.509 public key with my iOS device. How can I upload my X.509 public key? It is recommended to upload your X.509 public key using compatible browsers (e.g. Safari, Chrome, Firefox) on your desktop. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q14.-i-have-been-given-a-corppass-account-by-my-corppass-administrator.-however-i-am-unable-to-login) Q14. I have been given a CorpPass account by my CorpPass administrator. However, I am unable to login to the portal using the CorpPass account. Please check with your CorpPass administrator to ensure your CorpPass account is given permission to access 'Singpass API Developer and Partner Portal'. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q15.-what-is-the-estimated-turnaround-time-after-i-have-submitted-an-app-request) Q15. What is the estimated turnaround time after I have submitted an app request? We will respond to you in two weeks upon submission of your app request. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q16.-what-is-the-estimated-turnaround-time-after-i-have-submitted-my-app-configurations) Q16. What is the estimated turnaround time after I have submitted my app configurations? Upon successful submission, your app configurations will take effect within 5 to 10 minutes. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q17.-we-are-a-solution-company-looking-to-build-a-product-platform-integrated-with-myinfo-for-our-cl) Q17. We are a solution company looking to build a product/platform integrated with Myinfo for our client. How do we go about doing so? Please submit a joint link-up request through your client. You may refer to our portal for the on-boarding process. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q18.-can-the-consent-page-be-customised-to-allow-users-to-select-fields-that-they-wish-to-retrieve-f) Q18. Can the consent page be customised to allow users to select fields that they wish to retrieve from Myinfo? To optimise the user experience for customers, users need to consent to share all data items relevant to a transaction. This allows a more seamless and secure user journey that minimises form-filling and document submission. If users are uncomfortable with sharing any data items, they may opt to fill the form manually. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q19.-can-foreigners-use-myinfo-to-transact-with-digital-services) Q19. Can foreigners use Myinfo to transact with digital services? Foreigners who have a valid Singpass account will have a Myinfo profile, and they can use the service. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q20.-can-i-add-additional-data-item-s-to-my-app-after-it-has-been-submitted) Q20. Can I add additional data item(s) to my app after it has been submitted? You may add additional data item(s) to your app after the original request has been approved. Please click on the 'Edit' button and under 'Scopes Selection' choose your additional data item(s) for your app. A revised user journey should be submitted to reflect the additional data item(s), and the justification updated. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q21.-what-are-the-charges-fees-for-using-myinfo-api) Q21. What are the charges/fees for using Myinfo API? Charges for using Myinfo API started from Apr 2022. Please log in with Singpass to view pricing table. * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q22.-i-am-a-financial-institution.-is-utilisation-of-ndi-services-subject-to-mas-expectations-under) Q22. I am a financial institution. Is utilisation of NDI services subject to MAS’ expectations under the Guidelines on Outsourcing? The Monetary Authority of Singapore (MAS) has issued a guidance to all financial institutions in June 2020. For outsourcing arrangements involving services which are wholly provided by the Government Technology Agency (GovTech) or agents appointed by GovTech, they will not be subject to the MAS Guidelines on Outsourcing. Please refer to the list of services [here](https://docs.developer.singpass.gov.sg/docs/products/singpass-login) . * * * #### [hashtag](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/faq#q23.-who-do-i-contact-if-i-require-more-details) Q23. Who do I contact if I require more details? If you have any other query, please submit a request at [partnersupport.singpass.gov.sgarrow-up-right](https://partnersupport.singpass.gov.sg/) . [PreviousScheduled Downtimeschevron-left](https://docs.developer.singpass.gov.sg/docs/products/singpass-myinfo/scheduled-downtimes) [NextOverview of Singpasschevron-right](https://docs.developer.singpass.gov.sg/docs/introduction/overview-of-singpass) Last updated 2 months ago Was this helpful? Was this helpful? --- # (Legacy) Pre-FAPI 2.0 API Specifications | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. The purpose of this guide is to describe the necessary APIs that Relying Parties (RPs) must invoke to facilitate an Open ID Connect (OIDC) authentication for a Singpass user via the Redirect Authentication Flow. RPs are to implement the following steps: **Frontend:** * Step 1a: Redirect to [Authorization endpoint](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint) . **Backend:** * Step 4: Exchange auth code with ID token (involves client authentication) using [Token endpointarrow-up-right](https://github.com/SingpassPX/dev-docs/blob/main/technical-specifications/singpass-authentication-api/2.-token-endpoint) . [PreviousMyinfo (v4) appschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps) [NextOverview of Singpass Flowchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/overview-of-singpass-flow) Last updated 1 month ago Was this helpful? Was this helpful? --- # JSON Web Key Sets (JWKS) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#overview) Overview ------------------------------------------------------------------------------------------------------------------------------------------------ A JSON Web Key Set (JWKS) is a set of keys that contain a list of cryptographic keys that can be used either for signature verification or for encryption. Each key in the JWKS is stored in the JSON Web Key format, as specified in [RFC 7517arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7517) . In order to integrate with Singpass, you are required to [register](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#registration-of-jwks) your JWKS with us. The same JWKS can be reused across multiple Singpass integrations. Conversely, we also broadcast our JWKS at [https://id.singpass.gov.sg/.well-known/keysarrow-up-right](https://id.singpass.gov.sg/.well-known/keys) . These are our public keys used for signing, and you should use them to verify the signature in both the ID token and the Userinfo response. chevron-rightExample JWKS[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#example-jwks) Copy { "keys": [\ {\ "kty": "EC",\ "alg": "ES256",\ "use": "sig",\ "kid": "ydGFKJbIoqzSJyMpUiprLpaQz7RxV8C_HLiCW-l0q1k",\ "crv": "P-256",\ "x": "vx_9JwRUaXaj8nE21-mgtjrx2JPkOM_iawIIbIV2huc",\ "y": "ZvqP1ErOvOmMvaaWVA2WzB6eroYsz4I1PML1AiEIvsQ"\ },\ {\ "kty": "EC",\ "alg": "ECDH-ES+A256KW",\ "use": "enc",\ "kid": "R-G-GcB8vBaBCdQENkLD5k8MJnLQG4a1TR1Fx94CUvM",\ "crv": "P-256",\ "x": "fr9yjpnKygf6ZwR0L9kVIGES-B4CqQUo8_X_PyF725s",\ "y": "5iaXtCMTRXZzA-RwAHji0KUi_5XrrzeIGDuOoDNdPxo"\ }\ ] } [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#purpose-of-jwks) Purpose of JWKS -------------------------------------------------------------------------------------------------------------------------------------------------------------- The keys that you provide in your JWKS will be used for the following: * Verification of your [client assertions](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) (they are signed by one of your private keys). This is done during both the [Pushed Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) and [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange) * Encryption of the [ID Token](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) * Encryption of the [Userinfo response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#response) [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#registration-of-jwks) Registration of JWKS ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ When registering your JWKS with us, you have two options: 1. Directly register the JWKS with us as a JSON object in your app configuration 2. Host the JWKS on a publicly accessible URL, and register that URL with us in your app configuration. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#requirements-for-jwks) Requirements for JWKS -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#general) General 1. Your JWKS must have at least one encryption key and one signing key. 2. All of the keys in your JWKS must **not** expose your private key. Specifically, it must **not** contain the `d` property, which represents the private key. Exposure of this property is a critical security vulnerability. 3. All of the keys in the JWKS must: 1. Have unique key IDs in the `kid` field. Additionally, any new keys should not reuse previously-used key IDs. 2. Contain a `kty` of `EC` 3. Contain one of the following `crv` values: 1. `P-256` 2. `P-384` 3. `P-521` 4. If your JWKS is hosted at a URL: 1. The URL **must** be publicly accessible at all times 2. It should respond as fast as possible, as the user experience of your users will be affected if your JWKS endpoint takes a long time to respond. In the worst case, it must respond within 3 seconds; otherwise, your users will fail to authenticate with us. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#signing-keys) Signing Keys 1. Must have a `use` value of `sig` ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#encryption-keys) Encryption Keys 1. Must have a `use` value of `enc` 2. Must contain one of the following `alg` values: 1. `ECDH-ES+A128KW` 2. `ECDH-ES+A192KW` 3. `ECDH-ES+A256KW` [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#key-rotation) Key Rotation -------------------------------------------------------------------------------------------------------------------------------------------------------- You should rotate your keys at least once a year. You will be able to rotate your keys without downtime. The process for rotating encryption keys and signing keys is slightly different, and will be outlined below. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#signing-keys-1) Signing Keys 1. Generate your new signing key pair, and add the public signing key to your JWKS **without** removing the old public signing key. The newly added key must have a different `kid` from any of the existing keys. 2. Wait for 1 hour. This ensures that our cache has expired and that we will have fetched your new keys, which we can then use to verify requests that you sign using your new key. 3. Start signing your requests using your new private key. 4. Remove the old public signing key from your JWKS. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#encryption-keys-1) Encryption Keys 1. Generate your new encryption key. 2. Update your application such that it can perform decryption using either the old or the new key, depending on the `kid` value in the JWE header. 3. Replace the old key in your JWKS with the new key. The new key should have a different `kid` from the old one. 4. Wait for one hour. This ensures that our cache has expired, and that we will only perform encryption using your new key. 5. Remove the old encryption key from your JWKS. [PreviousTechnical Conceptschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts) [NextGeneration Of Client Assertionchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) Last updated 2 months ago Was this helpful? * [Overview](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#overview) * [Purpose of JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#purpose-of-jwks) * [Registration of JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#registration-of-jwks) * [Requirements for JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#requirements-for-jwks) * [General](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#general) * [Signing Keys](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#signing-keys) * [Encryption Keys](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#encryption-keys) * [Key Rotation](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#key-rotation) * [Signing Keys](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#signing-keys-1) * [Encryption Keys](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#encryption-keys-1) Was this helpful? --- # Government Scheme | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close id name description Data Available Source pioneergen.eligibility Pioneer Generation Eligibility The Government has introduced the Pioneer Generation Package to honour and thank our pioneers for their hard work and dedication in making Singapore what it is today. The package includes a host of initiatives aimed at making healthcare affordable for our Pioneer Generation for life. SC MOF/CPFB merdekagen.eligibility Merdeka Generation Eligibility The Government has introduced the Merdeka Generation Package to honour and thank our Merdeka Generation for their contributions. The package supports the aspirations of Merdeka Generation seniors in their silver years by helping them to stay active and healthy and providing them better peace of mind over future healthcare costs. SC MOF/CPFB chas Community Health Assist Scheme The Community Health Assist Scheme (CHAS) enables all Singapore Citizens, including Pioneer Generation (PG) and Merdeka Generation (MG) cardholders, to receive subsidies for medical and/or dental care\* at participating General Practitioner (GP) and dental clinics. For patients with chronic conditions, CHAS complements the Chronic Disease Management Programme (CDMP), which allows for MediSave to be used for outpatient treatment (for the same set of chronic conditions) covered under CHAS. Besides enjoying CHAS subsidies for the treatment of their chronic conditions, patients can also tap on their MediSave to defray part of the cost of these treatments. Patients who seek treatment for their chronic conditions at CHAS GP clinics can also receive subsidised rates for healthcare services such as Diabetic Foot Screening (DFS), Diabetic Retinal Photography (DRP) and nurse counselling at Community Health Centres (CHCs) and Primary Care Network (PCN) clinics. SC MOH [PreviousPropertychevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/property) [NextUser Guidechevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide) Last updated 8 months ago Was this helpful? Was this helpful? --- # 2. Token Endpoint | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. Endpoint to obtain an ID token and access token. The ID token is a signed JWT that contains user information in the `sub` claim, and is signed by Singpass ASP. RPs will be able to verify the ID token’s JWT signature with our [JWKS endpoint](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/.well-known-endpoints/jwks-endpoint) . RPs are expected to validate the ID token as per [OpenID connect specsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) . For the OIDC authentication flow, only the following grant(s) is supported: * `authorization_code` (see the [Authentication using the Authorization Code Flowarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth) in the OpenID connect specs for more details) In the below sections, we are going to describe the API contract: * [Authorization Code Grant](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant) * [Client JWK Requirements](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements) [PreviousFor Mobile Developerschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint/for-mobile-developers) [NextAuthorization Code Grantchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant) Last updated 2 months ago Was this helpful? Was this helpful? --- # For Mobile Developers | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. To facilitate your in-app browser implementation, the following table contains technical resources to help assess, test and implement the changes requested. Android iOS Sample codes implementing the recommended Proof Key for Code Exchange ([PKCEarrow-up-right](https://www.rfc-editor.org/rfc/rfc8252) ) for Singpass logins [Android-Singpass-in-app-browser-login-demoarrow-up-right](https://github.com/singpass/Android-Singpass-in-app-browser-login-demo) [iOS-Singpass-in-app-browser-login-demoarrow-up-right](https://github.com/singpass/iOS-Singpass-in-app-browser-login-demo) In-app browser documentations [Chrome Custom Tabsarrow-up-right](https://developer.chrome.com/docs/android/custom-tabs) \[iOS 9 to iOS 10\] [SFSafariViewControllerarrow-up-right](https://developer.apple.com/documentation/safariservices/sfsafariviewcontroller) \[iOS 11\] [SFAuthenticationSessionarrow-up-right](https://developer.apple.com/documentation/safariservices/sfauthenticationsession) \[iOS 12 and above\] [ASWebAuthenticationSessionarrow-up-right](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) [PreviousRedirection on successchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint/redirection-on-success) [Next2\. Token Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint) Last updated 2 months ago Was this helpful? Was this helpful? --- # Site URL | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This is the public URL of your application which users will access. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Ft75bGNFxTKjV9zfdqxjb%252Fimage.png%3Falt%3Dmedia%26token%3D2220f8ca-02cf-475a-8fb8-99f5f8029920&width=768&dpr=3&quality=100&sign=6f76548a&sv=2) Singpass Developer Portal App Config Page - Site URL field circle-exclamation URL with IP address (e.g. https://123.123.1.1) is not allowed. [PreviousApp Descriptionchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/app-description) [NextSupport Emailschevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/support-emails) Last updated 3 months ago Was this helpful? Was this helpful? --- # Changelog | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close circle-info All new Login and Myinfo apps follow Singpass' [FAPI 2.0-compliant API spec](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) . This changelog applies to you only if you are upgrading a Login / Myinfo (v5) integration that was set up prior to Feb 2026. If so, you may wish to refer to [this migration guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) . If you are instead upgrading a legacy Myinfo (v3/v4) app, please refer to our [other migration guides](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides) . [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#the-fapi-2.0-security-profile) The FAPI 2.0 Security Profile ---------------------------------------------------------------------------------------------------------------------------------------------------------- The FAPI 2.0 Security Profile builds on top of the existing OIDC specifications. Singpass is already OIDC-compliant, which means that you will not need to update your entire existing integration—you will only need to update some parts of the integration. The following diagram provides an overview of the parts of the Singpass flow that are changing. The changed parts are highlighted in red. For ease of comparison, the same diagram, but for the prior authentication API flow (i.e. without these changes), can be found [here](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/overview-of-singpass-flow) . You may also view an interactive version of this diagram in [this pagearrow-up-right](https://tinyurl.com/singpass-fapi2-changelog) . ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F59c2TsOuHYy8fDp0JHhq%252Fmermaid-diagram-2025-09-03-101046.png%3Falt%3Dmedia%26token%3D2faab839-d281-4d73-bc3b-bdb540c90a0a&width=768&dpr=3&quality=100&sign=20d66add&sv=2) [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#pushed-authorization-requests) Pushed Authorization Requests ---------------------------------------------------------------------------------------------------------------------------------------------------------- _Relevant steps in sequence diagram: steps 4-7_ Previously, you would have performed the authorization request by redirecting users to an authorization URL containing all the authorization request parameters (such as `redirect_uri`, `client_id`, `scopes` ) in its query parameters. We will now instead require pushed authorization requests (as specified in [RFC 9126arrow-up-right](https://datatracker.ietf.org/doc/html/rfc9126) ) to be performed during the authentication flow. This was done for improved security, as using pushed authorization requests will prevent tampering of the authorization request parameters in the authorization URL. Switching to pushed authorization requests requires you to make two changes: 1. Before redirecting the user to the authorization URL, you must first make a POST request to the `pushed_authorization_request_endpoint` (which is published in the authorization server metadata) with a request body containing all the authorization request parameters. This is represented by steps 4-5 in the sequence diagram. 2. When you redirect the user to the authorization URL, the query parameters of the URL should only contain `request_uri` (returned from the pushed authorization request) and your `client_id`. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#new-parameters-for-authorization-requests) New Parameters for Authorization Requests ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- _Relevant step in sequence diagram: step 4_ We now support some new parameters for authorization requests. These parameters are: * `acr_values` * `authentication_context_type` * `authentication_context_message` These new parameters, which you will pass in the pushed authorization request, will provide you greater control over what your users will experience during the authentication process. Full details of these parameters can be found in [this page](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#singpass-specific-parameters) . circle-exclamation Myinfo (v3/v4) apps have authorization requests that differ from Login and Myinfo (v5) apps, so you will need to make more changes if you are currently integrating with a Myinfo (v3/v4) app. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#demonstrating-proof-of-possession-dpop) Demonstrating Proof-of-Possession (DPoP) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ _Relevant steps in sequence diagram: steps 5, 17, and 22_ You may also read [this blog postarrow-up-right](https://auth0.com/blog/what-are-oauth-push-authorization-requests-par/) to understand more about pushed authorization requests. A DPoP proof (as specified in [RFC 9449arrow-up-right](https://datatracker.ietf.org/doc/html/rfc9449) ) is now required for the following requests: * The pushed authorization request * The token request * The userinfo request This was introduced in order to ensure that both the authorization code and the access token (issued on steps 10-13 and 19 respectively in the sequence diagram) can only be used by you and not by any other party. You may read more about DPoP in our guide [here](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) . circle-exclamation If you are currently integrating with a Myinfo (v4) app, you will only need to add DPoP for the pushed authorization request. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#id-token-encryption-and-format) ID Token Encryption and Format ------------------------------------------------------------------------------------------------------------------------------------------------------------ _Relevant steps in sequence diagram: steps 20-21_ The ID token will now always be encrypted using JSON Web Encryption (JWE), regardless of the client profile of your app. Previously, the ID token was only encrypted if you had requested for NRIC to be returned in the ID token. Note that this will now require you to add an encryption key into your JWKS, if you do not already have one. Additionally, the format of the claims returned in the ID token is also different. A summary of the changes are: * The `sub` claim will now only contain the UUID of the user. Previously, it contained key-value pairs containing different values depending on your app's client profile and the type of user, but we have now simplified the claim to just always be the UUID. * If you require NRIC (for SC/PR), FIN (for pass holders) or the foreign ID (for SFA users) to be returned in the ID token, you may request for the new `user.identity` scope. If the scope is requested, then this information will be returned in the new `sub_attributes` claim in the ID token. Here are some examples to illustrate the difference: chevron-rightID token differences[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#id-token-differences) Note: for brevity, the examples here do not contain the whole ID token - they only contain the parts that have changed. Note also that `sub_account` in the new ID token will only be returned if requested as part of the `scopes` in the authorization request. User type Old ID token New ID token Singapore Citizen / PR FIN holders Singpass Foreign Account For full details on the new format, you may refer to [ID token specs](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) . [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#userinfo-response-format) Userinfo Response Format ------------------------------------------------------------------------------------------------------------------------------------------------ _Relevant step in sequence diagram: step 26_ The userinfo response will have a slightly different format. The format of the data itself remains unchanged - the only difference is that the data is now nested inside a `person_info` field. The userinfo response will remain encrypted using JWE - no changes will be made on how it is encrypted. Here's an example to illustrate the difference: chevron-rightUserinfo payload difference[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#userinfo-payload-difference) Old response New response circle-exclamation Myinfo (v3/v4) integrations will also need to start using the userinfo endpoint instead of the Myinfo Get Person API. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#enforcement-of-proof-of-key-code-exchange-pkce) Enforcement of Proof of Key Code Exchange (PKCE) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- We will be enforcing PKCE (specified in [RFC 7636arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7636) ) for all integrations with the new authentication API. This is a requirement for FAPI 2.0 compliance, and will help to protect you against misuse of the authorization code. Read more about PKCE in our guide [here](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce) . [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#removal-of-support-for-custom-scheme-urls) Removal Of Support For Custom Scheme URLs ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Previously, custom scheme URLs (i.e. URLs that do not use the `https://` scheme) were allowed to be registered as redirect URLs and app launch URLs. This was done to support redirection to mobile apps. We will be dropping support for the usage of such URLs with the new specifications. If you are currently using custom scheme URLs for mobile app redirection, you are required to instead use App-claimed https URLs ([Universal Linksarrow-up-right](https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content) for iOS, and [App Linksarrow-up-right](https://developer.android.com/training/app-links) for Android) for this purpose instead. This is being done to ensure that redirects from Singpass cannot be intercepted by malicious applications. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#authentication-error-responses) Authentication Error Responses Currently, we generally do not redirect back to your redirect URL when an error occurs. This will change with the new authentication API. We will now be redirecting back to your redirect URL in more scenarios with an Authentication Error Response, which is specified in [section 3.1.2.6 of the OpenID specificationsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) . With this change, you will get more information about what are the errors that users face while authenticating with Singpass, and can handle the error flows appropriately. However, this also means that you must ensure that you have proper error handling in place for these errors. View our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect#failed-authentication) to see the full list of errors that could be sent to you during the redirect. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#changes-in-amr-claim-values) Changes In \`amr\` Claim Values ---------------------------------------------------------------------------------------------------------------------------------------------------------- The `amr` claim values returned in the ID token have been updated. You can ignore this section if you have not been reading the `amr` claim values. Note that if you have previously been reading the `amr` claim values to determine the level of assurance of the authentication transaction, we recommend that you read the new `acr` claim value instead, which directly provides the level of assurance without requiring you to map the `amr` values to a level of assurance. By using the `acr` claim instead of the `amr` claim, you would not need to update your implementation should we introduce new form factors. Specifically, the following changes have been made: ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#change-in-naming) Change in naming Some of the `amr` values have had their names changed for clarity. Specifically, these three claims have changed: Previous value New value `sms` `otp-sms` `fv` `face` `fv-alt` `face-alt` ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#provision-of-all-form-factors-when-face-verification-is-used) Provision of all form factors when face verification is used Previously, when face verification was used **as a third factor** during the authentication, the `amr` claim would only be `["fv"]`, even though multiple form factors were used in the authentication. With the FAPI2.0 implementation, the `amr` claim would now always contain all form factors used in order to provide more clarity. For example: Form factors used Previous amr New amr Username/password, SMS OTP, face verification `["fv"]` `["pwd", "otp-sms", "face"]` QR, face verification `["fv"]` `["swk", "face"]` Username/password, face verification `["pwd", "fv"]` `["pwd", "face"]` (note: no change in number of elements, since face verification was used as a second factor) [PreviousUnderstanding the basics of OIDCchevron-left](https://docs.developer.singpass.gov.sg/docs/introduction/understanding-the-basics-of-oidc) [NextIntegration Guidechevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) Last updated 23 days ago Was this helpful? * [The FAPI 2.0 Security Profile](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#the-fapi-2.0-security-profile) * [Pushed Authorization Requests](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#pushed-authorization-requests) * [New Parameters for Authorization Requests](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#new-parameters-for-authorization-requests) * [Demonstrating Proof-of-Possession (DPoP)](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#demonstrating-proof-of-possession-dpop) * [ID Token Encryption and Format](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#id-token-encryption-and-format) * [Userinfo Response Format](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#userinfo-response-format) * [Enforcement of Proof of Key Code Exchange (PKCE)](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#enforcement-of-proof-of-key-code-exchange-pkce) * [Removal Of Support For Custom Scheme URLs](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#removal-of-support-for-custom-scheme-urls) * [Authentication Error Responses](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#authentication-error-responses) * [Changes In \`amr\` Claim Values](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#changes-in-amr-claim-values) * [Change in naming](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#change-in-naming) * [Provision of all form factors when face verification is used](https://docs.developer.singpass.gov.sg/docs/technical-specifications/changelog#provision-of-all-form-factors-when-face-verification-is-used) Was this helpful? Copy { "sub": "s=S8829314B,u=1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9" } Copy { "sub": "1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9", "sub_type": "user" "sub_attributes": { "account_type": "standard", "identity_number": "S8829314B", "identity_coi": "SG" } } Copy { "sub": "s=G4542206U,u=1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9" } Copy { "sub": "1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9", "sub_account": { "account_type": "standard", "identity_number": "G4542206U", "identity_coi": "SG" } } Copy { "sub": "s=Y7613265T,fid=G730Z-H5P96,coi=DE,u=e2af740e-25b4-4b19-b527-494670952cb0" } Copy { "sub": "e2af740e-25b4-4b19-b527-494670952cb0", "sub_account": { "account_type": "foreign", "identity_number": "G730Z-H5P96", "identity_coi": "DE" } } Copy { "uinfin": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "S9000001B" }, "name": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "SOH HAO FENG" }, "iss": "https://stg-id.singpass.gov.sg", "sub": "s=S9000001B,u=d45d8f21-6178-4713-b962-8635ed2a945a", "aud": "tWT3rfImn9hCezlLr0M1nRUvQ40fCNL4", "iat": 1746678089 } Copy { "person_info": { "uinfin": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "S9000001B" }, "name": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "SOH HAO FENG" }, } "iss": "https://stg-id.singpass.gov.sg", "sub": "d45d8f21-6178-4713-b962-8635ed2a945a", "aud": "tWT3rfImn9hCezlLr0M1nRUvQ40fCNL4", "iat": 1746678089 } --- # Myinfo (v4) apps | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#overview) Overview -------------------------------------------------------------------------------------------------------------------------------------- The protocol used by Myinfo (v4) apps is largely similar to the one used by the new FAPI 2.0 API. The changes required mostly involve configuring new Myinfo (v5) apps, adopting Pushed Authorization Requests, and making minor changes to your request/response parsing. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#creating-new-app) Creating New App ------------------------------------------------------------------------------------------------------------------------------------------------------ Before you start on the new integration, you must first create a new Myinfo (v5) app on the Singpass Developer Portal. Your existing Myinfo (v4) app cannot be used for the new integration. Refer to our User Guide to understand how to create your [staging app](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-app) (for testing purposes) and your [production app](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-production-app) . Note that Myinfo (v5) apps should only have a single purpose. If your current Myinfo (v4) app has multiple purposes, you will need to create a new Myinfo (v5) app for each purpose. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#changes-required) Changes Required ------------------------------------------------------------------------------------------------------------------------------------------------------ Listed below are the changes that you will need to make to your existing integration for it to work with the new authentication API. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#general) General #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-1.-update-custom-scheme-urls) 1\. Update custom scheme URLs The new Authentication API no longer supports the use of custom scheme URLs (i.e. URLs that do not start with `https://` ) as redirect URLs or app launch URLs. If you are currently integrating with Singpass via an Android or iOS app, and rely on such URLs for redirection back to the mobile app, you will need to change these URLs to use app-claimed HTTPS URLs instead. App-claimed HTTPS URLs are HTTPS URLs which, when opened on a mobile device, will launch your mobile app. Android applications support app-claimed HTTPS URLs via Android App Links, while iOS applications support them via universal links. Read the [official Android documentationarrow-up-right](https://developer.android.com/training/app-links) and the [official iOS documentationarrow-up-right](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) to understand how to implement Android App Links and universal links respectively. Once your applications support redirection via app-claimed HTTPS, you should update your app's configuration in the Singpass Developer Portal to add your new HTTPS URLs. Refer to our [Singpass Developer Portal User Guide](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-production-app) if you are unsure on how to do this. You will also need to update your backend integration with us. Specifically, you will need to change these parameters in your authorization request: 1. The `redirect_uri` and `app_launch_url` parameters must be updated to use the new HTTPS URLs that you have configured. 2. The `redirect_uri_https_type` parameter in the authorization request should be added with a value of `app_claimed_https` , to indicate that the redirection is being done using an app-claimed HTTPS URL. Once the backend changes are completed and deployed, you should proceed to remove the old custom scheme URLs from your app's configuration in the Singpass Developer Portal. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#authorization-request) Authorization Request #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-1.-use-pushed-authorization-request) 1\. Use pushed authorization request In your existing integration, you would have sent the authorization request by redirecting the user to the authorization endpoint, with the authorization request parameters being included as query parameters. In the new integration, you should instead send the authorization request parameters by first sending the authorization request parameters via a pushed authorization request, which will return a short-lived `request_uri` in the response. You should then redirect the user the user to the authorization endpoint, with the `request_uri`, together with your `client_id`, as query parameters. Note that the DPoP header needs to be sent when making the pushed authorization request. The DPoP header that you send for this request should be generated in the same way as the DPoP header you currently generate when calling the token API for your Myinfo (v4) app. For more details, you may refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) . #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-2.-remove-parameters-that-are-no-longer-used) 2\. Remove parameters that are no longer used There are some parameters in the authorization request which are no longer required in the new API. These parameters should be removed from the authorization request: * `subentity_id` * `purpose_id` (this will be configured in the Singpass Developer Portal instead of being sent for every request) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-3.-ensure-app_launch_url-is-pre-registered-in-the-singpass-developer-portal) 3\. Ensure app\_launch\_url is pre-registered in the Singpass Developer Portal In the new Authentication API, the app launch URLs must be pre-registered with us when you configure your app in the Singpass Developer Portal. If you use the `app_launch_url` parameter, you will need to ensure that the value you are sending in this parameter has been pre-registered in your app's configuration. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-4.-add-nonce-and-state-parameter) 4\. Add nonce and state parameter You are required to include a `nonce` and `state` in your authorization request for the new API. Refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#basic-oidc-parameters) to understand how these parameters should be generated and what they are used for. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#token-exchange) Token Exchange #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-1.-parse-the-id-token) 1\. Parse the ID token In the new API, the token request returns an encrypted ID token in addition to the access token. You should decrypt this ID token and perform verification checks to ensure that it is legitimate. Read our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) to understand how to perform the decryption and what sort of verification checks are required. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-2.-update-your-client-assertion-implementation) 2\. Update your client assertion implementation You should no longer include `cnf.jkt` in the JWT payload for your client assertion. Aside from this change, the method to generate the client assertion should be the same as the method you are currently using for your Myinfo (v4) app. Refer to our [guide on generating client assertions](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) for the full reference on generating client assertions for the new API. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#userinfo-request) Userinfo Request The userinfo request replaces the Person API call used in Myinfo (v4), but the authentication mechanism is the same. Refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-request) to view a sample request. Here's a quick comparison of the two endpoints: Userinfo Person API Request Response #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-1.-remove-sub-from-the-path) 1\. Remove sub from the path In Myinfo (v4), you were required to pass the `sub` from the access token as a path parameter when calling the Person API. This is no longer required in the new API. You should no longer perform any parsing of the access token. If you still wish to obtain the UUID of the user, you should do so by parsing the ID token instead. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-2.-remove-all-query-parameters) 2\. Remove all query parameters The new API does not require any query parameters in the userinfo request. All of the user's data belonging to the scopes requested during the Authorization request will be returned. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#id-3.-handle-the-new-format-of-the-userinfo-response) 3\. Handle the new format of the userinfo response The userinfo response has a slightly different format compared to the response of the Person API. The format of the data itself remains unchanged - the only difference is that the data is now nested inside a `person_info` field. You will thus need to update your parsing logic to extract the user's data from the `person_info` field, instead of from the root of the response data. [PreviousMyinfo (v3) appschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps) [Next(Legacy) Pre-FAPI 2.0 API Specificationschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api) Last updated 23 days ago Was this helpful? * [Overview](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#overview) * [Creating New App](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#creating-new-app) * [Changes Required](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#changes-required) * [General](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#general) * [Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#authorization-request) * [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#token-exchange) * [Userinfo Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps#userinfo-request) Was this helpful? Copy GET /userinfo HTTP/1.1 Host: id.singpass.gov.sg Authorization: DPoP eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJ1c2VyLWphbmUtZG9lIiwiYXVkIjoiaHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20vZGF0YSIsImV4cCI6MTc1NjczMDM4MCwiaWF0IjoxNzI1MTk0MzgwLCJqdGkiOiJ0eC0xMjMtYWJjIiwiY25mIjp7ImprdCI6Ik93SWlGaVl2T0NXRkpiV1hlbUdUZzRtU1NYQkNwZk9NaFhRV21XOTBVSEEifX0.dGhpcy1pcy1hLXBsYWNlaG9sZGVyLXNpZ25hdHVyZS1hcy1pdC1yZXF1aXJlcy1hLXByaXZhdGUta2V5 DPoP: eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiQXNWakh4elZ4MURaNnNKcEpzUnM2ek5YYXFmcFR3UmNfcXV0bWw0aEFJQSIsInkiOiI0SkhwVVZDRE5DaXhOTW9OclIzSElodFRzTWNfMF9NcmdpMzJxR3VoUkQ4In19.eyJqdGkiOiIyZmM3Y2Q4ZC0xN2IzLTRlYTUtYTg4ZC1lZWM0NTY5M2JhZDQiLCJodG0iOiJHRVQiLCJodHUiOiJodHRwczovL2lkLnNpbmdwYXNzLmdvdi5zZy91c2VyaW5mbyIsImlhdCI6MTc1NjcwODI0N30.wBYjFQRzY2o5aG82LjR1X8qT9bZ-jK3c7hI5fE0gP9vR_7sU6tW5xV4yZ3aB2cE1dF0eG9hI8jJ7kL6mN5oP4qR Copy GET /com/v4/person/{sub}?scope=name,uinfin HTTP/1.1 Host: api.myinfo.gov.sg Authorization: DPoP eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJ1c2VyLWphbmUtZG9lIiwiYXVkIjoiaHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20vZGF0YSIsImV4cCI6MTc1NjczMDM4MCwiaWF0IjoxNzI1MTk0MzgwLCJqdGkiOiJ0eC0xMjMtYWJjIiwiY25mIjp7ImprdCI6Ik93SWlGaVl2T0NXRkpiV1hlbUdUZzRtU1NYQkNwZk9NaFhRV21XOTBVSEEifX0.dGhpcy1pcy1hLXBsYWNlaG9sZGVyLXNpZ25hdHVyZS1hcy1pdC1yZXF1aXJlcy1hLXByaXZhdGUta2V5 DPoP: eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiQXNWakh4elZ4MURaNnNKcEpzUnM2ek5YYXFmcFR3UmNfcXV0bWw0aEFJQSIsInkiOiI0SkhwVVZDRE5DaXhOTW9OclIzSElodFRzTWNfMF9NcmdpMzJxR3VoUkQ4In19.eyJqdGkiOiIyZmM3Y2Q4ZC0xN2IzLTRlYTUtYTg4ZC1lZWM0NTY5M2JhZDQiLCJodG0iOiJHRVQiLCJodHUiOiJodHRwczovL2lkLnNpbmdwYXNzLmdvdi5zZy91c2VyaW5mbyIsImlhdCI6MTc1NjcwODI0N30.wBYjFQRzY2o5aG82LjR1X8qT9bZ-jK3c7hI5fE0gP9vR_7sU6tW5xV4yZ3aB2cE1dF0eG9hI8jJ7kL6mN5oP4qR Copy { "person_info": { "uinfin": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "S9000001B" }, "name": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "SOH HAO FENG" } }, // above scopes are returned in the same format as the Myinfo Get Person response "iss": "https://id.singpass.gov.sg/fapi", "sub": "d45d8f21-6178-4713-b962-8635ed2a945a", "aud": "T5sM5a53Yaw3URyDEv2y9129CbElCN2F", "iat": 1746678089 } Copy { "uinfin": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "S9000001B" }, "name": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "SOH HAO FENG" } } --- # Testing with Singpass App | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Refer to guide below to test your integration with Staging Singpass App on QR authentication or 2FA Authentication. [![Logo](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2Fpartnersupport.singpass.gov.sg%2Fhc%2Ftheming_assets%2F01JCPYZAK4QV117PRTK0GBSZH7&width=20&dpr=3&quality=100&sign=d3673e37&sv=2)Staging Singpass App Installation Tutorial GuidePartner Support Centerchevron-right](https://partnersupport.singpass.gov.sg/hc/en-sg/articles/33107472981657-Staging-Singpass-App-Installation-Tutorial-Guide#01HZ3YJQC5AF7BW8V4CXV5ZWQQ) [PreviousToken-based Authenticationchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/token-based-authentication) [NextMyinfo Test Personaschevron-right](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas) Last updated 11 months ago Was this helpful? Was this helpful? --- # Requesting Userinfo | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. Clients must present a valid access token (of type `Bearer`) to retrieve the UserInfo claims. This access token is produced from the [token endpoint](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#http-response) . Only those claims that are scoped in the successful authentication request will be made available to the client. Example request to get the `userinfo` claims: Copy GET /userinfo HTTP/1.1 Host: id.singpass.gov.sg Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6ImF0K2p3dCIsImtpZCI6ImFsaWFzL3ByZC1zcC1hdXRoLWFwaS1pZC10b2tlbi1zaWduaW5nLWtleS1rbXMtYXN5bW1ldHJpYy1rZXktYWxpYXMifQ.eyJzdWIiOiJzPVM2NTAwMDEwRSx1PWIyMGVhNjRhLTc2OTQtNDQyZi04Njc0LTRjMDVkNmQ5NDdmZiIsImNsaWVudF9pZCI6Ik9RYnNHU0NUNWRzUEhmUWdGbGlieUZud1g0YUpXYWlaIiwic2NvcGUiOiJvcGVuaWQgdWluZmluIG5hbWUgYmlydGhjb3VudHJ5IGRpYWxlY3QgZG9iIGhhbnl1cGlueWlubmFtZSBuYXRpb25hbGl0eSBwYXNzcG9ydGV4cGlyeWRhdGUgcGFzc3BvcnRudW1iZXIgcmFjZSByZXNpZGVudGlhbHN0YXR1cyBzZWNvbmRhcnlyYWNlIHNleCIsImp0aSI6ImF0LWJRTmEtT2FveEdvdXh3TTFiSmtsTU5leFNvSjJLOXJOcGdFS0wyb0ptcEEiLCJpYXQiOjE3Mjg2MjIxMTksImV4cCI6MTcyODYyMzkxOSwiYXVkIjoiaHR0cHM6Ly9pZC5zaW5ncGFzcy5nb3Yuc2cvdXNlcmluZm8iLCJpc3MiOiJodHRwczovL2lkLnNpbmdwYXNzLmdvdi5zZyJ9.3KjEQKXEhc88e6mRCv6sIe4U-psd1Pe4hLp7hQCN6MQGcHNFHpL8lmJ3B-RAxeunb-HKAxQLfSWnzpu767EQYQ Example response: Copy HTTP/1.1 200 OK Content-Type: application/jwt; eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwiYWxnIjoiRUNESC1FUytBMjU2S1ciLCJraWQiOiJ0ZXN0LXJwLWtleS0wMSIsImVwayI6eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6IjZkWHpIbFBFT2d0c0ZCZlc0THRlNlV3a00taXk2NGJ0dkF2c0R2WTYtd00iLCJ5IjoiZDRTZkdrYnRiZ19lakhPZnJ6Ul9fU2R1b0tCYVluVHVKbU84Uk0zUWFENCJ9fQ.jZi6w7zl9Tbl0t-AucyVCIzoaztu6QAtvQh4eegdBQ5ekTRJBPhChtuaT0WLVRsWd7WFmiZA3R27VVs6ZoYZy2_Oq7-SfNpZ.FhY_KkI5FhrsEz-v77SrwQ.rGdyiIXNvn_pra6AW48V_zIR59C4qDVL0JdJ9lmz9OLmnepy4X2ZpfbvaU54NU6d94g9KjWRYUprqoFLBQJB2c1_87qfCT-phkluJOYX0nyEIHahYvqADmxd7wtu3KguYEz45EPa2mSLgYM6ieUsR0Mw5s9pUjPkl3TomSIeN-4K9ZebeyPbkygxiT7bX74o31ODqXRDED-2kqeTpuqs6Dx92sUV-HNhPDIVnYp7nJurqvh46mF4Zt83OuH3QDOVmQsQQxYUupE95vfRZae9cQx8ZMrGTC-GSXNAqv2Gd6q5V4n9FFBwsOvsn-Gwd6i3gxYKMYr8k4jRQ2ykBYtFWMryeBZQCBhHaZEpcbZFCgLaD5XvXmWjNwA1Qm_gkPBF6Luhm6wYgjURxCwA7FQx4sZkrNL5jZjTfRaW38GiBHnvTXEPdGFVzXwIohVVqCCFr7nrf1uQfq1UXKduZVrtcTLnX7v1-sVEhpFyGFCmDtKAtQSaLvg4IMDK7U943NgB3ddRjJK4PQuBtivexSBgJc_RRIKIBKIQJxI3WYId0-WxmDsMSzgCZ5iJWIfKqUEAbhImtK2vzcqNs8obgEeIfzZPYd9g977l0PgPiJzfoCBQDirxu-ftEOLlepT6YIMnetSbrs3y6bQDjdMBv-SDXHRwFT7qRZefdoUSV9yhsN52_U4P8W7u4l_uUJWZHZyhxgMDg7AluRBSPG2g4ti7I8B_3cYsEY9m4YYYMLlIhhM5cRg4KfJeoRH7UK9unkNeyGRjLLRLwisL3tQN1KsPdVeaAUYOuFKtaz-3U8lW3zprYdeJ0cNERiToczOjmpvv.PUNV3te9SF7OgGY8UFbIzTBJy7iJhBb4RDy9Kj5cuFc circle-check An access token can be re-used up to its validity period of thirty (30) minutes. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/3.-userinfo-endpoint/requesting-userinfo#error-response) **Error Response** Singpass generally follows OIDC error response specifications. For more information, please refer to the [Userinfo error response specificationsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError) . * * * **An access token is only valid for 30 minutes**. Sending a request to the `/userinfo` endpoint beyond its lifetime will result in an `invalid_token` error: Copy HTTP/1.1 401 Unauthorized Date: Wed, 09 Oct 2024 10:49:52 GMT Content-Type: application/json; charset=utf-8 {"id":"afc64481-a01b-44c8-a716-52ef45c9c527","error":"invalid_token","error_description":"An error has occurred.","trace_id":"1-67065fd0-079db77d1f7a760e616f2271"} [Previous3\. Userinfo Endpointchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/3.-userinfo-endpoint) [NextValidating the payloadchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/3.-userinfo-endpoint/validating-the-payload) Last updated 2 months ago Was this helpful? Was this helpful? --- # .well-known Endpoints | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [OpenID Discovery Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/.well-known-endpoints/openid-discovery-endpoint) [JWKS Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/.well-known-endpoints/jwks-endpoint) [PreviousValidating the payloadchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/3.-userinfo-endpoint/validating-the-payload) [NextOpenID Discovery Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/.well-known-endpoints/openid-discovery-endpoint) Last updated 2 months ago Was this helpful? Was this helpful? --- # Redirection on success | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. Once the user has authenticated successfully, Singpass will redirect the browser to the RP’s registered `redirectUri` along with the `code` and `state` parameters or an interstitial page for users have launched authentication from the RP’s native app. The interstitial page is required to solicit a user interaction for launching from certain in-app browsers. Singpass will redirect to the interstitial page if the `redirectUri` is custom-schemed or app-claimed HTTPS. To specify that the `redirectUri` is an app-claimed HTTPS, the RP must include the query parameter `redirect_uri_https_type=app_claimed_https` at [Authorization endpoint](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint) . Example redirect location: `**https://partner.gov.sg/redirect?code=XcyzlSeX1hIyJFlstxsSF_UeXC5DtiYkFgJ8VVx52mg&state=NGRlZThmNzQtZDU5YS00YTY1LWFkODItYmE4NDA4Y2UwY2Uw**` Parameter Description code A securely generated random number in **base64-url** format. This parameter must be sent to the [Token endpoint](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint) along with others to exchange for the user’s ID token. state The same `state` parameter provided to the [Authorization endpoint](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint) . Once redirected, the RP should invoke the [Token endpoint](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint) to obtain an ID token and complete the login process. > Note: The `code` parameter has a lifetime of **2 minutes**. RPs must exchange it for an ID token within this period. [Previous1\. Authorization Endpointchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint) [NextFor Mobile Developerschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint/for-mobile-developers) Last updated 2 months ago Was this helpful? Was this helpful? --- # Error Response | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. Singpass APIs are RESTful in design and communicate classes of errors based on the **HTTP status code**. The status code should be used to determine if the error is caused by consumer or provider. Consumers should log the HTTP status code along with the `id` and/or `trace_id` of the error. HTTP Status Description 4xx Errors caused by API consumer. You can expect codes such as 400, 401, 403, 404 etc. if incorrect requests are made to APIs. Example: **400 Bad Request due to invalid/missing request arguments** 5xx Errors caused by API provider or its dependencies. You can expect codes such as 500, 502, 503 etc if there is an issue on Singpass or its dependencies. Example: **500: Internal Server Error due to some kind of programming error.** Example: Invalid Request Parameters Copy HTTP/1.1 400 Bad Request Connection: keep-alive Cache-Control: no-cache, no-store, must-revalidate Transfer-Encoding: chunked Content-Type: application/json Date: Thu, 26 Sep 2024 03:36:41 GMT Content-Length: 190 { "id" : "bcba4bc3-534e-4891-bfa2-e872b4502d80", "error" : "CLIENT_SIDE_ERROR", "error_description" : "This is an invalid request.", "trace_id" : "66f4d6c93a23476106150eb7c40d7dc9" } Example: Server Error Path Type Description `id` `String` The unique identifier for this error/request. Please log this identifier for support and debugging purposes. `trace_id` `String InstanceOfAssertFactory` (Optional) An auxiliary id for request correlation across services. Please also log this identifier for operational support and debugging purposes. `error` `String` Error code representing broad class of error; likely to be one of CLIENT\_SIDE\_ERROR, ARGUMENTS\_NOT\_VALID, SERVER\_SIDE\_ERROR, TOO\_MANY\_REQUESTS. However, specific error codes can be returned for some endpoints, in which case you may find more details in the documentation for that endpoint. `error_description` `String` Returns human readable general information about the reason for the error. Note that due to security reasons; detailed information is unlikely to be available in this message. [PreviousJWKS Endpointchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/.well-known-endpoints/jwks-endpoint) [NextPricingchevron-right](https://docs.developer.singpass.gov.sg/docs/pricing/pricing) Last updated 2 months ago Was this helpful? Was this helpful? Copy HTTP/1.1 500 Internal Server Error Cache-Control: no-cache, no-store, must-revalidate X-XSS-Protection: 0 X-Frame-Options: DENY Date: Thu, 26 Sep 2024 03:36:41 GMT Connection: keep-alive Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff Transfer-Encoding: chunked Content-Type: application/json Content-Length: 192 { "id" : "bcba4bc3-534e-4891-bfa2-e872b4502d80", "error" : "SERVER_SIDE_ERROR", "error_description" : "An unexpected error occurred.", "trace_id" : "66f4d6c97ef952fbff9f2d20f6b826f9" } --- # 1. Authorization Endpoint | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. > NOTE: This section is only applicable for the Redirect Authentication Flow. Upon user action (e.g. user clicks on a login button on the RP’s website), the RP should redirect the User Agent (browser) to Singpass's authorization endpoint with the request parameters documented below. See [OpenID connect specsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint) for more details. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#sample-request) Sample Request ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ > NOTE: The actual GET request is made by the browser - RPs only need to construct the URL and redirect the browser to it. Copy $ http GET 'https://stg-id.singpass.gov.sg/auth?scope=openid&response_type=code&redirect_uri=https%3A%2F%2Fpartner.gov.sg%2Fredirect&nonce=bb5e1672-a460-4a9b-874e-c38d55ac3922&client_id=T5sM5a53Yaw3URyDEv2y9129CbElCN2F&state=dGVzdCBzdHJpbmcK&code_challenge=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&code_challenge_method=S256' [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#sample-response) Sample Response -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This will be a 302 response that redirects the browser to the Singpass login page. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#request-parameters) Request Parameters -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Parameter Description `scope` **Mandatory**. A string value where `openid` is the minimum scope value. **For** `**/userinfo**` **flows:** Multiple scope values MAY be used by creating a space-delimited, case-sensitive list of ASCII scope values. For example, `openid name uinfin`. See [OIDC Scope Values specificationsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) for more details. The full list of supported scopes for Singpass can be found [here](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog) . `response_type` The authorization processing flow to be used. Supported value is `code` for the Authorization Code Flow. `client_id` The `clientId` provided by Singpass during onboarding. It is the App ID found at the top of your app configuration page. `redirect_uri` The URL that Singpass will eventually redirect the user to after the user completes the login process using the Singpass App. The value will be validated against the list of redirect URIs that were pre-registered with Singpass during onboarding. `nonce` A session-based, unique, and non-guessable value that the RP should generate per auth session. This parameter should ideally be generated and set by the RP’s backend and passed to the frontend. As part of threat modelling, NDI is requesting for the nonce parameter so as to mitigate MITM replay attacks against the ASP Service’s Token Endpoint and its resulting ID Token. This parameter serves the same purpose as [OIDC 1.0’s nonce parameterarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) . Maximum of 255 characters. We recommend that you use a hex-encoded random number such as `java.security.SecureRandom` or `UUIDv4`. `state` A session-based, unique, and non-guessable value that the RP should generate per auth session. This parameter should ideally be generated and set by the RP’s backend and passed to the frontend. As part of threat modelling, NDI is requesting for the state parameter so as to mitigate replay attacks against the RP’s redirection endpoint (`redirectUri`). This parameter serves the same purpose as [OAuth 2.0’s `state` parameterarrow-up-right](https://tools.ietf.org/html/rfc6749#section-4.1.1) . Maximum of 255 characters. Must match `regexp` pattern of `[A-Za-z0-9/+_-=.]+,`. `code_challenge` The hash of a code verifier generated using the hash method specified in `code``_challenge_method_`_. This is to enable Proof Key for Code Exchange (PKCE). This is an extension to the authorization code flow to prevent CSRF and authorization code injection attacks. Refer_ [_here_arrow-up-right](https://www.rfc-editor.org/rfc/rfc7636) _for more details about PKCE._ _Must match_ `_regexp_` _pattern of_ `_[a-zA-Z0-9_``-]{43} (Mandatory)`. `code_challenge_method` The method used to generate the `code_challenge` from the code verifier. Only `S256` is supported. (Mandatory) `redirect_uri_https_type` (Required if the `redirect_uri` uses is an [app-claimed HTTPS URLarrow-up-right](https://datatracker.ietf.org/doc/html/rfc8252#section-7.2) ) Supported values are `app_claimed_https` and `standard_https` (default). This value is ignored if the `redirect_uri` has a custom scheme. `app_launch_url` (Optional) Intended for iOS mobile apps which use QR authentication via redirect auth. This adds the possibility for the user to be redirected back to the provided App Link after they successfully authorize themselves on the Singpass App. The value passed here should be the App Link registered with Apple’s App Store. The provided value will be validated according to the list of app launch URLs which the RP has pre-registered with NDI. `esrvc` (Special case internal use only) eService ID value for multi-tenant RPs / Singpass OIDC bridge. The value will be validated against registered eServices or registered RP’s `client_external_id`. `acr_values` (Special case internal use only) Authentication Context Class Reference passed by the Singpass Portal kickoff endpoint. Will be forwarded to Singpass OIDC authorization endpoint if provided. Refer to this table to determine whether to include the `app_launch_url` param: Authenticating From app\_launch\_url Param Relying Party website Do not include Relying Party website on a mobile browser Do not include Relying Party mobile app Can include [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#error-response) Error Response ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Singpass generally follows OIDC error response specifications. For more information, please refer to [Authorization Error Response specificationsarrow-up-right](https://tools.ietf.org/html/rfc6749#section-4.1.2.1) . [PreviousOverview of Singpass Flowchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/overview-of-singpass-flow) [NextRedirection on successchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint/redirection-on-success) Last updated 2 months ago Was this helpful? * [Sample Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#sample-request) * [Sample Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#sample-response) * [Request Parameters](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#request-parameters) * [Error Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#error-response) Was this helpful? --- # Login / Myinfo (v5) apps | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#overview) Overview -------------------------------------------------------------------------------------------------------------------------------------------- If you are migrating an existing Login or Myinfo (v5) app, there will not be any need for you to create a new app in the Singpass Developer Portal. Instead, you can integrate with the new authentication API using your existing app. During the migration process, you can simultaneously have integrations with both the old authentication API and the new one. How this will work will be as follows: * If you send the authorization request parameters via [pushed authorization request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) , then the new API will be used for that authentication flow. * If you send the authorization request parameters via a [browser redirect to the authorization endpointarrow-up-right](https://github.com/SingpassPX/dev-docs/blob/main/technical-specifications/singpass-authentication-api/1.-authorization-endpoint) , then the old API will be used for that authentication flow. This will allow you to test your new integration or to perform a staged rollout of the new integration in production without affecting the existing integration, so long as pushed authorization requests are only used when the new API is going to be used. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#changes-required) Changes Required ------------------------------------------------------------------------------------------------------------------------------------------------------------ Listed below are the changes that you will need to make to your existing integration for it to work with the new authentication API. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#general) General #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-1.-implement-demonstration-of-proof-of-possession-dpop) 1\. Implement Demonstration of Proof of Possession (DPoP) DPoP is a security mechanism in which the access token and authorization code is bound to a private key that is known only to you, preventing malicious parties from using your code or token. Read our [guide to DPoP](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) to understand how to implement it. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-2.-handle-authentication-error-responses) 2\. Handle Authentication Error Responses In the old Authentication API, we do not always redirect back to your redirect URL when an error occurs. In the new API, we will be redirecting back to your redirect URL on most errors, with an Authentication Error Response, which is specified in [section 3.1.2.6 of the OpenID specificationsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#AuthError) . You should refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect) to understand how to handle these responses. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-3.-update-custom-scheme-urls) 3\. Update custom scheme URLs The new Authentication API no longer supports the use of custom scheme URLs (i.e. URLs that do not start with `https://` ) as redirect URLs or app launch URLs. If you are currently integrating with Singpass via an Android or iOS app, and rely on such URLs for redirection back to the mobile app, you will need to change these URLs to use app-claimed HTTPS URLs instead. App-claimed HTTPS URLs are HTTPS URLs which, when opened on a mobile device, will launch your mobile app. Android applications support app-claimed HTTPS URLs via Android App Links, while iOS applications support them via universal links. Read the [official Android documentationarrow-up-right](https://developer.android.com/training/app-links) and the [official iOS documentationarrow-up-right](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) to understand how to implement Android App Links and universal links respectively. Once your applications support redirection via app-claimed HTTPS, you should update your app's configuration in the Singpass Developer Portal to add your new HTTPS URLs. Refer to our [Singpass Developer Portal User Guide](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-production-app) if you are unsure on how to do this. You will also need to update your backend integration with us. Specifically, you will need to change these parameters in your authorization request: 1. The `redirect_uri` and `app_launch_url` parameters must be updated to use the new HTTPS URLs that you have configured. 2. The `redirect_uri_https_type` parameter in the authorization request should be added with a value of `app_claimed_https` , to indicate that the redirection is being done using an app-claimed HTTPS URL. Once the backend changes are completed and deployed, you should proceed to remove the old custom scheme URLs from your app's configuration in the Singpass Developer Portal. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#authorization-request) Authorization Request #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-1.-use-pushed-authorization-request) 1\. Use pushed authorization request In your existing integration, you would have sent the authorization request by redirecting the user to the authorization endpoint, with the authorization request parameters being included as query parameters. In the new integration, you should instead send the authorization request parameters by first sending the authorization request parameters via a pushed authorization request, which will return a short-lived `request_uri` in the response. You should then redirect the user the user to the authorization endpoint, with the `request_uri`, together with your `client_id`, as query parameters. For more details, you may refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) . #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-2.-add-parameters-for-proof-key-for-code-exchange-pkce) 2\. Add parameters for Proof Key for Code Exchange (PKCE) PKCE is required for all apps in the new API. If you are not yet sending `code_challenge` and `code_challenge_method` in your authentication request, you are required to do so for the new API. Read our [guide on PKCE](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce) to better understand what you need to do. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-3.-only-for-login-apps-add-authentication_context_type-to-the-authentication-request) 3\. (Only for Login apps) Add authentication\_context\_type to the authentication request If you are integrating using a Login app, you will need to add a new parameter called `authentication_context_type` into the authorization request parameters, which should be sent as part of the pushed authorization request. Read more about this new parameter in our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#singpass-specific-parameters) . ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#token-exchange) Token Exchange #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-1.-implement-decryption-of-the-id-token) 1\. Implement decryption of the ID token In the new authentication API, all ID tokens will be encrypted. You will need to implement ID token decryption if you are currently receiving unencrypted ID tokens during token exchange. Additionally, you must add an encryption key to your JWKS if you do not already have one. circle-info You will be receiving unencrypted ID tokens if your app's profile type is set to "UUID Only". You can view your app's profile type in the [Singpass Developer Portalenvelope](https://docs.developer.singpass.gov.sg/cdn-cgi/l/email-protection#43362d2726252a2d2627) . No changes are required if you are already performing decryption of the ID token. You can refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) to better understand how the ID token is being encrypted. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-2.-update-parsing-of-the-sub-claim) 2\. Update parsing of the sub claim Previously, the `sub` claim in the ID token contained comma-separated key-value pairs containing various attributes. It now contains only the user's UUID: Previous New Due to this change, you should remove any custom parsing logic that you have previously implemented to extract the values of each field from the `sub` claim. If you require only the user's UUID, you can now simply read the value of the `sub` claim without needing any more parsing. Read the next section if you require other details that was previously in the `sub` claim. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-3.-request-for-the-new-user.identity-scope-and-read-the-new-sub_attributes-claim) 3\. Request for the new `user.identity` scope and read the new `sub_attributes` claim In your current integration, you may be retrieving the following information from the `sub` claim in the ID token: * The user's NRIC/FIN * The user's foreign ID or the country of issuance for the foreign ID (for Singapore Foreign Account users) In the new integration, this information is now instead returned in a newly introduced `sub_attributes` claim in the ID token. For this new claim to be returned, you must first update your app's configuration in the Singpass Developer Portal to request for the new `user.identity` scope for your app. Refer to our [Singpass Developer Portal User Guide](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-production-app) if you are unsure on how to do this. Once the new scope has been approved, the `sub_attributes` claim will be returned in the ID token if you are using the new API. Refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token#the-sub_account-claim) to understand the structure of this new claim. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#userinfo-request) Userinfo Request #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-1.-handle-the-new-format-of-the-userinfo-response) 1\. Handle the new format of the userinfo response The userinfo response will have a slightly different format. The format of the data itself remains unchanged - the only difference is that the data is now nested inside a `person_info` field. You will thus need to update your parsing logic to extract the user's data from the `person_info` field, instead of from the root of the response data. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#id-2.-update-authorization-header-prefix-to-be-dpop-instead-of-bearer) 2\. Update Authorization header prefix to be DPoP instead of Bearer In the old API, the Authorization header would have been sent as a bearer token, in this format: In the new API, it should be sent with a `DPoP` prefix instead: [PreviousMigration Guideschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides) [NextMyinfo (v3) appschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps) Last updated 1 month ago Was this helpful? * [Overview](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#overview) * [Changes Required](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#changes-required) * [General](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#general) * [Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#authorization-request) * [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#token-exchange) * [Userinfo Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps#userinfo-request) Was this helpful? Copy { "sub": "s=S8829314B,u=1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9" } Copy { "sub": "1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9" } Copy Authorization: Bearer Copy Authorization: DPoP --- # Allowed Scopes | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This allows the selection of [scopes](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog) for your digital service/application. circle-info For production environment, every additional scope needs to be reviewed by the Singpass Admin and goes through an approval process. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fyy0L4kaBbIaXRRGa74qT%252Fimage.png%3Falt%3Dmedia%26token%3Dae1ebcc3-e01f-460c-81a5-655ff6b3ec5f&width=768&dpr=3&quality=100&sign=6169df78&sv=2) Singpass Developer Portal App Config Page - Allowed Scopes field [PreviousSupport Emailschevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/support-emails) [NextRedirect URLchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/redirect-url) Last updated 1 year ago Was this helpful? Was this helpful? --- # Redirect URL | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close A redirect URL is a URL in your digital service/application that Singpass will use to redirect users after they have been authenticated or when the ID Token is being returned. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FVPh25Z56QSThiJU8naqQ%252Fimage.png%3Falt%3Dmedia%26token%3De803af59-2df5-4ee1-9563-059d7185a760&width=768&dpr=3&quality=100&sign=e3010435&sv=2) Singpass Developer Portal App Config Page - Redirect URL field circle-exclamation URL with IP address (e.g. https://123.123.1.1) is not allowed. [PreviousAllowed Scopeschevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/allowed-scopes) [NextToken-based Authenticationchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/token-based-authentication) Last updated 2 months ago Was this helpful? Was this helpful? --- # Token-based Authentication | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Select the token-based authentication type. This will be used by Singpass for verification and encryption purposes. You can do so only via one of the following forms: * **JWKS Endpoint** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FGtSiJPZ56uvACWgAIYz4%252Fimage.png%3Falt%3Dmedia%26token%3D52a3f3c2-b847-4663-9229-ac6fa7108866&width=768&dpr=3&quality=100&sign=2d5e3c3&sv=2) * **JWKS Object** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FhgogppiyYgoAgXq8g7SF%252Fimage.png%3Falt%3Dmedia%26token%3D13334bd9-68c7-4dcf-890f-c656e4b26ef7&width=768&dpr=3&quality=100&sign=d47de1ef&sv=2) Singpass Developer Portal App Config Page - Token-based authentication field [PreviousRedirect URLchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/redirect-url) [NextTesting with Singpass Appchevron-right](https://docs.developer.singpass.gov.sg/docs/testing/testing-with-singpass-app) Last updated 2 months ago Was this helpful? Was this helpful? --- # App Name | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close This app name is the name of your digital service/application. This will appear on the consent page that your users will see when they give consent to login to your digital service. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FFHr2zjwX8AXfDmXM63kN%252Fimage.png%3Falt%3Dmedia%26token%3Df27714f4-4ed4-4ddf-9902-96a43661b129&width=768&dpr=3&quality=100&sign=d0eedbe1&sv=2) Singpass Developer Portal App Config Page - App name field ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FEabLckL7oimysaEW5zbn%252FScreenshot%25202024-10-14%2520at%252011.12.18%25E2%2580%25AFAM.png%3Falt%3Dmedia%26token%3D2e651630-11ae-4763-b35d-05aa26d93c80&width=768&dpr=3&quality=100&sign=e845845b&sv=2) Singpass Consent Page [PreviousUnderstanding the App Config Fieldschevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields) [NextApp Descriptionchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/app-description) Last updated 2 months ago Was this helpful? Was this helpful? --- # Contact | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close If you have any other queries, please go to [partnersupport.singpass.gov.sgarrow-up-right](http://partnersupport.singpass.gov.sg/) and submit a request. [![Logo](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2Fpromptly.hack2026.com.sg%2Ffavicon.ico&width=20&dpr=3&quality=100&sign=f424b90a&sv=2)PromptlyPromptlychevron-right](https://promptly.hack2026.com.sg/ask/sdp) [PreviousMyinfo Test Personaschevron-left](https://docs.developer.singpass.gov.sg/docs/testing/myinfo-test-personas) Last updated 2 months ago Was this helpful? Was this helpful? --- # Understanding the App Config Fields | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [App Namechevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/app-name) [App Descriptionchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/app-description) [Site URLchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/site-url) [Support Emailschevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/support-emails) [Allowed Scopeschevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/allowed-scopes) [Redirect URLchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/redirect-url) [Token-based Authenticationchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/token-based-authentication) [PreviousHow to View or Download Your Invoicechevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/how-to-view-or-download-your-invoice) [NextApp Namechevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/app-name) Last updated 2 months ago Was this helpful? Was this helpful? --- # Support Emails | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Provide the contact person's email addresses. Singpass admins will use these email addresses to contact you and your team(s) with notifications, announcements, or clarifications regarding the digital service/application. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FCwidnTZ9ZYeA9EYV1Nne%252Fimage.png%3Falt%3Dmedia%26token%3D8b243ff5-5206-4cb9-a0a8-0dcd48001973&width=768&dpr=3&quality=100&sign=543d0b37&sv=2) Singpass Developer Portal App Config Page - Support Emails field [PreviousSite URLchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/site-url) [NextAllowed Scopeschevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/allowed-scopes) Last updated 1 year ago Was this helpful? Was this helpful? --- # Demonstrating Proof of Possession (DPoP) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#overview) Overview ---------------------------------------------------------------------------------------------------------------------------------------------------------------- DPoP ([RFC 9449arrow-up-right](https://www.rfc-editor.org/rfc/rfc9449.html) ) protects your integration from: 1. Authorization code inteception 2. Access token misuse or leakage It works by binding the _authorization code_ and _access token_ to a private key that only your system controls. allowing only you to use them for [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange) and [Requesting For Userinfo](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo) respectively. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#when-is-dpop-required) **When is DPoP Required?** You must include a **DPoP proof JWT** in the DPoP request header for the following API calls: * [Pushed Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) * [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange) * [Requesting for Userinfo](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo) If DPoP is missing or invalid the request will be rejected #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#key-requirements) **Key Requirements** circle-exclamation You **must** use the same DPoP key pair across all three requests for a single authentication. You should generate a different ephemeral key for each authentication. * Generate a **new** ephemeral DPoP key pair for each authentication session * Use the **same key pair across all three requests** (PAR → Token → Userinfo) for that session * Do not reuse the key pair across different login sessions #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#what-is-the-dpop-proof-jwt) What Is the DPoP Proof JWT? The DPoP Proof JWT is a signed JWT (JWS) that proves you own the private key bound to the token — without exposing the private key. To implement: * We recommend using a standard JWT library * You may refer to [this listarrow-up-right](https://www.jwt.io/libraries?support=sign&algorithm=es256) to look for a suitable library for your programming language. To learn more about JWTs and their structure, you may read [this articlearrow-up-right](https://www.jwt.io/introduction) . ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#dpop-proof-jwt-structure-and-requirements) DPoP Proof JWT Structure and Requirements #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#jwt-header) JWT Header The JWT header should contain the following parameters: Parameter Description Data Type `alg` The signature algorithm that you are using to sign this JWT One of the following strings: * `ES256` * `ES384` * `ES512` `typ` The type of this JWT Must be the string `dpop+jwt` `jwk` The public key, in JSON Web Key format, that corresponds to the private key used to sign the JWT Object in JSON Web Key format chevron-rightSample JWT header[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#sample-jwt-header) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#jwt-payload) JWT Payload The JWT payload should contain the following claims: Claim Description Data type `htm` The HTTP method of the request that you are making Either the string `POST` or `GET` `htu` The URL that you are making the request to. URL `iat` The unix timestamp, in seconds, at which you generated this JWT. This value must be a [`NumericDate`arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7519#section-2) type, representing seconds. `exp` The unix timestamp, in seconds, on or after which this JWT **must not** be accepted by us for processing. Note also that this must be less than or equal to 2 minutes after `iat`. This value must be a [`NumericDate`arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7519#section-2) type, representing seconds. `jti` A unique identifier for this token. This identifier must only be used once. You should generate a new `jti` value for every request String `ath` Required only for the userinfo request. This should be the base64url-encoded SHA-256 hash of the access token. A base64url-encoded string. chevron-rightSample JWT payload[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#sample-jwt-payload) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#signing-and-using-the-jwt) Signing and using the JWT The JWT should be signed using your private DPoP key to form a JSON Web Signature (JWS) in compact serialisation format. This is a format where the three parts of the JWS (the header, the payload, and the signature), are base64url encoded and concatenated together, using a dot (`.`) as the separator. The private key used to sign the JWT must correspond to the public key indicated in the `jwk` parameter in the JWT header. This JWS should then be included in the `DPoP` request header when you are making requests that require DPoP. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#validate-your-dpop-implementation) Validate Your DPoP Implementation you can validate your DPoP proof JWT using this online validator tool: [DPoP & Client Assertion Validatorarrow-up-right](https://client-assertion-dpop-validator.vercel.app/) This tool helps you: * Verify JWT structure and compact format * Check required header parameters (alg, typ, jwk) * Validate required payload claims * Confirm signature validity * Detect common implementation errors [PreviousProof Key for Code Exchange (PKCE)chevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce) [NextOpenID Provider Configurationchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) Last updated 1 month ago Was this helpful? * [Overview](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#overview) * [DPoP Proof JWT Structure and Requirements](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#dpop-proof-jwt-structure-and-requirements) * [Signing and using the JWT](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#signing-and-using-the-jwt) * [Validate Your DPoP Implementation](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop#validate-your-dpop-implementation) Was this helpful? Copy { "alg": "ES256", "typ": "dpop+jwt", "jwk": { "crv": "P-256", "kty": "EC", "x": "T59MDXABUkdP7DAvAnuZ3l-iLUylObl1v6DBqAp8LU0", "y": "D7NSWZW9_r2wZC10yobEiOgjoqDppoMdYSG3YV16QjU" } } Copy { "jti": "50ac59b2-a1e7-4bac-909b-68b692207b6c", "htm": "POST", "htu": "https://stg-id.singpass.gov.sg/fapi/par", "iat": 1771819829, "exp": 1771819949 } Copy DPoP: --- # 3. Userinfo Endpoint | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. The UserInfo endpoint is an OAuth 2.0 [protected resourcearrow-up-right](http://tools.ietf.org/html/rfc6749#section-7) of the Singpass Authentication server; where client applications can retrieve consented [claimsarrow-up-right](http://openid.net/specs/openid-connect-core-1_0.html#Claims) , or assertions, about the logged-in end-user. The claims are typically packaged in a JSON object where the `sub` member denotes the subject (end-user) identifier, along with the data items that were tagged to the scopes requested in the `/auth` [request parametersarrow-up-right](https://github.com/SingpassPX/dev-docs/blob/main/technical-specifications/singpass-authentication-api/1.-authorization-endpoint#request-parameters) earlier. > The full list of scopes are under the [Myinfo Data Catalogue](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog) > . For the purposes of Userinfo in the context of Singpass, we will be returning an encrypted payload in the form of a signed JSON Web Token (JWS) in a JSON Web Encrypted (JWE) token. [PreviousClient JWK Requirementschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements) [NextRequesting Userinfochevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/3.-userinfo-endpoint/requesting-userinfo) Last updated 2 months ago Was this helpful? Was this helpful? --- # Myinfo (v3) apps | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#overview) Overview -------------------------------------------------------------------------------------------------------------------------------------- The Myinfo (v3) integration differs significantly from the new Authentication API, as while Myinfo (v3) wes based on OAuth 2.0, the new Authentication API is based on OIDC with the FAPI 2.0 Security Profile, which contains several extensions to the OAuth 2.0 flow. Due to these differences, we recommend that you perform a new integration from scratch using one of the [certified OIDC Relying Party Librariesarrow-up-right](https://openid.net/developers/certified-openid-connect-implementations/) , instead of updating your existing integration. Doing so should simplify your integration. You can refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) to understand how to perform a new integration. Regardless of which approach you choose to take, this document will highlight all of the differences between your existing integration and the new integration. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#creating-new-app) Creating New App ------------------------------------------------------------------------------------------------------------------------------------------------------ Before you start on the new integration, you must first create a new Myinfo (v5) app on the Singpass Developer Portal. Your existing Myinfo (v3) app cannot be used for the new integration. Refer to our User Guide to understand how to create your [staging app](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-app) (for testing purposes) and your [production app](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-production-app) . There are two important differences between the setup for Myinfo (v3) apps and Myinfo (v5) apps: 1. Myinfo (v5) apps should only have a single purpose. If your current Myinfo (v3) app has multiple purposes, you will need to create a new Myinfo (v5) app for each purpose. 2. Myinfo (v5) apps perform authentication and verification using JSON Web Key Sets (JWKS) instead of using X.509 public key certificates. You will be required to configure your JWKS instead of your certificate when creating your new Myinfo (v5) apps. Your JWKS must have at least one signing key and one encryption key. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#changes-required) Changes Required ------------------------------------------------------------------------------------------------------------------------------------------------------ ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#general) General #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-1.-implement-demonstrating-of-proof-of-possession-dpop) 1\. Implement Demonstrating of Proof of Possession (DPoP) DPoP is a security mechanism in which the access token and authorization code is bound to a ephemeral private key that is known only to you, preventing malicious parties from using your code or token. Read our [DPoP guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) for instructions on how to implement DPoP. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-2.-update-custom-scheme-urls) 2\. Update custom scheme URLs The new Authentication API no longer supports the use of custom scheme URLs (i.e. URLs that do not start with `https://` ) as redirect URLs or app launch URLs. If you are currently integrating with Myinfo via an Android or iOS app, and rely on such URLs for redirection back to the mobile app, you will need to change these URLs to use app-claimed HTTPS URLs instead. App-claimed HTTPS URLs are HTTPS URLs which, when opened on a mobile device, will launch your mobile app. Android applications support app-claimed HTTPS URLs via Android App Links, while iOS applications support them via universal links. Read the [official Android documentationarrow-up-right](https://developer.android.com/training/app-links) and the [official iOS documentationarrow-up-right](https://developer.apple.com/documentation/xcode/supporting-universal-links-in-your-app) to understand how to implement Android App Links and universal links respectively. Once your applications support redirection via app-claimed HTTPS, you should update your app's configuration in the Singpass Developer Portal to add your new HTTPS URLs. Refer to our [Singpass Developer Portal User Guide](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-production-app) if you are unsure on how to do this. You will also need to update your backend integration with us. Specifically, you will need to change these parameters in your authorization request: 1. The `redirect_uri` and `app_launch_url` parameters must be updated to use the new HTTPS URLs that you have configured. 2. The `redirect_uri_https_type` parameter in the authorization request should be added with a value of `app_claimed_https` , to indicate that the redirection is being done using an app-claimed HTTPS URL. Once the backend changes are completed and deployed, you should proceed to remove the old custom scheme URLs from your app's configuration in the Singpass Developer Portal. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#authorization-request) Authorization Request #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-1.-use-pushed-authorization-request) 1\. Use pushed authorization request In your existing integration, you would have sent the authorization request by redirecting the user to the authorization endpoint, with the authorization request parameters being included as query parameters. In the new integration, you should instead send the authorization request parameters by first sending the authorization request parameters via a pushed authorization request, which will return a short-lived `request_uri` in the response. You should then redirect the user the user to the authorization endpoint, with the `request_uri`, together with your `client_id`, as query parameters. For more details, you may refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) . #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-2.-remove-parameters-that-are-no-longer-used) 2\. Remove parameters that are no longer used There are some parameters in the authorization request which are no longer required in the new API. These parameters should be removed from the authorization request: * `authmode` * `purpose` (this will be configured in the Singpass Developer Portal instead of being sent for every request) * `login_type` #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-3.-update-existing-parameters) 3\. Update existing parameters There are some parameters used in the Myinfo (v3) parameters which are still used in the new API, but they have been changed, as detailed below: Old parameter name New parameter name Other changes attributes scope This needs to be changed from a comma-separated string to a space-separated string, and `openid` has to be added. For example: * old: `name,hanyupinyinname` * new: `openid name hanyupinyinname` appLaunchURL app\_launch\_url The app launch URL you are using will need to be pre-registered in the Singpass Developer Portal #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-4.-add-parameters-for-proof-of-key-code-exchange-pkce) 4\. Add parameters for Proof of Key Code Exchange (PKCE) You are required to implement PKCE for the authentication flow in the new API. Read our [PKCE guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce) for instructions on how to implement PKCE. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-5.-add-nonce-parameter) 5\. Add nonce parameter You are required to include a `nonce` in your authorization request for the new API. Refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#basic-oidc-parameters) to understand how the `nonce` should be generated and what it is used for. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#token-exchange) Token Exchange #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-1.-add-parameters-for-proof-of-key-code-exchange-pkce) 1\. Add parameters for Proof of Key Code Exchange (PKCE) As part of the PKCE implementation, you will need to include the `code_verifier` as part of the request body when making the request to the token endpoint. This must be the same `code_verifier` that you had used to generate the `code_challenge` when making the authorization request earlier. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-2.-authenticate-using-client-assertion-instead-of-pki-signature) 2\. Authenticate using client assertion instead of PKI Signature In the new API, you will authenticate yourself when calling the token endpoint by generating a client assertion instead of a PKI signature. Specifically: * You should no longer send an `Authorization` header when calling the token endpoint * You should no longer send the `client_secret` in the request body * You will need to send `client_assertion` and `client_assertion_type` in the request body. Refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/3.-token-exchange#request-body) to understand what the values of these parameters should be. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-3.-remove-the-state-parameter) 3\. Remove the state parameter The new API does not support the `state` parameter in the request body, so it should be removed. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-4.-parse-the-id-token) 4\. Parse the ID token In the new API, the token request returns an encrypted ID token in addition to the access token. You should decrypt this ID token and perform verification checks to ensure that it is legitimate. Read our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) to understand how to perform the decryption and what sort of verification checks are required. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#userinfo-request) Userinfo Request The userinfo request replaces the Person API call used in Myinfo (v3). Refer to our [Integration Guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/5.-requesting-for-userinfo#sample-request) for the full specifications of the new userinfo request. Here's a quick comparison of the two endpoints: Userinfo Person API Request Response The exact changes required are listed below. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-1.-remove-sub-from-the-path) 1\. Remove sub from the path In Myinfo (v3), you were required to pass the `sub` from the access token as a path parameter when calling the Person API. This is no longer required in the new API. You should no longer perform any parsing of the access token. If you still wish to obtain the UUID of the user, you should do so by parsing the ID token instead. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-2.-remove-pki-signature) 2\. Remove PKI Signature PKI signature is no longer needed for the API call. Instead, authentication is done via [DPoP](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-1.-implement-demonstration-of-proof-of-possession-dpop) and the access token. Thus, you should update your Authorization header to only include the access token in the format `DPoP `. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-3.-remove-all-query-parameters) 3\. Remove all query parameters The new API does not require any query parameters in the userinfo request. All of the user's data belonging to the scopes requested during the Authorization request will be returned. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-4.-handle-the-new-format-of-the-userinfo-response) 4\. Handle the new format of the userinfo response The userinfo response has a slightly different format compared to the response of the Person API. The format of the data itself remains unchanged - the only difference is that the data is now nested inside a `person_info` field. You will thus need to update your parsing logic to extract the user's data from the `person_info` field, instead of from the root of the response data. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#id-5.-update-access-token-prefix) 5\. Update access token prefix When calling the Person API, your access token would have had a `Bearer` prefix: In the new API, you should change this prefix to `DPoP`: [PreviousLogin / Myinfo (v5) appschevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) [NextMyinfo (v4) appschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v4-apps) Last updated 2 months ago Was this helpful? * [Overview](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#overview) * [Creating New App](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#creating-new-app) * [Changes Required](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#changes-required) * [General](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#general) * [Authorization Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#authorization-request) * [Token Exchange](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#token-exchange) * [Userinfo Request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/myinfo-v3-apps#userinfo-request) Was this helpful? Copy GET /userinfo HTTP/1.1 Host: id.singpass.gov.sg Authorization: DPoP eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJ1c2VyLWphbmUtZG9lIiwiYXVkIjoiaHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20vZGF0YSIsImV4cCI6MTc1NjczMDM4MCwiaWF0IjoxNzI1MTk0MzgwLCJqdGkiOiJ0eC0xMjMtYWJjIiwiY25mIjp7ImprdCI6Ik93SWlGaVl2T0NXRkpiV1hlbUdUZzRtU1NYQkNwZk9NaFhRV21XOTBVSEEifX0.dGhpcy1pcy1hLXBsYWNlaG9sZGVyLXNpZ25hdHVyZS1hcy1pdC1yZXF1aXJlcy1hLXByaXZhdGUta2V5 DPoP: eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IkVDIiwiY3J2IjoiUC0yNTYiLCJ4IjoiQXNWakh4elZ4MURaNnNKcEpzUnM2ek5YYXFmcFR3UmNfcXV0bWw0aEFJQSIsInkiOiI0SkhwVVZDRE5DaXhOTW9OclIzSElodFRzTWNfMF9NcmdpMzJxR3VoUkQ4In19.eyJqdGkiOiIyZmM3Y2Q4ZC0xN2IzLTRlYTUtYTg4ZC1lZWM0NTY5M2JhZDQiLCJodG0iOiJHRVQiLCJodHUiOiJodHRwczovL2lkLnNpbmdwYXNzLmdvdi5zZy91c2VyaW5mbyIsImlhdCI6MTc1NjcwODI0N30.wBYjFQRzY2o5aG82LjR1X8qT9bZ-jK3c7hI5fE0gP9vR_7sU6tW5xV4yZ3aB2cE1dF0eG9hI8jJ7kL6mN5oP4qR Copy GET /com/v3/person/{sub}?attributes=name,uinfin&client_id=EXAMPLE_CLIENT HTTP/1.1 Host: api.myinfo.gov.sg Authorization: PKI_SIGN timestamp="1505900210349", nonce="150590021034800", app_id="STG2-MYINFO-SELF-TEST", signature_method="RS256", signature="EEm+HEcNQajb5FkVd82zjojk+daYZXxSGPCO R2GHZeoyjZY1PK+aFMzHfWu7eJZYMa5WaEwWxdOdq5hjNbl 8kHD7bMaOks7FgEPdjE++TNomfv7 SMktDnIvZmPYAxhjb/C9POU2KT6tSlZT/Si/qMgD1cryaPw SeMoM59UZa1GzY mqlkveba7rma58uGwb3wZFH0n57UnouR6LYX DOOLkqi8uMZBuvRUvSJRXETAj2N0hT+4QJiN96Ct6IEQh/w oZh0o74K5Ol9Pp DSM08qC7Lj6N/k694J+hbBQVVviGn7/6mDkfbwdMDuoKs4t 7NpqmAnwT+xaQS IZcexfrAVQYA==",Bearer eyJ0eXAiOiJhdCtqd3QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2F1dGguZXhhbXBsZS5jb20iLCJzdWIiOiJ1c2VyLWphbmUtZG9lIiwiYXVkIjoiaHR0cHM6Ly9hcGkuZXhhbXBsZS5jb20vZGF0YSIsImV4cCI6MTc1NjczMDM4MCwiaWF0IjoxNzI1MTk0MzgwLCJqdGkiOiJ0eC0xMjMtYWJjIiwiY25mIjp7ImprdCI6Ik93SWlGaVl2T0NXRkpiV1hlbUdUZzRtU1NYQkNwZk9NaFhRV21XOTBVSEEifX0.dGhpcy1pcy1hLXBsYWNlaG9sZGVyLXNpZ25hdHVyZS1hcy1pdC1yZXF1aXJlcy1hLXByaXZhdGUta2V5 Copy { "person_info": { "uinfin": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "S9000001B" }, "name": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "SOH HAO FENG" } }, // above scopes are returned in the same format as the Myinfo Get Person response "iss": "https://id.singpass.gov.sg/fapi", "sub": "d45d8f21-6178-4713-b962-8635ed2a945a", "aud": "T5sM5a53Yaw3URyDEv2y9129CbElCN2F", "iat": 1746678089 } Copy { "uinfin": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "S9000001B" }, "name": { "lastupdated": "2024-09-26", "source": "1", "classification": "C", "value": "SOH HAO FENG" } } Copy Authorization: Bearer Copy Authorization: DPoP --- # Education and Employment | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close id name description Data Available Source employment Name of Employer FIN MOM occupation Occupation For FIN - Value will be returned in the description. FIN MOM cpfemployers CPF Employers Employer Name for the CPF Contribution. Includes contribution month/year. Only Contribution(s) related to employment will be provided. Other contributions, such as self-employed or government top-ups, are presently excluded. CPF will return the contributions received (or paid on) in the past 15 months up to the preceding month. Note that a member could have multiple contributions per month from the same employer. SC,PR CPFB academicqualifications.transcripts Singapore-Cambridge Examination Singapore-Cambridge (GCE N, O, A Levels) Examination results attained. SC,PR,FIN MOE academicqualifications.certificates Singapore-Cambridge Examination (OpenCert) Singapore-Cambridge (GCE N, O, A Levels) Examination results attained. Data to be returned in OpenCert format. [Click herearrow-up-right](https://www.opencerts.io/) to find out about OpenCert format. SC,PR,FIN MOE ltavocationallicences.tdvl.licencename LTA Vocational Licences - TDVL Licence Name A Taxi Driver's Vocational Licence allows one to drive a taxi. Licence Name of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.tdvl.vocationallicencenumber LTA Vocational Licences - TDVL Vocational Licence Number A Taxi Driver's Vocational Licence allows one to drive a taxi. Unique Vocational Licence Number for LTA Vocational Licence holder. SC,PR,FIN LTA ltavocationallicences.tdvl.expirydate LTA Vocational Licences - TDVL Expiry Date A Taxi Driver's Vocational Licence allows one to drive a taxi. Expiry date of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.tdvl.status LTA Vocational Licences - TDVL Status A Taxi Driver's Vocational Licence allows one to drive a taxi. Status of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.pdvl.licencename LTA Vocational Licences - PDVL Licence Name A Private Hire Car Driver's Vocational Licence allows one to drive a private hire car. Licence Name of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.pdvl.vocationallicencenumber LTA Vocational Licences - PDVL Vocational Licence Number A Private Hire Car Driver's Vocational Licence allows one to drive a private hire car. Unique Vocational Licence Number for LTA Vocational Licence holder. SC,PR,FIN LTA ltavocationallicences.pdvl.expirydate LTA Vocational Licences - PDVL Expiry Date A Private Hire Car Driver's Vocational Licence allows one to drive a private hire car. Expiry date of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.pdvl.status LTA Vocational Licences - PDVL Status A Private Hire Car Driver's Vocational Licence allows one to drive a private hire car. Status of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.bavl.licencename LTA Vocational Licences - BAVL Licence Name A Bus Attendant's Vocational Licence allows one to work as a bus attendant on a school bus. Licence Name of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.bavl.vocationallicencenumber LTA Vocational Licences - BAVL Vocational Licence Number A Bus Attendant's Vocational Licence allows one to work as a bus attendant on a school bus. Unique Vocational Licence Number for LTA Vocational Licence holder. SC,PR,FIN LTA ltavocationallicences.bavl.expirydate LTA Vocational Licences - BAVL Expiry Date A Bus Attendant's Vocational Licence allows one to work as a bus attendant on a school bus. Expiry date of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.bavl.status LTA Vocational Licences - BAVL Status A Bus Attendant's Vocational Licence allows one to work as a bus attendant on a school bus. Status of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.bdvl.licencename LTA Vocational Licences - BDVL Licence Name A Bus Driver's Vocational Licence allows one to drive a private hire bus/excursion bus/ school bus. Licence Name of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.bdvl.vocationallicencenumber LTA Vocational Licences - BDVL Vocational Licence Number A Bus Driver's Vocational Licence allows one to drive a private hire bus/excursion bus/ school bus. Unique Vocational Licence Number for LTA Vocational Licence holder. SC,PR,FIN LTA ltavocationallicences.bdvl.expirydate LTA Vocational Licences - BDVL Expiry Date A Bus Driver's Vocational Licence allows one to drive a private hire bus/excursion bus/ school bus. Expiry date of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.bdvl.status LTA Vocational Licences - BDVL Status A Bus Driver's Vocational Licence allows one to drive a private hire bus/excursion bus/ school bus. Status of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.odvl.licencename LTA Vocational Licences - ODVL Licence Name An Omnibus Driver’s Vocational Licence allows one to drive an omnibus. Licence Name of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.odvl.vocationallicencenumber LTA Vocational Licences - ODVL Vocational Licence Number An Omnibus Driver’s Vocational Licence allows one to drive an omnibus. Unique Vocational Licence Number for LTA Vocational Licence holder. SC,PR,FIN LTA ltavocationallicences.odvl.expirydate LTA Vocational Licences - ODVL Expiry Date An Omnibus Driver’s Vocational Licence allows one to drive an omnibus. Expiry date of LTA Vocational Licence. SC,PR,FIN LTA ltavocationallicences.odvl.status LTA Vocational Licences - ODVL Status An Omnibus Driver’s Vocational Licence allows one to drive an omnibus. Status of LTA Vocational Licence. SC,PR,FIN LTA [PreviousFinancechevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/finance) [NextFamilychevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/family) Last updated 11 months ago Was this helpful? Was this helpful? --- # Client JWK Requirements | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. Clients are expected to provide public keys to Singpass in the [JWKarrow-up-right](https://tools.ietf.org/html/rfc7517) format. These public keys will be used in the following (non-exhaustive) scenarios: * Signature JWK used to verify the signature of the [client assertion JWTarrow-up-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#client-authentication-client-assertion-jwt) presented during token request. * Encryption JWK used to [encrypt an ID token](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant) which contains the user’s PII. The client must provide the public key(s) during onboarding, and they can do so only via **ONE** of the following forms: * Provide a JWKS in a JSON format. * Host the JWKS on a publicly accessible URL. This endpoint must be compatible with Singpass's [service level expectations](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#jwks-url-service-level-expectations) . Signing key is always required for both `direct` and `direct_pii_allowed` clients. Encryption key is only required for `direct_pii_allowed` clients. `direct_pii_allowed` clients must ensure that the provided JWKS or the resource returned by the JWKS URL contains both the signing and encryption keys. > TIP: [mkjwk.orgarrow-up-right](https://mkjwk.org/) > is a useful open-source tool to generate different types of JWK for signing and encryption; compliant with Singpass's broad requirements on structure. While we **DO NOT** suggest this as a secure way to generate your _real_ keypair (including private key); this can be a useful tool to understand how JWK works; and how it is represented for signing and encryption purposes; while you are reviewing against our supported algorithms below. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#jwk-for-signing) JWK for signing ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The signing JWK will be used to verify the [client assertion JWTarrow-up-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#client-authentication-client-assertion-jwt) provided during `/token` request, thereby authenticating the client. Clients are allowed to provide multiple signature keys in the JWKS / hosted on the JWKS url provided during client creation. The signature JWK should have the following attributes: * Must have key `use` of value `sig` per [rfc7517#section-4.2arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.2) * Must contain a key ID in the standard `kid` field per [rfc7517#section-4.5arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.5) * Will be used by Singpass to select the relevant key to verify the client assertion * Must be an EC key, with curves: `P-256`, `P-384` or `P-521` _(NIST curves, aka_ `_secp256r1_`_,_ `_secp384r1_`_,_ `_secp521r1_` _respectively)_ _Example EC signing key using P-256 and a timestamped key Id_ ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#key-rotation) **Key Rotation** Relying parties can **rotate** their signing keys in a self-driven manner. To do this with **zero downtime** the Relying party must * support use of **JWKS URLs** and be onboarded as such * ensure their replacement signing key has a different key ID (`kid`) to the original key * ensure their replacement signing key matches the other cryptographic key requirements To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new signing key pair (`K2`) supported for signing. T0 Relying party **adds** public key `K2` to its JWKS endpoint (and leaves `K1` on the endpoint). T0 - T+1 hour Singpass's cache will expire, and re-retrieves the relying party’s published keys from their JWKS endpoint which now includes `K2`. \> T+1 hour Relying party changes their system to start signing client assertions using the new signing key `K2`. Clean Up Post-validation, relying party can remove key `K1` from their JWKS endpoint when they are comfortable their new signing key is working. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#jwk-for-encryption) **JWK for encryption** ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The encryption JWK will be used to [encrypt ID tokens](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant) requested from the `/token` endpoint. Singpass will select the strongest available, supported encryption key from either a **local JWKS**, or **JWKS URL** to encrypt returned ID tokens for those relying parties who require any PII in the ID token. The encryption JWK must have the following attributes: * Must not contain the `d` property * The `d` property represents the private key of your key pair, and should never be exposed. Exposure in the JWK is a critical security vulnerability. * If you have accidentally included the `d` property in your JWK, remove it immediately and rotate your keys. * Must have key `use` of value `enc` per [rfc7517#section-4.2arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.2) * Must contain a key ID in the standard `kid` field per [rfc7517#section-4.5arrow-up-right](https://tools.ietf.org/html/rfc7517#section-4.5) * The key ID will be specified in the returned JWE header so that clients can pick the right key for decryption * Must have key type (`kty`) of `EC` * Must specify the appropriate key encryption `alg` the relying party wants Singpass to use, consistent with the key type/curve (`kty`), and meet the requirements below on allowed `alg`/`curve`/key sizes, consistent with [RFC7518 - JSON Web Algorithm specificationarrow-up-right](https://tools.ietf.org/html/rfc7518#section-4.1) Status **Required** for new Relying Parties Key encryption algorithm (`alg`) ECDH-ES+A128KW ECDH-ES+A192KW ECDH-ES+A256KW Curve (`crv`) P-256 _(NIST, aka secp256r1)_ P-384 _(NIST, aka secp384r1)_ P-521 _(NIST, aka secp521r1)_ _Example EC encryption key using P-256 and a timestamped key Id; asking us to encrypt the CEK using ECDH-ES+A128KW_ ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#key-preference) **Key Preference** If the relying party exposes _multiple supported encryption keys_, Singpass will select the key to use for encrypting tokens based on the following logic: 1. prefer any EC key (`kty`) matching the above requirements 2. prefer EC keys with stronger `crv` (curve) _above_ EC keys with weaker curve 3. prefer EC keys with stronger `alg` key wrapping _above_ weaker ones 4. otherwise pick the first compatible key we find ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#key-rotation-1) **Key Rotation** Relying parties can **rotate** their encryption keys in a self-driven manner. To do this with **zero downtime** the Relying party must * support use of **JWKS URLs** and be onboarded as such * have the ability to decrypt tokens produced with either **one of two** different encryption keys based on either * selecting the correct decryption key by its key ID (`kid`) * trial-and-error decryption against multiple keys in a collection * ensure their replacement key matches the other cryptographic key requirements noted above To do this with zero downtime, the following procedure should be followed by the Relying Party: Time Action Prep Relying party generates a new encryption key pair (`K2`) supported for decryption. The existing key pair (`K1`) is still available for decryption of ID tokens. T0 Relying party **removes** public key `K1` and **adds** public key `K2` on its JWKS endpoint. T0 - T+1 hour Singpass's caches will expire at any (indeterminate) time within this period, and start encrypting tokens with new encryption key `K2`. T0 - T+1 hour Relying party may be receiving tokens encrypted with either `K1` or `K2` keys throughout this period; and must be able to decrypt either. \> T+1 hour Relying party can remove support for decrypting with the previous `K1` key. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#jwks-url-service-level-expectations) JWKS URL Service Level Expectations ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Singpass requires that any JWKS is published on an endpoint that * is served behind HTTPS on port `443` using a TLS server certificate issued by a standard _publicly verifiable CA issuer_ (no private CAs), with _complete cert chain_ presented by the server; * is publicly accessible (no IP whitelisting, mTLS or other custom HTTP header requirements outside standard HTTP headers such as `Content-Type`, `Accept`); * is able to respond in a timely fashion with respect to the below configuration. Per try timeout 3s Max attempts 3 Cache duration for retrieved JWKS 1h > Note: While the above is a technical requirement; the user experience of your users may be affected if we are unable to retrieve your JWKS in a timely fashion upon our cache expiry due to slower token exchanges with your backend. We recommend aiming for this response to be as fast as possible based on an in-memory cache; or simple static asset retrieval. If Singpass fails to retrieve a valid JWKS from the provided URL after cache expiry, the relying party’s token exchange will fail with an OAuth2/OIDC `invalid_client` error in these circumstances: * if _client assertions_ are used, and we are unable to validate the relying party’s assertion using their signing key * if _encryption of returned ID tokens_ is required, and we are unable to retrieve the relying party’s preferred encryption key [PreviousAuthorization Code Grantchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant) [Next3\. Userinfo Endpointchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/3.-userinfo-endpoint) Last updated 2 months ago Was this helpful? * [JWK for signing](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#jwk-for-signing) * [Key Rotation](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#key-rotation) * [JWK for encryption](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#jwk-for-encryption) * [Key Preference](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#key-preference) * [Key Rotation](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#key-rotation-1) * [JWKS URL Service Level Expectations](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements#jwks-url-service-level-expectations) Was this helpful? Copy { "kty": "EC", "use": "sig", "kid": "sig-2021-01-15T12:09:06Z", "crv": "P-256", "x": "Tjm2thouQXSUJSrKDyMfVGe6ZQRWqCr0UgeSbNKiNi8", "y": "8BuGGu519a5xczbArHq1_iVJjGGBSlV5m_FGBJmiFtE" } Copy { "kty": "EC", "use": "enc", "kid": "enc-2021-01-15T12:09:06Z", "crv": "P-256", "x": "xom6kD54yfXRPvMFVYFlVjUKzmNhz7wf0DP_2h9kXtY", "y": "lrh8C9c8-SBJTm1FcfqLkj2AnHtaxpnB1qsN6PiFFJE", "alg": "ECDH-ES+A128KW" } --- # Property | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close id name description Data Available Source hdbownership.noofowners HDB Ownership - Number of Owners Number of Owners. Note that this does not include executors, administrators or trustees. SC,PR,FIN HDB hdbownership.address HDB Ownership - Address Flat Address. SC,PR,FIN HDB hdbownership.hdbtype HDB Ownership - Type of HDB Dwelling HDB Flat Type. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (HDBTypeCode) for list of possible values. SC,PR,FIN HDB hdbownership.leasecommencementdate HDB Ownership - Lease Commencement Date Lease Period Start Date. SC,PR,FIN HDB hdbownership.termoflease HDB Ownership - Term of Lease Term of lease for the property computed from the lease commencement date. SC,PR,FIN HDB hdbownership.dateofpurchase HDB Ownership - Date of Purchase Effective Date of flat purchase. SC,PR,FIN HDB hdbownership.dateofownershiptransfer HDB Ownership - Date of Transfer of Ownership Effective date of partial transfer without monetary consideration (e.g. addition, deletion or substitution of a co-owner) for an HDB sold flat. For partial transfer of flat where at least one of the current owner remains in the household, the Date of Purchase remains unchanged while the Date of Transfer of Ownership will be updated. For outright transfer where there is a total change of all owner(s), only the Date of Purchase will be updated. SC,PR,FIN HDB hdbownership.loangranted HDB Ownership - Loan Granted The amount of housing loan granted to owner(s) by HDB. SC,PR,FIN HDB hdbownership.originalloanrepayment HDB Ownership - Original Loan Repayment Period The number of years for loan repayment opted by owner(s) at the time the loan is first granted to him/her. SC,PR,FIN HDB hdbownership.balanceloanrepayment HDB Ownership - Balance Loan Repayment Period The remaining number of year(s) and month(s) available to repay the loan. SC,PR,FIN HDB hdbownership.outstandingloanbalance HDB Ownership - Outstanding HDB Loan Balance Outstanding amount payable to HDB. SC,PR,FIN HDB hdbownership.monthlyloaninstalment HDB Ownership - Monthly Loan Instalment Monthly instalment payable to HDB. SC,PR,FIN HDB hdbownership.purchaseprice HDB Ownership - Purchase Price This refers to the price at which the flat owner paid for the flat. SC,PR,FIN HDB hdbownership.outstandinginstalment HDB Ownership - Outstanding Instalment This refers to the outstanding instalment owed by the flat owner(s) which includes the current month instalment. GST is not applicable. If there is advance payment, the value will be 0. SC,PR,FIN HDB [PreviousVehicle and Driving Licencechevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/vehicle-and-driving-licence) [NextGovernment Schemechevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/government-scheme) Last updated 9 months ago Was this helpful? Was this helpful? --- # Obtaining Access to the Singpass Developer Portal (SDP) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close To log in to the [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) , your Singpass account must first be authorised via Corppass to act on behalf of your organisation. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F69AP5eYfpxCVSyyt1h5u%252Fscreen-1763450704432.gif%3Falt%3Dmedia%26token%3D71283335-1c3a-4a81-a836-66dff7de1c20&width=768&dpr=3&quality=100&sign=8bc1e9c2&sv=2) **Step 1 — Identify your Corppass Admin** 1. Visit https://www.corppass.gov.sg 2. Go to Services → Find your Corppass Admin 3. Authenticate with Singpass 4. Search for your organisation using the Unique Entity Number (UEN) This will show you who the **Corppass Admin(s)** are within your entity. **Step 2 — Request Access** Contact your Corppass Admin and ask them to grant your Singpass account the necessary permissions to access: * **Singpass API Developer and Partner Portal** Once the admin assigns the access rights, you will be able to log in to the Singpass Developer Portal. [PreviousUser Guidechevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide) [NextLogging in to the Singpass Developer Portal (SDP)chevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/logging-in-to-the-singpass-developer-portal-sdp) Last updated 2 months ago Was this helpful? Was this helpful? --- # Create Staging Test Account | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Prerequisites: * You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) before you can create Staging Test Account. * You have already toggled your Dashboard view to Staging. * You have at least one Staging App. 1. Click **App Name hyperlink** on your Dashboard - Staging view. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FS2W2pb3fmddVxuuiOBpJ%252FScreenshot%25202024-09-23%2520at%25206.04.10%25E2%2580%25AFPM.png%3Falt%3Dmedia%26token%3D027848f0-0b1d-4b89-9918-00622284b5ea&width=768&dpr=3&quality=100&sign=d06bd80a&sv=2) 1. You will be redirected to view the Staging App details. On the left menu, click **Test accounts.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FwxPHGDxx9G9lsS1mzFqm%252FScreenshot%25202024-09-23%2520at%25209.51.23%25E2%2580%25AFPM.png%3Falt%3Dmedia%26token%3Df7c5c27d-3cb9-4768-9bcb-0290f06428f7&width=768&dpr=3&quality=100&sign=6f004dfa&sv=2) 1. You will be redirected to view the list of Test Accounts. Click **Create.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FHvyuvuwiTuZkDun4TblX%252FTest%2520Account%2520View.png%3Falt%3Dmedia%26token%3D4a47e53b-d3d7-48a7-96b3-51d2abc8db9f&width=768&dpr=3&quality=100&sign=659a1aae&sv=2) 1. A new test account is created and displayed. Click the eye icon to view the Password of the test account. Note: Please note that you can only create a **maximum** of **5** test accounts. Test accounts usage is not restricted to a specific app. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FnvPrerID9JartnUY3xbn%252FTest%2520Account%2520-%2520New%2520Rec%2520Created.png%3Falt%3Dmedia%26token%3Dd53e21a0-db5b-4209-bdfb-154a2c689bcf&width=768&dpr=3&quality=100&sign=ef185ad9&sv=2) [PreviousEdit Staging Appchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-staging-app) [NextCreate Production Appchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-production-app) Last updated 2 months ago Was this helpful? Was this helpful? --- # Toggling Between Staging and Production | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FE22kZPkbPRf0IsrGb4IZ%252Fscreen-1763451548039.gif%3Falt%3Dmedia%26token%3Ddfa25620-bd04-4887-84a5-186cdf29d479&width=768&dpr=3&quality=100&sign=f005f2dd&sv=2) After you have successfully logged in to SDP, the dashboard will default to the **Staging environment**, showing all your entity's staging apps. To **switch environments**, click the **environment toggle** at the top of the page: * “Working with mock data in Staging” * “Working with live data in Production” This allows you to easily move between the **Staging** (test) and **Production** (live) environments. [PreviousLogging in to the Singpass Developer Portal (SDP)chevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/logging-in-to-the-singpass-developer-portal-sdp) [NextCreate Staging Appchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-app) Last updated 2 months ago Was this helpful? Was this helpful? --- # Logging in to the Singpass Developer Portal (SDP) | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FcvnOAlWAdTrvXOtcG2Hp%252Fscreen-1763451239592.gif%3Falt%3Dmedia%26token%3D367b6c96-7ee6-4fcf-b268-0ce7e9187f24&width=768&dpr=3&quality=100&sign=410bca2&sv=2) Before logging in, ensure your Singpass account has been authorised via Corppass to act on behalf of your organisation. **Step 1 — Access the Portal** Go to https://developer.singpass.gov.sg and click **“Log in with Singpass"**. **Step 2 — Authenticate** Complete the Singpass authentication flow. _Note: You will be logging in as a Business User._ **Step 3 — Select Your Entity** After authentication, you will be prompted to select the entity (UEN) you are representing. * If you are authorised for only one entity, this selection page will not appear. * If you have access to multiple entities, choose the correct entity you want to transact for. **Step 4 — Access the Dashboard** Click on the entity name. You will be redirected to the SDP Dashboard. You’re in! You have successfully accessed the Singpass Developer Portal. By default, the dashboard will display all Staging applications for that entity. [PreviousObtaining Access to the Singpass Developer Portal (SDP)chevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/obtaining-access-to-the-singpass-developer-portal-sdp) [NextToggling Between Staging and Productionchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/toggling-between-staging-and-production) Last updated 2 months ago Was this helpful? Was this helpful? --- # User Guide | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FNQ6X0yETtGHyneckBrns%252Fimage.png%3Falt%3Dmedia%26token%3D578fb399-3248-4a12-968f-b52144688b9c&width=768&dpr=3&quality=100&sign=3e5cce8d&sv=2) ### [hashtag](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide#overview) **Overview** The Singpass Developer Portal (SDP) is the central platform where organisations: * **Create** and **manage** Singpass API applications * **Configure** redirect URIs, JWK Urls, certificates, scopes, and other settings * Access **billing** information, **test accounts**, and **services agreement** This guide walks you through everything you need to know to navigate the portal efficiently. Access to the SDP is necessary to begin integration with Singpass APIs * * * [PreviousGovernment Schemechevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/government-scheme) [NextObtaining Access to the Singpass Developer Portal (SDP)chevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/obtaining-access-to-the-singpass-developer-portal-sdp) Last updated 2 months ago Was this helpful? Was this helpful? --- # How to View Entity Transactions | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Steps: 1. Go to the Singpass Developer Portal. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F2LFfZA5pRMXJ2UJS8do1%252FScreenshot%25202026-03-18%2520at%25201.29.59%25E2%2580%25AFPM.png%3Falt%3Dmedia%26token%3D84671d01-d0e5-4bd6-9f95-c5db028ccc72&width=768&dpr=3&quality=100&sign=de2d7179&sv=2) 1. At the top right corner, click **Entity Analytics** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FQ7ejq9W0OXZdW0h4vteW%252Fimage.png%3Falt%3Dmedia%26token%3Db2c3efe8-8aeb-4daa-a580-cfd91e72732b&width=768&dpr=3&quality=100&sign=b050bb0e&sv=2) 1. Click **Login** to view the transaction breakdown for Login apps by e-service. Click **Myinfo** to view the transaction breakdown for Myinfo apps by e-service. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FhJoKsgjbGXA0GcMEQ7HG%252Fimage.png%3Falt%3Dmedia%26token%3D9cc6c812-948e-4442-a437-9945ac966ab9&width=768&dpr=3&quality=100&sign=57b2433a&sv=2) 1. Click **Export usage data** to export the transaction data. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FTh2tq4iVZds1eaoMsLkz%252Fimage.png%3Falt%3Dmedia%26token%3D53a2e5d5-1bcf-4814-9e4a-0505db4be58f&width=768&dpr=3&quality=100&sign=68f4fb7b&sv=2) [PreviousHow to View Production App Transactionschevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/how-to-view-production-app-transactions) [NextHow to View or Download Your Invoicechevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/how-to-view-or-download-your-invoice) Last updated 29 days ago Was this helpful? Was this helpful? --- # Finance | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close id name description Data Available Source cpfbalances.oa CPF Balances - Ordinary Account The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. The CPF balance here would include Ordinary Account (OA). Click [herearrow-up-right](https://docs.developer.singpass.gov.sg/docs/products/myinfo/data-display-guidelines) to refer to the CPF display guidelines. SC,PR CPFB cpfbalances.ma CPF Balances - Medisave Account The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. The CPF balance here would include Medisave Account (MA). Click [herearrow-up-right](https://docs.developer.singpass.gov.sg/docs/products/myinfo/data-display-guidelines) to refer to the CPF display guidelines. SC,PR CPFB cpfbalances.ra CPF Balances - Retirement Account The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. The CPF balance here would include Retirement Account (RA) if applicable to the user. Click [herearrow-up-right](https://docs.developer.singpass.gov.sg/docs/products/myinfo/data-display-guidelines) to refer to the CPF display guidelines. SC,PR CPFB cpfbalances.sa CPF Balances - Special Account The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. The CPF balance here would include Special Account (SA). Click [herearrow-up-right](https://docs.developer.singpass.gov.sg/docs/products/myinfo/data-display-guidelines) to refer to the CPF display guidelines. SC,PR CPFB cpfcontributions CPF Contribution History (up to 15 months) The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. For each contribution record, the 4 fields (Paid for Month, Paid On, Employer Name, Contribution Total) will be provided. Only Contribution(s) related to employment will be provided. Other contributions, such as self-employed or government top-ups, are presently excluded. CPF will return the contributions received (or paid on) in the past 15 months up to the preceding month. Note that a member could have multiple contributions per month from the same employer. **1\. Example 1:** If the query is made in March-24, contribution provided will be for contribution received in the period from January-23 to March-24 (inclusive). This is provided that March-24 contribution had been received, else contribution provided will be January-23 to February-24. **2\. Example 2:** Assuming a member has a late CPF contribution for work done in Nov-22 (beyond January-23 to March-24) that was credited only in Jan-23. If the query is made in March-24, contribution provided will include the late contribution as it was received in the period from January-23 to March-24. The contribution period range of January-23 to March-24 (inclusive) remains. Click [herearrow-up-right](https://docs.developer.singpass.gov.sg/docs/products/myinfo/data-display-guidelines) to refer to the CPF display guidelines. SC,PR CPFB cpfhousingwithdrawal CPF Housing Withdrawal The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. The CPF Housing Withdrawal data include the following for the purpose of financing a HDB flat or private residential property: a) Address: This is the registered address of property which withdrawal is made. b) Principal Withdrawal Amount: This is the CPF principal amount user has withdrawn under the CPF housing schemes. c) Monthly Instalment Amount: This is the monthly CPF deduction for payment of user's property. d) Accrued Interest Amount: This is the interest that user would have earned had user's savings remained in the CPF account. e) Total Amount of CPF Allowed for Property: The maximum CPF savings allowed to be used for the financing the property, excluding the amount used for stamp duty and legal fees. Click [herearrow-up-right](https://docs.developer.singpass.gov.sg/docs/products/myinfo/data-display-guidelines) to refer to the CPF display guidelines. SC,PR CPFB noa-basic Notice of Assessment (Basic, Latest Year) This refers to the taxpayer's total income after deducting allowable expenses and approved donations. Total income includes: (i) Trade (ii) Employment (iii) Rent (iv) Interest This field will only return: (i) 1 yearly assessable income and (ii) the corresponding year value. The yearly assessable income will be the latest available income up to the last 2 Years of Assessments. If the subscriber does not have any assessment record for up to 2 back years, Myinfo will return the following: a) Assessable Income= 'NA' or '-' b) Year Assessed='NA'. To note: i. Assessable Income details is only available for finalised assessment. Thus, income information will not be available if the subscriber has a Default Assessment (e.g. taxpayers who have not submitted their tax return). ii. This may not be applicable for foreigners depending on their tax residency. For example, in the case of double tax treaties with other countries, foreigner may not need to pay Singapore tax. SC,PR,FIN IRAS noahistory-basic Notice of Assessment (Basic, Last 2 Years) Similar to 'Notice of Assessment (Basic, Latest Year)' data field, but for the last 2 years instead. SC,PR,FIN IRAS noa Notice of Assessment (Detailed, Latest Year) Similar to 'Notice of Assessment (Basic, Latest Year)' data field, including the following income breakdown a) Employment b) Trade c) Rent d) Interest Additional details in this data field: a) Tax clearance : Indicator will be 'Y' for scenario where non-Singapore Citizen employee that ceases employment in Singapore, and goes on an overseas posting or plans to leave Singapore for more than three months. Only need to display this field if the value = 'Y'. b) Tax Category : Type of Income Tax Bill. For more details, [click herearrow-up-right](https://www.iras.gov.sg/taxes/individual-income-tax/basics-of-individual-income-tax/receive-tax-bill-pay-tax-check-refunds/understanding-my-tax-assessment) . SC,PR,FIN IRAS noahistory Notice of Assessment (Detailed, Last 2 Years) Similar to 'Notice of Assessment (Basic, Latest Year)' data field, but for the last 2 years instead. SC,PR,FIN IRAS ownerprivate Ownership of Private Residential Property This refers to the ownership of private residential property. Note that this does not include shophouses which are assessed as commercial properties. This field will be 'Y', if the corresponding NRIC/FIN, in IRAS records, is a primarily, secondary or CC owner of an active private residential property and is required to pay property tax. Otherwise will be 'N'. Where the NRIC/FIN is not found in IRAS records, it will be returned as 'NA'. SC,PR IRAS cpfinvestmentscheme.account CPF Investment Scheme - Account The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. CPF savings can be used in these investment schemes - CPF Investment Scheme (CPFIS) & Special Discounted Shares (SDS) Scheme. CPFIS account data includes Agent Bank under CPFIS-OA and Investment Account number which refer to the CPF Investment account that user has opened with one of the CPFIS-OA agent banks under the CPFIS. SC,PR CPFB cpfinvestmentscheme.sdsnetshareholdingqty CPF Investment Scheme - Number of Discounted Singtel Shares The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. CPF savings can be used in these investment schemes - CPF Investment Scheme (CPFIS) & Special Discounted Shares (SDS) Scheme. Number of Discounted Singtel Shares refers to the number of discounted Singtel shareholdings held under the SDS Scheme. SC,PR CPFB cpfinvestmentscheme.saqparticipationstatus CPF Investment Scheme - Self-Awareness Questionnaire (SAQ) Participation Status The Central Provident Fund is a mandatory social security savings scheme funded by contributions from employers and employees. CPF savings can be used in these investment schemes - CPF Investment Scheme (CPFIS) & Special Discounted Shares (SDS) Scheme. Self-Awareness Questionnaire (SAQ) Participation Status refers to whether the user has taken the CPFIS Self-Awareness Questionnaire (SAQ) to help assess if CPFIS is suitable for the user. SC,PR CPFB [PreviousPersonalchevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/personal) [NextEducation and Employmentchevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/education-and-employment) Last updated 11 months ago Was this helpful? Was this helpful? --- # 1. The Authorization Request | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close The first step in the Singpass authentication flow is the authorization request. This involves kicking off a Login or Myinfo (v5) transaction by redirecting users to Singpass' login page, while also providing some information about what this transaction is for (e.g. the data you wish to retrieve). Singpass requires the use of Pushed Authorization Requests (PAR) ([RFC 9126arrow-up-right](https://datatracker.ietf.org/doc/html/rfc9126) ), so this step actually consists of the following sub-steps: 1. First, send a POST request to our `**pushed_authorization_request_endpoint**` (as defined in our [OpenID configuration](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) ). If successful, you will receive a response containing a `request_uri`. 2. Next, using that `request_uri` and our `**authorization_endpoint**` (also defined in our [OpenID configuration](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) ), construct an authorization URL. 3. Finally, redirect the user to that authorization URL. More details about these sub-steps are provided below. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) 1\. Sending the pushed authorization request --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The pushed authorization request is a HTTP POST request that is sent to the pushed authorization request endpoint. Your request should contain a request body in the `application/x-www-form-urlencoded` format. The request body supports a lot of parameters, which can be divided into several groups: parameters specified by basic OIDC, parameters for PKCE, parameters for DPoP, and Singpass-specific parameters. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#basic-oidc-parameters) Basic OIDC Parameters These are parameters that are specified as part of the original OIDC specifications. More information about them can be viewed in the [official specificationsarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html) . Parameter Description Data type `response_type` The authorization processing flow to be used. Only the value `code` is supported, as mandated by FAPI2.0 specifications. `scope` A space-delimited string, representing a list of scopes that you are requesting. The scopes that you request will determine the data that is returned in the ID token and in the userinfo endpoint. A space-delimited string representing a list of scopes. For Myinfo apps, See our [Data Catalogarrow-up-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog) for the allowed values. For Login apps, there are some basic scopes that are allowed. The scopes are `user.identity` , `name`, `email`, and `mobileno` . See [Parsing the ID token](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) for more details. The `openid` scope **must** be specified, as per the OIDC specifications. In addition to the scopes listed in the Data Catalog, the `sub_account` scope is also supported. See [Parsing the ID token](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/4.-parsing-the-id-token) for more details. `state` A session-based, unique, and non-guessable value that you should generate per auth session. This is used to mitigate Cross-Site Request Forgery (CSRF) attacks. This parameter should be uniquely generated for each request and set by your backend. The generated value should be persisted in the backend and associated with your user's session, as it will be needed later. This string must be generated in a cryptographically secure way, and should ideally be at least 30 characters long. We recommend using a version 4 UUID for this purpose. A string with a maximum length of 255 characters. It must match the regular expression pattern `[A-Za-z0-9/+_-=.]+`. `nonce` A session-based, unique, and non-guessable value that you should generate per auth session. This is used to mitigate replay attacks. Just like the `state` parameter, this parameter should be uniquely generated for each request and set by your backend. The generated value should be persisted in the backend and associated with your user's session, as it will be needed later. This string must be generated in a cryptographically secure way, and should ideally be at least 30 characters long. We recommend using a version 4 UUID for this purpose. A string with a maximum length of 255 characters. We recommend using a randomly-generated version 4 UUID for this purpose. `client_id` The client ID of your registered client, provided by Singpass during app onboarding. It is the App ID found at the top of your app configuration page A 32-character case-sensitive alphanumeric string. `redirect_uri` The URL that Singpass will eventually redirect the user to after the user completes the login process using the Singpass App. The value will be validated against the list of redirect URLs that were pre-registered with Singpass during onboarding. URL `acr_values` A string indicating your preference on the level of assurance required for this authentication. Multiple values, in descending order of preference, may be provided as a space-delimited string. Should multiple valid values be provided, we will use the first available level of assurance for the authentication. This parameter is applicable only to specific high risk use cases. It should only be used when a higher assurance level is genuinely required, and such use will need to be whitelisted by us. If you believe your use case may qualify, please submit a request at [https://partnersupport.singpass.gov.sgarrow-up-right](https://partnersupport.singpass.gov.sg/) for our review. Optional. The possible values are: * urn:singpass:authentication:loa:2 * This refers to an assurance level of 2, meaning that only 2FA is required. * urn:singpass:authentication:loa:3 * This refers to an assurance level of 3, meaning that face verification as a third factor is required. Note that you will incur charges starting from 1 Jan 2026 should you opt for an assurance level of 3. `client_assertion_type` The type of client assertion. Must be the string `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, as mandated by OIDC specifications. `client_assertion` Your client assertion, which is used for authentication. Refer to [Generation of Client Assertion for instructions](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) on how this should be generated. A string containing the signed JWT. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#pkce-parameters) PKCE Parameters These are parameters used for Proof of Key Code Exchange (PKCE), which is an additional security measure put in place to protect the authorization code against misuse by malicious actors. Read our [guide on PKCE](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/proof-key-for-code-exchange-pkce) to understand what these parameters are for and how to generate the `code_challenge`. Parameter Description Data Type `code_challenge` The base64url encoded SHA256 hash of a randomly generated `code_verifier`. A base64url-encoded string.(note: base64url encoding is not the same as base64 encoding) `code_challenge_method` The method used to generate the `code_challenge` from the `code_verifier` Only the value `S256` is supported, as mandated by FAPI 2.0 specifications ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#dpop-parameters) DPoP Parameters These are parameters used to perform authorization code binding to your DPoP key, which is a further security measure to protect the authorization code against misuse by malicious actors. Parameter Description Data Type `dpop_jkt` The JWK Thumbprint of your proof-of-possession public key. The JWK thumbprint should be computed using the SHA256 hash algorithm, and encoded using base64url. String Note that `dpop_jkt` is only required if your request does not contain the DPoP header (which contains the DPoP Proof JWT). For simplicity, we recommend sending the [DPoP header](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) in the request rather than using the `dpop_jkt` request parameter, as you will also need to implement DPoP header generation in later steps. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#singpass-specific-parameters) Singpass-Specific Parameters These are parameters which are not part of any standard, but are instead specific to Singpass. Parameter Description Data Type `authentication_context_type` A value selected from a predefined list describing the type of transaction that your user is performing the authentication for. This will be used for anti-fraud purposes. **Mandatory and only allowed for Login apps**, The list of possible values is provided [below](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#possible-authentication_context_type-values) . `authentication_context_message` A string value providing context on what users are performing authentication for. This will be displayed to users when they are performing authentication. For guidance on writing authentication messages, refer [herearrow-up-right](https://partnersupport.singpass.gov.sg/hc/en-sg/articles/54859616559769-What-is-Authentication-Context-Message) . All messages are subject to audit and compliance monitoring. String, with a maximum length of 100 characters. The allowable characters are `A-Z`, `a-z`, `0-9`, ``, `.`, `,`, `-`, `@`,`'`,`!`, `(`, `)` Optional, and **allowed only for Login apps.** `redirect_uri_https_type` This value describes the type of redirect that you intend to perform. You should specify this as `app_claimed_https` if you are performing a redirection to a mobile app via an App-claimed https URL. Either `app_claimed_https` or `standard_https`. This field is optional; it defaults to `standard_https` if not provided. `app_launch_url` This value is only required if your authentication journey starts and ends for an iOS mobile app. This should be an iOS App Link which will bring the user back to your application after they complete authentication on the Singpass app. Optional. _only applicable for iOS mobile app integration_ chevron-rightSample request (Myinfo)[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#sample-request-myinfo) chevron-rightSample request (Login)[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#sample-request-login) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#possible-authentication_context_type-values) Possible authentication\_context\_type values You should select an appropriate `authentication_context_type` value depending on your use case. The possible values for each type of use case are shown below. chevron-rightCPF transactions[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#cpf-transactions) Event Enum Value Change Payment Mode CPF\_CHANGE\_PAYMENT\_MODE Change daily withdrawal limits CPF\_CHANGE\_DAILY\_WITHDRAWAL\_LIMIT Profile Update CPF\_PROFILE\_UPDATE Link to Bank account CPF\_LINK\_BANK\_ACCOUNT Funds transfer CPF\_FUNDS\_TRANSFER chevron-rightBanking[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#banking) Event Enum Value CASA opening BANK\_CASA\_OPENING CASA Initial usage BANK\_CASA\_INITIAL\_USAGE Debit/Credit Card application BANK\_CARD\_APPLICATION Debit/Credit Card initial usage BANK\_CARD\_INITIAL\_USAGE Loan Application BANK\_LOAN\_APPLICATION Successful addition of local recipient BANK\_ADD\_LOCAL\_RECEIPIENT Successful addition of overseas recipient BANK\_ADD\_OVERSEAS\_RECIPIENT Increase transfer limit BANK\_INCREASE\_TRANSFER\_LIMIT Report Fraud or suspicious activity BANK\_REPORT\_FRAUD\_SUSPICIOUS\_ACTIVITY Funds transfer BANK\_FUNDS\_TRANSFER\_LOCAL Remit money overseas BANK\_REMIT\_MONEY\_OVERSEAS Report lost cards BANK\_REPORT\_LOST\_CARD Change of notification method BANK\_CHANGE\_NOTIFICATION\_METHOD Increase credit card limit BANK\_INCREASE\_CREDIT\_CARD\_LIMIT Cash advance BANK\_REQUEST\_CASH\_ADVANCE Increased inflow and outflow of funds transfer BANK\_INCREASE\_INFLOW\_OUTFLOW Activation of a dormant account BANK\_ACTIVATE\_DORMANT\_ACCOUNT Login using a new device BANK\_LOGIN\_NEW\_DEVICE Login from an unfamiliar IP BANK\_LOGIN\_UNFAMILIAR\_IP User Information Update BANK\_UPDATE\_USER\_INFORMATION New device registration BANK\_NEW\_DEVICE\_REGISTRATION Unlock money lock BANK\_UNLOCK\_MONEY\_LOCK Google Pay / Apple Pay card onboarding BANK\_GOOGLE\_PAY\_APPLE\_PAY\_CARD\_ONBOARDING chevron-rightOther Financial Institutions[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#other-financial-institutions) Event Enum Value Account Opening FI\_ACCOUNT\_OPENING Link Bank account FI\_LINK\_BANK\_ACCOUNT Increase transfer limit FI\_INCREASE\_TRANSFER\_LIMIT Increase withdrawal limit FI\_INCREASE\_WITHDRAWAL\_LIMIT Initiate Deposit FI\_INITIATE\_DEPOSIT chevron-rightTelcos[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#telcos) Event Enum Value SIM card application TELCO\_SIM\_CARD\_APPLICATION Activation of SIM card TELCO\_SIM\_CARD\_ACTIVATION Change of account details TELCO\_CHANGE\_ACCOUNT\_DETAILS Activate Roaming TELCO\_ACTIVATE\_ROAMING Change of notification method TELCO\_CHANGE\_NOTIFICATION\_METHOD chevron-rightOthers[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#others) Event Enum Value General authentication APP\_AUTHENTICATION\_DEFAULT Making a payment APP\_PAYMENT\_DEFAULT Password Change APP\_ACCOUNT\_PASSWORD\_CHANGE\_DEFAULT Password Reset APP\_ACCOUNT\_PASSWORD\_RESET\_DEFAULT Account Details Change APP\_ACCOUNT\_DETAILS\_CHANGE\_DEFAULT App onboarding APP\_ONBOARDING\_DEFAULT ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#response) Response #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#successful-response) Successful Response If the request was successful, you will receive a response in JSON format which contains the following parameters: Parameter Description Data type `request_uri` This is a reference to the payload that you have sent in this request. This will be needed in the next step String `expires_in` This is a number, in seconds, representing the lifetime of the `request_uri` Number. We set this value to be 60 seconds. chevron-rightSample successful response body[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#sample-successful-response-body) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#error-response) Error Response If there was a problem with the request, you will receive a response in JSON format which will instead contain these parameters: Parameter Description Data type `error` An error code identifying the type of error that has occurred. This will be an enum value. The possible values are detailed [below](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#possible-error-values) . `error_description` A human-readable text description of the error. String. This is optional. `error_uri` URI of a web page that includes additional information about the error URL. This is optional. `state` This will be the same state parameter passed in the authorization request. A string with a maximum length of 255 characters. It must match the regular expression pattern `[A-Za-z0-9/+_-=.]+` chevron-rightSample error response body[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#sample-error-response-body) #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#possible-error-values) Possible error values The table below lists the possible values of `error` that we may return: error What this error indicates `invalid_request` The request had missing or invalid parameters. You should ensure that all the parameters follow the specifications listed above. This error will also be returned if you did not send either the `DPoP` header or the `dpop_jkt` parameter. `invalid_client` This error may occur if your client assertion could not be verified. This is most commonly caused by a malformed JWKS, or an incorrectly generated client assertion. Refer to our guides on [client assertions](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/generation-of-client-assertion) and [JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks) , and make sure that your implementation follows both of these guides. This can also be caused by an invalid `client_id` being passed. Check that your `client_id` is correct, and that your app is currently active. `invalid_scope` The `scope` parameter that you have provided is invalid. This is typically caused if you did not include the `openid` scope, or if you are requesting for a scope which your app is not allowed to request. If requesting for a new scope, you will need to [edit your app](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-production-app) and add the new scope into the list of your app's allowed scopes. `invalid_dpop_proof` The `DPoP` header which you have provided is invalid, expired, or malformed. Read our [DPoP guide](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop) and ensure that your implementation follows the instructions in the guide. `server_error` The server encountered an unexpected error. You should check `error_description` to understand what was the cause of the error. This error can potentially be caused by your JWKS endpoint not being reachable. Read our guide on [JWKS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/json-web-key-sets-jwks#requirements-for-jwks) and ensure that you follow the requirements. In particular, your JWKS endpoint must be publicly accessible and should respond in a timely manner. If the cause was not your JWKS endpoint, you may perform up to 3 retries using an exponential backoff strategy. If the request still fails, you should guide users to alternative authentication methods. `temporarily_unavailable` The server is temporarily unavailable to handle the request. You may perform up to 3 retries using an exponential backoff strategy. If the request still fails, you should guide users to alternative authentication methods, or to guide them to try again some time later. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-2.-redirecting-the-user-to-the-authorization-url) 2\. Redirecting the user to the authorization URL ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- After you complete the pushed authorization request, the next step is to redirect the user to open the authorization URL in their browser. The base URL for the authorization URL can be located as the `authorization_endpoint` field in our authorization server's [OpenID Configuration](https://docs.developer.singpass.gov.sg/docs/technical-specifications/technical-concepts/openid-connect-discovery) . You will only need to attach two query parameters to the authorization endpoint to form the authorization URL: Parameter Description `client_id` The client ID of your registered client, provided by Singpass during app onboarding. It is the App ID found at the top of your app configuration page. This must be the same client ID that you passed in the request body of the pushed authorization request. `request_uri` The `request_uri` returned by the pushed authorization request. Once you have redirected the user to the authorization URL, the next step would be to wait for the user to complete authentication. Once they complete authentication, they will be redirected back to the `redirect_uri` that you specified. View the next page to understand how to handle the redirect. chevron-rightSample authorization URL[hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#sample-authorization-url) [PreviousIntegration Guidechevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) [Next2\. Handling the Redirectchevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/2.-handling-the-redirect) Last updated 21 days ago Was this helpful? * [1\. Sending the pushed authorization request](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-1.-sending-the-pushed-authorization-request) * [Basic OIDC Parameters](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#basic-oidc-parameters) * [PKCE Parameters](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#pkce-parameters) * [DPoP Parameters](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#dpop-parameters) * [Singpass-Specific Parameters](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#singpass-specific-parameters) * [Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#response) * [2\. Redirecting the user to the authorization URL](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide/1.-authorization-request#id-2.-redirecting-the-user-to-the-authorization-url) Was this helpful? Copy POST /fapi/par HTTP/1.1 Host: stg-id.singpass.gov.sg Accept-Charset: ISO-8859-1 DPoP: eyJhbGciOiJFUzI1NiIsImp3ayI6eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ1c2UiOiJzaWciLCJ4IjoiV2REWGw2SDVjb1g4WjByTDk3UjduMG9KYWpKUXhrRmhXTTVNRzdTZlhnQSIsInkiOiJZeThhcFZRdkVxVDM0ZzhKSDVYUzRIcFBXbTBOMURCaFVMcU5lT3FtTUdJIn0sInR5cCI6ImRwb3Arand0In0.eyJleHAiOjE3NzA3MjE2ODIsImh0bSI6IlBPU1QiLCJodHUiOiJodHRwczovL3N0Zy1pZC5zaW5ncGFzcy5nb3Yuc2cvZmFwaS9wYXIiLCJpYXQiOjE3NzA3MjE1NjIsImp0aSI6ImRjMjYzNDVmLTYzNDEtNGJkYi1hMmVjLTUwZWE4YzRhOGNmMCJ9.QFCtwt8D1VSVEmBuFhHFec7Ii_f981nlIB2s-P-jbHdJR7F22p5r8RC7-lWOExn3vNBmFSP_KGUgo_XIcfhTMw Content-Type: application/x-www-form-urlencoded Content-Length: 1037 response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fcallback&client_id=dNGEOSUjyJjTqytbxsspyJAyQIj3tyha&scope=openid%20name%20nationality%20noa&state=5bfda4b1-f67b-4f3c-bbbc-6ca81461fb5a&nonce=5e652418-2373-47f7-8003-43f062244046&code_challenge=52TX5w33iX1u5XEZRmq5IGhZwlajZVVyvdO5ZTqIH6o&code_challenge_method=S256&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6InNpZy0yMDI0IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3NpbmdwYXNzLmdvdi5zZyIsImV4cCI6MTc3MDcyMTY4MiwiaWF0IjoxNzcwNzIxNTYyLCJpc3MiOiJkTkdFT1NVanlKalRxeXRieHNzcHlKQXlRSWozdHloYSIsImp0aSI6IjhiMGJkY2E1LTgxNWEtNDI5OC1hZTJlLThjNGQ3NDU0NjM0ZSIsInN1YiI6ImROR0VPU1VqeUpqVHF5dGJ4c3NweUpBeVFJajN0eWhhIn0.qLAv2f6twnoIRR1VOMs5w3daRStOrznH7guJT-yIfRTtK0RB_iFSpgJAOQ4sSKMl7k5pSyIlNWpqMhZTKSeFIA Copy POST /fapi/par HTTP/1.1 Host: stg-id.singpass.gov.sg Accept-Charset: ISO-8859-1 DPoP: eyJhbGciOiJFUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7ImNydiI6IlAtMjU2Iiwia3R5IjoiRUMiLCJ4IjoiRTRhOHp0NTZuMnF3WmE3R1ZPdVV4SHMtUHNQWVIzYnVCNGhtcURyTnV3OCIsInkiOiJWQ3ktckFmN3dMOC1PeWlhdS1kS0dJdmN5THpTMHJULTFlQkxyTGVNM09NIn19.eyJqdGkiOiJmMTM3MzgyYS02MjUwLTQxMjUtYjc5NC0yY2Y2OGRlZTljMzAiLCJodG0iOiJQT1NUIiwiaHR1IjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnL2ZhcGkvcGFyIiwiaWF0IjoxNzcwODA1ODM5LCJleHAiOjE3NzA4MDU5NTl9.DNeFnNXvmxGr5ZZW9o6mfVoG9uCRbgXxRgyhXWlED0xpkV1uSmNTVSA4QA_VVUNjLEgufNXzRqg7vqeyUyQ6nw Content-Type: application/x-www-form-urlencoded Content-Length: 965 response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2Fcallback&client_id=asC7y1wuFmqwCXys6S5EnaILNcy4yJDx&scope=email%20mobileno%20name%20openid%20user.identity&state=b24a1eae-e01b-4856-affd-3098b9fe0fe8&nonce=e9d4d941-99c4-4db1-90d2-1d77906e3a65&code_challenge=52TX5w33iX1u5XEZRmq5IGhZwlajZVVyvdO5ZTqIH6o&code_challenge_method=S256&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJhc0M3eTF3dUZtcXdDWHlzNlM1RW5hSUxOY3k0eUpEeCIsInN1YiI6ImFzQzd5MXd1Rm1xd0NYeXM2UzVFbmFJTE5jeTR5SkR4IiwiYXVkIjoiaHR0cHM6Ly9zdGctaWQuc2luZ3Bhc3MuZ292LnNnL2ZhcGkiLCJpYXQiOjE3NzA4MDU4MzksImV4cCI6MTc3MDgwNTk1OSwianRpIjoiYWZlODg1ZjQtY2FjMC00YmQwLThkMGItMWE3MDkxNzFiMzI1In0.7W_mjPhS6DbvEd32obSany8bqOcrVaS_AvhojjqSHGX6P9OjJUxIdPsjpifO_E8tE3Px-F5egFy2-7nXLLdIFg&authentication_context_type=APP_AUTHENTICATION_DEFAULT&authentication_context_message=Complete%20the%20set%20up%20of%20your%20mobile%20banking%20token Copy { "request_uri": "urn:ietf:params:oauth:request_uri:Tku8lLFs7d_UPZznhREj0", "expires_in": 60 } Copy { "error": "invalid_request", "error_description": "The request is missing a required parameter, includes an unsupported value, or is malformed.", "state": "e32b9f28-5d34-4c0f-8b0e-6b670566c97f" } Copy https://id.singpass.gov.sg/fapi/auth?client_id=T5sM5a53Yaw3URyDEv2y9129CbElCN2F&request_uri=urn:ietf:params:oauth:request_uri:Tku8lLFs7d_UPZznhREj0 --- # How to View Production App Transactions | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close **Individual App Transactions View** 1\. Log in to [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) using your Singpass account that is authorised to transact on behalf of your entity. 2\. Once logged in, navigate to your company’s Production Apps page. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FYbTGfu0rBDdjBpmXQlbc%252Fimage.png%3Falt%3Dmedia%26token%3D2749837a-e895-482e-88db-b0b02368d54f&width=768&dpr=3&quality=100&sign=51463800&sv=2) 3\. Click on the app for which you want to view transaction details. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FDkAK0YAU730rcNroFLW2%252Fimage.png%3Falt%3Dmedia%26token%3D5ca028c1-7404-4f15-990f-0a3ac8c76548&width=768&dpr=3&quality=100&sign=7c936579&sv=2) 4\. When the app page opens, locate the left menu and click on “Analytics”. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fjg06V4JrP8FbWDRl2aJ0%252Fimage.png%3Falt%3Dmedia%26token%3Decff7709-0dd6-44b0-8018-1340e0835ec4&width=768&dpr=3&quality=100&sign=18ecc93&sv=2) 5\. Here, you will be able to view your app’s transaction graph and use filters to sort data by month and year. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FHEYc5JdGr5A8t8LnhE0y%252Fimage.png%3Falt%3Dmedia%26token%3D59dbe19e-76f2-4143-84a1-f23c52a0ed6e&width=768&dpr=3&quality=100&sign=c781960d&sv=2) **Entity App Transactions view** To have an overview of the transactions of all your apps, you can do the following: 1. Log in to [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) using your Singpass account that is authorised to transact on behalf of your entity. 2. Once logged in, navigate to your company’s Production Apps page. 3. Beside your "Entity Name" click on _"view entity analytics"._ ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FfU6LAZeYOmNRMmpDfrvX%252Fimage.png%3Falt%3Dmedia%26token%3Dc7d09fb2-5ec1-4d7f-8763-57def558eec5&width=300&dpr=3&quality=100&sign=29a123e0&sv=2) 1. Select the Month-Year and navigate between the "Login" and "Myinfo" Tab to view the total transactions incurred for your Entity's Login/Myinfo apps. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FQT0KRrOwuKz5PQQj3Rlr%252Fimage.png%3Falt%3Dmedia%26token%3D5d972d3a-3b29-4bf4-adc8-98d0c4ddc150&width=768&dpr=3&quality=100&sign=13d2fa19&sv=2) [PreviousActivate Production Appchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/activate-production-app) [NextHow to View Entity Transactionschevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/how-to-view-entity-transactions) Last updated 2 months ago Was this helpful? Was this helpful? --- # Create Staging App | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close **Prerequisites:** * Ensure you are logged in to the [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) * Switch your Dashboard view to **Staging**. **Steps to create a new app:** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FS2W2pb3fmddVxuuiOBpJ%252FScreenshot%25202024-09-23%2520at%25206.04.10%25E2%2580%25AFPM.png%3Falt%3Dmedia%26token%3D027848f0-0b1d-4b89-9918-00622284b5ea&width=768&dpr=3&quality=100&sign=d06bd80a&sv=2) 1. Click **\+ New App** on your Dashboard. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F5MU79fQ3s2N8AwNf94gd%252Fimage.png%3Falt%3Dmedia%26token%3D1e5d16e7-2630-4538-8615-f1dde5deb49a&width=768&dpr=3&quality=100&sign=4faf015e&sv=2) **Click + New app no approval is required to create this app** 1. Select the **App Type** or **API Type** you wish to create: * Singpass Myinfo – for form-filling use cases * Singpass Login – for authentication use cas ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FuD2dH6Y7Sx7EDMmaNeha%252Fimage.png%3Falt%3Dmedia%26token%3Da700ec0c-ef79-4f63-995b-5d2c027bdfa1&width=768&dpr=3&quality=100&sign=cb4de447&sv=2) 1. Fill in your **app details.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FbVR4pL26BTzS6haNuLO5%252Fimage.png%3Falt%3Dmedia%26token%3D649d3cee-8c8b-4b84-a3cf-277456d83c57&width=768&dpr=3&quality=100&sign=44896414&sv=2) 2. Provide your **technical details.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fx0AWUZB5ZXIPEfB8yAF3%252Fimage.png%3Falt%3Dmedia%26token%3Dc7c8b2f6-a85b-43e9-8797-f73f6d79b2c3&width=768&dpr=3&quality=100&sign=ed89898d&sv=2) 1. Select the **relevant scopes** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F2dgZ448pCuwU4xRhQpuq%252Fimage.png%3Falt%3Dmedia%26token%3Dd3f98b68-cd69-4e93-8325-ab70a34ed878&width=768&dpr=3&quality=100&sign=c09206c4&sv=2) 1. Review your selected scopes and **submit the app** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F99QGJVWfDyloIswSTEZo%252Fimage.png%3Falt%3Dmedia%26token%3Da43566cd-32b6-47ab-a325-418d7927e1c8&width=768&dpr=3&quality=100&sign=5e5610bb&sv=2) [PreviousToggling Between Staging and Productionchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/toggling-between-staging-and-production) [NextEdit Staging Appchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-staging-app) Last updated 2 months ago Was this helpful? Was this helpful? --- # View Singpass Service Agreement | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) . By default, you are looking at all the Staging apps of the entity. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FS2W2pb3fmddVxuuiOBpJ%252FScreenshot%25202024-09-23%2520at%25206.04.10%25E2%2580%25AFPM.png%3Falt%3Dmedia%26token%3D027848f0-0b1d-4b89-9918-00622284b5ea&width=768&dpr=3&quality=100&sign=d06bd80a&sv=2) 1. Expand the profile icon, click on **Service Agreement**. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F776eoOpwSpMtYqP8fGUe%252FSvc%2520Agreement%2520Menu.png%3Falt%3Dmedia%26token%3Dd27d07b4-a02a-4ed2-950c-a5de09e3fbdf&width=768&dpr=3&quality=100&sign=422a88b2&sv=2) 1. You will be redirected to Services Agreement Review page. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FDTfYFIxz7u6OMYa42VaH%252FView%2520Svc%2520Agreement.png%3Falt%3Dmedia%26token%3Dce7880ad-da76-4bfc-8c26-8470e141b3f6&width=768&dpr=3&quality=100&sign=95fe4447&sv=2) [PreviousConsent to Singpass Service Agreementchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/consent-to-singpass-service-agreement) [NextUpdating Billing Contact Informationchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/updating-billing-contact-information) Last updated 11 months ago Was this helpful? Was this helpful? --- # How to View or Download Your Invoice | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) . By default, you are looking at all the Staging apps of the entity. 1. Expand the profile icon, click on **Billing.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FdHshNLwW6TBlIZnMwMKD%252Fimage.png%3Falt%3Dmedia%26token%3Da739c4d2-17b0-47d9-b187-8f4623bd0351&width=768&dpr=3&quality=100&sign=7c2fc96a&sv=2) 1. Click on **Billing - Invoices** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fh1DS0zNiJnNqrUTTAYwH%252Fimage.png%3Falt%3Dmedia%26token%3D5ac60b96-d980-4ae3-92eb-cdd24cb70eb2&width=768&dpr=3&quality=100&sign=d00da2cf&sv=2) 1. Search for your invoices by MMM YYYY [PreviousHow to View Entity Transactionschevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/how-to-view-entity-transactions) [NextUnderstanding the App Config Fieldschevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields) Last updated 10 months ago Was this helpful? Was this helpful? --- # Activate Production App | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Prerequisites: * You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) before you can create a Production App. * You have already toggled your Dashboard view to Production. * You have an existing Deactivated Production App. * The entity has already agreed to the Singpass Services Agreement. 1. Click **App Name hyperlink** on your Dashboard - Production view. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fci7m7gaHYMyFz7vRyvPX%252FScreenshot%25202024-11-18%2520at%252011.19.41%25E2%2580%25AFAM.png%3Falt%3Dmedia%26token%3D0298faf9-d4cc-48ac-a70c-6d3c54eeacd3&width=768&dpr=3&quality=100&sign=31a6c69b&sv=2) 1. You will be redirected to view the Production App details. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FfDVltkLv4PB7piCIrGez%252FScreenshot%25202024-11-18%2520at%252011.07.17%25E2%2580%25AFAM.png%3Falt%3Dmedia%26token%3Dec31049c-442e-4fee-8306-e02a2753464d&width=768&dpr=3&quality=100&sign=7d3bd54f&sv=2) 1. Click **Activate App.** 2. Once successfully activated, the app status will be updated to **Activated** and you will see the option to **Deactivate App.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fx6s7JEk1eGLjT2jSbrwK%252FPROD%2520View%2520App%2520-%2520Activated.png%3Falt%3Dmedia%26token%3D401514cf-9b86-45df-97d5-02acf80b2a86&width=768&dpr=3&quality=100&sign=e2ee2d09&sv=2) [PreviousDeactivate Production Appchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/deactivate-production-app) [NextHow to View Production App Transactionschevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/how-to-view-production-app-transactions) Last updated 2 months ago Was this helpful? Was this helpful? --- # Personal | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close id name description Data Available Source uinfin NRIC/FIN NRIC number or FIN of user. NRIC number is the unique identifier given to every Singapore Citizens (SC) and Permanent Residents (PR), while FIN is the unique identifier for Foreigners. SC,PR,FIN ICA/MOM partialuinfin Partial NRIC/FIN Last 3 numerical digits and checksum of the NRIC/FIN number, prefixed with '\*\*\*\*\*' (e.g. "\*\*\*\*\*567A" from the full NRIC number of "S1234567A"). SC,PR,FIN \- name Principal Name Includes Surname if any. Note that Principal Name does not represent the full name as printed on the NRIC/FIN card or Digital IC (Read [herearrow-up-right](https://partnersupport.singpass.gov.sg/hc/en-sg/articles/32683301388569-Does-Myinfo-Principal-Name-match-the-Full-Name-printed-on-the-NRIC-FIN-card-or-Digital-IC) for more info) SC,PR,FIN ICA/MOM aliasname Alias Name Refers to an alternate/additional name of the user that is legally recognised. SC,PR ICA hanyupinyinname Hanyu Pinyin Name Refers to the officially romanised Chinese name of the user. SC,PR ICA hanyupinyinaliasname Hanyu Pinyin Alias Name Refers to the legally-recognised alternate officially romanised Chinese name of the user. SC,PR ICA marriedname Married Name Refers to the family name or surname adopted by the user upon marriage. SC,PR ICA sex Sex Gender of the user. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (SexCode) for list of possible values. SC,PR,FIN ICA/MOM race Race Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (RaceCode) for list of possible values. SC,PR,FIN ICA/MOM secondaryrace Secondary Race Refers to secondary racial category of the Person, if any. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (RaceCode) for list of possible values. SC,PR ICA dialect Dialect Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (DialectCode) for list of possible values. SC,PR ICA dob Date of Birth SC,PR,FIN ICA/MOM residentialstatus Residential Status Indicate if the user is a Citizen, PR or others. Blank value will be returned for FIN holder. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (ResidentialCode) for list of possible values. SC,PR ICA nationality Nationality/Citizenship Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (NationalityCitizenshipCode) for list of possible values. SC,PR,FIN ICA/MOM birthcountry Country/Place of Birth Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (CountryPlaceCode) for list of possible values. SC,PR,FIN ICA/MOM passportnumber Passport Number SC ICA passportexpirydate Passport Expiry Date SC ICA passtype Pass Type This refers to the pass type of a FIN holder. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (PassTypeCode) for list of possible values. Note that this only applies to a FIN holder with a valid pass issued by ICA/MOM. FIN ICA/MOM passstatus Pass Status This refers to the pass status of a FIN holder. Available values: * Live * Approved. (Interim status in which the FIN holder has yet to receive the pass) Note that this only applies to a FIN holder with a valid pass issued by ICA/MOM. FIN ICA/MOM passexpirydate Pass Expiry Date This refers to the pass expiry date of a FIN holder. Note that this only applies to a FIN holder with a valid pass issued by ICA/MOM. FIN ICA/MOM employmentsector Employment Sector This refers to the employment sector of a FIN holder. Note that this only applies to a FIN holder with a valid pass issued by MOM. FIN MOM mobileno Mobile Number Mobile number must be made editable at digital services even though data source is Singpass. SC,PR,FIN Singpass email Email Address Email address must be made editable at digital services even though data source is Singpass. SC,PR,FIN Singpass regadd Registered Address For SC/PR - Registered address is the address that is printed on the NRIC card. For FIN - Registered address is applicable for foreigners under the following Pass Types: **ICA-issued Passes** - Long Term Visit Pass / Long Term Visit Pass + - Student Pass - Immigration Exemption Order **MOM-issued Passes** - S Pass - Employment Pass - Personalised Employment Pass - EntrePass - Dependent Pass SC,PR,FIN ICA/MOM hdbtype Type of HDB Note that this is determined based on user's Registered Address (if it is a HDB flat). It therefore has no association with HDB ownership. Refer to [Code Listingarrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (HDBTypeCode) for list of possible values. SC,PR,FIN HDB housingtype Type of Housing Note that this is determined based on user's Registered Address (if it is not a HDB flat). It has no association with housing ownership. Refer to [Code Listing arrow-up-right](https://public.cloud.myinfo.gov.sg/dpp/frontend/assets/api-lib/myinfo/downloads/myinfo-api-code-tables.xlsx) (HousingTypeCode) for list of possible values. SC,PR,FIN URA [PreviousCatalogchevron-left](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog) [NextFinancechevron-right](https://docs.developer.singpass.gov.sg/docs/data-catalog-myinfo/catalog/finance) Last updated 22 days ago Was this helpful? Was this helpful? --- # Consent to Singpass Service Agreement | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close **Sample** Company Name: SDP Admin UEN. 1. In PROD environment, click on the button as shown where you will be able to see your UEN signed in to SDP. Click on "Service Agreement". ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FVjYmaGxXdWoUb0sge86p%252Fimage.png%3Falt%3Dmedia%26token%3De6157d1e-ecfa-4646-81da-3d463d812956&width=768&dpr=3&quality=100&sign=897fd59b&sv=2) 1. You will be able to see a copy of the Service Agreement. Click "Next". ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FKCibSxmatLEG3UvPcGRQ%252Fimage.png%3Falt%3Dmedia%26token%3Def6741a2-3fae-44e9-8544-e2e24c17f07b&width=768&dpr=3&quality=100&sign=b9a10014&sv=2) 1. You will be able to see the company Point-of-Contact (POC) and Company/Entity Name. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FdhUpAhLXrta9pdy6E3DG%252Fimage.png%3Falt%3Dmedia%26token%3D7ef8bd82-b7c7-400f-81c4-e8ed4d6d64ba&width=768&dpr=3&quality=100&sign=1803bd4f&sv=2) 1. Fill in the details required under "Agreement related contact details", and click "Accept". ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FznkAeIJfiGsW3H7dzBij%252Fimage.png%3Falt%3Dmedia%26token%3Db06a0f15-117a-49ef-b03f-47dfe9be11c9&width=768&dpr=3&quality=100&sign=8235e880&sv=2) 1. You will be able to see that the Services Agreement has been accepted by the company Point-of-Contact (POC) and company/entity name. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FgKzDBFYyBqId4BiHIiUu%252Fimage.png%3Falt%3Dmedia%26token%3Daa79cbbf-2bc2-49a8-b06a-3d40e15a8a82&width=768&dpr=3&quality=100&sign=1a5fa781&sv=2) 1. After the agreement has been accepted, you will be able to create app in PROD environment (+ New app) ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F7P3pswuuFPj7Haj0kowo%252Fimage.png%3Falt%3Dmedia%26token%3D4578b365-07cc-48d5-9cf2-a39e028de2cf&width=768&dpr=3&quality=100&sign=4e245151&sv=2) [PreviousEdit Production Appchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-production-app) [NextView Singpass Service Agreementchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/view-singpass-service-agreement) Last updated 2 months ago Was this helpful? Was this helpful? --- # Updating Billing Contact Information | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close 1. Log in to [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) . 2. In the **top menu**, click on the **profile icon**. 3. Select the **Billing** tab. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FpRs4hWOA0jExyY4dCI6g%252Fimage.png%3Falt%3Dmedia%26token%3Db8d0d436-086a-44b8-a36d-5056727f981f&width=768&dpr=3&quality=100&sign=33ecb1fd&sv=2) 1. Click the **Edit** button. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F9BCTcomFMtbo3KZenDX3%252Fimage.png%3Falt%3Dmedia%26token%3D43214019-c0d2-4d40-b505-f033cfefebb6&width=768&dpr=3&quality=100&sign=88c44454&sv=2) 5\. Update the Login or MyInfo **billing contact details** as needed. 6\. Click **Update** to save your changes. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F2SJAFghPGoZ4wJkxYGys%252Fimage.png%3Falt%3Dmedia%26token%3D8683f031-c8ab-4377-a8f6-e43a82740603&width=768&dpr=3&quality=100&sign=8dd31eb8&sv=2) [PreviousView Singpass Service Agreementchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/view-singpass-service-agreement) [NextDeactivate Production Appchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/deactivate-production-app) Last updated 11 months ago Was this helpful? Was this helpful? --- # Edit Staging App | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Prerequisites: * You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) before you can edit Staging App. * You have already toggled your Dashboard view to Staging. * You have at least one Staging App to be edited. 1. Click **App Name** hyperlink on your Dashboard - Staging view. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FS2W2pb3fmddVxuuiOBpJ%252FScreenshot%25202024-09-23%2520at%25206.04.10%25E2%2580%25AFPM.png%3Falt%3Dmedia%26token%3D027848f0-0b1d-4b89-9918-00622284b5ea&width=768&dpr=3&quality=100&sign=d06bd80a&sv=2) 1. You will be redirected to view the Staging App details. Click **Edit**. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FadvqprwpHGbfuqzkMNrG%252FSTG%2520View%2520App.png%3Falt%3Dmedia%26token%3D31d9f7d5-821b-4653-b8cd-fa1c8b1eac3f&width=768&dpr=3&quality=100&sign=b086e5e2&sv=2) 2. Edit the necessary details and click Update. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FYRMU7IDv7XIrGu1DM5sS%252Fimage.png%3Falt%3Dmedia%26token%3D0891ccde-2cfa-430e-b639-36de5a359806&width=768&dpr=3&quality=100&sign=74867689&sv=2) 3. You will be redirected to view the updated Staging App details. [PreviousCreate Staging Appchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-app) [NextCreate Staging Test Accountchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-test-account) Last updated 2 months ago Was this helpful? Was this helpful? --- # Deactivate Production App | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Prerequisites: * You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) before you can create Production App. * You already toggled your Dashboard view to Production. * The entity have already agreed to Singpass Service Agreement. 1. Click **App Name hyperlink** on your Dashboard - Production view. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FeEmGplmRJzchGAT5Ry0s%252FDashboard%2520-%2520Prod.png%3Falt%3Dmedia%26token%3D4aa64ee7-6245-4461-8f41-3903ce5551f0&width=768&dpr=3&quality=100&sign=3681a418&sv=2) 1. You will be redirected to view the Production App details. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FDmdQP5c4OggEtK75XJrT%252FView%2520App%2520PROD%2520Activated.png%3Falt%3Dmedia%26token%3D15e8172c-c432-4370-a2c8-07146c6dccd5&width=768&dpr=3&quality=100&sign=54a638bc&sv=2) 1. Click **Deactivate App.** 2. Once successfully deactivated, the app status will be updated to **Deactivated** and you will see the option to **Activate App.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FfDVltkLv4PB7piCIrGez%252FScreenshot%25202024-11-18%2520at%252011.07.17%25E2%2580%25AFAM.png%3Falt%3Dmedia%26token%3Dec31049c-442e-4fee-8306-e02a2753464d&width=768&dpr=3&quality=100&sign=7d3bd54f&sv=2) [PreviousUpdating Billing Contact Informationchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/updating-billing-contact-information) [NextActivate Production Appchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/activate-production-app) Last updated 2 months ago Was this helpful? Was this helpful? --- # Create Production App | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close **Prerequisites:** * You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) before you can create Production App. * You have already toggled your Dashboard view to Production. * The entity has already agreed to the Singpass Service Agreement. 1. **Click the '+ New app' button on the right side.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FiI67BAMnQraxmZ2v3cmS%252Fimage.png%3Falt%3Dmedia%26token%3De1605427-75b3-4d38-aa2d-a512395617ac&width=768&dpr=3&quality=100&sign=f76121d1&sv=2) Initiate the process of creating a new APP by clicking the '+ New app' button located on the right side of the screen. 1. **Select the relevant API that you wish to integrate with.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FQLDznbt2uOQQlGHDvNg9%252Fimage.png%3Falt%3Dmedia%26token%3Dd59d01ba-4d5b-4332-ac24-6a2374080c9d&width=768&dpr=3&quality=100&sign=4836daa7&sv=2) If you want to integrate with Myinfo, select the 'Myinfo' product by clicking on its card to proceed with the API setup 1. **Fill up the relevant App details** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FdWoqzCQvuj9VvnD5vo0n%252Fimage.png%3Falt%3Dmedia%26token%3D172e04a6-f78d-4ee7-b263-34ba91d2284b&width=768&dpr=3&quality=100&sign=25e44205&sv=2) Begin entering details by clicking on the 'App name' input field to provide the name of your application. Do look at the Consent screen above to see how the information provided will appear on the consent screen displayed to your end users. 1. **After filling in your app details, click the 'Next' button at the bottom right to proceed with providing your technical details** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FwRUIVkIEpAM2Hagi1WIo%252Fimage.png%3Falt%3Dmedia%26token%3Df6be3ea6-618c-476d-8fef-0523acb5046a&width=768&dpr=3&quality=100&sign=af36929a&sv=2) Continue to the next step by clicking the 'Next' button located at the bottom right of the screen. 1. **Fill up your App's Technical Configuration Details** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fy4rWhOhc7OMcRBR0NxB4%252Fimage.png%3Falt%3Dmedia%26token%3D63df4eda-dcca-4548-a24e-561c15fc2bc7&width=768&dpr=3&quality=100&sign=bed14f74&sv=2) Fill up all app configuration input fields including redirect url(s), jwks endpoint, mobile app launch url 1. **After filling in the details click on the Next button to continue to the data scopes selection** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FXRpOnDP5icuuYGjLKwuR%252Fimage.png%3Falt%3Dmedia%26token%3Dc23b322a-437b-4bf4-89d6-d59845d866c3&width=768&dpr=3&quality=100&sign=a2e4a3be&sv=2) Select the 'Next' button at the bottom-right corner to continue to the data scopes selection. 1. **Check the relevant data scopes** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FPIkGRRfnkmmelyfSgFOv%252Fimage.png%3Falt%3Dmedia%26token%3Dc2f213bd-a876-409e-903d-f6e14ad8e6e1&width=768&dpr=3&quality=100&sign=bcef5df9&sv=2) Select the relevant scopes for your app 1. **Click 'Next' button after selecting your scopes to review your scopes selected** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F0abtGXcLqNowO4WMYaf4%252Fimage.png%3Falt%3Dmedia%26token%3Dbe3470fb-6b73-4e0c-ad3b-3b12bb750347&width=768&dpr=3&quality=100&sign=aa7ab435&sv=2) Proceed to the next step by clicking the 'Next' button at the bottom right corner. 1. **After reviewing the selected data scopes, click the 'Next' button to continue.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FfyhS5E6Kj12qEeDY5AKQ%252Fimage.png%3Falt%3Dmedia%26token%3Db3fb2088-15ad-4193-9b6e-cf41380d2646&width=300&dpr=3&quality=100&sign=f0aee103&sv=2) 2. **Upload the User Journey and Click 'Submit app' button.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FHwZdy82K0yyvSBnOHTyu%252Fimage.png%3Falt%3Dmedia%26token%3Da75eeac5-91f8-4d46-9e67-4c52b92bde84&width=768&dpr=3&quality=100&sign=4bd5e435&sv=2) Initiate the app submission process by clicking the 'Submit app' button. 1. **Check the acknowledgment checkbox and submit your application. Do note that the approval process may take up to two weeks do factor in this time when planning your app launch.** ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F8CnEObSdxdvZDXNMxxjk%252Fimage.png%3Falt%3Dmedia%26token%3D36b0d51f-46c2-4409-90b4-ee74fa2a45e5&width=768&dpr=3&quality=100&sign=3aded30f&sv=2) [PreviousCreate Staging Test Accountchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-staging-test-account) [NextEdit Production Appchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/edit-production-app) Last updated 2 months ago Was this helpful? Was this helpful? --- # Edit Production App | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close Prerequisites: * You have to be successfully logged into [Singpass Developer Portalarrow-up-right](https://developer.singpass.gov.sg/) before you can edit Production App. * You have already toggled your Dashboard view to Production. * You have at least one Production App (Status = **Activated**) to be edited. 1. Click **App Name hyperlink** on your Dashboard - Production view. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252FeEmGplmRJzchGAT5Ry0s%252FDashboard%2520-%2520Prod.png%3Falt%3Dmedia%26token%3D4aa64ee7-6245-4461-8f41-3903ce5551f0&width=768&dpr=3&quality=100&sign=3681a418&sv=2) 1. You will be redirected to view the Production App details. Click **Edit**. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fx6s7JEk1eGLjT2jSbrwK%252FPROD%2520View%2520App%2520-%2520Activated.png%3Falt%3Dmedia%26token%3D401514cf-9b86-45df-97d5-02acf80b2a86&width=768&dpr=3&quality=100&sign=e2ee2d09&sv=2) circle-info Edit button will **not** be visible for App with Status = Pending Approval. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fz6Zr4T7tCpuLLZJHjbsO%252Fimage.png%3Falt%3Dmedia%26token%3D744963a8-aa76-498f-9a49-90799f4feed0&width=768&dpr=3&quality=100&sign=4c4df4ed&sv=2) 1. Edit the necessary details and click **Update**. circle-info App name, User Journey, App Purpose or Allowed Scopes changes will go through approval process before the changes are applied. circle-info Authentication Flow is disabled for Production Environment. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252F1eXFs22NJzO8QYmIdx78%252FPROD%2520Edit%2520App.png%3Falt%3Dmedia%26token%3Db940ee5e-6eb3-4c43-ac47-0a908ae75f02&width=768&dpr=3&quality=100&sign=2096085&sv=2) 1. You will be redirected to view the updated Production App details. ![](https://docs.developer.singpass.gov.sg/docs/~gitbook/image?url=https%3A%2F%2F2816701917-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FW3T7d7fy7OGYkZf4zVKU%252Fuploads%252Fx6s7JEk1eGLjT2jSbrwK%252FPROD%2520View%2520App%2520-%2520Activated.png%3Falt%3Dmedia%26token%3D401514cf-9b86-45df-97d5-02acf80b2a86&width=768&dpr=3&quality=100&sign=e2ee2d09&sv=2) [PreviousCreate Production Appchevron-left](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/create-production-app) [NextConsent to Singpass Service Agreementchevron-right](https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/user-guide/consent-to-singpass-service-agreement) Last updated 2 months ago Was this helpful? Was this helpful? --- # Authorization Code Grant | Singpass Developer Docs [circle-info\ \ 📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026\ \ Singpass Developer Docschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) close triangle-exclamation All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026. The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions. [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#client-authentication-client-assertion-jwt) Client Authentication - Client Assertion JWT --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#assertion-jwt-structure) Assertion JWT Structure The RP is required to generate an assertion JWT that has the following header and claims, and is signed with the JWK that was provided during onboarding. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jwt-header) **JWT Header** The header **must include** `**alg**` **and** `**typ**`. The supported `alg` types are: * `ES256` * `ES384` * `ES512`. This must match the `alg` value in the signing key used to sign the assertion (if the signing JWK specifies `alg` explicitly). The header should also include `kid` of the signing key to help identify which of the RP’s signing keys was used, though this is not mandatory. If omitted, we will test against all known signing keys when attempting to verify the signature. _example_ Copy { "typ": "JWT", "alg": "ES256", "kid": "rp_key_01" } #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jwt-claims) **JWT Claims** Path Type Description `sub` `String` This should be `client_id` of the registered client. `aud` `String` The recipient that the JWT is intended for. This must match the `issuer` field in the response of the OpenID discovery endpoint ([https://id.singpass.gov.sg/.well-known/openid-configurationarrow-up-right](https://id.singpass.gov.sg/.well-known/openid-configuration) ) e.g. [https://id.singpass.gov.sgarrow-up-right](https://id.singpass.gov.sg/) . `iss` `String` This should be `client_id` of the registered client. `iat` `Number` The time at which the JWT was issued. [https://tools.ietf.org/html/rfc7519#section-4.1.6arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.6) `exp` `Number` The expiration time on or after which the JWT MUST NOT be accepted by Singpass for processing. Additionally, Singpass will not accept tokens with an `exp` longer than 2 minutes since `iat`. [https://tools.ietf.org/html/rfc7519#section-4.1.4arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.4) `jti` `String` A unique identifier for this token. This identifier must only be used once. You should generate a new `jti` value for every request. `code` `String` (Optional) This should be the auth `code` which is used to exchange for an ID token. It should be identical to the `code` form param sent outside the `client_assertion`. This enables increased security by signing the `code` so that the `client_assertion` can only be used once for a specific request. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#request-response-structure) Request / Response Structure Curl request #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#form-parameters) Form parameters Parameter Description `client_id` The Client Identifier registered. It is the App ID found at the top of your app configuration page. `redirect_uri` The redirect URI being used in this auth session. `grant_type` The type of grant being requested. This must be set to `authorization_code`. `code` The code issued earlier in the auth session. `scope` (Optional) If no value is provided, it defaults to `openid`. If provided, then only `openid` is allowed. `client_assertion_type` This MUST be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`. `client_assertion` A JWT identifying the client. `code_verifier` (Mandatory) This is the session-based, unique, and non-guessable value that the RP had used to generate the `code_challenge`. Must match `regexp` pattern of `[a-zA-Z0-9_\-.~]+` minimum length of 43 characters and a maximum length of 128 characters. #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#http-request) HTTP request #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#http-response) HTTP response #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#request-body) Request body #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#response-body) Response body #### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#response-fields) Response fields Path Type Description `access_token` `String` For Login flows, the access token will be a random string that is not to be used. For Myinfo flows, the token will be an encoded JSON Web Token (JWT). This token is to be used to exchange for payload at UserInfo Endpoint. `token_type` `String` The type of token being requested, Bearer only so far. `id_token` `String` The ID token with relevant claims in JWT format signed by the ASP. Note that the example response body shows a JWS (3-part structure separated by dots), but the format will differ for a JWS in JWE (5-part structure). Refer [here](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#id-token-structure) for more details about the ID token structure. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#error-response) **Error Response** Singpass generally follows OIDC error response specifications. For more information, please refer to [Token Error Response specificationsarrow-up-right](https://tools.ietf.org/html/rfc6749#section-5.2) . [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#id-token-structure) ID Token Structure ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The format and structure of the issued ID Token will vary depending on the client’s profile as specified in this table below: Client Profile `sub` Claim Content ID token format `direct` UUID only (eg. `u=32af8b7d-ad1d-4c25-8dc7-0a981b533000`) JWS `direct_pii_allowed` **Regular NRIC holders**: NRIC and UUID (eg. `s=S1234567A,u=32af8b7d-ad1d-4c25-8dc7-0a981b533000`) **Singpass Foreign Account (SFA) holders**: Singpass User ID (UID), Foreigner ID (FID), Country-of-Issuance (COI) and UUID (eg. `s=Y7613265T,fid=G730Z-H5P96,coi=DE,u=e2af740e-25b4-4b19-b527-494670952cb0`) This class of users were previously known as "Foreign Unique Account" or "Singpass Foreign Unique Account" users. Only designated relying parties are able to have SFA users authenticate & complete token exchange. JWS in JWE (encrypted with client’s JWK) See section below for more details about the JWE format. `bridge` (special case internal use only) NRIC and UUID (eg. `s=S1234567A,u=32af8b7d-ad1d-4c25-8dc7-0a981b533000`) JWS ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#overview-of-a-jws-in-jwe) Overview of a JWS in JWE An encrypted ID token will returned from the `/token` endpoint is a JWS in JWE that is in compact serialization form. It has the following structure: * JWE Header * Encrypted Key * Initialization Vector * Encrypted Payload (if decrypted, this would be the Base64 encoded form of a [JWS ID Token](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#overview-of-jws) ) * Authentication Tag See [https://datatracker.ietf.org/doc/html/rfc7516#section-3.1arrow-up-right](https://datatracker.ietf.org/doc/html/rfc7516#section-3.1) for more details. ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jwe-header) JWE Header The JWE will contain these standard headers. Refer to [https://tools.ietf.org/html/rfc7515#section-4arrow-up-right](https://tools.ietf.org/html/rfc7515#section-4) for more information about each header. > Note: Relying parties should use the `kid` field in the header to determine which key NDI used for encryption. _example_ ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#overview-of-jws) Overview of JWS The [JWSarrow-up-right](https://tools.ietf.org/html/rfc7515) ID token returned from the `/token` endpoint is in compact serialization form. A JWS has the following structure. * JWS Header * Payload (containing claims) * Signature ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jws-header) JWS Header The JWS ID token will contain these standard headers. Refer to [https://tools.ietf.org/html/rfc7515#section-4arrow-up-right](https://tools.ietf.org/html/rfc7515#section-4) for more information about each header. _example_ ### [hashtag](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jws-claims) JWS Claims The JWS ID token will contain the following claims. _example_ _Table 1. Description of Claims_ Path Type Description `sub` `String` The principal that is the subject of the JWT. Contains a comma-separated, key=value mapping that identifies the user; possibly including multiple alternate IDs representing the user. The keys included vary by the profile of the OIDC client, and the user type, however the minimal format is `u=` where UUID represents the user’s globally unique identifier. [https://tools.ietf.org/html/rfc7519#section-4.1.2arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.2) `aud` `String` The client\_id of the relying party. [https://tools.ietf.org/html/rfc7519#section-4.1.3arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.3) `iss` `String` The principal that issued the JWT. [https://tools.ietf.org/html/rfc7519#section-4.1.1arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.1) `iat` `Number` The time at which the JWT was issued. [https://tools.ietf.org/html/rfc7519#section-4.1.6arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.6) `exp` `Number` The expiration time on or after which the JWT MUST NOT be accepted for processing. Defaults to 10 minutes since "iat". [https://tools.ietf.org/html/rfc7519#section-4.1.4arrow-up-right](https://tools.ietf.org/html/rfc7519#section-4.1.4) `amr` `Array` Authentication method references. Example values are `["face"]`, `["fv"]`, `["fv-alt"]`, `["otp"]`, `["pwd","fv"]`, `["pwd","otp-email"]`, `["pwd","sms"]`, `["pwd","swk"]`, `["pwd"]`, `["sso"]`. Note that this list is non-exhaustive, and NDI reserves the right to introduce new values without prior notice to RPs. `nonce` `String` String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Clients MUST verify that the nonce Claim Value is equal to the value of the nonce parameter sent in the Authentication Request. [https://openid.net/specs/openid-connect-core-1\_0.html#IDTokenarrow-up-right](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) `acr` `String` (Optional) The Authentication Context Class Reference. The values are context-specific and agreed upon between NDI and relying parties when used. [Previous2\. Token Endpointchevron-left](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint) [NextClient JWK Requirementschevron-right](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/client-jwk-requirements) Last updated 2 months ago Was this helpful? * [Client Authentication - Client Assertion JWT](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#client-authentication-client-assertion-jwt) * [Assertion JWT Structure](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#assertion-jwt-structure) * [Request / Response Structure](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#request-response-structure) * [Error Response](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#error-response) * [ID Token Structure](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#id-token-structure) * [Overview of a JWS in JWE](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#overview-of-a-jws-in-jwe) * [JWE Header](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jwe-header) * [Overview of JWS](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#overview-of-jws) * [JWS Header](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jws-header) * [JWS Claims](https://docs.developer.singpass.gov.sg/docs/technical-specifications/singpass-authentication-api/2.-token-endpoint/authorization-code-grant#jws-claims) Was this helpful? Copy $ curl 'https://stg-id.singpass.gov.sg/token' -i -X POST \ -H 'Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1' \ -d 'grant_type=authorization_code&redirect_uri=http%3A%2F%2Fexample.com&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJraWQiOiJycF9rZXlfMDEiLCJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiJnblk2RXJpY2hwYjV0NE5GUlA5UjRMN2FFQzlOMEZRSCIsImF1ZCI6Imh0dHBzOi8vc3RnLWlkLnNpbmdwYXNzLmdvdi5zZyIsImNvZGUiOiJuMGVzYzNOUnplN0xUQ3U3aVl6UzZhNWFjYzNmMG9ncDQiLCJpc3MiOiJodHRwOi8vZXhhbXBsZS5jb20iLCJleHAiOjE3MjczMjIwNjUsImlhdCI6MTcyNzMyMTk0NX0.AAAAAAAAAAAAAAAAAAAAAIvHG8uapa4w10pPn_S_7uyYPXNJWU7389sTLNHXrCKhAAAAAAAAAAAAAAAAAAAAAIxyKbbZfLSkduU6WIPrrPe1kGvmHmzXL4PHpgAJ0g0d&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&client_id=gnY6Erichpb5t4NFRP9R4L7aEC9N0FQH&code_verifier=mN7szCmmIc6Z2Vg-iaX7f7RDVsKAhY5GG-r7Crq0jxTdxY0xyPKnsAEWtEMdZ3D8QW5rs-C824W3Jwntcw' Copy POST /token HTTP/1.1 Content-Type: application/x-www-form-urlencoded; charset=ISO-8859-1 Host: stg-id.singpass.gov.sg Content-Length: 788 grant_type=authorization_code&redirect_uri=http%3A%2F%2Fexample.com&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJraWQiOiJycF9rZXlfMDEiLCJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiJnblk2RXJpY2hwYjV0NE5GUlA5UjRMN2FFQzlOMEZRSCIsImF1ZCI6Imh0dHBzOi8vc3RnLWlkLnNpbmdwYXNzLmdvdi5zZyIsImNvZGUiOiJuMGVzYzNOUnplN0xUQ3U3aVl6UzZhNWFjYzNmMG9ncDQiLCJpc3MiOiJodHRwOi8vZXhhbXBsZS5jb20iLCJleHAiOjE3MjczMjIwNjUsImlhdCI6MTcyNzMyMTk0NX0.AAAAAAAAAAAAAAAAAAAAAIvHG8uapa4w10pPn_S_7uyYPXNJWU7389sTLNHXrCKhAAAAAAAAAAAAAAAAAAAAAIxyKbbZfLSkduU6WIPrrPe1kGvmHmzXL4PHpgAJ0g0d&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&client_id=gnY6Erichpb5t4NFRP9R4L7aEC9N0FQH&code_verifier=mN7szCmmIc6Z2Vg-iaX7f7RDVsKAhY5GG-r7Crq0jxTdxY0xyPKnsAEWtEMdZ3D8QW5rs-C824W3Jwntcw Copy HTTP/1.1 200 OK Cache-Control: no-cache, no-store, must-revalidate x-ndi-response-category: client-assertion-auth-code X-XSS-Protection: 0 X-Frame-Options: DENY Date: Thu, 26 Sep 2024 03:39:05 GMT Connection: keep-alive Vary: Origin Vary: Access-Control-Request-Method Vary: Access-Control-Request-Headers X-Content-Type-Options: nosniff Transfer-Encoding: chunked Content-Type: application/json Content-Length: 597 { "access_token" : "Ul5JqK8vJX8Jfgo7UjpiIigF7DciW7YGnUACLN1/T80=", "token_type" : "Bearer", "id_token" : "eyJraWQiOiJuZGlfc3RnXzAxIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJnblk2RXJpY2hwYjV0NE5GUlA5UjRMN2FFQzlOMEZRSCIsInN1YiI6InM9Uzg4MjkzMTRCLHU9MWMwY2VlMzgtM2E4Zi00ZjhhLTgzYmMtN2EwZTRjNTlkNmE5IiwiYW1yIjpbInB3ZCIsInN3ayJdLCJpc3MiOiJodHRwczovL3N0Zy1pZC5zaW5ncGFzcy5nb3Yuc2ciLCJleHAiOjE3MjczMjI1NDUsImlhdCI6MTcyNzMyMTk0NSwibm9uY2UiOiJMNW5tUWZjZXREREllaW5jb3F2Q3JGeUd2K25Ib2JrdjRYb2NOWVBDWGFRPSJ9.bD1osnkuL-hXCXY9L_LbveANix_tBsjk8872bL04tTPFGMkzMjE85W8fTwQXrPSFnwQtgzmLB2__i0vdGYnfgA" } Copy grant_type=authorization_code&redirect_uri=http%3A%2F%2Fexample.com&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJraWQiOiJycF9rZXlfMDEiLCJ0eXAiOiJKV1QiLCJhbGciOiJFUzM4NCJ9.eyJzdWIiOiJnblk2RXJpY2hwYjV0NE5GUlA5UjRMN2FFQzlOMEZRSCIsImF1ZCI6Imh0dHBzOi8vc3RnLWlkLnNpbmdwYXNzLmdvdi5zZyIsImNvZGUiOiJuMGVzYzNOUnplN0xUQ3U3aVl6UzZhNWFjYzNmMG9ncDQiLCJpc3MiOiJodHRwOi8vZXhhbXBsZS5jb20iLCJleHAiOjE3MjczMjIwNjUsImlhdCI6MTcyNzMyMTk0NX0.AAAAAAAAAAAAAAAAAAAAAIvHG8uapa4w10pPn_S_7uyYPXNJWU7389sTLNHXrCKhAAAAAAAAAAAAAAAAAAAAAIxyKbbZfLSkduU6WIPrrPe1kGvmHmzXL4PHpgAJ0g0d&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&client_id=gnY6Erichpb5t4NFRP9R4L7aEC9N0FQH&code_verifier=mN7szCmmIc6Z2Vg-iaX7f7RDVsKAhY5GG-r7Crq0jxTdxY0xyPKnsAEWtEMdZ3D8QW5rs-C824W3Jwntcw Copy { "access_token": "Ul5JqK8vJX8Jfgo7UjpiIigF7DciW7YGnUACLN1/T80=", "token_type": "Bearer", "id_token": "eyJraWQiOiJuZGlfc3RnXzAxIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJhdWQiOiJnblk2RXJpY2hwYjV0NE5GUlA5UjRMN2FFQzlOMEZRSCIsInN1YiI6InM9Uzg4MjkzMTRCLHU9MWMwY2VlMzgtM2E4Zi00ZjhhLTgzYmMtN2EwZTRjNTlkNmE5IiwiYW1yIjpbInB3ZCIsInN3ayJdLCJpc3MiOiJodHRwczovL3N0Zy1pZC5zaW5ncGFzcy5nb3Yuc2ciLCJleHAiOjE3MjczMjI1NDUsImlhdCI6MTcyNzMyMTk0NSwibm9uY2UiOiJMNW5tUWZjZXREREllaW5jb3F2Q3JGeUd2K25Ib2JrdjRYb2NOWVBDWGFRPSJ9.bD1osnkuL-hXCXY9L_LbveANix_tBsjk8872bL04tTPFGMkzMjE85W8fTwQXrPSFnwQtgzmLB2__i0vdGYnfgA" } Copy { "kid": "client_01", "cty": "JWT", "enc": "A256CBC-HS512", "alg": "ECDH-ES+A256KW" } Copy { "kid": "ndi_stg_01", "typ": "JWT", "alg": "ES256" } Copy { "aud": "gnY6Erichpb5t4NFRP9R4L7aEC9N0FQH", "sub": "s=S8829314B,u=1c0cee38-3a8f-4f8a-83bc-7a0e4c59d6a9", "amr": ["pwd", "swk"], "iss": "https://stg-id.singpass.gov.sg", "exp": 1727322545, "iat": 1727321945, "nonce": "L5nmQfcetDDIeincoqvCrFyGv+nHobkv4XocNYPCXaQ=" } ---