# Technical Guidelines

## 1. Transaction Log

Digital services which have integrated with Myinfo should track and store user transactions for potential issue management.

The following are some of the suggested minimum fields for tracking:

* UUID, Partial NRIC/FIN or NRIC/FIN (as relevant to usage under PDPA guidelines)
* Fields requested from Myinfo
* Time Stamp

In the event of user feedback or contact, these transaction logs may be requested by Myinfo to reconcile and resolve issues raised by the user.

***

## 2. X.509 Public Key

To implement RS256 (RSA Signature with SHA-256) Digital Signature for Myinfo APIs in your apps, please use an X.509 Public Key Certificate with an RSA key size of 2048 bits or larger, issued by one of the following compatible Certificate Authorities (CAs):

* Comodo/Sectigo
* DigiCert
* GeoTrust
* GlobalSign
* [Netrust](https://www.netrust.net/netrust-singpass-myinfo-certificates)\*
* Thawte
* VeriSign

\*Certificate must be issued by Netrust. Entrust-issued certs are not accepted.

{% hint style="danger" %}
ECC and ECDSA Public Key Certificates are currently NOT supported.
{% endhint %}

***

## 3. TLS & Cipher Suites

**IMPORTANT:** In line with contemporary industry best practices, Myinfo supports TLS 1.2.

The list of supported strong cipher suites includes:

* TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384
* TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256
* TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384
* TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256

***

## 4. Callback URLs

For security reasons:

* Different callback URLs should be used for staging and production environments
* The Fully Qualified Domain Name (FQDN) of the staging and production environments should be used (i.e. not an IP address)
* Callback URLs should not contain Hash (#) or Wildcard (\*) characters

***

## 5. Mobile App integration

* Myinfo offers integration via browser redirections. Native application integration is not supported.
* Integration should be done via in-app browser (not WebViews) or external browser.
* For services integrating on Android, DOM storage should be enabled (`WebSettings.setDomStorageEnabled(true)`).
* Camera permissions for your app must be enabled to support cases where additional security verification with Singpass Face Verification is required.
