Q3. My Enterprise Architecture design requires whitelisting of Myinfo APIs IP address. What is the IP address that I should whitelist?
Myinfo APIs does not support IP whitelisting as our API Gateway is using dynamic IPs. Please whitelist the following Fully Qualified Domain Names (FQDN) instead:
test.api.myinfo.gov.sg
api.myinfo.gov.sg
Q4. How frequent does Myinfo APIs get updated? How do I get notified when there is a new version of Myinfo APIs? Can I continue to use the older API version even if a newer version is released?
The Government plans to make Myinfo more useful for digital transactions by progressively including other frequently-used profile data.
When a new version of APIs is released, there will be a transition period for digital services to migrate to the latest version. The earlier API version is usually deprecated 6 months after the new version is released.
Please ensure that your support emails are registered in your app to receive important announcement such as Myinfo new version or new data items release.
Q5. Does Myinfo APIs support native mobile application?
Myinfo APIs currently only support web-based integration.
Q6. Is there any requirement for the X.509 public key? Can we use the same X.509 certificate for our staging and production environments?
Due to security reasons, please use:
Keys that are from a compatible CA (i.e. self-signed keys are not supported)
Different keys for staging and production environments
You may use the same X.509 public key for different products/services that integrate with Myinfo, as long as different keys are used for staging and production environments.
Q7: What type of digital certificate should I obtain for integrating with Myinfo?
Integration with Myinfo requires X.509 certificate that can produce RS256 digital signature for the purpose of server to server communication.
Q8: Can I use a Web SSL certificate for integrating with Myinfo?
Web SSL certificate proves the authenticity of a domain. As integration with Myinfo is a server to server, the certificate should be issued to your company and not to a domain.
Q9. I am trying to decrypt the JWE response string returned from Myinfo Person API. However, I am getting the following error message:
The library that you are using to decrypt the response string might not support A256GCM algorithm. Please use a library that supports the algorithm.
Q10. My architecture design requires trusting of Myinfo web SSL certificate. Where can I retrieve the certificate?
We recommend that your application trust / pin against the root certificates instead, as the web SSL certificates will be renewed from time to time.
Q11. What are the requirements for callback URLs in the app configurations submission?
Please note the following requirements for callback URLs submission:
Use different callback URLs in staging and production environments.
Use static callback URLs (i.e. dynamic callback URLs are not supported)
Use Fully Qualified Domain Names (FQDN) for both the staging and production callback URLs (i.e. static IP address or port numbers in callback URLs are not supported)
Multiple callback URLs may be submitted for each environment.
Q12. How may I test that my app is able to support cases where additional security verification with Singpass Face Verification is required?
To ensure that SFV works for your Myinfo user journeys, you may verify that camera permissions are enabled through the following methods:
Staging: Test additional Singpass Face Verification through the link provided on the Mockpass page
Production: Test that SFV works for the Myinfo user journey on different modalities (e.g. mobile/computer browser, native mobile app). You can test SFV through the following steps:
a. Initiate the Myinfo user journey in your linked up service with the above App IDs
b. Log in with your Singpass ID and password instead of the QR code
c. Select Singpass Face Verification as the 2FA method instead of SMS OTP
Q13. What are the supports available for me to conduct performance testing?
Performance Testing in Production environment is strictly not allowed. Please submit a request at partnersupport.singpass.gov.sg if you are planning to conduct performance testing in Test environment.
Q14. What is the Myinfo v3 certificate change about?
The last Myinfo v3 X.509 Public Key Certificate have expired on 7th Nov 2024.
After the new certificate is integrated with your digital service, return to App Details page in Singpass Developer Portal and toggle to switch to the new certificate.
Please take note that Step 2 is to be performed immediately after Step 1 is completed.
