circle-info
📢 FAPI 2.0 Documentation Now Live — Migration Required by 31 Dec 2026
Singpass Developer Docschevron-right
search
Singpass Developer PortalSingpass Partner Helpdesk

API Specifications

Please see API Specification v4.0arrow-up-right for in depth specification

hashtag
Person-Sample

get

Retrieves a sample Person data from Myinfo based on UIN/FIN.

This API does not use OAuth2.0 to perform authentication or authorisation, and does not require authorisation token and digital signature.

Note: Null value indicates that an attribute is unavailable.

Path parameters
uinfinstringRequiredExample: S9812381D
Query parameters
scopestring[]Optional

Space separated list of scope requested. Possible scopes are listed in the scopes of the OAuth2 Security Schema above.

Example: name hanyupinyinname
Responses
chevron-right
200

OK.

Note:

  • Response will be a JSON object.
application/json

Person instance's details

get
/com/v4/person-sample/{uinfin}/
Shell
200

OK.

Note:

  • Response will be a JSON object.

hashtag
Authorise

get
/com/v4/authorize

This API triggers Singpass login and obtain consent for the user to retrieve user's data from Myinfo. Once the user has authenticated and consented, an authorisation code (authcode) will be returned via the callback URL defined. The authcode can then be used to retrieve an access token via the Token API.

Note: This API is public and should be implemented as a link or button on partner's online webpage. Note: For partners integrating via android mobile application, please ensure that the "setDomStorageEnable" attribute is enabled.

Query parameters
purpose_idstringRequired

purpose_id should have a corresponding pre-registered purpose(s) description as part of the setup. Purpose description refers to what the user will see in the consent page

response_typestringRequired

Response type for authorisation code flow - must be "code".

Default: code
scopestring[]Required

Space separated list of scopes requested. Possible scopes are listed in the scopes of the OAuth2 Security Schema above.

Example: name hanyupinyinname
code_challengestringRequired

Value resulting from performing Base64 encoding of a SHA256 hash of code_verifier (cryptographic random value generate on server side.) Refer to the section on Proof Key for Code Exchange (PKCE) for more information.

Example: BuXV0_h20H2KgRkhQ2cwDKDkSOcctPPozQv0JRP8D8k
code_challenge_methodstringRequired

Hashing method used in producing code_challenge. Only supports 'S256'

Example: S256
redirect_uristringRequired

Partner's callback URL for Myinfo to return with the authorisation code.

client_idstringRequired

Unique ID for partner's application.

Example: STG-180099999K-TEST01
app_launch_urlstringOptional

Url scheme to launch back user's mobile app after successful authentication using Singpass mobile.

subentity_idstringOptional

UEN of the SaaS partner's client that will be receiving the person data.

Example: 180099736H
Responses
get
/com/v4/authorize
JavaScript
302

Service will redirect all responses to 'redirect_uri' with additional parameters added as response results. Expected parameters include:

  • code: this is the authorisation code partner will use when calling the token endpoint
  • error: if there are any errors encountered, the error code will be given in this parameter.
    • '500' - Unknown or other server side errors.
    • '503' - Myinfo under maintenance. Error description will also be given in error_description parameter.
    • 'access_denied' - When user did not give consent, refer to error_description parameter for the reason.
    • 'invalid_scope' - When application requests for scope(s) that is not permitted.
  • error_description:
    • if error is 'access_denied' i.e. user did not give consent, the description will be 'Resource Owner did not authorize the request'.
    • if error is 'invalid_scope' i.e. scope requested is not allowed, the description will be either 'Invalid realm scope' or 'Invalid client scope'.

Note: If user closes the browser window prematurely, there will be no callback to the 'redirect_uri'.

No content

hashtag
Token

post
/com/v4/token

This API generates an access token when presented with a valid authcode obtained from the Authorise API. This token can then be used to request for the user's data that were consented.

Authorizations
clientassertion

PKI digital signature of assertion metadata for client authentication. Signature will be verified using the public signing key listed in Relying Party's JWKS.

PKCE

OAuth security extention to prevent CSRF and authorization code injection attacks. This replaces the 'state' parameter.

Header parameters
DPoPstringRequired

DPoP Proof (JWT) containing the partner's ephemeral public signing key that can be used to prove legit possession of the access token issued.

Body
codestringRequired

The authcode given by the authorise API.

grant_typestringRequired

Grant type for getting token (default "authorization_code")

Default: authorization_code
client_idstringRequired

Unique ID for your application.

redirect_uristringRequired

Application's callback URL.

client_assertionstringRequired

The assertion being used to authenticate the client. Refer to the Security section on Client Assertion for more details.

client_assertion_typestringRequired

The format of the assertion, which is defined to be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

Default: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
code_verifierstringRequired

Cryptograhic random string generated and kept secret on serverside. Used to compare with code_challenge sent in the authorize call

Responses
chevron-right
200

OK.

Returning a JSON object which contains the authorization access token (JWT) that will be used to retrieve the data from Myinfo.

application/json

Authorisation Token Response JSON

token_typestringRequired

Type of token (Bearer)

Default: Bearer
expires_inintegerOptional

Expiry of access token (in seconds)

scopestringOptional

Scopes requested, separated by space

post
/com/v4/token
NodeJS

hashtag
Person

get
/com/v4/person/{sub}

This API returns user's data from Myinfo when presented with a valid access token obtained from the Token API.

Note: Null value indicates that an attribute is unavailable.

Authorizations
DPoP

Demonstration Proof of Possession, extension that cryptographically bind access tokens to a particular client when they are issued

OAuth2authorizationCodeRequired

The following are the available OAuth2 scopes for Myinfo APIs

Authorization URL: Token URL:
Path parameters
substringRequired

Identifier of user obtained from 'sub' attribute in access token.

Example: 9E9B2260-47B8-455B-89B5-C48F4DB98322
Query parameters
scopestring[]Required

Space separated list of scopes requested. Possible scopes are listed in the scopes of the OAuth2 Security Schema above.

Example: name hanyupinyinname
subentity_idstringOptional

UEN of SaaS partner's client that will be receiving the person data.

Example: 180099736H
Header parameters
AuthorizationanyRequired

Include the access token (JWT) from /token API in this header prefixed with 'DPoP'.

DPoPanyRequired

Include the generated Demonstration of Proof of Possession token.

Responses
chevron-right
200

OK.

Note:

  • Response Content-Type will be 'application/jose', which is a JSON object conforming to the JWE standard (https://tools.ietf.org/html/rfc7516).
  • Response contents are first signed, then encrypted. In order to access the data, partner's application should do the following steps in order:
    1. Decrypt the payload with the partner's private key corresponding to the partner's encryption public key in the onboarded partner's JWKS endpoint.
    2. Validate the decrypted payload signature with Myinfo's public signing key return from Myinfo's JWKS endpoint.
  • After doing the above steps, partner's application will be able to extract the payload in JSON format.
application/json

Person instance's details

get
/com/v4/person/{sub}
NodeJS

PreviousDemonstration of Proof-of-Possession (DPoP)NextTutorials

Last updated

Was this helpful?