# Overview of Singpass Flow

{% hint style="danger" %}
All Login and Myinfo apps must follow Singpass' [FAPI 2.0-compliant authentication API](https://docs.developer.singpass.gov.sg/docs/technical-specifications/integration-guide) by 31 Dec 2026.

The specifications on this page apply to you only if you are maintaining an existing Login / Myinfo (v5) integration. We encourage you to [migrate](https://docs.developer.singpass.gov.sg/docs/technical-specifications/migration-guides/login-myinfo-v5-apps) early to avoid service disruptions.
{% endhint %}

{% @mermaid/diagram content="---
config:
  theme: base
  sequence:
    noteMargin: 20
---

sequenceDiagram
actor User
participant yaFE as Your App's<br>Frontend
participant yaBE as Your App's<br>Backend
participant Sing as Singpass

Note right of User: The Authentication Request
User->>yaFE: The user clicks "login with<br>Singpass" on your app's FE.
yaFE->>yaBE: This calls your app's BE.
activate yaBE
yaBE->>yaBE: Your app's BE generates a code_verifier, code_challenge, nonce,<br>& state, then associates them with a session (to be sent to the FE).
yaBE->>yaBE: Your app's BE constructs an authorization URL with specific<br>query parameters: scope, response_type, client_id, redirect_uri,<br>code_challenge_method, code_challenge, nonce, & state.
yaBE->>User: Your app's BE sets a session cookie on the user's browser,<br>and redirects the user to the authorization URL.
deactivate yaBE
activate yaFE
User->>Sing: The user is redirected to the authorization URL.<br>On this page, they authenticate with Singpass and give consent<br>to release Myinfo data to your app (if applicable).
activate Sing
Sing->>Sing: Singpass does some checks (this is a simplification),<br>then generates an authorization code.
Sing->>Sing: Singpass constructs a redirect URL (based on<br>the redirect_uri received) with specific<br>query parameters: code (the authorization<br>code) & state (exactly as received).
Sing->>User: Singpass redirects the user<br>to the redirect URL.

Note right of User: The Token Request
User->>yaBE: The user is redirected to the redirect URL,<br>with the authorization code, state, and session cookie.
deactivate yaFE
activate yaBE
yaBE->>yaBE: Using the session cookie, your app's BE retrieves the<br>code_verifier, state, & nonce for this session.
yaBE->>yaBE: Your app's BE verifies that the received state matches<br>the one generated earlier.
yaBE->>yaBE: Your app's BE generates a client assertion.
yaBE->>Sing: Your app's BE sends a POST request to Singpass' token endpoint<br>with: scope, grant_type, client_id, redirect_uri,<br>client_assertion_type, client_assertion,<br>code_verifier, & code (the authorization code).
Sing->>Sing: Singpass does some checks (again, this is a<br>simplification), then generates an Access Token and<br>an ID Token. The ID Token contains the nonce sent in<br>the initial authentication request. If applicable,<br>the ID Token will also be encrypted using your<br>public encryption key.
Sing->>yaBE: Singpass returns the Access Token and ID Token.
yaBE->>yaBE: If applicable, your app's BE decrypts the ID Token<br>using your private encryption key.
yaBE->>yaBE: Your app's BE validates the ID Token:<br>it must be signed with one of Singpass' signing keys,<br>its iss value must match Singpass' Issuer URL,<br>its aud value must match or contain your app's client_id, and<br>its nonce value must match the one generated earlier.
Note right of yaBE: At this point, your app is able to use the user's ID Token<br>(i.e. the Singpass Login flow ends here).

Note right of User: The UserInfo Request (If Applicable)
yaBE->>Sing: Your app's BE sends a GET request to Singpass' userinfo endpoint,<br>including the Access Token as a Bearer Token (via the<br>Authorization request header field).
Sing->>Sing: Singpass does some checks (yet another<br>simplification), then prepares the userinfo response.<br>This comes in the form of a signed and encrypted<br>JWT (i.e. a nested JWT). Note that this JWT is<br>encrypted using your public encryption key.
Sing->>yaBE: Singpass returns the userinfo response.
yaBE->>yaBE: Your app's BE decrypts the userinfo response<br>using your private encryption key.
yaBE->>yaBE: Your app's BE validates the userinfo response:<br>it must be signed with one of Singpass' signing keys,<br>its iss value must match Singpass' Issuer URL,<br>its aud value must match or contain your app's client_id, and<br>its sub value must match the sub claim in the ID token.
Note right of yaBE: At this point, your app is able to use the user's info<br>(i.e. the Myinfo integration flow ends here).
deactivate Sing
deactivate yaBE" %}
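As an added example (not Singpass' own code or SDK), here are the backend steps of the flow above that need no JOSE library, in Python: generating the PKCE pair, state and nonce; building the authorization URL; checking the callback's state; and the ID Token and userinfo claim checks the diagram lists. The endpoint, issuer, client_id and redirect_uri values are placeholders, and the signature check against Singpass' signing keys (plus decryption of the nested JWT) is assumed to have been done by a JOSE library before the claim checks run.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders (assumptions for this example, not real Singpass values):
AUTH_ENDPOINT = "https://idp.example.invalid/auth"
ISSUER = "https://idp.example.invalid"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://app.example.invalid/callback"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def new_session() -> dict:
    # Per-login record kept server-side and keyed by the session cookie set on the browser.
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128 range
    return {"code_verifier": verifier,
            "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),  # S256
            "state": b64url(secrets.token_bytes(16)),
            "nonce": b64url(secrets.token_bytes(16))}

def authorization_url(session: dict, scope: str = "openid") -> str:
    params = {"scope": scope, "response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "code_challenge_method": "S256",
              "code_challenge": session["code_challenge"],
              "nonce": session["nonce"], "state": session["state"]}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def parse_callback(redirect_url: str, session: dict) -> str:
    # Release the authorization code only if the echoed state is the one this session issued.
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback does not belong to this session")
    return q["code"][0]

def _iss_aud_ok(claims: dict) -> bool:
    aud = claims.get("aud")  # aud may be a single string or a list of audiences
    return claims.get("iss") == ISSUER and (
        aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud))

def check_id_token_claims(claims: dict, session: dict) -> None:
    # Claim checks from the diagram; signature/decryption assumed already verified by a JOSE library.
    if not _iss_aud_ok(claims) or claims.get("nonce") != session["nonce"]:
        raise ValueError("ID Token iss/aud/nonce check failed")

def check_userinfo_claims(claims: dict, id_token_claims: dict) -> None:
    # Same iss/aud rule as the ID Token, plus sub must equal the ID Token's sub.
    if not _iss_aud_ok(claims) or claims.get("sub") != id_token_claims.get("sub"):
        raise ValueError("userinfo iss/aud/sub check failed")
```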

