Verify API

Logical Architecture Overview

The diagram shows how a user consents to sharing his personal information with your application via Verify:

1. The user scans a Verify QR code pertaining to your application (e.g. at a kiosk) with Singpass Mobile.

2. The user authenticates himself on Singpass Mobile, and provides consent to share requested personal information with your application.

3. Singpass Mobile relays an authorisation code to your application via its registered callback URL.

4. Your application then makes a series of calls to Verify in order to obtain the user's data.

5. The user verifies the particulars displayed by your application before continuing the transaction.


Understanding OAuth2.0 flow for Verify APIs

Verify is built on the OAuth 2.0 framework, the web standard for obtaining a user's authorisation to access user-owned resources. The flow involves calls to three APIs: authorise, token and person (the resource API).

1. Authorise

This API is embedded in the QR code that your application needs to generate (learn more at Verify QR Code). When the user scans the QR code with Singpass Mobile, it triggers the /authorise API. After authentication on Singpass Mobile (SPM), a consent page is displayed requesting the user's explicit consent to release his/her personal details.

At the end of this process, Verify will return a short-lived "authorisation code" to your application's callback URL.

Note: Your application will need to expose a callback URL (an API endpoint) in order to receive the "authorisation code".

2. Token

This API is invoked by your application to obtain an "access token", which is then used to call the person API for the actual data. A valid "authorisation code" from the authorise API is required in exchange for the "access token".

The "access token" will be valid for 30 minutes.

Note: This API is a server-to-server call (it does not go through the browser).

3. Person

This API returns a JSON response containing the personal data that was requested. Your application needs to present a valid "access token" in exchange for the JSON data.

Once your application receives this JSON data, it should then display the user's information for verification.

Note: This API is a server-to-server call (it does not go through the browser).
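The relying-party side of steps 2 and 3 above, as an added example rather than code from the Verify documentation: the endpoint paths /token and /person, the standard OAuth 2.0 form parameters, the Bearer header and the base URLs are assumptions, client authentication to the token endpoint is omitted, and the transport is injectable so the 30-minute expiry check can be exercised offline against constructed responses.

```python
import json, time, urllib.parse, urllib.request

TOKEN_TTL_SECONDS = 30 * 60  # the page states the access token is valid for 30 minutes

def http_json(url, fields=None, token=None):
    """Server-to-server call (token or person API); the browser is never involved."""
    data = urllib.parse.urlencode(fields).encode() if fields else None
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    with urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers)) as resp:
        return json.load(resp)

class VerifyClient:
    """Relying-party side of steps 2 and 3; transport and clock are injectable for offline tests."""
    def __init__(self, base_url, client_id, redirect_uri, transport=http_json, clock=time.time):
        self._base, self._client_id, self._redirect = base_url.rstrip("/"), client_id, redirect_uri
        self._transport, self._clock, self._token, self._expires_at = transport, clock, None, 0.0

    def exchange_code(self, code):
        """Step 2: trade the short-lived authorisation code for an access token (assumed path /token)."""
        tok = self._transport(f"{self._base}/token", fields={
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": self._redirect, "client_id": self._client_id})
        self._token = tok["access_token"]
        # Honour the server's lifetime if it sends one, otherwise the documented 30 minutes.
        self._expires_at = self._clock() + int(tok.get("expires_in", TOKEN_TTL_SECONDS))
        return self._token

    def token_is_valid(self):
        return self._token is not None and self._clock() < self._expires_at

    def fetch_person(self):
        """Step 3: call the person API (assumed path /person); never send a missing or expired token."""
        if not self.token_is_valid():
            raise PermissionError("access token missing or expired; restart at the authorise step")
        return self._transport(f"{self._base}/person", token=self._token)

def run_offline_demo(now):
    """Drive the flow against a constructed fake endpoint (not real Verify responses)."""
    fake = lambda url, fields=None, token=None: (
        {"access_token": "tok-123"} if fields and fields.get("code") == "code-abc" else
        {"name": "TAN AH KOW"} if token == "tok-123" else {})
    client = VerifyClient("https://verify.example", "app-id", "https://app.example/cb",
                          transport=fake, clock=lambda: now[0])
    client.exchange_code("code-abc")
    data = client.fetch_person()       # inside the 30-minute window
    now[0] += TOKEN_TTL_SECONDS + 1    # move the clock past expiry
    try:
        client.fetch_person()
        return data, False
    except PermissionError:
        return data, True              # expired token was refused before any call went out
```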

The sequence diagram below shows the interaction for all three APIs:
