Verify API
The diagram shows how a user consents to sharing his personal information with your application via Verify:
1. The user scans a Verify QR code pertaining to your application (e.g. at a kiosk) with Singpass Mobile.
2. The user authenticates himself on Singpass Mobile and provides consent to share the requested personal information with your application.
3. Singpass Mobile relays an authorisation code to your application via its registered callback URL.
4. Your application then makes a series of calls to Verify in order to obtain the user's data.
5. The user verifies his particulars displayed by your application before continuing the transaction.
Verify is built on the OAuth 2.0 framework, which is the web standard for obtaining a user's authorisation in order to access user-owned resources. The flow involves invocation of 3 APIs: authorise, token and person (resource API).
At the end of the authorise step, Verify will return a short-lived "authorisation code" to your application's callback URL.
The token API is invoked by your application to obtain an "access token", which can be used to call the person API for the actual data. A valid "authorisation code" from the authorise API is required in exchange for the "access token".
The "access token" will be valid for 30 minutes.
The person API returns a JSON response with the personal data that was requested. Your application needs to provide a valid "access token" in exchange for the JSON data.
Once your application receives this JSON data, it should then display the user's information for verification.
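The token and person steps above, sketched as an added example (not code from Verify or its SDKs): a client-side guard that redeems each authorisation code only once, as OAuth 2.0 requires of clients, and stops using the access token after its 30-minute validity. The names `VerifyFlow`, `exchange_code`, `fetch_person` and `session_id` are assumptions; the two callables stand in for your own wrappers around the token and person APIs.

```python
import hashlib
import time

TOKEN_TTL_SECONDS = 30 * 60  # the page states the access token is valid for 30 minutes


class FlowError(Exception):
    """Raised when a step is attempted out of order, replayed or too late."""


class VerifyFlow:
    """Hypothetical client-side guard; not part of any Verify SDK."""

    def __init__(self, exchange_code, fetch_person, clock=time.monotonic):
        # Assumed wrappers: exchange_code(code) -> access token (token API),
        # fetch_person(token) -> dict of personal data (person API).
        self._exchange_code = exchange_code
        self._fetch_person = fetch_person
        self._clock = clock
        self._used_codes = set()  # SHA-256 digests of codes already redeemed
        self._tokens = {}         # session_id -> (access_token, expiry)

    def handle_callback(self, session_id, code):
        """Callback URL handler: redeem the authorisation code exactly once."""
        if not code:
            raise FlowError("callback carried no authorisation code")
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self._used_codes:
            raise FlowError("authorisation code already redeemed")
        self._used_codes.add(digest)  # mark as used before the network call
        token = self._exchange_code(code)
        self._tokens[session_id] = (token, self._clock() + TOKEN_TTL_SECONDS)

    def get_person(self, session_id):
        """Call the person API only with a token that has not yet expired."""
        entry = self._tokens.get(session_id)
        if entry is None:
            raise FlowError("no access token for this session")
        token, expiry = entry
        if self._clock() >= expiry:
            del self._tokens[session_id]  # drop the stale token
            raise FlowError("access token expired; restart from the QR scan")
        return self._fetch_person(token)
```

Keeping digests rather than raw codes means a dump of the replay set does not expose redeemable values; in production the set would also need pruning once codes have expired.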
The sequence diagram below covers all 3 APIs:
The authorise API is embedded in the QR code that your application needs to generate (Learn more at ). Scanning the QR code with Singpass Mobile triggers the /authorise API. After authentication on SPM, a consent page is displayed requesting the user's explicit consent to allow his/her personal details to be released.