Dear Partners,
As part of our ongoing commitment to strengthen security standards and align with global security best practices, Singpass will be adopting FAPI 2.0 for all APIs, including Login and Myinfo.
To help partners prepare early, we are pleased to share that the FAPI 2.0 draft specifications for Singpass are now available for your review.
Why is this change to FAPI 2.0 important?
This change will bring several key benefits:
- Bolstered Security: FAPI 2.0 provides a robust framework that protects against common security threats like phishing and token theft, giving your users greater confidence in your services.
- Streamlined Integration: By standardizing on a single, modern protocol, this update will simplify future integrations and reduce long-term maintenance efforts for partners.
- Consistency and Scalability: This change creates a more cohesive system across Singpass and Corppass, preparing us for future enhancements and ensuring a consistent experience for all users and partners. Ultimately, this means you can spend less time on security and more time building innovative features for your users.
- Enhanced User Experience: This enhancement can make context-aware and progressive logins possible, allowing for a smoother user journey.
What do you need to know?
- The draft specifications can be accessed via docs.developer.singpass.gov.sg/docs/upcoming-changes/fapi-2.0-authentication-api-draft-ver.
- Disclaimer: This draft is being shared for early partner reference and preparation. It is not the finalized version.
- The finalized FAPI 2.0 specifications will be shared at a later date, along with detailed integration guides and migration toolkits.
- All Singpass APIs must comply with FAPI 2.0 by 31 December 2026.
What do you need to do?
- Review the draft specifications to assess potential impact on your existing or planned integrations.
- Plan resourcing and timelines early to ensure your applications are ready for compliance once the final specifications are released.
- To ensure you continue receiving critical updates, please verify that the support email(s) in your application configuration are accurate: https://docs.developer.singpass.gov.sg/docs/singpass-developer-portal-sdp/understanding-the-app-config-fields/support-emails
Timeline summary
| Date | Action Required |
| Now | Draft FAPI 2.0 specifications available for review (for early partner reference) |
| End September 2025 | Finalized FAPI 2.0 specifications and migration guides will be released. |
| By 31 December 2026 | All APIs must be FAPI 2.0 compliant |
We encourage partners to begin familiarising themselves with the draft to ensure a smooth transition once finalized specifications are released. Thank you for your continued partnership as we work together to strengthen security and trust across all digital services. If you have any questions, please reach out to our support team here.
Best regards,
Singpass Partner Experience team
------------------------------------------------------------------------------------------------------
FAQ:
1. What is FAPI 2.0?
FAPI 2.0 is a set of security and interoperability standards developed by the OpenID Foundation. It is designed to protect APIs handling sensitive data, particularly in identity and financial systems, by introducing advanced security measures such as proof of possession tokens and stricter authentication protocols.
2. What would the main changes be with the release of FAPI 2.0?
With the release of FAPI 2.0, Singpass is introducing three key changes to its APIs to enhance security. First, Pushed Authorization Requests (PAR) will be required, which involves sending authorization parameters to the server through a secure back-end channel instead of a user-facing URL. This prevents URL tampering and keeps sensitive data out of browser history. Second, the ID Token will now need to be always encrypted using JSON Web Encryption (JWE) and the format of the ID token has been changed to make it easier for partners to parse the required information from the ID token. Third, Demonstration of Proof-of-Possession (DPoP) will be used to cryptographically bind an access token to the client that received it, making a stolen token useless to an attacker as they cannot provide the necessary proof of possession. More detailed implementation guides for these changes will be shared by the end of September 2025.
3. When will the final FAPI 2.0 specifications be released?
We anticipate releasing the finalized FAPI 2.0 specifications along with detailed integration guides and migration toolkits by the end of September 2025. The current draft is being provided for your early review to help with preparation. We expect only minor changes between the draft and the final version.
4. Do I pause my migration now if I am in the midst of migrating?
No, there is no need to pause your current migration. You can continue with your existing plans to move to Myinfo v5 (also referred to as the “new Myinfo”). If you are not yet FAPI 2.0 compliant, you will just need to incorporate FAPI 2.0 changes before 31 December 2026.
5. Are Myinfo Business and Corppass APIs also required to migrate?
Myinfo Business and Corppass APIs are not affected at this time. We will reach out to Myinfo Business APIs and Corppass APIs RPs separately.
Comments
0 comments
Please sign in to leave a comment.