Dear Partners,
Following our earlier communication regarding the FAPI 2.0 draft specifications, we are pleased to announce that the finalised FAPI 2.0 specifications are now available. This release includes additional resources to guide you through the transition, ensuring a smooth and secure integration.
What’s new?
We have updated the documentation to include several key sections to support your migration efforts:
- Finalised Specifications: The complete and finalized FAPI 2.0 specifications are now ready for your review and integration planning.
- Technical Concepts: A new section has been added to provide a deeper understanding of the core technical changes, such as Pushed Authorization Requests (PAR) and Demonstration of Proof-of-Possession (DPoP).
- Migration Guides: Detailed migration guides are now available to walk you through the necessary steps for updating your existing integrations to comply with FAPI 2.0.
You can access all of these resources at: https://go.gov.sg/spfapi2
Why is this change to FAPI 2.0 important?
This change will bring several key benefits:
- Bolstered Security: FAPI 2.0 provides a robust framework that protects against common security threats like phishing and token theft, giving your users greater confidence in your services.
- Streamlined Integration: By standardising on a single, modern protocol, this update will simplify future integrations and reduce long-term maintenance efforts for partners.
- Consistency and Scalability: This change creates a more cohesive system across Singpass and Corppass, preparing us for future enhancements and ensuring a consistent experience for all users and partners. Ultimately, this means you can spend less time on security and more time building innovative features for your users.
- Enhanced User Experience: This enhancement can make context-aware and progressive logins possible, allowing for a smoother user journey.
What else do you need to know?
-
As previously communicated,
- The deadline to complete your migration from Myinfo v3/v4 to Myinfo v5 is 30 September 2026.
- All Singpass APIs must comply with FAPI 2.0 by 31 December 2026.
- Testing environment: We will be providing a dedicated testing environment at a later date to allow you to validate your FAPI 2.0 integration.
- Upcoming engagement sessions: We will be holding engagement sessions in October for a detailed walkthrough of the changes and addressing any questions you may have. More details are provided below.
What do you need to do?
- Review the new resources: We encourage you to immediately review the finalized specifications, migration guides, and the new technical concepts section to assess the impact on your applications and begin your integration planning.
-
RSVP for our engagement sessions: To help us better track attendance and prepare for our public and private sector partners, we kindly ask you to RSVP for the upcoming engagement sessions. Please save the dates:
-
[Private Sector Only] October 23rd, 2025, 10am - 12pm
- RSVP via this form: https://go.gov.sg/spespvtoct2025
-
[Public Sector Only] October 30th, 2025, 10am - 12pm
- RSVP via this form: https://go.gov.sg/speswogoct2025
- This is a joint session for Singpass and Corppass FAPI 2.0.
- The calendar invite will be sent out at a later date for partners who have RSVP-ed.
-
[Private Sector Only] October 23rd, 2025, 10am - 12pm
- Ensure support emails are updated: To ensure you continue receiving critical updates, please verify that the support email(s) in your application configuration are accurate: https://go.gov.sg/sp-poc-update
Timeline summary
| Date | Action Required |
| Now | Finalized FAPI 2.0 specifications, migration guides, and technical concepts are available for review. |
| 23rd October 2025 | RSVP for and attend the private sector engagement session. |
| 30th October 2025 | RSVP for and attend the public sector engagement session. |
| By 30th September 2026 | Myinfo v3/v4 decommissioned |
| By 31st December 2026 | All APIs must be FAPI 2.0 compliant |
Thank you for your continued partnership as we work together to strengthen security and trust across all digital services. If you have any questions, please reach out to our support team here.
Best regards,
Singpass Partner Experience team
-------------------------------------------------------------------------------------------------------
FAQ:
1. What is FAPI 2.0?
FAPI 2.0 is a set of security and interoperability standards developed by the OpenID Foundation. It is designed to protect APIs handling sensitive data, particularly in identity and financial systems, by introducing advanced security measures such as proof of possession tokens and stricter authentication protocols.
2. What would the main changes be with the release of FAPI 2.0?
With the release of FAPI 2.0, Singpass is introducing three key changes to its APIs to enhance security. First, Pushed Authorization Requests (PAR) will be required, which involves sending authorization parameters to the server through a secure back-end channel instead of a user-facing URL. This prevents URL tampering and keeps sensitive data out of browser history. Second, the ID Token will now need to be always encrypted using JSON Web Encryption (JWE) and the format of the ID token has been changed to make it easier for partners to parse the required information from the ID token. Third, Demonstration of Proof-of-Possession (DPoP) will be used to cryptographically bind an access token to the client that received it, making a stolen token useless to an attacker as they cannot provide the necessary proof of possession.
3. Do I pause my migration now if I am in the midst of migrating?
No, there is no need to pause your current migration. You can continue with your existing plans to move to Myinfo v5 (also referred to as the “new Myinfo”). If you are not yet FAPI 2.0 compliant, you will need to incorporate FAPI 2.0 changes before 31 December 2026.
4. Is Myinfo Business also required to migrate?
Myinfo Business is not affected at this time. We will reach out to Myinfo Business APIs RPs separately.
5. How / When can I start testing FAPI 2.0? I tried using the /par endpoint but received an 403 error response.
The current environment is not ready for testing. Once it is ready, we will reach out to all partners again.
Comments
0 comments
Please sign in to leave a comment.