Skip to main content

Singpass FAPI 2.0 Error Troubleshooting Guide

Gayle_LAU@tech.gov.sg
Updated

General Flow

  1. Call par endpoint

  2. Redirect user to auth endpoint

  3. Exchange code at token endpoint

  4. (Only for Myinfo apps) Call userinfo endpoint

 

par endpoint errors

Status Code

 

error

 

error_description

 

Common Causes

 

What To Do

 

400

bad_request

Request parameters invalid

Missing/invalid parameters

authentication_context_message invalid Contains special characters

No DPoP header

Check full POST body

Must match ^[a-zA-Z0-9 ]*$ (only letters, numbers, spaces)

400

invalid_scope

Scope not onboarded in SDP

Verify scope in developer portal

400

invalid_request

An error has occurred.

Missing DPoP header / wrong content type

 

Client doesnt allow ACR values please remove the ACR

Ensure DPoP header present and content-type is application/x-www-form-urlencoded

400

invalid_client

RP failed client assertion authentication

Wrong signing key / expired JWT

Check client assertion claims and signature

401

invalid_dpop_proof

Failed to verify the DPoP proof JWT

Expired / wrong htm / wrong htu

Check DPoP Ensure exp ≤120s, htm=POST, htu exact match

502

upstream_dependency_error

An error has occurred.

JWKS not reachable

Check JWKS endpoint Ensure public HTTPS access and valid JSON

 
 

auth endpoint errors

Error Code

 

What It Means

 

Common Causes

 

What To Do

 

PX-E0013

request_uri missing/expired/mismatch

Expired PAR / wrong client_id

Ensure request_uri from latest PAR response

PX-E1000

Request parameters invalid.

not state/request_uri parameter

check if paramenters are correct

PX-E0008

Scope(s) provided may be unregistered

 

 

 
 

token endpoint errors

Status Code

 

Error

 

error_description

 

Common Causes

 

What To Do

 

400

invalid_grant

Authorization code invalid

Code reused / expired / redirect_uri mismatch

Use fresh code, check redirect_uri

check post request parameters

400

invalid_request

An error has occurred.

Missing parameters

Check full POST body

400

invalid_client

RP failed client assertion authentication

Wrong signing key / expired JWT

Check client assertion claims and signature

401

invalid_dpop_proof

Failed to verify the DPoP proof JWT

Expired / wrong htm / wrong htu

Check DPoP Ensure exp ≤120s, htm=POST, htu exact match

401

invalid_dpop_proof

Incoming DPOP Proof JWT does not match the initial dpop_jkt sent at PAR endpoint

Different key from PAR

Use same DPoP keypair throughout flow

 
 
 

userinfo errors

Status Code

 

Error

 

error_desciption

 

What To Do

 
 

Status Code

 

Error

 

error_desciption

 

What To Do

 

400

invalid_request

Myinfo profile not provisioned

Use test user with provisioned Myinfo profile

401

invalid_dpop_proof

DPoP verification failed

Ensure correct DPoP key + exp ≤120s

 
 
 

 

 
Related content
 

Related to

Related articles

Comments

0 comments

Please sign in to leave a comment.