Dear Partners,
On 11 Jun 2026, we are enabling RFC 9207 Issuer Identification for FAPI 2.0 in the production environment. This adds an iss query parameter to all FAPI 2.0 authorization responses on your redirect URI, for both success and error flows.
This change applies to your Singpass FAPI 2.0 integration only. We will implement the same for Corppass FAPI 2.0 at a later date; we will notify you separately when that timeline is confirmed.
What you need to know:
1. All redirect responses will now include iss=https://id.singpass.gov.sg/fapi:
- Success: ?code=abc123&state=xyz&iss=https://id.singpass.gov.sg/fapi
- User cancels consent: ?error=access_denied&...&iss=https://id.singpass.gov.sg/fapi
- Server error: ?error=server_error&...&iss=https://id.singpass.gov.sg/fapi
2. The new config flag authorization_response_iss_parameter_supported is in the STG OpenID configuration: https://stg-id.singpass.gov.sg/fapi/.well-known/openid-configuration
What you need to do:
1. Start testing in Singpass FAPI 2.0 staging environment. The change is already live in STG. Verify your integration handles the additional iss parameter without issues.
2. Check your Web Application Firewall (WAF) rules. If your redirect URI is behind a WAF, confirm it does not block unexpected query parameters. This is the most common cause of breakage.
Most integrations will not be affected. The risk is limited to WAF configurations that reject unknown query parameters, or frontends that selectively forward only specific parameters to the backend.
If you have any questions, please reach out to our support team here.
Best regards,
Singpass Partner Experience team
Comments
0 comments
Please sign in to leave a comment.