Dear Partners,
As part of our commitment to strengthening security standards and aligning with global best practices, Corppass is adopting FAPI 2.0. We are pleased to announce that the finalized FAPI 2.0 specifications are now available.
Why is this change to FAPI 2.0 important?
This change will bring several key benefits:
- Bolstered Security: FAPI 2.0 provides a robust framework that protects against common security threats like phishing and token theft, giving your users greater confidence in your services.
- Streamlined Integration: By standardizing on a single, modern protocol, this update will simplify future integrations and reduce long-term maintenance efforts for partners.
- Consistency and Scalability: This change creates a more cohesive system across Singpass and Corppass, preparing us for future enhancements and ensuring a consistent experience for all users and partners. Ultimately, this means you can spend less time on security and more time building innovative features for your users.
- Enhanced User Experience: This enhancement can make context-aware and progressive logins possible, allowing for a smoother user journey.
What do you need to know?
- The complete and finalized FAPI 2.0 specifications are now ready for your review and integration planning, and can be accessed via https://go.gov.sg/cpfapi2
- It is mandatory to comply with FAPI 2.0 by H1 2027.
- Testing environment: We will be providing a dedicated testing environment at a later date to allow you to validate your FAPI 2.0 integration.
- Upcoming engagement session: We will be holding an engagement session in October for a detailed walkthrough of the changes and addressing any questions you may have. More details are provided below.
What do you need to do?
- Review the technical specifications: We encourage you to immediately review the finalized specifications, to assess the impact on your e-services and begin your integration planning.
- RSVP for our engagement sessions: To help us better track attendance and prepare, we kindly ask you to RSVP for the upcoming engagement session. Please save the date:
  - [Public Sector Only] October 30th, 2025, 10am - 12pm
    - RSVP via this form: https://go.gov.sg/speswogoct2025
    - This is a joint session for Singpass and Corppass FAPI 2.0.
    - The calendar invite will be sent out at a later date for partners who have RSVP-ed.
Timeline summary
| Date | Action Required |
| --- | --- |
| Now | Finalized FAPI 2.0 specifications are available for review. |
| 30th October 2025 | RSVP for and attend the public sector engagement session. |
| By H1 2027 | Corppass e-services must be FAPI 2.0 compliant. |
Thank you for your continued partnership as we work together to strengthen security and trust across all digital services. If you have any questions, please reach out to our support team here.
Best regards,
Singpass Partner Experience team
-------------------------------------------------------------------------------------------------------
FAQ:
1. What is FAPI 2.0?
FAPI 2.0 is a set of security and interoperability standards developed by the OpenID Foundation. It is designed to protect APIs handling sensitive data, particularly in identity and financial systems, by introducing advanced security measures such as proof of possession tokens and stricter authentication protocols.
2. What would the main changes be with the release of FAPI 2.0?
With the release of FAPI 2.0, Corppass is introducing three key changes to its APIs to enhance security. First, Pushed Authorization Requests (PAR) will be required, which involves sending authorization parameters to the server through a secure back-end channel instead of a user-facing URL. This prevents URL tampering and keeps sensitive data out of browser history. Second, the ID Token will now always need to be encrypted using JSON Web Encryption (JWE), and the format of the ID Token has been changed to make it easier for partners to parse the required information from it. Third, Demonstration of Proof-of-Possession (DPoP) will be used to cryptographically bind an access token to the client that received it, making a stolen token useless to an attacker, as they cannot provide the necessary proof of possession. More detailed implementation guides for these changes will be shared by the end of September 2025.
3. Is Myinfo Business also required to migrate?
Myinfo Business is not affected at this time. We will reach out to Myinfo Business API RPs separately.