Corppass Authorization API (FAPI 2.0)
Integrate with FAPI 2.0 for Enhanced Security
FAPI 2.0 is a high-assurance security profile built on OAuth 2.0 and OpenID Connect that strengthens authentication and authorisation. It is available for technical integration from:
Staging: 23 February 2026
Production: 23 March 2026
What this means for partners
New services created on or after the dates above must use FAPI 2.0 to meet the latest security standards.
Production services onboarded before 23 March 2026 must migrate to FAPI 2.0 by 31 March 2027, ahead of the planned deprecation of the Legacy Security Profile. To ensure continuity of service, we encourage planning and completing migration early. Refer to the Migration Guide.
Introduction
This technical specification describes the web-based Application Programming Interfaces (APIs) provided by Corppass for use by Relying Parties (RPs).
It defines the required endpoints and interactions to:
Initiate user authentication using the OpenID Connect (OIDC) protocol
Securely and reliably retrieve identity and authorization information
Corppass implements the OpenID Foundation’s Financial-grade API (FAPI) 2.0 Security Profile, a high-assurance security standard built on top of OAuth 2.0 and OpenID Connect.
This ensures that all authentication and authorization flows are protected using:
JWE-encrypted ID tokens
JWT-based client authentication (client assertions)
Sender-constrained access tokens via DPoP (Demonstration of Proof of Possession)
Getting Started
Follow the Integration Guide for step-by-step instructions on registering your application and implementing the secure authorization flow.
For existing partners moving from the Legacy Security Profile, please refer to the Migration Guide for specific transition steps.