# Migration Guide: Myinfo Business v1/v2 to v3 (FAPI 2.0) This guide assists partners in transitioning existing integrations from Myinfo Business v2 (Legacy) to Myinfo Business v3. Myinfo Business v3 is built on the [Corppass Authorization API (FAPI 2.0)](/technical-specifications/corppass-authorization-api-fapi-2.0.md), which adopts the Financial-grade API (FAPI) 2.0 Security Profile based on OAuth 2.0 and OpenID Connect. ## Why Migrate? FAPI 2.0 introduces enhanced security mechanisms, mandated flows, and updated token structures that improve confidentiality, integrity, and replay protection compared to the Legacy APIs. These changes align with global security best practices and provide long‑term reliability. All legacy Myinfo Business v1/v2 applications will be deprecated, and partners must migrate to continue using the service. *** ## Key Changes

Feature	Myinfo Business (v1/v2)	Myinfo Business (v3) (FAPI 2.0)
API Endpoints	Legacy API endpoints with base URL: Test: `https://test.api.myinfo.gov.sg/biz/[v1\|v2]` Production: `https://api.myinfo.gov.sg/biz/[v1\|v2]` Legacy endpoints: Authorization Endpoint (`/authorise`) Token Endpoint (`/token`) Entity-Person Endpoint (`/entity-person/{uen}/{uuid}`)	Different set of API endpoints with base URL: Staging: `https://stg-id.corppass.gov.sg` Production: `https://id.corppass.gov.sg` Standard OIDC / FAPI 2.0 endpoints: Well-known Endpoints (`/.well-known/openid-configuration`) - where the following endpoints are dynamically obtained Pushed Authorization Request Endpoint Authorization Endpoint Token Endpoint Userinfo Endpoint Refer to Integration Guide for more details.
Enhanced Security	Standard authorization code flow	Enhanced security with Mandatory Client Assertion requirements. Mandatory Proof Key of Code Exchange (PKCE). Mandatory Demonstrating Proof of Possession (DPoP) (sender-constrained tokens).
Authorization Flow	Authorization parameters provided via front-channel (params in URL).	Authorization parameters provided via back-channel Pushed Authorization Request (PAR) endpoint. Refer to Pushed Authorization Request for more details.
Authorization Request Parameters	Authorization Endpoint: `client_id` `authmode` `purpose` `response_type` `redirect_uri` `attributes` `state`	Pushed Authorization Request: `client_id` `client_assertion` `client_assertion_type` `code_challenge` `code_challenge_method` `response_type` `redirect_uri` `scope` `state` `nonce` `acr_values` `dpop_jkt` Authorization Endpoint: `client_id` `request_uri` Refer to Pushed Authorization Request and Authorization Endpoint for more details.
Token Request Parameters	Token Endpoint: `code` `redirect_uri` `grant_type` `client_id` `client_secret` `state`	Token Endpoint: `code` `redirect_uri` `grant_type` `client_id` `client_assertion_type` `client_assertion` `code_verifier` Refer to Token Endpoint for more details.
Data Retrieval Endpoint	Endpoint: `/entity-person/{uen}/{uuid}` `uen` and `uuid` are obtained from the `sub` (uen_uuid) value in the decoded access_token. Legacy payload structure within: `entity` `person`	Endpoint: `/userinfo` (Standard OIDC endpoint) No longer required to provide `uen` and `uuid` values as these are handled through the Standard OIDC flow. Access Token is to be treated as opaque string. Updated payload structure within: `entity_info` `person_info` `corppass_info` Refer to Userinfo Endpoint for more details.
Error Handling	Legacy / custom error formats. API response `code` `message` Redirect URI `error` `error_description` `state`	Standardised OAuth 2.0 Errors. `error` `error_description` `state`
Scopes	Category-based entity scopes and fine-grained person scopes (`basic-profile`, `financials`, `capitals`, `name`, `uinfin`)	Fine-grained scopes across entity and person scopes (e.g., `entity.basic_profile.name`, `entity.basic_profile.uen_status`, `user.name`), allowing for more precise data access control. Refer to Myinfo Business Scopes for more details.

*** ## Migration Steps ### Step 1: Create Myinfo Business v3 Application Create a new Myinfo Business v3 application on the [Singpass Developer Portal (SDP)](https://developer.singpass.gov.sg/). Existing Client ID / App ID cannot be used in the new version as they are not interchangeable. Refer to [Getting Started](/products/myinfo-business/getting-started.md) guide for step-by-step instructions on creating and configuring your application. ### Step 2: Implement Myinfo Business v3 Integration Myinfo Business v3 is built on the [Corppass Authorization API (FAPI 2.0)](/technical-specifications/corppass-authorization-api-fapi-2.0.md) and introduces significant changes to the authorization flow, security requirements, and data handling. As the APIs and integration patterns differ substantially from v1/v2, partners are required to implement the integration based on the latest specifications. Refer to [Integration Guide](/technical-specifications/corppass-authorization-api-fapi-2.0/integration-guide.md) for full implementation details. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-fapi-2.0/migration-guides/migration-guide-myinfo-business-v1-v2-to-v3-fapi-2.0.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.