# Corppass Authorization API (Legacy)

{% hint style="warning" %}
**Action Required: Upgrade to FAPI 2.0 by 31 March 2027**

FAPI 2.0 is a high-assurance security profile built on OAuth 2.0 and OpenID Connect that strengthens authentication and authorisation. [Refer to documentation](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-fapi-2.0)

**What this means for partners**

* New services must use FAPI 2.0 to meet the latest security standards.
* All existing services onboarded before 23 March 2026 must migrate to FAPI 2.0 by 31 March 2027, as the legacy security profile will be deprecated on 1 April 2027. To ensure continuity of service, we encourage planning and completing migration early. [Refer to migration guide](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-fapi-2.0/migration-guides/migration-guide-legacy-to-fapi-2.0)
* Submit your migration plan (current progress and target date) so we can support your transition and avoid service disruption. [Submit migration plan](https://go.gov.sg/cp-fapi-migration-plan)
{% endhint %}

This technical specification outlines the web-based Application Programming Interfaces (APIs) designed for use by Relying Parties (RPs) and clients. It specifies the APIs that RPs must invoke to facilitate OpenID Connect (OIDC) authentication and retrieve authorization information for Corppass users.

The following diagram illustrates the OIDC flow between the RP and Corppass, detailing the interactions required to authenticate users and access their authorization information:

<figure><img src="https://1605527357-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FpwMYYKh1MoYyFF7hQI6N%2Fuploads%2FXEyk7P5OcxXPJaNzK3gk%2FCorppass%20Authorization%20Flow%20(Page%201).svg?alt=media&#x26;token=2ac201ec-aca9-446c-933a-9bcb260ab154" alt=""><figcaption></figcaption></figure>

All RPs should follow the steps illustrated in the diagram above, summarized here:

1. **Discover OpenID Provider Configuration**
   * Retrieve the details of the OpenID Provider by querying the OpenID Discovery endpoint. Refer to the [OpenID Discovery Endpoint](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-legacy/endpoints/well-known-endpoints/openid-discovery-endpoint) section.
2. **Initiate Authorization Request**
   * Send an authorization request to the Corppass Authorization Endpoint to obtain an authorization code. Refer to the [Authorization Endpoint](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-legacy/endpoints/authorization-endpoint) section.
3. **User Authentication**
   * Corppass prompts the user to log in and authenticate with their Singpass credentials.
4. **Token Exchange**
   * Present the authorization code, together with a signed client assertion that authenticates the RP, to the Token Endpoint to obtain the ID token and access token. Refer to the [Token Endpoint](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-legacy/endpoints/token-endpoint) section.
5. **ID Token Encryption**
   * Corppass encrypts the ID token for the RP: during token issuance it retrieves the RP's encryption public key from the client JWKS, so the RP must decrypt the ID token with the corresponding private key before validating it. Refer to the [Client JWKS](https://docs.corppass.gov.sg/technical-specifications/technical-concepts/client-jwks) section.
6. **ID Token Signature Validation**
   * The RP retrieves Corppass's signing public key from the JWKS endpoint and uses it to validate the ID token's signature. Signature validation alone is not sufficient: the RP must also verify the standard ID token claims (issuer, audience, expiry) as required by OIDC Core. Refer to the [JWKS Endpoint](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-legacy/endpoints/well-known-endpoints/jwks-endpoint) section.
7. **Retrieve Authorization Information**
   * Use the access token to query the Authorization Info Endpoint and retrieve the Corppass user's authorization details. Refer to the [Authorization Info Endpoint](https://docs.corppass.gov.sg/technical-specifications/corppass-authorization-api-legacy/endpoints/authorization-info-endpoint) section.
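As an added example (not Corppass's code and not part of the original page), the following Go program simulates steps 4 and 6 of the flow above with both sides' messages: the RP signs a private_key_jwt client assertion, the simulated provider verifies it against the RP's JWKS before issuing an ID token, and the RP then verifies the ID token against the provider's JWKS and checks iss, aud, exp and nonce. It uses only the Go standard library. Everything identifying is an assumption: the client_id, issuer and token endpoint are hypothetical, both key pairs are generated on the spot in place of the real JWKS documents, ES256 is assumed as the signing algorithm for both tokens, and the ID token encryption of step 5 and the HTTP transport of the token request are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical stand-ins for the RP's client_id and the Discovery-document endpoints; not real Corppass values.
const clientID = "example-rp-client-id"
const issuer = "https://op.example"
const tokenEndpoint = issuer + "/token"
var b64 = base64.RawURLEncoding // JWS segments are base64url without padding (RFC 7515)

// signES256 returns a compact JWS (header.payload.signature) over claims.
func signES256(priv *ecdsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:]) // fails only if the RNG fails
	sig := make([]byte, 64)                        // JWS ES256 signature is R||S, each left-padded to 32 bytes (RFC 7518 3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyJWT checks the signature with the key the header kid selects, then the claims both sides must
// check: iss, aud and exp. The alg is pinned to ES256, so a forged header cannot steer the verifier to "none" or HMAC.
func verifyJWT(token string, jwks map[string]*ecdsa.PublicKey, iss, aud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS")
	}
	hdrRaw, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 64 {
		return nil, errors.New("malformed JWS segments")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unsupported alg: " + hdr.Alg)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	pub := jwks[hdr.Kid]
	if pub == nil || !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("unknown kid or bad signature")
	}
	claims := map[string]any{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode to float64; a missing exp fails the check below
	if claims["iss"] != iss || claims["aud"] != aud || float64(now.Unix()) >= exp {
		return nil, fmt.Errorf("claims rejected: iss=%v aud=%v exp=%v", claims["iss"], claims["aud"], exp)
	}
	return claims, nil
}

// verifyIDToken is the RP side of step 6: the generic checks above plus the nonce sent in step 2.
func verifyIDToken(token, nonce string, jwks map[string]*ecdsa.PublicKey, now time.Time) (map[string]any, error) {
	claims, err := verifyJWT(token, jwks, issuer, clientID, now)
	if err == nil && claims["nonce"] != nonce {
		return nil, errors.New("nonce mismatch: possible replay or session mix-up")
	}
	return claims, err
}

// runFlow simulates steps 4 and 6 with fresh key pairs on both sides; step 5 (encryption) is omitted.
func runFlow(nonce string, now time.Time) (map[string]any, error) {
	rpKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rpJWKS := map[string]*ecdsa.PublicKey{"rp-sig-1": &rpKey.PublicKey} // what the client JWKS publishes
	opJWKS := map[string]*ecdsa.PublicKey{"op-sig-1": &opKey.PublicKey} // what the provider's JWKS endpoint publishes
	// RP -> token endpoint: private_key_jwt client assertion (RFC 7523) sent with the authorization code.
	assertion := signES256(rpKey, "rp-sig-1", map[string]any{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(), "jti": "constructed-jti-1"})
	if _, err := verifyJWT(assertion, rpJWKS, clientID, tokenEndpoint, now); err != nil { // provider side
		return nil, fmt.Errorf("client assertion rejected: %w", err)
	}
	// Token endpoint -> RP: ID token signed with the provider's key.
	idToken := signES256(opKey, "op-sig-1", map[string]any{"iss": issuer, "sub": "constructed-subject",
		"aud": clientID, "iat": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(), "nonce": nonce})
	return verifyIDToken(idToken, nonce, opJWKS, now)
}

func main() {
	fmt.Println(runFlow("constructed-nonce", time.Now()))
}
```

Run it with `go run` to see the validated claims printed. The two kid-keyed maps stand in for fetching and caching the JWKS documents, and the alg pin in verifyJWT is what stops a presented token from selecting `none` or an HMAC algorithm keyed with the public key; the same function serves the provider checking the client assertion and the RP checking the ID token, with only the expected iss and aud swapped.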
