
# Corppass Authorization API (Legacy)

{% hint style="warning" %}
**Action Required: Upgrade to FAPI 2.0 by 31 March 2027**

FAPI 2.0 is a high-assurance security profile built on OAuth 2.0 and OpenID Connect that strengthens authentication and authorisation. [Refer to documentation](/technical-specifications/corppass-authorization-api-fapi-2.0.md).

**What this means for partners**

* New services must use FAPI 2.0 to meet the latest security standards.
* All existing services onboarded before 23 March 2026 must migrate to FAPI 2.0 by 31 March 2027, as the legacy security profile will be deprecated on 1 April 2027. To ensure continuity of service, we encourage planning and completing migration early. [Refer to migration guide](/technical-specifications/corppass-authorization-api-fapi-2.0/migration-guides/migration-guide-legacy-to-fapi-2.0.md)
* Submit your migration plan (current progress and target date) so we can support your transition and avoid service disruption. [Submit migration plan](https://go.gov.sg/cp-fapi-migration-plan)

{% endhint %}

This technical specification outlines the web-based Application Programming Interfaces (APIs) designed for use by Relying Parties (RPs) and clients. It specifies the APIs that RPs must invoke to facilitate OpenID Connect (OIDC) authentication and retrieve authorization information for Corppass users.

The following diagram illustrates the OIDC flow between the RP and Corppass, detailing the interactions required to authenticate users and access their authorization information:

<figure><img src="/files/NB9Jbhoias1Y0Nn0iz5O" alt=""><figcaption></figcaption></figure>

All RPs should follow the steps illustrated in the diagram above. In summary:

1. **Discover OpenID Provider Configuration**
   * Retrieve the details of the OpenID Provider by querying the OpenID Discovery endpoint. Refer to the [OpenID Discovery Endpoint](/technical-specifications/corppass-authorization-api-legacy/endpoints/well-known-endpoints/openid-discovery-endpoint.md) section.
2. **Initiate Authorization Request**
   * Send an authorization request to the Corppass Authorization Endpoint to obtain an authorization code. Refer to the [Authorization Endpoint](/technical-specifications/corppass-authorization-api-legacy/endpoints/authorization-endpoint.md) section.
3. **User Authentication**
   * The user will be prompted to log in with Singpass and authenticate using their Singpass credentials.
4. **Token Exchange**
   * Exchange the authorization code and client assertion at the Token Endpoint to obtain the ID token and access token. Refer to the [Token Endpoint](/technical-specifications/corppass-authorization-api-legacy/endpoints/token-endpoint.md) section.
5. **ID Token Encryption**
   * Corppass retrieves the RP's encryption public key from the client’s JWKS during the token issuance process. Refer to the [Client JWKS](/technical-specifications/technical-concepts/client-jwks.md) section.
6. **ID Token Signature Validation**
   * The RP retrieves Corppass's signing public key from the JWKS endpoint to validate the signature of the ID token. Refer to the [JWKS Endpoint](/technical-specifications/corppass-authorization-api-legacy/endpoints/well-known-endpoints/jwks-endpoint.md) section.
7. **Retrieve Authorization Information**
   * Use the access token to query the Authorization Info Endpoint and retrieve the Corppass user’s authorization details. Refer to the [Authorization Info Endpoint](/technical-specifications/corppass-authorization-api-legacy/endpoints/authorization-info-endpoint.md) section.
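
Step 6 as an added example (not Corppass or project code): verifying the signed ID token against a key selected by `kid` from the provider JWKS, then checking its claims. It assumes the token has already been decrypted to a compact JWS; the ES256 algorithm, the `sig-1` key id, and the issuer, client id and nonce passed in `expected` are assumptions for illustration, so take the real values from the linked endpoint sections.

```javascript
// Added example, not Corppass code. ES256, the kid, issuer and client id are assumptions.
const crypto = require('crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Verify the signed ID token: the compact JWS left once the RP has decrypted the JWE.
function verifyIdToken(jws, jwks, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = jws.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = parse(h);
  // Pin the algorithm locally; the token header must not choose it (rejects "none").
  if (header.alg !== expected.alg) throw new Error('unexpected alg');
  // Select the key by kid from the provider JWKS; only EC P-256 signing keys qualify.
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.use === 'sig');
  if (!jwk || jwk.kty !== 'EC' || jwk.crv !== 'P-256') throw new Error('unknown kid');
  const { kty, crv, x, y } = jwk;
  const key = crypto.createPublicKey({ key: { kty, crv, x, y }, format: 'jwk' });
  // JWS ES256 signatures are raw r||s, which Node calls ieee-p1363.
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are inspected only after the signature holds.
  const c = parse(p);
  if (c.iss !== expected.issuer) throw new Error('wrong iss');
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(expected.clientId)) throw new Error('wrong aud');
  if (typeof c.exp !== 'number' || c.exp <= nowSec) throw new Error('expired');
  if (c.nonce !== expected.nonce) throw new Error('wrong nonce');
  return c;
}

// Constructed fixture: a throwaway P-256 key stands in for the provider's signing key.
function makeFixture() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'sig-1', use: 'sig' }] };
  const sign = (header, claims) => {
    const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
    const sig = crypto.sign('sha256', Buffer.from(input),
      { key: privateKey, dsaEncoding: 'ieee-p1363' });
    return `${input}.${b64u(sig)}`;
  };
  return { jwks, sign };
}
```

In a real RP the `nonce` in `expected` is the value bound to the user's session when the authorization request was sent, and the JWKS is fetched from the `jwks_uri` advertised by the discovery document.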


