# Technical Concepts

This section provides foundational knowledge required to successfully integrate with the **Corppass Authorization API**. It introduces the core standards, security mechanisms, and token structures that underpin Corppass’s authentication and authorization flows.

Understanding these concepts is critical for implementing secure, standards-compliant interactions between **Relying Parties (RPs)** and **Corppass**, and ensures alignment with the **OpenID Connect (OIDC)** and **OAuth 2.0** protocols.

### What This Section Covers

* [**Client JWKS**](/technical-specifications/technical-concepts/client-jwks.md) – How an RP publishes and rotates the public keys that Corppass uses to verify the RP's signatures and to encrypt tokens for it.
* [**JWS and JWE**](/technical-specifications/technical-concepts/jws-and-jwe.md) – Token formats used to sign (JWS) or encrypt (JWE) authentication data.
* [**Client Assertion JWT**](/technical-specifications/technical-concepts/client-assertion-jwt.md) – A private-key-based method for authenticating the client to the token endpoint.
* [**Proof Key for Code Exchange (PKCE)**](/technical-specifications/technical-concepts/proof-key-of-code-exchange-pkce.md) – Binds the authorization code to the client that requested it, so an intercepted code cannot be redeemed by anyone else.
* [**Demonstrating Proof of Possession (DPoP)**](/technical-specifications/technical-concepts/demonstrating-proof-of-possession-dpop.md) – Binds tokens and authorization codes to a key held by the client, so they cannot be replayed by a party that only holds the token.

### Standards and Specifications Reference

For developers who want to read the underlying standards Corppass adheres to:

<table><thead><tr><th width="255.54296875">Reference</th><th>Summary</th></tr></thead><tbody><tr><td><a href="https://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Core 1.0</a></td><td>Defines the core protocol for identity authentication built on top of OAuth 2.0. Covers ID tokens, user authentication flows, and the UserInfo endpoint.</td></tr><tr><td><a href="https://openid.net/connect/">OpenID Connect Overview</a></td><td>High-level overview of OpenID Connect and its role in identity federation and SSO. A good starting point for newcomers.</td></tr><tr><td><a href="https://datatracker.ietf.org/doc/html/rfc7519">RFC 7519: JSON Web Token (JWT)</a></td><td>Defines the structure of JWTs: compact, URL-safe tokens used for conveying claims between parties.</td></tr><tr><td><a href="https://www.rfc-editor.org/rfc/rfc7515.html">RFC 7515: JSON Web Signature (JWS)</a></td><td>Describes how to digitally sign content (such as JWTs) to ensure integrity and authenticity. Used for ID tokens and access tokens.</td></tr><tr><td><a href="https://datatracker.ietf.org/doc/html/rfc7516">RFC 7516: JSON Web Encryption (JWE)</a></td><td>Describes how to encrypt content (such as ID tokens) to protect confidentiality. Used when issuing encrypted ID tokens.</td></tr><tr><td><a href="https://datatracker.ietf.org/doc/html/rfc7636">RFC 7636: PKCE (Proof Key for Code Exchange)</a></td><td>An extension to OAuth 2.0 that protects the authorization code against interception, originally for public clients and now expected of all clients.</td></tr><tr><td><a href="https://datatracker.ietf.org/doc/html/rfc7523">RFC 7523: JWT Profile for OAuth 2.0 Client Authentication</a></td><td>Specifies how clients authenticate to the token endpoint with a signed JWT. Used for the Client Assertion JWT.</td></tr><tr><td><a href="https://www.rfc-editor.org/rfc/rfc9449.html">RFC 9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP)</a></td><td>Defines a proof-of-possession mechanism for OAuth 2.0 that binds access tokens to a client-held public key. Used to prevent token replay and enforce sender-constrained access. RPs must generate and sign a fresh DPoP proof JWT for every protected API request.</td></tr><tr><td><a href="https://openid.net/specs/fapi-security-profile-2_0-final.html">FAPI 2.0 Security Profile</a></td><td>Specifies a high-security profile for OpenID and OAuth APIs. Includes requirements for sender-constrained tokens (DPoP or mTLS), PKCE, pushed authorization requests, client authentication, and error handling.</td></tr><tr><td><a href="https://json-schema.org/draft-07">JSON Schema Draft 07</a></td><td>Defines how JSON structures are validated. Used to describe token claims, payloads, and configuration metadata.</td></tr></tbody></table>

