API Documentation
A list of API endpoints supported by sgID.
Endpoints
Create an sgID authorization URL to redirect your user to so that they can authenticate with Singpass
Must be set to code because sgID only supports the authorization code flow
Example: code
Possible values: code
sgID client ID which was provided to you during client registration
Example: MYCLIENT-PROD
The callback URL that was provided during registration. sgID redirects to this URL with the authorization code after the user authenticates with Singpass
Example: https://example.com/callback
A URL-encoded string of the scopes your client will request
Example: openid%20myinfo.name%20myinfo.passport_expiry_date%20myinfo.nric_number
Randomly generated string to be returned in the ID token. Used to prevent replay attacks as part of the OpenID Connect 1.0 spec
Example: BQO8SV3ALIYA808IZ8O7PKWRI8A8X6MI
A unique and non-guessable value associated with each authentication request about to be initiated. Used to prevent CSRF attacks and to maintain state as part of the OAuth 2.0 spec (RECOMMENDED)
Example: tk39drykro3
The method used to verify the code challenge. Throws an error response if the value is not 'S256'
Example: S256
A SHA256 hashed string that should be used to verify against the code verifier in the token request
Example: CUZX5qE8Wvye6kS_SasIsa8MMxacJftmWdsIA_iKp3I
An HTML page which contains an sgID QR code if the request is successful, or an error code and error message if there is a problem with the request.
Example: <head>...</head><body>......</body>
Server error
Exchange auth code for access token as part of sgID authorization code flow
sgID client ID which was provided to you during client registration
sgID client secret which was provided to you during client registration
Authorization code that was received from the callback URL after the user authenticates with Singpass
This field must take the value authorization_code as sgID only supports the OAuth 2.0 authorization code flow
A cryptographically random string that was used to generate your code challenge in the authorization request
Successful token exchange
Access token used to retrieve the encrypted payload from the user info endpoint
JWT token with the associated user claims. Encodes the following:
- iss (hostname)
- sub (end user's unique identifier)
- aud (client id)
- nonce (only returned if provided in authorization url)
- exp (seconds before auth request and access token expires)
- iat (timestamp at which id token was issued)
Example: {"access_token":"I6zGnxYTy4fZubtb7LcG48K1fHWb5b","id_token":"eyJhbGciOiJ...[truncated]...L6zm6LaWfkBoA"}
Invalid request due to one of the following errors:
- Invalid grant type
- Missing parameters in the request body (client_id, client_secret, redirect_uri, or code)
- Invalid grant (auth code is expired or invalid, or redirect_uri does not match)
Invalid client credentials
Server error
Exchange access token for user info as part of sgID authorization code flow
Successfully retrieve user info from sgID
End user's unique identifier for your client. This is the same value as the sub claim in the id_token returned from the previous response.
Note that as part of sgID's privacy-preserving measures, each end user's unique identifier is different for each sgID client
An AES-128-GCM symmetric key, or a block key, that is encrypted with your client's RSA-2048 public key.
JSON object which contains the data you requested in your application scope. To prevent sgID from reading the data, the payload is encrypted with the block key referenced in the definition for the key attribute in the same response body.
Refer to our onboarding guide for instructions on decrypting the payload.
Missing or invalid bearer token
Server error
A JSON object representing sgID's public keys
A JWK container object which contains an array of JWK Key Objects. See the IETF document for JSON Web Key (JWK) for more details.
Each of the items in the array is a JWK Key Object
Example: {"kty":"RSA","kid":"g9DT_3W6OUaKCmjciEM0XNTsz6yTE1bBFec-xiN9zZk","n":"rzz[...]tfbF3Q","e":"AQAB","use":"sig"}
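An added example (not sgID's own code) of the checks a client makes on the id_token from the token endpoint before trusting sub: select the RS256 signing key from the JWKS by kid, then validate iss, aud, nonce, exp and iat. It assumes the token header carries a kid, the JWK array sits under the RFC 7517 `keys` member, exp and iat are Unix timestamps, and the RS256 signature is verified separately with a JWT library using the selected key; function names and sample values are constructed.

```python
import base64
import hmac
import json
import time


def _b64url_json(segment: str) -> dict:
    # JWT segments are base64url without padding; restore it before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def select_signing_key(id_token: str, jwks: dict) -> dict:
    """Return the JWK that must verify this token; refuse anything but RS256."""
    header = _b64url_json(id_token.split(".")[0])
    if header.get("alg") != "RS256" or not header.get("kid"):
        raise ValueError("expected an RS256 header with a kid")
    for jwk in jwks.get("keys", []):
        if (jwk.get("kid") == header["kid"] and jwk.get("kty") == "RSA"
                and jwk.get("use") == "sig"):
            return jwk
    raise ValueError("no matching signing key in JWKS")


def check_claims(claims, issuer, client_id, expected_nonce, now=None):
    """Validate claims of an ID token whose signature is already verified."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this client")
    nonce = str(claims.get("nonce", ""))
    if not hmac.compare_digest(nonce.encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    # 60 s of clock skew is an assumed tolerance, not an sgID value
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        raise ValueError("iat is in the future")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims["sub"]


if __name__ == "__main__":
    # Constructed sample claims, not a real sgID token
    sample = {"iss": "https://api.id.gov.sg/v2", "sub": "u=constructed",
              "aud": "MYCLIENT-PROD", "nonce": "n-1", "iat": 1700000000, "exp": 1700000600}
    print(check_claims(sample, "https://api.id.gov.sg/v2", "MYCLIENT-PROD", "n-1", now=1700000100))
```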
A JSON object representing a set of Claims about the sgID's configuration as an OpenID Provider
A JSON object representing a set of Claims about the sgID's configuration as an OpenID Provider. See RFC 7033 for more details
Issuer of ID Token
Example: https://api.id.gov.sg/v2
URL of the sgID's OAuth 2.0 Authorization Endpoint
Example: https://api.id.gov.sg/v2/oauth/authorize
URL of the sgID's OAuth 2.0 Token Endpoint
Example: https://api.id.gov.sg/v2/oauth/token
URL of the sgID's UserInfo Endpoint
Example: https://api.id.gov.sg/v2/oauth/userinfo
URL of the sgID's JSON Web Key Set document
Example: https://api.id.gov.sg/v2/.well-known/jwks.json
JSON array containing a list of the OAuth 2.0 response_type values that sgID supports
Example: ["code"]
JSON array containing a list of the OAuth 2.0 Grant Type values that sgID supports
Example: ["authorization_code"]
JSON array containing a list of the OAuth 2.0 [RFC6749] scope values that sgID supports
Example: ["openid","myinfo.nric_number","myinfo.name"]
JSON array containing a list of the JWS signing algorithms (alg values) supported by sgID for the ID Token to encode the Claims in a JWT
Example: ["RS256"]
JSON array containing a list of the Subject Identifier types that sgID supports
Example: ["pairwise"]
JSON array containing a list of supported code challenge methods for PKCE
Example: ["S256"]