<aside> <img src="https://prod-files-secure.s3.us-west-2.amazonaws.com/1e47ff86-f2e4-4455-a921-e047cdf6846c/07532275-72a5-4500-938b-6d77994e18ea/1010520-200.png" alt="https://prod-files-secure.s3.us-west-2.amazonaws.com/1e47ff86-f2e4-4455-a921-e047cdf6846c/07532275-72a5-4500-938b-6d77994e18ea/1010520-200.png" width="40px" /> Table of contents

• Integration process
• Data points retrieved from Singpass
• Useful links </aside>

Integration process

Generate dynamic QR code

Source: https://api.singpass.gov.sg/library/verify/developers/generateqrcode

1. Combine URL in the format:

   <https://app.singpass.gov.sg/sgverify?callback=https%3A%2F%2Ftest.yourcallbackurl%2Fcallback&client_id=STG2-SGVERIFY-SELF-TEST&nonce=4110833&qr_type=dynamic&signature_method=RS256&state=kiosk001&timestamp_expiry=1602324610000&timestamp_start=1570702210000&v=2&signature=h8jdRRpS5ArE0pdWDXHv04JiELnEvR54ulO7O0x//mewoZDQW+cfnSPdwC2kZZzLkMYtd2HjeTLBqTG5HKjbDiH3C5YkB9lS81mVgV3oj6E7LjzPZQgypNHzp1F3sBrj/4MNjJbL119VA15RJ0HlR1sOeF05yR7rFkDAZfRth37UFAFYoVDFzU4MwLYZt7W0eNRESXWVWLK94qqJg/ubR/xNKXqI93Tdw032DxapCIM3jLwQhk327f6a21ZpnSOKWXxWl1FUv4WcOxHXLvs8B/C43kJpn8TpGMHUyk5cRB/kFxljltH1Yq4n5ROhXFhjQUmk+nTMVsg31MKl6NKQnA==>
   

2. Pass relevant URL parameters:

   Parameter	Description	Type	Example
   callbackrequired	Your application's registered callback URL (URL encoded) for Verify to return authorization code to.	string	Example: "https%3A%2F%2Ftest.yourcallbackurl%2Fcallback"
   client_idrequired	Unique ID for your application.	string	Example: "STG2-SGVERIFY-SELF-TEST"
   nonce	Unique-random text to prevent replay attack. Note: Mandatory only if qr_type is dynamic	string	Example: 4110833
   qr_typerequired	Type of QR	string
   Enum: "static" "dynamic"
   signature_methodrequired	Signature algorithm used to produce the digital signature.	string	Default: "RS256"
   staterequired	Identifier that represents the user's session/transaction with the client for reconciling query and response. The same value will be sent back via the callback URL. Use a unique system generated number for each user/transaction.	string	Example: "kiosk001"
   timestamp_expiryrequired	QR code expiry timestamp (UNIX epoch time in milliseconds)	string	Example: "1602324610000"
   timestamp_startrequired	QR code start timestamp (UNIX epoch time in milliseconds)	string	Example: "1570702210000"
   vrequired	Version of Verify API.	string	Default: 2
   signaturerequired	Binary of the generated signature encoded in Base64 URL-safe format. This digital signature will be used to ensure non-repudiation of the request.	string	Example: "MEyCBY/XSBBB..."

3. Generate QR code

   1. For dynamic QR codes, you will need to use platform specific libraries to generate the QR code image on the fly

4. Display QR code to the Client:

   1. Generated QR code should correspond to the Singpass display guideline.

   2. In the event that the Verify system is unavailable, the digital service should display an error indicator with the following error message:

      <aside> ℹ️ Note:

      We are unable to validate your identity through Verify.

      Please contact [email protected] if you require additional assistance.

      </aside>

ID verification

Source: https://api.singpass.gov.sg/library/verify/developers/overview

Singpass Verify Integration is built on the OAuth 2.0 framework which is the web standard for obtaining user's authorization in order to access user-owned resources. The flow involves invocation of 3 APIs: authorize, token and person (resource API).

1. Client scans or taps on generated QR code and is redirected to Singpass mobile
2. Client authenticates on Singpass mobile and provides consent to share the requested personal information
3. At the end of this process, Verify returns a short-lived "authorization code" to Panjia’s callback URL
4. Token API is invoked by Panjia to obtain an "access token", which can be used to call the **Person API** for the actual data. A valid "authorization code" from the Authorize API will be required in order to exchange for the "access token". The "access token" will be valid for 30 minutes.
5. Person API returns a JSON response with the personal data that was requested. Panjia needs to provide a valid "access token" in order to exchange for the JSON data.

Error handling

https://api.singpass.gov.sg/library/verify/developers/resources-error-codes