It’s 11am at your reception desk. The third patient this morning has filled out the same intake form they filled three months ago — with the address from before they moved. Your front-desk nurse is retyping handwritten NRICs into the EMR. The same paperwork loop keeps running, customer by customer, and the only people who profit from it are the stationery suppliers.
This guide is for the businesses stuck in that loop. We walk through what Singpass and MyInfo do, what data you receive, how GovTech approval works, and what it costs. Most SMEs are live in about ten working days.
How to read this guide. Most buyers come in at one of three stages: figuring out if Singpass is even an option for them (eligibility), planning the technical work (integration), or comparing costs once they’re decided (production). The article walks all three. Skip ahead if you already know which stage you’re in: Stage 1 — Eligibility, Stage 2 — Integration, Stage 3 — Production.
What Singpass is, and what it isn’t
Singpass is Singapore’s national digital identity service, run by the Government Technology Agency (GovTech). Every Singapore Citizen, PR, and most Work Pass holders have one. When a customer taps “Sign in with Singpass” on your site, they confirm their identity using the Singpass app on their phone — the same app they use to log in to their HDB, IRAS, and CPF accounts.
MyInfo is the companion service. Once a user signs in with Singpass, they can consent to share specific pieces of verified personal data with your business — name, NRIC, residential address, date of birth, CPF contributions, and so on. The government fetches this data directly from its source (ICA, HDB, CPF, IRAS) and hands it to you, already verified.
So Singpass is the login. MyInfo is the data. Most businesses want both.
Why Singapore businesses add Singpass
Four reasons cover almost every customer we’ve onboarded:
- To cut paperwork at signup. Instead of asking a new customer to type their name, NRIC, date of birth, and address — and upload a photo of their IC — they tap Singpass once and you get the data pre-filled, already verified. Sign-ups that used to take two minutes now take ten seconds.
- To verify age or eligibility at the counter or on the site. Alcohol and tobacco retailers, Singapore-only promotions, members-only services, and licensed venues can skip the “check the IC” step entirely — the tap confirms the customer’s date of birth, residency, and citizenship straight from ICA’s records.
- To speed up licence applications. Director NRIC data, work-pass verification, beneficial-ownership checks — things SPF, MAS, MOM, and CEA demand before they approve a licence — come straight out of Singpass, cleanly formatted, first time.
- To meet the 2027 NRIC deadline. From January 2027, the PDPC ban on using NRIC numbers as authentication kicks in. If your business currently logs customers in with NRIC + date of birth, Singpass is the standard replacement.
What data you can actually receive
You can request a subset of roughly forty MyInfo fields, grouped into:
- Identity: full name, NRIC or FIN, sex, date of birth, nationality, race, marital status, country of birth.
- Contact: residential address, mobile number, email address.
- Employment and income: employer, occupation, CPF contributions, basic salary, notice period (where the individual consents).
- Housing: HDB ownership status, flat type, address history.
- Other: vehicle ownership, driving licence, pass expiry, family composition.
You can’t just ask for everything. GovTech requires you to justify each field with a clear business purpose tied to your use case. A licensed moneylender applying for KYC can justify CPF and income; a coffee shop doing age verification cannot. In practice we scope the exact field set with you on a discovery call and handle the justification during the application.
The trusted aggregator pattern, explained
Most SME buyers don’t need their own GovTech-issued Singpass credentials at all. GovTech allows specific integrators to host Singpass connections on shared credentials under a pattern called a trusted aggregator. We are one of those integrators.
The shape, in plain English: GovTech vets the aggregator (us) once on infrastructure, security, and data-handling. The aggregator then runs Singpass for many client businesses under one umbrella, each with the data scope appropriate to their use case. From the end-customer’s point of view nothing changes — they tap “Sign in with Singpass” and the data flows. From your point of view, you skip a four-to-six-week direct-application track and inherit our existing infrastructure.
Who qualifies for the aggregator path: non-regulated retail, F&B, professional services (clinics, salons, gyms, tuition), HR / employee onboarding, most licence-renewal use cases (SPF public-entertainment, MEA massage establishments, MOM work-pass filings), customer onboarding under a non-MAS, non-CEA scope.
Who needs their own direct application: MAS-regulated financial services (payment institutions, lending, insurance, fund management); CEA-regulated property transactions where the licensee must hold the integration; certain healthcare flows where the data controller must be the regulated entity. We still run the integration end-to-end — you just appear as the legal applicant on the GovTech paperwork. We draft the application, you sign.
Cost-wise the aggregator path is materially cheaper because the per-business GovTech-application overhead disappears. Time-wise the aggregator path is the difference between “ten working days” and “a quarter”. If you’re comparing Singpass integrators on price, the question to ask first is whether they operate as a trusted aggregator.
How the integration works — from zero to live
Step 1 — The scoping call (about 20 minutes, free)
You describe what your business does and what problem you’re trying to solve. We confirm which MyInfo fields fit the use case, whether your industry needs any regulator sign-off, and roughly how long it’ll take. For non-regulated use cases — retail age checks, customer onboarding, membership — this is normally all we need before we can quote.
Step 2 — The GovTech application (1 to 3 weeks, handled by us)
GovTech reviews every new Singpass integration. The application includes the purpose of each data field, the retention policy, the technical architecture, and the data-protection measures in place. We write and submit this on your behalf. You don’t read any compliance document.
For most small and medium businesses, GovTech lets us host the integration on our own Singpass credentials under the trusted aggregator pattern. That removes the need for you to apply individually, and is how we can go from scoping call to live in ten days for simple use cases. If you’re in a regulated industry (payment services, lending, insurance, property, healthcare) we apply in your name and walk you through the extra steps.
Step 3 — Build and test (3 to 5 working days)
We stand up the Singpass connection on our infrastructure, handle the RSA key pair GovTech issues, and build the specific integration shape you need — a REST API endpoint, a webhook into your CRM, or a short “tap to verify” link. We run it on our staging first; you review on a shared URL before go-live.
Step 4 — Choose your delivery method
You have three main options for how the verified data reaches you:
- REST API: your application calls /verify and we return a JSON payload with the consented fields. Under the hood we use the official Singpass login and MyInfo APIs from the GovTech developer portal. Best if you have developers on staff or an existing customer portal to wire into.
- Webhook into your CRM: when a customer completes the Singpass flow, we POST the data into your CRM (HubSpot, Pipedrive, Zoho, Salesforce, or custom). Best if you don’t have a dev team and want verifications to appear in the CRM your team already uses.
- Tap-to-verify link: we host a short URL — for example, singpass.biz/v/your-business — that opens the Singpass flow and emails you the verified payload. Best for licence applications and one-off director-verification needs.
Step 5 — Go live
Once you’re happy with the staging flow, we flip the switch. Your customers tap Singpass, we receive the verified data, we deliver it to you, and you pay only for what you use.
How long does it take, by industry
The honest answer depends on whether your industry needs regulator sign-off and how much MyInfo data you justify. Typical end-to-end timelines for SMEs we’ve shipped:
| Vertical | Time to live | Why |
|---|---|---|
| Retail age verification, customer onboarding, membership signups | 5–10 working days | Non-regulated. We host under our trusted-aggregator credentials. |
| F&B age verification, alcohol-licensed venues | 5–10 working days | Same path as retail; SPF audit trail bundled in. |
| HR, recruitment, internal employee onboarding | 10–14 working days | More MyInfo fields (employer history, CPF) means more justification with GovTech. |
| Public-entertainment / massage-establishment licence renewal | 10–14 working days | SPF director-NRIC packets; we ship the format SPF accepts first time. |
| Real estate, CEA-regulated property flows | 2–3 weeks | Extra AML / residency-status checks in the GovTech justification. |
| MAS-regulated financial services (payment, lending, fintech) | 3–4 weeks | You apply to GovTech in your own name (we draft the paperwork). MAS may have its own KYC sign-off on top. |
Is Singpass free?
For the end user, yes. Customers sign in with Singpass and consent to MyInfo fields for free. GovTech does not charge the individual or the business for the underlying Singpass and MyInfo API calls either.
For a business, the integration is not free. You still have to pay for the scoping, the GovTech application, the integration build, hosting, and ongoing maintenance. That is what our fees cover. If you build in-house, you pay your own engineering team for the same work — plus the learning curve on OpenID Connect, FAPI 2.0, and GovTech’s justification process.
Build it in-house vs use Singpass.biz
Most SMEs we talk to are weighing one of two paths: hire a developer (or borrow one from a software vendor) and build it themselves, or use a managed integration like ours. Both end up at the same Singpass and MyInfo APIs. The cost is in everything around them.
| | Build it in-house | Singpass.biz (managed) |
|---|---|---|
| Time to live | 3–6 months typical (longer for first-timers) | 10 working days for non-regulated SMEs |
| Engineering required | OIDC + FAPI 2.0, JWKS, PKCE, Pushed Authorization Requests, key rotation | None for webhook or tap-to-verify; sample SDKs if you choose REST API |
| GovTech application | You write and submit; rejections common on data justification | We draft and submit on your letterhead; we know the format that gets approved first time |
| Setup cost | S$30k–S$100k+ engineering, plus internal time | One-off setup fee, quoted after scoping |
| Monthly cost once live | Salary cost of the team maintaining it | Small per-verification fee plus hosting; most SMEs under S$1,000/mo |
| Maintenance & upgrades | You own keeping pace with FAPI changes, MyInfo v5+ migrations, certificate rotation | We ship the upgrades behind the scenes |
| 2027 NRIC migration | Your timeline + risk if you miss the deadline | Included in the rollout plan |
Build-it-yourself is the right call when you have a Singpass-experienced engineering team in-house, the use case is highly custom, or it’s a strategic differentiator. For most SMEs whose business is running a clinic, a bar, a property agency, or a salon — the math doesn’t work. You don’t hire a backend engineer to set up your card reader; you don’t need to hire one to set up Singpass either.
If you’re building this yourself: the technical reality
For developers comparing in-house build against managed integration, here is the actual scope of work for a Singpass & MyInfo v5 integration today. The list comes from the official GovTech developer portal and is the same scope we cover when we run an integration on your behalf — the difference is whose engineers learn it first.
Standards: OIDC + FAPI 2.0
Singpass authentication is compliant with OpenID Connect (OIDC) and the FAPI 2.0 Security Profile — not generic OAuth 2.0. A plain OAuth client library will not satisfy the FAPI 2.0 profile. GovTech recommends using an OpenID-certified relying-party library rather than rolling your own.
Key management: JWKS, not X.509
MyInfo v5 apps use JSON Web Key Set (JWKS) for signing and encryption keys, not the X.509 certificate model older Myinfo v3 / v4 apps used. Migration is not a swap — it is a re-architecture of how your keys are exposed. Signing and encryption keys must be configured consistently between your backend and the GovTech portal, or every token request fails.
PKCE and Pushed Authorization Requests
All new Singpass API apps require PKCE (Proof Key for Code Exchange). They also require Pushed Authorization Requests (PAR) — your backend sends authorization parameters to the GovTech PAR endpoint before redirecting the user, instead of stuffing them into a URL. Either omission causes silent “login is broken” failures that look provider-side but are actually request-shape issues.
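The request shape described above, as an added example that is not part of the original guide or of GovTech's sample code: it generates an S256 PKCE pair, builds the back-channel PAR form body, and checks that the browser redirect carries nothing except client_id and request_uri. The endpoint URL, client ID and request_uri value are constructed placeholders, and client authentication on the PAR request is left out.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical placeholder, not a real Singpass endpoint.
AUTHORIZATION_ENDPOINT = "https://idp.example/auth"


def _b64url(raw):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = _b64url(secrets.token_bytes(32))  # kept in the server session
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_par_body(client_id, redirect_uri, scope, challenge, state, nonce):
    """Form body the backend POSTs to the PAR endpoint (RFC 9126)."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


def build_browser_redirect(client_id, request_uri):
    """Front-channel URL: only client_id plus the request_uri PAR returned."""
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return AUTHORIZATION_ENDPOINT + "?" + query


def leaked_params(browser_url):
    """Authorization parameters that wrongly appear in the browser URL."""
    query = parse_qs(urlsplit(browser_url).query)
    return sorted(set(query) - {"client_id", "request_uri"})


def pkce_matches(verifier, challenge):
    """The comparison made when the authorization code is redeemed."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)
```

Running leaked_params over the redirect URLs your login route emits in staging is a quick way to catch a library that has silently fallen back to query-string authorization parameters.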
Redirect URIs: HTTPS app-claimed, not custom schemes
MyInfo v5 dropped support for custom-scheme app-launch URIs (the myapp:// pattern older mobile flows used). All redirect URIs are now HTTPS, with mobile apps using app-claimed HTTPS links. The redirect URI must match the registered value exactly — scheme, host, port, and path. A trailing slash mismatch is enough to break the flow.
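A pre-deployment check for the exact-match rule above, added here as an example and not taken from the original guide: it compares a configured redirect URI with the registered one and names the component that differs. The URIs in the usage note and test are constructed, and the function name is hypothetical.

```python
from urllib.parse import urlsplit


def redirect_uri_problems(registered, candidate):
    """Explain why candidate would fail an exact string match with registered."""
    if candidate == registered:
        return []
    reg, cand = urlsplit(registered), urlsplit(candidate)
    problems = []
    if cand.scheme != "https":
        problems.append("scheme: '%s' is not https" % cand.scheme)
    if reg.hostname != cand.hostname:
        problems.append("host: '%s' != '%s'" % (cand.hostname, reg.hostname))
    if reg.port != cand.port:
        # An explicit :443 is a different string from no port at all.
        problems.append("port: %s != %s" % (cand.port, reg.port))
    if reg.path != cand.path:
        if reg.path.rstrip("/") == cand.path.rstrip("/"):
            problems.append("path: trailing slash mismatch")
        else:
            problems.append("path: '%s' != '%s'" % (cand.path, reg.path))
    if reg.query != cand.query:
        problems.append("query: '%s' != '%s'" % (cand.query, reg.query))
    if cand.fragment:
        problems.append("fragment: must be absent")
    if not problems:
        # urlsplit lowercases scheme and host, so the parsed parts can agree
        # while the raw strings do not.
        problems.append("case: differs only in letter case of scheme or host")
    return problems
```

For a registered value of https://app.example/singpass/callback, a configured value with a trailing slash returns a single "path: trailing slash mismatch" entry.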
Single-purpose apps
MyInfo v5 expects each app to serve a single business purpose. The old multi-purpose-app pattern is no longer accepted; if you have one signup form, one staff portal, and one licence-renewal flow, that is three apps in the GovTech portal, not one with three modes. The GovTech justification process treats each app independently, which is why some teams find their renewal applications fail when the original was approved years ago under a permissive multi-purpose configuration.
userinfo flow + error handling
v5 retrieves consented MyInfo data via the OIDC userinfo endpoint, replacing the older Myinfo data endpoints. Authentication errors now redirect back to your registered redirect URL in most cases — your error handler must parse those responses, not assume a 4xx token failure is provider-side. A bad signature error usually means a JWKS misconfiguration or an expired key, not a Singpass outage.
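A callback handler for the redirect-borne errors described above, added as an example and not part of the original guide. It uses the standard OAuth 2.0 and OpenID Connect authorization error codes; grouping them by who has to act is an assumption made for illustration, the provider's own documentation lists the codes it actually returns, and the callback URLs in the test are constructed.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Assumed grouping of standard OAuth 2.0 / OIDC error codes by owner.
OUR_REQUEST = {"invalid_request", "unauthorized_client", "invalid_scope",
               "unsupported_response_type", "invalid_request_uri",
               "invalid_request_object"}
USER = {"access_denied", "login_required", "consent_required",
        "interaction_required"}
PROVIDER = {"server_error", "temporarily_unavailable"}


def handle_callback(callback_url, expected_state):
    """Classify what arrived on the registered redirect URI."""
    query = parse_qs(urlsplit(callback_url).query)
    params = {name: values[0] for name, values in query.items()}

    # Bind the response to the session that started the flow before
    # trusting any other parameter.
    state = params.get("state", "")
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        return {"outcome": "reject", "reason": "state mismatch"}

    if "error" in params:
        code = params["error"]
        if code in OUR_REQUEST:
            owner = "our_request"   # fix client config or request shape
        elif code in USER:
            owner = "user"          # user cancelled or must sign in again
        elif code in PROVIDER:
            owner = "provider"      # retry later, then escalate
        else:
            owner = "unknown"
        # error_description travels through the browser: log it escaped,
        # never render it into a page.
        return {"outcome": "error", "owner": owner, "error": code,
                "description": params.get("error_description", "")}

    if "code" in params:
        return {"outcome": "exchange_code", "code": params["code"]}
    return {"outcome": "reject", "reason": "neither code nor error present"}
```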
What we run for you when we host the integration
All of the above. The OIDC client, the JWKS rotation, the PAR flow, the userinfo decoding, the error mapping back to a webhook your CRM understands, the Singpass app-claimed link domain, the PKCE state per session. You receive verified data; we hold the cryptographic and protocol surface area. If you choose the REST API delivery mode instead, we still hold the protocol layer — your application calls our /verify endpoint, not Singpass directly, and gets back a clean JSON payload.
What does it cost, by vertical
We quote after the scoping call. Below are typical ranges we land at for SMEs in each vertical, all-in (setup amortised plus monthly running). Specific numbers depend on volume and regulator scope.
| Vertical | Setup fee (one-off) | Typical monthly run-rate |
|---|---|---|
| Retail age verification, loyalty, returns | Standard | Under S$500/mo for low-volume; under S$1,000/mo for busy outlets |
| F&B alcohol-licensed venues, KTV, nightclubs | Standard | Under S$500/mo for door-check usage; SPF audit-trail bundle included |
| Clinics, salons, gyms, tuition, services | Standard | Under S$500/mo for one location; tier up by site/franchise |
| HR / recruitment / employee onboarding | Standard+ | S$500–S$1,000/mo for typical 30–200 person headcount |
| Real estate (CEA-regulated) | Higher (AML scope) | S$700–S$1,500/mo for active agents and rental managers |
| Public-entertainment / MEA licence renewal | Standard | Per-renewal pricing (annual cycle); director-packet generation included |
| Financial services (MAS-regulated) | Higher (KYC scope) | S$1,000–S$3,000/mo depending on volume and product mix |
The all-in cost is almost always less than the salary cost of one person retyping forms or chasing IC photos for the same volume. We confirm the specific number after the scoping call — no obligation, and no quote chasing afterwards if it isn’t a fit.
What about data privacy?
Every MyInfo request is consented to by the customer at the GovTech authentication screen — no data is released without the individual saying yes. On our side, we retain only what your business justifies; audit logs are kept for the minimum required under the PDPA and any sector-specific retention rules (for example, seven years for financial services under MAS). Full details are in our PDPA Notice.
Do you need developer resources on your side?
If you choose the webhook or tap-to-verify delivery modes — no. We handle the integration end-to-end and deliver the data in a format your existing team can pick up. If you choose the REST API, you’ll want a developer to wire the response into your application; we supply working sample code for TypeScript, Python, PHP, and Go.
What about the 2027 NRIC change?
From 1 January 2027, the PDPC prohibits Singapore businesses from using NRIC numbers — in full or partial form — as a means of authenticating a user online. If your current login page asks for NRIC plus date of birth, you have until 31 December 2026 to switch to a compliant alternative. Singpass is the standard replacement the PDPC itself points to. The full rule, the migration paths, and a realistic week-by-week timeline are covered in our dedicated 2027 NRIC deadline guide.
The short version
Adding Singpass is about ten working days of our time and a few hours of yours. Verified customer data lands in the tools you already use, paperwork disappears, and you’re ready for the 2027 authentication changes before they bite. If MyInfo and the difference between Singpass authentication and verified data is still fuzzy, our Singpass vs MyInfo guide is the cleanest place to start.
Want a specific quote on your use case? Message us on WhatsApp at +65 8040 7913.