Implementation overview
This document outlines how SuperAPI integrates with a super fund. It is aimed at software engineers, engineering managers, and stakeholders at super funds who need to scope the work involved before committing to an implementation. For implementation specifics, follow the links through to the dedicated guides.
What is SuperAPI?
SuperAPI connects super funds to HR and payroll software, letting employees make their superannuation choice during onboarding and helping employers set their default super fund. A single integration puts your fund in front of both employees and employers across every partner platform we work with.
How fund integration works
A SuperAPI integration is built around four capabilities. Each plugs into your existing authentication and authorisation framework, so no major changes are needed to your current systems. You can implement them individually or together; adopting all four unlocks the full value of the platform.
- Retain confirms whether an arriving employee is already a member of your fund and surfaces their existing account so they can keep contributing to it. See the Retain guide.
- Grow registers a new member in real time when an employee chooses to join your fund, delivering verified personal data at source. See the Grow guide.
- Default Activate recognises employers that already use your fund as their default and confirms that relationship during employer onboarding. See the Default Activate guide.
- Default Win helps your fund be selected when an employer is choosing a default super fund. See the Default Win guide.
Benefits to your fund
- Member retention at job change. Members are most at risk of leaving a fund when they change employer. Retain catches them at exactly that moment and keeps them in your fund.
- New member acquisition. A single integration places your fund in front of employees making a super choice across every HR and payroll platform we partner with.
- Reduced account proliferation. SuperAPI matches employees back to their existing memberships before creating new ones, cutting down on duplicate accounts and lost super.
- Verified data at source. Registrations arrive with identity, TFN, and contact details already validated, reducing manual cleanup, follow-up correspondence, and back-office cost.
- Default fund relationships. Default Activate and Default Win do the same job at the employer level, helping you keep the employers that already use your fund as their default and win new ones when employers are choosing a default.
Branding
When your fund integrates with SuperAPI, its branding is presented exactly as specified in your brand guidelines. Please supply logos, colour palettes, typography, and any other creative material at the start of the project so our design team can prepare the interface.
Implementation timeline
Where APIs for member lookup and creation already exist, a SuperAPI integration can usually be completed in a few weeks. If new endpoints or changes to authentication are needed, additional time will be required. We will agree a detailed plan and timeline with your technical team during project initiation.
Authentication
When SuperAPI calls your fund's APIs, such as member lookup, employer lookup, member creation, or delivery of collected employer details, it authenticates against your systems. SuperAPI supports several authentication methods and fits the one your platform already uses rather than asking you to build something new.
The JWKS-based method is documented below because it removes shared secrets from the integration entirely. If your fund uses one of the other methods, we cover the specifics during onboarding.
OAuth2 with our JWKS (private_key_jwt)
SuperAPI authenticates using the private_key_jwt method. Rather than sending a shared client secret, SuperAPI signs a short-lived JWT assertion with its private key, and you verify that signature using SuperAPI's public key. We publish that public key as a JSON Web Key Set (JWKS), so there is no secret to exchange, store, or rotate between us.
Our JWKS endpoint
SuperAPI publishes its public signing keys at a stable, unauthenticated URL:
https://api.superapi.com.au/.well-known/jwks.json
The keys are RSA-2048 and signatures use RS256 (RSASSA-PKCS1-v1_5 with SHA-256). Each key carries a kid (key ID), which is the RFC 7638 thumbprint of the public key, so the kid is derived from the key material rather than assigned arbitrarily.
TIP
Fetch and cache the JWKS, and select the key whose kid matches the incoming JWT header rather than assuming a single key. If a kid is not in your cached copy, refetch the document once before rejecting the assertion. This lets us rotate keys without coordinating a change with you.
Verifying the assertion
The JWT assertion SuperAPI signs carries an RS256 header that identifies the signing key (the kid below is illustrative; match it against our JWKS):

```json
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "iXBUEA7B0Vfxhdp0OD91oqBf9ixnt5ysOzR7HnrvaOs"
}
```

To verify it:
- Read the kid from the assertion's header.
- Find the matching public key in our JWKS, fetching and caching the document if you have not already.
- Verify the RS256 signature against that key. Treat the alg header as something to check, not something to honour: reject any assertion whose alg is not RS256 before looking at the signature.
- Check the standard claims (iss, sub, aud, exp) against the values agreed during setup, and reject the assertion if any of them differ or if exp has passed.
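The exchange described above, carried through end to end, as an added example that is not SuperAPI's own code or that of any fund integration. It assumes a freshly generated RSA-2048 key standing in for SuperAPI's signing key, a JWKS document built in-process rather than fetched from the URL above, and placeholder iss/sub/aud values ("superapi" and "https://fund.example/oauth2/token") in place of whatever is agreed at setup. The signing half is included only so the fund-side verifier has something real to check; the verifier pins the algorithm, selects the key by kid, verifies the signature, and only then decodes and checks the claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout
func encN(pub *rsa.PublicKey) string { return b64.EncodeToString(pub.N.Bytes()) }
func encE(pub *rsa.PublicKey) string { return b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes()) }

// thumbprint is the RFC 7638 kid: SHA-256 over {"e","kty","n"} in lexicographic order with no whitespace.
func thumbprint(pub *rsa.PublicKey) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, encE(pub), encN(pub))))
	return b64.EncodeToString(sum[:])
}

// publishJWKS renders the document the issuer serves at /.well-known/jwks.json.
func publishJWKS(pub *rsa.PublicKey) []byte {
	return []byte(fmt.Sprintf(`{"keys":[{"kty":"RSA","use":"sig","alg":"RS256","kid":"%s","n":"%s","e":"%s"}]}`,
		thumbprint(pub), encN(pub), encE(pub)))
}

// signAssertion is the client side of private_key_jwt: RS256 (RSASSA-PKCS1-v1_5 with SHA-256) over header.claims.
func signAssertion(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": thumbprint(&priv.PublicKey)})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// keyForKid parses a fetched JWKS document and returns the RSA key carrying the given kid.
func keyForKid(jwksJSON []byte, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == kid {
			n, errN := b64.DecodeString(k.N)
			e, errE := b64.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("malformed JWK %q", kid)
			}
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// verifyAssertion is the fund side: pin alg, select the key by kid, verify the signature, then check the claims.
func verifyAssertion(token string, jwksJSON []byte, wantIss, wantSub, wantAud string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, Kid string } // alg is pinned: the token never gets to choose the algorithm
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed JWT header or alg is not RS256")
	}
	pub, err := keyForKid(jwksJSON, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("malformed JWT claims")
	}
	exp, _ := claims["exp"].(float64) // a missing exp decodes as 0 and therefore fails the check below
	if claims["iss"] != wantIss || claims["sub"] != wantSub || claims["aud"] != wantAud || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, fmt.Errorf("claims do not match the agreed iss/sub/aud, or exp has passed")
	}
	return claims, nil
}

func main() { // hypothetical values: this key stands in for SuperAPI's, the claim values for those agreed at setup
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	token, _ := signAssertion(priv, map[string]any{"iss": "superapi", "sub": "superapi", "aud": "https://fund.example/oauth2/token", "iat": now.Unix(), "exp": now.Add(time.Minute).Unix(), "jti": "b3d8f0a1"})
	claims, err := verifyAssertion(token, publishJWKS(&priv.PublicKey), "superapi", "superapi", "https://fund.example/oauth2/token", now)
	fmt.Println(claims["jti"], err)
}
```

In a real integration the JWKS bytes passed to verifyAssertion come from an HTTPS fetch of the endpoint above, cached and refreshed on an unknown kid. The order of checks matters: the alg pin runs before any key is selected, the signature is verified before the claims are even decoded, and the claim comparison covers all four of iss, sub, aud and exp in one place so none can be skipped by accident.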
If your systems restrict inbound traffic by IP address, we can provide SuperAPI's source IP ranges to allowlist on request.
Security
Protecting personally identifiable information is central to the SuperAPI platform. We are ISO 27001:2022 certified and conduct annual penetration testing.
Security features
- Encryption in transit and at rest across all services
- Role-based access control with least-privilege defaults
- Continuous vulnerability scanning and annual penetration tests
- Segregated development, staging, and production environments
- Regular backup and disaster-recovery testing
For an overview of our security controls, see our security FAQ.
Sensitive data handling
Sensitive data, including personally identifiable information and Tax File Numbers, is held in line with our statutory record-keeping obligations under the Superannuation Industry (Supervision) Act. This gives partners a secure repository they can consult when verifying historic events such as an employee's super choice.
All sensitive data is encrypted in transit and at rest. Access is strictly role-based, logged, and reviewed regularly. Operational logs capture only the information needed for security monitoring and auditing, limiting exposure of personal details.
Data is stored solely in Australian data centres certified to ISO 27001 or an equivalent standard. Backups are replicated to geographically separate locations, and the principle of least privilege is enforced across the infrastructure, supported by regular penetration testing.
Getting help
Stuck with something and need help? Please contact us at support@superapi.com.au or by phone on 0405 472 748 (Sam). Have you set up a shared Slack or Teams channel with us? If not, please reach out so we can provide real-time support.