Financial-grade API (FAPI)
Driven by the security needs of Open Banking, PSD2 and the finance industry, the FAPI Working Group devised a set of OAuth 2.0 profiles for client applications and authorisation servers.
The FAPI security features
- Strong client authentication: Private-key based authentication via mutual TLS or with a signed JWT. The client keys can be stored in an HSM or similarly secured module.
- Sender-constrained tokens: The issued access tokens can optionally be bound to a client X.509 certificate, preventing their replay in the case of a leak.
- Upgraded OAuth 2.0: Use of OAuth extensions to upgrade security, such as PKCE for preventing code interception and JAR for signed authorisation requests.
- Modern TLS: TLS 1.2 and 1.3 with proven ciphers are required for securing the HTTP messages between clients and server. STS and DNSSEC are recommended.
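As an added illustration of the sender-constrained tokens listed above (example code, not part of the Connect2id server or the FAPI specification), this is the check a resource server performs under RFC 8705: the access token carries a `cnf` claim with the `x5t#S256` thumbprint of the client certificate, and the token is accepted only when the certificate presented on the mutual-TLS connection has that thumbprint. It assumes the token signature, issuer, audience and expiry have already been verified; the certificate bytes and claims are constructed sample values.

```python
import base64
import hashlib
import hmac


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url (no padding) of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_is_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Return True only if the token's cnf.x5t#S256 matches the presented client certificate.

    `claims` is the access token payload AFTER its signature has been verified and its
    issuer / audience / expiry checked; this function adds the sender-constraint check.
    A token without a confirmation claim is a plain bearer token and is rejected here,
    which is the behaviour a FAPI resource server wants.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str) or not expected:
        return False
    actual = cert_thumbprint_s256(presented_cert_der)
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected, actual)


# Constructed sample input (not a real certificate): the check only needs the DER bytes.
SAMPLE_CLIENT_CERT_DER = b"\x30\x82\x01\x0a-constructed-sample-cert-bytes"
SAMPLE_CLAIMS = {
    "iss": "https://as.example.com",
    "sub": "client-123",
    "aud": "https://api.example.com/payments",
    "exp": 4102444800,
    "cnf": {"x5t#S256": cert_thumbprint_s256(SAMPLE_CLIENT_CERT_DER)},
}

if __name__ == "__main__":
    # Same certificate as at token issuance: accepted.
    print(token_is_bound_to_cert(SAMPLE_CLAIMS, SAMPLE_CLIENT_CERT_DER))   # True
    # Leaked token replayed over a connection with a different certificate: rejected.
    print(token_is_bound_to_cert(SAMPLE_CLAIMS, b"some other certificate"))  # False
```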
FAPI compliance
The Connect2id server covers the FAPI 1.0 profiles:
- Baseline – Intended for applications that need access tokens and/or OpenID Connect login and where moderate security is sufficient.
- Advanced – For applications that demand high OAuth 2.0 and OpenID Connect security, such as applications that initiate financial transactions.
The FAPI WG is going to finalise a 2.0 profile in 2025 to support rich authorisations (RAR) and the ability to manage granted consent via an API.