Financial-grade API (FAPI) is a set of technical specifications based on OAuth 2.0 and OpenID Connect (OIDC) and their extensions for online financial services and other sectors that require a higher level of security.
Because the FAPI specification is written as a terse list of technical requirements, readers need a working knowledge of OAuth 2.0, OIDC, and related specifications and technologies, such as the JWT family of specifications (JWS, JWE, JWK, JWA and JWT) and mutual TLS, to understand the rationale behind each security provision of the specification.
This white paper describes the technical details of the Financial-grade API (FAPI) security profiles on a line-by-line basis, and explains how Authlete implements FAPI to enable flexible deployment.
What is Financial-grade API?
History of Standardization of FAPI
FAPI Specifications
FAPI Certification Program
Certification for FAPI OpenID Providers
Certification for FAPI-CIBA OpenID Providers
Prior Knowledge to Understand FAPI
Basic Specifications
Mutual TLS
JARM
Part 1: Baseline
Requirements for Authorization Server
Requirements for Public Client
Requirements for Confidential Client
Requirements for Protected Resources
Requirements for Clients to Protected Resources
Security Considerations
Part 2: Advanced
Detached Signature
Requirements for Authorization Server
Requirements for Confidential Client
Security Considerations
How Authlete Implements FAPI
Baseline or Advanced?
Mutual TLS
Access Token Duration
Access Token with Transaction Information
Authorization Details
Conclusion