A Comprehensive Commentary on Financial-grade API

Financial-grade API (FAPI) is a set of technical specifications based on OAuth 2.0 and OpenID Connect (OIDC) and their extensions for online financial services and other sectors that require a higher level of security.

While the FAPI specification is formatted as a terse list of technical requirements, readers need enough knowledge of OAuth 2.0, OIDC, and related specifications and technologies such as the JWT family (JWS, JWE, JWK, JWA and JWT) and mutual TLS to understand the rationale behind each security provision of the specification.

This white paper describes the technical details of the Financial-grade API (FAPI) security profiles on a line-by-line basis, and how Authlete implements FAPI to enable flexible deployment.

  • What is Financial-grade API?
  • History of Standardization of FAPI
  • FAPI Specifications
  • FAPI Certification Program
    • Certification for FAPI OpenID Providers
    • Certification for FAPI-CIBA OpenID Providers
  • Prior Knowledge to Understand FAPI
    • Basic Specifications
    • Mutual TLS
    • JARM
  • Part 1: Baseline
    • Requirements for Authorization Server
    • Requirements for Public Client
    • Requirements for Confidential Client
    • Requirements for Protected Resources
    • Requirements for Clients to Protected Resources
    • Security Considerations
  • Part 2: Advanced
    • Detached Signature
    • Requirements for Authorization Server
    • Requirements for Confidential Client
    • Security Considerations
  • How Authlete Implements FAPI
    • Baseline or Advanced?
    • Mutual TLS
    • Access Token Duration
    • Access Token with Transaction Information
    • Authorization Details
  • Conclusion