What is FAPI?
Financial-grade API (FAPI), being standardized by a working group under the OpenID Foundation (OIDF), aims “to provide specific implementation guidelines for online financial services to adopt by developing a REST / JSON data model protected by a highly secured OAuth profile” (source: OIDF).

FAPI Security Profiles
The FAPI Security Profiles are intended to be applied to online services in any sector that requires a higher level of security than standard OAuth or OpenID Connect provides. There are two types of profiles:

- Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline A baseline security profile of OAuth that is suitable for protecting APIs with a moderate inherent risk
- Financial-grade API Security Profile (FAPI) 1.0 – Part 2: Advanced An advanced security profile of OAuth that is suitable for protecting APIs with high inherent risk, such as those giving access to highly sensitive data, or triggering financial transactions (e.g., payment initiation)
- Prevention of sender impersonation and message tampering in terms of authorization request and response
  - Using request object
  - Using hybrid flow or JARM
- Prevention of leakage and unauthorized use of authorization code
  - Strict checking of Redirect URI (redirect_uri)
- Prevention of client impersonation
  - Client authentication with mutual TLS client authentication or JWT
- Prevention of unauthorized use of tokens
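As an added example (not code from the Authlete documentation), this is the check behind "using hybrid flow": the signed ID token returned on the front channel carries c_hash and s_hash claims (OpenID Connect Core 3.3.2.11; FAPI Part 2 requires s_hash), so a client can detect a tampered code or state. It assumes the ID token's signature has already been verified by a JWT library, and the sample token it builds is a constructed one with a placeholder signature.

```python
import base64
import hashlib
import hmac
import json

# Digest for the ID token "alg" values FAPI 1.0 Advanced permits (both use SHA-256)
DIGEST_FOR_ALG = {"PS256": hashlib.sha256, "ES256": hashlib.sha256}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def left_half_hash(value: str, alg: str) -> str:
    """c_hash / s_hash as defined in OpenID Connect Core 3.3.2.11: base64url of the
    left-most half of the digest that matches the ID token's alg."""
    digest = DIGEST_FOR_ALG[alg](value.encode("ascii")).digest()
    return _b64url_encode(digest[: len(digest) // 2])


def hybrid_response_is_bound(id_token: str, code: str, state: str) -> bool:
    """True only if the code and state received on the front channel are the ones the
    ID token vouches for. Assumes the ID token's signature was already verified against
    the issuer's JWK (done by a JWT library, out of scope here)."""
    try:
        header_b64, payload_b64, _signature = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    alg = header.get("alg")
    if alg not in DIGEST_FOR_ALG:
        return False  # unsigned or non-FAPI algorithm: do not trust the binding
    c_ok = hmac.compare_digest(str(claims.get("c_hash", "")), left_half_hash(code, alg))
    s_ok = hmac.compare_digest(str(claims.get("s_hash", "")), left_half_hash(state, alg))
    return c_ok and s_ok


def make_sample_id_token(code: str, state: str, alg: str = "PS256") -> str:
    """Constructed sample for demonstration: real header/payload, placeholder signature."""
    header = _b64url_encode(json.dumps({"alg": alg, "kid": "sample-key"}).encode())
    claims = {"iss": "https://as.example.com", "c_hash": left_half_hash(code, alg),
              "s_hash": left_half_hash(state, alg)}
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"
```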

- A Comprehensive Commentary on Financial-grade API This white paper describes the technical details of the Financial-grade API (FAPI) security profiles on a line-by-line basis, and how Authlete implements FAPI to enable flexible deployment.
Authlete and FAPI
Authlete has supported Financial-grade API since July 2018 and has been certified since April 2019. Here are useful resources that help you understand how you can build a FAPI-compliant authorization server with Authlete.

- Authlete FAPI Enhancements The session compares Authlete’s unique semi-hosted approach with traditional approaches for deploying OAuth infrastructure, and explains how Authlete has extended its client authentication functions and supported mutual TLS to implement Financial-grade API (FAPI).
- FAPI Basics A tutorial to configure Authlete to build a Financial-grade API (FAPI) compliant authorization server.
- FAPI Basics Supplement: Integration with Reference Implementations A tutorial to integrate Authlete’s reference implementations with an Authlete service that has been configured with the settings described in another tutorial, Financial-grade API (FAPI) Basics.
