Financial-grade API (FAPI), being standardized by a working group under OpenID Foundation (OIDF), aims “to provide specific implementation guidelines for online financial services to adopt by developing a REST / JSON data model protected by a highly secured OAuth profile” (source: OIDF).
The FAPI Security Profiles are intended to be applied to online services in any sector that requires a higher level of security than standard OAuth or OpenID Connect provides. There are two types of profiles:
An OAuth profile suitable for read-only API access to financial data and other similar use cases
A security profile suitable for read and write API access to financial services and other similar situations where the risk is higher
The latter, “FAPI Part 2,” provides stronger security measures by leveraging advanced features defined in the OpenID Connect specifications in addition to the OAuth standards. Here are some notable enhancements:
The following documents and slides might help you understand FAPI.
Financial-grade API (FAPI) is a technical specification that the Financial-grade API Working Group of the OpenID Foundation has developed. It uses OAuth 2.0 and OpenID Connect (OIDC) as its base and defines additional technical requirements for the financial industry and other industries that require higher security. […] This article explains the Financial-grade API security profile.
Authlete has supported Financial-grade API since July 2018 and has been certified since April 2019.
Here is a useful resource that helps you understand how you can build a FAPI-compliant authorization server with Authlete.
This document gives an overview of the security provisions defined in Financial-grade API - Part 2: Read and Write API Security Profile (hereinafter called “FAPI”) and walks through the Authlete configuration steps for building a FAPI-compliant authorization server.