Table of Contents
Financial-grade API (FAPI), being standardized by a working group under OpenID Foundation (OIDF), aims “to provide specific implementation guidelines for online financial services to adopt by developing a REST / JSON data model protected by a highly secured OAuth profile” (source: OIDF).
The FAPI Security Profiles are intended to be applied to online services in any sectors that requires a higher level of security than provided by standard OAuth or OpenID Connect. There are two types of profiles:
Financial-grade API Security Profile (FAPI) 1.0 – Part 1: Baseline
A baseline security profile of OAuth that is suitable for protecting APIs with a moderate inherent risk
Financial-grade API Security Profile (FAPI) 1.0 – Part 2: Advanced
An advanced security profile of OAuth that is suitable for protecting APIs with high inherent risk, such as those giving access to highly sensitive data, or triggering financial transactions (e.g., payment initiation)
The latter one, “FAPI Part 2,” provides higher security measures by leveraging advanced features defined in OpenID Connect specifications in addition to OAuth standards. Here are some notable enhancements:
The following documents and slides might help you understand FAPI.
A Comprehensive Commentary on Financial-grade API
This white paper describes technical details on Financial-grade API (FAPI) security profiles on a line-by-line basis, and how Authlete implements FAPI to enable flexibile deployment.
Authlete has supported Financial-grade API since July 2018 and has been certified since April 2019.
Here is a useful resource that helps you understand how you can build a FAPI-compliant authorization server with Authlete.
The session explains comparison of Authlete’s unique semi-hosted approach and traditional approaches for deploying OAuth infrastructure, and how Authlete has extended its client authentication functions and supported mutual TLS to implement Financial-grade API (FAPI).
Authlete API Tutorial: FAPI Basics
A tutorial to configure Authlete to build a Financial-grade API (FAPI) compliant authorization server.
FAPI Basics Supplement: Integration with Reference Implementations
A tutorial to integrate Authlete’s reference implementations with an Authlete service, that has been configured with settings described in another tutorial, Financial-grade API (FAPI) Basics.