Financial-grade API (FAPI)

What is FAPI?

Financial-grade API (FAPI), which is being standardized by a working group under the OpenID Foundation (OIDF), aims “to provide specific implementation guidelines for online financial services to adopt by developing a REST / JSON data model protected by a highly secured OAuth profile” (source: OIDF).

FAPI Security Profiles

The FAPI Security Profiles are intended to be applied to online services in any sector that requires a higher level of security than standard OAuth or OpenID Connect provides. There are two profiles:

  1. FAPI Part 1: Read-Only API Security Profile

  2. FAPI Part 2: Read and Write API Security Profile

The latter, “FAPI Part 2,” provides stronger protection by leveraging advanced features of the OpenID Connect specifications on top of the OAuth standards. Notable requirements it adds include:

  1. Authorization request parameters are sent as a signed request object (a JWT), so they cannot be altered between the client and the authorization server.

  2. Confidential clients authenticate with mutual TLS (MTLS) or private_key_jwt instead of a shared client secret.

  3. Access tokens are sender-constrained (bound to the client’s TLS certificate), so a leaked token cannot be replayed by another party.

  4. The authorization response itself is protected: the hybrid flow returns an ID token as a detached signature carrying s_hash and c_hash (binding the state and the authorization code to the response), or a signed JWT response (JARM) is used.
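The hash-binding checks on the authorization response are the part of FAPI Part 2 that client implementers most often get wrong, so here is an added example of them in Python. It is not Authlete’s code and not taken from the FAPI specification; it follows the c_hash / at_hash / s_hash construction of OpenID Connect Core (base64url of the left half of the SHA-2 digest matching the JWS alg) and the PKCE S256 derivation of RFC 7636, which FAPI 1.0 Final requires. The sample code, state, nonce and claims are constructed, and the function assumes the caller has already verified the ID token signature and the iss/aud/exp claims.

```python
"""FAPI Part 2-style authorization response binding checks (added example)."""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional

# The hash used for c_hash / at_hash / s_hash is the SHA-2 function whose size
# matches the JWS "alg" of the ID token (OpenID Connect Core 3.3.2.11).
# FAPI Part 2 only permits PS256 and ES256; the other sizes are included so the
# helper is correct for plain OpenID Connect deployments too.
_ALG_HASH = {
    "PS256": hashlib.sha256, "ES256": hashlib.sha256, "RS256": hashlib.sha256,
    "PS384": hashlib.sha384, "ES384": hashlib.sha384, "RS384": hashlib.sha384,
    "PS512": hashlib.sha512, "ES512": hashlib.sha512, "RS512": hashlib.sha512,
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """code_challenge for code_challenge_method=S256 (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def token_hash(value: str, alg: str) -> str:
    """c_hash / at_hash / s_hash: base64url of the LEFT HALF of the digest of
    the ASCII value, using the hash that matches the JWS alg."""
    digest = _ALG_HASH[alg](value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def _match(claim: Optional[object], expected: str) -> bool:
    """Presence check plus constant-time comparison of two ASCII strings."""
    return isinstance(claim, str) and hmac.compare_digest(claim, expected)


def verify_hybrid_response(claims: Dict[str, object], alg: str, code: str,
                           state: str, access_token: Optional[str] = None,
                           expected_nonce: Optional[str] = None) -> List[str]:
    """Check the detached-signature ID token from a hybrid-flow response
    (response_type=code id_token [token]) against the other artefacts that
    arrived with it. `claims` is the ID token payload AFTER signature and
    iss/aud/exp verification (assumed done by the caller).
    Returns a list of failure reasons; an empty list means the response binds."""
    failures: List[str] = []
    # c_hash is REQUIRED whenever a code is returned with the ID token.
    if not _match(claims.get("c_hash"), token_hash(code, alg)):
        failures.append("c_hash missing or does not match code")
    # s_hash is what FAPI Part 2 adds: without it a swapped state is undetected.
    if not _match(claims.get("s_hash"), token_hash(state, alg)):
        failures.append("s_hash missing or does not match state")
    # at_hash is REQUIRED only if an access token came from the authorization
    # endpoint; FAPI clients normally get the token from the token endpoint.
    if access_token is not None and not _match(
            claims.get("at_hash"), token_hash(access_token, alg)):
        failures.append("at_hash missing or does not match access token")
    # The nonce ties the ID token to this client session (replay protection).
    if expected_nonce is not None and not _match(claims.get("nonce"), expected_nonce):
        failures.append("nonce missing or does not match")
    return failures


def demo() -> Dict[str, List[str]]:
    """Constructed round trip: the server side computes the hashes, the client
    side verifies them, then the code in the response is tampered with."""
    alg = "PS256"
    code, state, nonce = "SplxlOBeZQQYbYS6WxSbIA", "af0ifjsldkj", "n-0S6_WzA2Mj"
    claims = {                       # constructed ID token payload
        "iss": "https://as.example.com", "aud": "s6BhdRkqt3", "nonce": nonce,
        "c_hash": token_hash(code, alg), "s_hash": token_hash(state, alg),
    }
    return {
        "ok": verify_hybrid_response(claims, alg, code, state, expected_nonce=nonce),
        "tampered": verify_hybrid_response(claims, alg, code + "x", state,
                                           expected_nonce=nonce),
    }


if __name__ == "__main__":
    print(demo())
    print(pkce_challenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"))
```

Note that the check only makes sense because the ID token is signed by the authorization server; the hashes are over public values, so their security comes entirely from the signature the caller verified beforehand.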

The following documents and slides might help you understand FAPI.

  1. A Comprehensive Commentary on Financial-grade API

    This white paper describes the technical details of the Financial-grade API (FAPI) security profiles on a line-by-line basis, and how Authlete implements FAPI to enable flexible deployment.

Authlete and FAPI

Authlete has supported Financial-grade API since July 2018 and has been certified since April 2019.

Here is a useful resource that helps you understand how you can build a FAPI-compliant authorization server with Authlete.

The session compares Authlete’s semi-hosted approach with traditional approaches to deploying OAuth infrastructure, and explains how Authlete extended its client authentication functions and added mutual TLS support to implement Financial-grade API (FAPI).

A tutorial to configure Authlete to build a Financial-grade API (FAPI) compliant authorization server.

A tutorial to integrate Authlete’s reference implementations with an Authlete service that has been configured with the settings described in another tutorial, Financial-grade API (FAPI) Basics.