Financial-grade API

What is FAPI?

Financial-grade API (FAPI), being standardized by a working group under OpenID Foundation (OIDF), aims “to provide specific implementation guidelines for online financial services to adopt by developing a REST / JSON data model protected by a highly secured OAuth profile” (source: OIDF).

FAPI Security Profiles

The FAPI Security Profiles are intended to be applied to online services in any sector that requires a higher level of security than standard OAuth or OpenID Connect provides. There are two types of profiles:

The latter, “FAPI Part 2,” provides stronger security measures by leveraging advanced features defined in the OpenID Connect specifications in addition to the OAuth standards. Here are some notable enhancements:

The following documents and slides might help you understand FAPI.

  1. Financial-grade API (FAPI), explained by an implementer

    Financial-grade API (FAPI) is a technical specification that the Financial-grade API Working Group of the OpenID Foundation has developed. It uses OAuth 2.0 and OpenID Connect (OIDC) as its base and defines additional technical requirements for the financial industry and other industries that require higher security. […] This article explains the Financial-grade API security profile.

  2. Financial-grade API (FAPI) and CIBA, IIW Fall 2019

Authlete and FAPI

Authlete has supported Financial-grade API since July 2018 and has been certified since April 2019.

Here is a useful resource that helps you understand how you can build a FAPI-compliant authorization server with Authlete.

  • Authlete API Tutorial: FAPI Basics

    This document gives an overview of the security provisions defined in Financial-grade API - Part 2: Read and Write API Security Profile (hereinafter called “FAPI”) and step-by-step Authlete configuration instructions for building a FAPI-compliant authorization server.