Financial-grade API Security Profile overview
Get familiar with the Financial-grade API Security Profile (FAPI): what it is and why it matters. Learn when it should be used and when you have to comply with its rules. Find out how Authorization Control Plane (ACP) can help you protect your APIs in a FAPI-compliant way.
FAPI in a nutshell
Financial-grade API (FAPI) is a hardened OAuth 2.0 profile that provides specific implementation guidelines aimed at improving the security and interoperability of your APIs. It is stricter than the base OAuth 2.0 and OIDC profiles. FAPI compliance is also an important requirement for all participants in Open Banking ecosystems, such as Open Banking UK, Open Banking Brazil, and others.
ACP FAPI compliance
ACP is compliant with the FAPI 1.0 guidelines on how to:
FAPI 1.0 compliant flow
1. The user tries to access the application.
2. The client redirects the user to the authorize endpoint. The request must include a request object, passed either in the request parameter or in the request_uri parameter. FAPI requires request objects to be signed with either the PS256 or the ES256 signing algorithm.
3. ACP authenticates the user and displays a consent screen if there is an authorization scope to be granted.
4. The user gives their consent.
5. ACP issues an authorization code. After ACP generates the authorization code, it redirects the user to the redirection endpoint configured for the registered client. The client must have at least one registered redirection URI. If there are multiple registered redirection URIs, the request to the authorize endpoint must always include the
6. The client sends a request to the token endpoint using the authorization code obtained in the previous step. The client application must be configured to use one of the mutual TLS client authentication methods.
7. ACP validates the request.
8. ACP returns a certificate-bound access token. Certificate-bound access tokens ensure that only a client holding the private key corresponding to the client's certificate can access the resources. Binding an access token to the client's certificate prevents the resources from being accessed with a stolen token.
9. The client requests protected resources from the resource server and presents the certificate-bound token it received in the previous step.
10. The resource server validates the token and responds with the requested resources.
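The two checks that make this flow FAPI-grade, shown as an added example that is not part of the ACP product or its documentation: the resource server confirming that the presented mTLS certificate matches the cnf.x5t#S256 confirmation claim of the access token (RFC 8705), and the authorization server rejecting a request object whose JOSE header does not use PS256 or ES256. Function names and the DER byte string are assumptions constructed for this example; real signature verification of the request object is still required and is not shown.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample: stands in for the DER bytes of the client certificate
# presented on the mutual-TLS connection (not a real certificate).
CLIENT_CERT_DER = b"constructed-der-bytes-of-client-cert"

# Signing algorithms FAPI 1.0 accepts for request objects.
FAPI_REQUEST_OBJECT_ALGS = {"PS256", "ES256"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for x5t#S256."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def x5t_s256(cert_der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate (RFC 8705)."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_claims(sub: str, cert_der: bytes) -> dict:
    """Authorization-server side: bind the token to the client certificate
    seen during mTLS client authentication at the token endpoint."""
    return {"sub": sub, "cnf": {"x5t#S256": x5t_s256(cert_der)}}


def token_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server side: accept the token only if its cnf.x5t#S256
    matches the certificate on the current mTLS connection. A token with no
    confirmation claim is rejected, since an unbound token could be replayed."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or not isinstance(cnf.get("x5t#S256"), str):
        return False
    expected = cnf["x5t#S256"].encode("utf-8")
    actual = x5t_s256(presented_cert_der).encode("utf-8")
    return hmac.compare_digest(expected, actual)


def request_object_alg_allowed(request_object_jwt: str) -> bool:
    """Authorization-server check on the request object header: only PS256
    or ES256 pass. Malformed headers are rejected rather than guessed at."""
    header_b64 = request_object_jwt.split(".")[0]
    header_b64 += "=" * (-len(header_b64) % 4)
    try:
        header = json.loads(base64.urlsafe_b64decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and header.get("alg") in FAPI_REQUEST_OBJECT_ALGS
```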
ACP compliance in depth
ACP’s authorization servers (workspaces) can be configured to be fully compliant with FAPI’s guidelines for authorization servers. Additionally, while creating a workspace you can choose one of the preconfigured workspace profiles that already are FAPI compliant: Open Banking UK, Open Banking Brazil, and Fintech and mission-critical applications.
To make your workspace FAPI compliant, you should:
Optionally, use certificate-bound access tokens as an additional security layer. To learn more about such tokens, see the OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens documentation.