Financial-grade API
Summary
FAPI (formerly Financial-grade API) is an API security profile developed by the FAPI Working Group of the OpenID Foundation. It is built on OAuth 2.0 and OpenID Connect, and defines security requirements for APIs that handle sensitive data or high-value transactions. Originally developed for open banking, the profile has since been applied to other domains including healthcare and e-government. Several national open banking frameworks have adopted FAPI as a mandatory security standard.
Background
OAuth 2.0 is a general-purpose authorisation framework designed to accommodate a wide range of use cases, including low-risk operations. In financial services, APIs may expose account data, initiate payments, or process irreversible transactions, and the security requirements are correspondingly stricter than standard OAuth provides. The FAPI Working Group was formed within the OpenID Foundation to develop a constrained profile of OAuth 2.0 and OpenID Connect that removes unsafe optional configurations and mandates specific cryptographic security mechanisms.[1]
The working group was originally called the "Financial-grade API Working Group". The name was later shortened to "FAPI Working Group" after the working group concluded that the profile was applicable to any high-value use case, not only financial services.[1]
Technical overview
FAPI works by profiling OAuth 2.0 and OpenID Connect rather than defining new protocols. It narrows the range of permitted configurations, mandates specific mechanisms, and adds security extensions not present in standard OAuth. Among the requirements across FAPI profiles are sender-constrained access tokens (via mutual TLS (mTLS) or Demonstrating Proof of Possession (DPoP)), Pushed Authorisation Requests (PAR) to protect the integrity of authorisation parameters, and certificate-based client authentication in place of shared secrets. The FAPI 2.0 Advanced profile additionally specifies mechanisms for non-repudiation across all exchanges.[2]
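To make these mechanisms concrete, the following added example (written for this article, not code from the FAPI specifications or any certified implementation) sketches both sides of a FAPI-style flow in Python: the client derives an S256 PKCE pair and the parameters it pushes to the PAR endpoint, the authorisation server checks the verifier against the stored challenge, and a resource server checks that a mutual-TLS sender-constrained token's cnf thumbprint (RFC 8705) matches the client certificate on the connection. Client identifier, redirect URI and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE and JOSE thumbprints require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_par_body(client_id, redirect_uri, scope, code_challenge):
    """Form body the client pushes to the PAR endpoint (RFC 9126). The browser
    later carries only an opaque request_uri, so these values cannot be
    altered in the front channel."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    })

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorisation server: the verifier sent with the token request must
    hash to the challenge stored from the pushed request."""
    expected = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, stored_challenge)

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 thumbprint of a DER certificate, as placed in the cnf claim (RFC 8705)."""
    return b64url(hashlib.sha256(cert_der).digest())

def token_bound_to_connection(token_claims: dict, tls_client_cert_der: bytes) -> bool:
    """Resource server: accept a mutual-TLS sender-constrained token only when the
    certificate on this connection matches its cnf binding. A token without a
    binding is a plain bearer token and is rejected under FAPI."""
    bound = token_claims.get("cnf", {}).get("x5t#S256")
    if not bound:
        return False
    return secrets.compare_digest(bound, cert_thumbprint(tls_client_cert_der))

if __name__ == "__main__":
    # Constructed sample values, not real identifiers or certificates
    verifier, challenge = pkce_pair()
    print(build_par_body("client-placeholder", "https://example.test/cb", "accounts", challenge))
```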
Formal security analysis
The security of FAPI 1.0 was subject to formal analysis by Fett, Hosseyni, and Küsters, using the Web Infrastructure Model (WIM). The analysis uncovered previously unknown attacks on authentication, authorisation, and session integrity properties, and produced a formal proof of security for a corrected version of the specification. The paper was published at the IEEE Symposium on Security and Privacy in 2019 and is cited in the FAPI 2.0 specification.[3] A formal analysis of FAPI 2.0 was subsequently published in ACM Transactions on Privacy and Security.[4]
Versions
FAPI 1.0
FAPI 1.0 defines two compliance levels. The Baseline profile covers read-only API access, such as retrieving account information. The Advanced profile covers read-write access, such as payment initiation, and requires a higher level of security. The first Implementers Draft was published in July 2017, followed by a second in October 2018. The Final specification was published in March 2021.[1]
FAPI 2.0
FAPI 2.0 was published as a Final specification on 22 February 2025.[2] The revision prioritises interoperability by reducing optional configurations, and extends the scope of the profile to cover fine-grained and transactional authorisation. FAPI 2.0 defines a Baseline profile, which targets a comparable security level to FAPI 1.0 Advanced, and a separate Advanced profile (also referred to as Message Signing) that adds non-repudiation to all exchanges. Conformance tests were made available in March 2023.
FAPI 2.0 is not fully backwards compatible with FAPI 1.0, though both versions share some mechanisms, including the Authorisation Code flow with PKCE.
Adoption
Several national open banking and open finance frameworks have adopted FAPI as their security profile.
In the United Kingdom, the Open Banking Standard was established under the Competition and Markets Authority's Retail Banking Market Investigation Order 2017, which required the nine largest current account providers to implement open banking.[5] The UK Open Banking Standard adopted FAPI 1.0 as its security profile.[6]
Australia's Consumer Data Right standard adopted FAPI 1.0 and has indicated a planned upgrade to FAPI 2.0.[1] Brazil's Open Finance framework references FAPI standards for its API security requirements.[1] In the United States, the Financial Data Exchange (FDX) operates under a liaison agreement with the FAPI Working Group to align North American open banking standards with FAPI specifications.[1]
On 7 February 2024, Colombia's Superintendencia Financiera issued Circular Externa 004 de 2024, which established technical and security standards for open finance. The circular requires supervised entities participating in the open finance ecosystem to comply with FAPI 2.0.[7]
Certification
The OpenID Foundation operates a self-certification programme for FAPI compliance. Organisations test their implementations against conformance suites maintained by the Foundation, and results are published publicly. Certifications for FAPI 1.0 and FAPI 2.0 are separate, and independent of OpenID Connect certification.[1]
Early holders of FAPI-CIBA certification included Authlete, Ping Identity, and Ozone API Financial Technology, alongside OpenBanking UK.[8]
References
- [1] "FAPI Working Group". OpenID Foundation. Retrieved 2026-04-01.
- [2] "FAPI 2.0 Security Profile". OpenID Foundation. 22 February 2025. Retrieved 2026-04-01.
- [3] Fett, Daniel; Hosseyni, Pedram; Küsters, Ralf (2019). "An Extensive Formal Security Analysis of the OpenID Financial-grade API". IEEE Symposium on Security and Privacy: 1054–1072. doi:10.1109/SP.2019.00067.
- [4] "Formal Security Analysis of the OpenID FAPI 2.0 Family of Protocols". ACM Transactions on Privacy and Security. 2024. doi:10.1145/3699716.
- [5] "Retail Banking Market Investigation Order 2017". Competition and Markets Authority. 2 February 2017. Retrieved 2026-04-01.
- [6] "Security Profiles". Open Banking Limited. Retrieved 2026-04-01.
- [7] "Circular Externa 004 de 2024". Superintendencia Financiera de Colombia. 7 February 2024. Retrieved 2026-04-01.
- [8] "OpenID Certification Program Expands with the Release of FAPI-CIBA Certification". OpenID Foundation. 16 September 2019. Retrieved 2026-04-01.
