Start with Identity
Standard · stable

FAPI (Financial-grade API)

FAPI 1.0 and FAPI 2.0 · OpenID Foundation · FAPI 2.0 Security Profile finalized · Official spec ↗

What it is

FAPI, the Financial-grade API profile from the OpenID Foundation, is a tightened security profile layered on OAuth 2.0 and OpenID Connect. It exists because plain OAuth, while flexible, leaves choices that are unsafe for high-value APIs like banking and payments. FAPI removes that ambiguity and mandates the strong options.

How it works

FAPI raises the bar with requirements such as:

  • Sender-constrained tokens (mutual TLS or DPoP) so a stolen token cannot be replayed by another client.
  • Pushed Authorization Requests (PAR) so request parameters are sent over a back channel and cannot be tampered with.
  • Strong client authentication and signed request objects.
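The first bullet in practice, as an added example that is not from this page or from the OpenID Foundation: the resource-server side of a certificate-bound (mutual TLS) access token per RFC 8705, where the token's `cnf` claim carries the SHA-256 thumbprint of the client certificate it was issued to. The certificate bytes and token claims below are constructed stand-ins, and the claims are assumed to have been signature-verified already.

```python
import base64
import hashlib
import hmac


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server check for a certificate-bound access token.

    `claims` are the access token's claims, assumed already signature-verified
    and inside their validity window. The check is deliberately strict: a token
    with no `cnf` binding is rejected, because FAPI requires sender-constrained
    tokens, so a plain bearer token must not be accepted on a FAPI endpoint.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    # Constant-time comparison so timing does not reveal how much of the
    # thumbprint matched; the presented cert comes from the mutual-TLS handshake.
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


# Constructed sample inputs (not real certificates): stand-ins for the DER bytes
# the TLS layer hands to the resource server after mutual authentication.
LEGIT_CLIENT_CERT = b"-- constructed DER bytes of the legitimate client's cert --"
OTHER_CLIENT_CERT = b"-- constructed DER bytes of some other client's cert --"

# Access token claims as the authorization server would issue them for the
# legitimate client, binding the token to that client's certificate.
TOKEN_CLAIMS = {
    "iss": "https://as.example",  # placeholder issuer
    "sub": "user-123",            # constructed subject
    "scope": "accounts payments",
    "cnf": {"x5t#S256": x5t_s256(LEGIT_CLIENT_CERT)},
}


def demo() -> dict:
    """The three cases a resource server must get right."""
    return {
        "legit_client": token_bound_to_cert(TOKEN_CLAIMS, LEGIT_CLIENT_CERT),
        "replayed_by_other_client": token_bound_to_cert(TOKEN_CLAIMS, OTHER_CLIENT_CERT),
        "bearer_token_without_cnf": token_bound_to_cert({"sub": "user-123"}, LEGIT_CLIENT_CERT),
    }
```

The second case is the replay the bullet describes: the token is valid and unexpired, but it is presented over a TLS session authenticated with a different certificate, so the thumbprint mismatch alone is enough to reject it.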

Status

FAPI 1.0 is widely deployed in open banking regimes (UK, Brazil, Australia and others). FAPI 2.0 simplifies and strengthens the profile and is the current target for new implementations.

When to use it

When you expose APIs that move money or highly sensitive data, or when a regulator or open-banking scheme requires it. For ordinary consumer login, standard OIDC is sufficient.

Pitfalls

  • FAPI is demanding to implement correctly; use a certified provider rather than building it yourself.
  • Conformance matters: look for OpenID Foundation FAPI certification on any platform you rely on.

Related

Glossary: FAPI, PAR, DPoP. Standards: OAuth 2.0, OpenID Connect.

Independent, community-driven reference. Always confirm details against the official specification linked above.