
FAPI 2.0: The Future of API Security for High-Stakes Customer Interactions

Learn how to improve end-to-end security and privacy for your APIs using the FAPI 2.0 Security Profile.

Sensitive customer scenarios like making payments, sharing personal information, or updating account profiles online are prime targets for attackers. Without robust end-to-end security, these digital interactions face heightened risks of tampering and data breaches that can lead to damaging fraud and theft.

These customer interactions demand more advanced security measures, including elevated API security. That is where FAPI comes in. Developed by the OpenID Foundation, a nonprofit organization that creates open, interoperable identity and authentication standards, FAPI (formerly known as Financial-Grade API) sets the gold standard for API security by offering advanced protocols that safeguard sensitive data and transactions. Initially designed for financial services, FAPI’s protections are now widely used across industries, providing end-to-end security and privacy for high-risk interactions.

In this blog post, we introduce FAPI and its latest iteration, FAPI 2.0, highlighting how these standards can help organizations protect critical interactions, enhance data security, and deliver seamless customer experiences.

What is FAPI?

FAPI is a security profile developed by the FAPI Working Group of Identity and Access Management (IAM) experts for the OpenID Foundation. As outlined by OpenID, this working group collaborates to ensure FAPI meets real-world needs for secure and interoperable API frameworks.

Building on the widely used OAuth 2.0 and OpenID Connect standards, FAPI specifies protocols that meet the stricter security and privacy requirements of highly sensitive customer actions, such as payments and the sharing of sensitive data. Because the OAuth 2.0 authorization framework is general enough to cover a wide range of scenarios, the FAPI working group has defined a stricter set of modern security best practices that implementers should adhere to in high-risk scenarios. This was achieved by profiling the existing protocols against a formalized attacker model and subjecting the resulting profile to formal security analysis.

Why use FAPI?

Although originally formed to create security profiles and API security standards for financial and open banking APIs, the FAPI working group has found a range of industries with high-value use cases that could benefit from a more secure model. In particular, there are three key benefits of using FAPI specifications for strengthening API security outlined by the FAPI working group:

  • Clear, point-by-point specifications that implementers can use as a “checklist.”
  • Exhaustive conformance tests to allow implementers to better secure their software and ensure interoperability.
  • A standards-based approach to providing security for complex interactions (e.g., decoupled authZ flows via CIBA, grant management, pushed request objects).

To support FAPI certification, the FAPI working group provides a suite of conformance tests and a self-certification process for implementation vendors. There are a number of different FAPI profiles that vendors can certify against.

Understanding the different versions of FAPI

There are different versions of the FAPI specification. Currently, FAPI v1, specifically the FAPI v1 Advanced specification, is the most widely used financial industry standard for protecting APIs used in sensitive scenarios.

FAPI v1 Advanced is required by data standards such as Australian Consumer Data Rights, UK Open Banking, Brazil Open Banking, and other Open Banking initiatives globally. You may not know it (and ideally, you shouldn’t), but when you interact with your bank over the web or connect your mobile wallet with your bank account, you are likely using a FAPI-protected flow.

Some of the protocols advanced by the FAPI Working Group include:

| Protocol | Description | FAPIv1 / FAPIv2 |
| --- | --- | --- |
| JAR (JWT-Secured Authorization Requests) | Protects the integrity of authorization request parameters, with non-repudiation, via message-level signing of the authorization request. | Required in FAPIv1 Advanced. Not required in the FAPIv2 Security Profile; moved to FAPIv2 Message Signing. |
| PAR (Pushed Authorization Requests) | Requires authorization requests to be routed via the backchannel and away from the browser. | Optional in FAPIv1 Advanced. Required in the FAPIv2 Security Profile. |
| Private Key JWT client authentication | Strong app authentication using asymmetric cryptography. | Required option in both FAPIv1 Advanced and the FAPIv2 Security Profile. |
| mTLS (OAuth 2.0 Mutual-TLS Client Authentication) | Uses transport-layer PKI for strong app authentication. | Required option in both FAPIv1 Advanced and the FAPIv2 Security Profile. |
| mTLS (OAuth 2.0 Certificate-Bound Access Tokens) | Uses transport-layer PKI to bind access tokens to the client’s TLS certificate; typically combined with the above. | Required option in both FAPIv1 Advanced and the FAPIv2 Security Profile. |
| DPoP (Demonstrating Proof of Possession of a private key) | Sender-constrains tokens using asymmetric cryptography; an alternative to mTLS certificate binding. | Required option in the FAPIv2 Security Profile. |
| JWE (JSON Web Encryption) | Encrypts sensitive data in front-channel tokens. | Optional in FAPIv1 Advanced. Not required in the FAPIv2 Security Profile. |
| RAR (Rich Authorization Requests) | Provides rich contextual data to the user during authentication and authorization flows. | Optional but recommended in the FAPIv2 Security Profile. |

FAPI 2.0

FAPI 2.0 is a simpler, more approachable iteration of the profile. Many of the updates in the specification are aimed at simplification, ease of implementation, and improved interoperability, based on lessons learned from years of operating FAPI 1.0 services. The FAPI 2.0 specifications have been separated into parts that enable an incremental approach to implementation:

  • Attacker model with security goals
  • Security profile
  • Message signing profile

The FAPI 2.0 Security Profile and Attacker Model have recently been published and are available from the OpenID Foundation as the FAPI 2.0 Security Profile and the FAPI 2.0 Attacker Model.

Here are some key differences between FAPI v1 Advanced and FAPI 2.0:

  • FAPI 2.0 has a broader scope than FAPI 1.0 and aims for improved interoperability between the client and authorization server and between the client and resource server (APIs). This is especially important in ecosystems such as open banking, which grow via the network effect.
  • FAPI 2.0 provides the option of using rich authorization requests to obtain a more fine-grained and richer context for authorizing transactions and API access. This ensures customers understand what they are authorizing, which can help with personalization, improving trust and retention.
  • FAPI 2.0 provides a more versatile and approachable option for sender-constraining tokens and protecting against replay attacks using DPoP. This can help with the adoption of a robust security mechanism for protecting access and refresh tokens.
  • FAPI 2.0 defines protection levels where the baseline security profile aims to be secure against threats described in the security threat model. An additional (advanced) profile adds non-repudiation through message signing.

Early adopters of FAPI 2.0

The FAPI 2.0 specification has gone through two implementer’s drafts and is sufficiently mature. It has undergone a public review period in advance of its final approvals by the OpenID Foundation. FAPI 2.0 is already being targeted to Open Banking regulations across the globe:

  • The Superintendencia Financiera de Colombia (SFC), the Colombian financial regulator, has issued a press release on its strategy of digitalizing the financial system to increase participation and foster competition and innovation. The SFC has been forward-looking and mandated that Colombian banks implement FAPI 2.0 in its External Circular 004 2024 (7th Feb 2024) on Open Finance and Commercialization of Technology and Digital Infrastructure.
  • The Australian Consumer Data Right (CDR) is targeting FAPI 2.0 as a security uplift.

Advancing API security with FAPI standards and Auth0

Implementing robust API security standards like FAPI for organizations handling sensitive customer interactions is crucial for enhancing privacy and security. FAPI offers a trusted framework for safeguarding financial transactions, personal data, and other critical operations. Auth0 has swiftly adopted and certified against the FAPI 2.0 Security Profile as part of its Highly Regulated Identity (HRI) solution suite. Auth0’s HRI also supports FAPI v1 Advanced certification for “PAR with Private Key JWT” and “PAR with mTLS” profiles.

It’s time to prioritize robust API security

Auth0 simplifies adopting FAPI standards with support for FAPI v1 Advanced and FAPI 2.0, laying the groundwork for compliance and robust protection. Ready to strengthen your API security? Connect with your Auth0 representative to get started.