High-security OAuth/OIDC profile for financial APIs and open banking.
FAPI (Financial-grade API) is an OAuth 2.0 / OIDC security profile developed by the OpenID Foundation FAPI Working Group; it specifies strict configurations for financial APIs and for any system that requires high security. Widely adopted by Open Banking UK, EU PSD2, Brazil Open Finance, the Australian Consumer Data Right, and the Berlin Group.
Versions:
(1) **FAPI 1.0** (2018) — Read-Only and Read-Write profiles. Largely deprecated in favour of FAPI 2.0.
(2) **FAPI 2.0** (2023+) — simplified, secure by design, modernized. Recommended for new deployments.
FAPI 2.0 mandates:
(1) **PKCE** mandatory (S256).
(2) **PAR** (Pushed Authorization Requests) mandatory.
(3) **Sender-constrained tokens** — mTLS OR DPoP required.
(4) **No implicit flow**.
(5) **Strict redirect_uri** exact match.
(6) **Encrypted ID tokens** optional.
(7) **Strong client authentication** at token endpoint (mTLS, private_key_jwt).
(8) **Exhaustive validation** of tokens and responses.
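As an added illustration (not code from this page or from any certified implementation), the following Python sketch shows the client-side PKCE S256 pair and the authorization-server checks behind mandates (1), (2), (4) and (5) above: S256 only, a PAR-issued request_uri, code-only response type, and exact redirect_uri matching. The client registration record and the parameter dictionaries are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair() -> tuple[str, str]:
    """Client side: random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def s256_matches(verifier: str, challenge: str) -> bool:
    """Token endpoint: does the presented verifier hash to the stored challenge?"""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))

# Constructed sample of a registered client (hypothetical values).
CLIENT = {"client_id": "tpp-demo", "redirect_uris": frozenset({"https://tpp.example/cb"})}

def validate_par_request(params: dict, client: dict) -> list[str]:
    """Authorization server: FAPI 2.0 checks on a pushed authorization request.
    Returns the violations found; an empty list means the request is acceptable."""
    errors = []
    if params.get("client_id") != client["client_id"]:
        errors.append("client_id does not match the client authenticated at the PAR endpoint")
    if params.get("response_type") != "code":
        errors.append("only response_type=code is allowed (no implicit or hybrid flow)")
    # Exact string comparison: no prefix match, no trailing-slash or query tolerance.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        errors.append("redirect_uri must exactly match a registered value")
    if params.get("code_challenge_method") != "S256":
        errors.append("code_challenge_method must be S256 (plain is forbidden)")
    if len(params.get("code_challenge", "")) != 43:
        errors.append("code_challenge must be a 43-char base64url SHA-256 digest")
    return errors

def validate_authorize_query(query: str) -> list[str]:
    """Front-channel /authorize call: must reference a PAR-issued request_uri."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    errors = []
    if "client_id" not in q:
        errors.append("client_id is missing")
    if not q.get("request_uri", "").startswith("urn:ietf:params:oauth:request_uri:"):
        errors.append("request must be pushed via PAR and reference its request_uri")
    return errors
```

Sender-constraining the issued tokens (mTLS or DPoP) and authenticating the client at the PAR and token endpoints are separate steps not covered by this sketch.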
FAPI 2.0 Message Signing (additional profile) adds:
(1) **JAR** (signed request).
(2) **JARM** (signed response).
(3) **HTTP Message Signatures** for resource API requests.
Why FAPI matters:
- Financial APIs handle money movements and account data, which makes them high-value targets.
- Standard OAuth misconfigurations have led to many vulnerabilities (CSRF, code interception, token theft).
- Regulatory drivers: PSD2 SCA (Strong Customer Authentication), CDR, Open Banking mandates.
- FAPI provides battle-tested secure-by-default config.
Certifications:
- **OpenID Foundation Certification Program** — official conformance tests.
- Required for production deployment under some regulations (UK Open Banking Directory certification is mandatory).
- IdPs: Authlete, Curity, ForgeRock, Okta, Auth0, Microsoft Entra (partial), Keycloak (community).
- Clients: open-source libraries such as Filip Skokan's node-openid-client and AppAuth for mobile, plus certified OIDC clients.
Deployment effort: significant — many components (PAR, DPoP, mTLS PKI, signed responses) — but it provides a robust foundation. Justified for financial, critical healthcare, and high-assurance government systems.
For consumer apps: standard OAuth 2.1 + PKCE + SameSite cookies is typically sufficient; FAPI is overkill.