Term · 28. International Regulations
FAPI 2.0 (Financial-grade API)
Definition
OpenID Foundation Financial-grade API Security Profile 2.0: a high-security OAuth 2.0 / OpenID Connect authorization profile for APIs that expose financial data (open banking, fintech), and the successor to FAPI 1.0 Advanced. It requires the authorization code flow only (no implicit or hybrid response types), PKCE with S256, Pushed Authorization Requests (PAR, RFC 9126) for every authorization request, client authentication by private_key_jwt or mTLS, the iss authorization-response parameter (RFC 9207) against mix-up attacks, and sender-constrained access tokens bound with mTLS (RFC 8705) or DPoP (RFC 9449), so plain bearer tokens are not accepted. JWT-secured Authorization Requests (JAR) and signed authorization responses (JARM) belong to the companion FAPI 2.0 Message Signing profile, used where non-repudiation is needed. FAPI profiles underpin UK Open Banking, Brazil Open Finance and Australia's Consumer Data Right (ecosystems that launched on FAPI 1.0 Advanced, several of which are moving to 2.0); EU PSD3 is still in development.
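The requirements above are all visible in an authorization server's discovery document (RFC 8414 / OIDC Discovery), so a first FAPI 2.0 readiness check can be run offline against that JSON before touching the conformance suite. The checker below is an added example written for this entry, not code from the OpenID Foundation or its conformance suite; the two metadata documents (`GOOD_METADATA`, `WEAK_METADATA`) are constructed inline, and the finding codes are this example's own naming.

```python
"""FAPI 2.0 readiness check over an OAuth 2.0 / OIDC discovery document.

Added example for this glossary entry (not the OpenID Foundation's code).
Each check maps to a FAPI 2.0 Security Profile authorization-server
requirement; metadata keys are the standard RFC 8414 / OIDC Discovery ones.
"""
import json

# Client authentication methods the profile permits: private_key_jwt or mTLS.
ALLOWED_CLIENT_AUTH = {"private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth"}

# JWS algorithm lists the profile constrains (RSASSA-PKCS1-v1_5 and "none" are forbidden).
JWS_ALG_KEYS = (
    "dpop_signing_alg_values_supported",
    "token_endpoint_auth_signing_alg_values_supported",
)


def fapi2_findings(metadata: dict) -> list[tuple[str, str]]:
    """Return (code, detail) pairs for each FAPI 2.0 requirement the metadata
    fails to advertise. An empty list means every check here passed; it is a
    readiness screen, not a substitute for the OpenID conformance suite."""
    findings: list[tuple[str, str]] = []

    def flag(code: str, detail: str) -> None:
        findings.append((code, detail))

    # Authorization code grant only: implicit and hybrid response types are out.
    rts = set(metadata.get("response_types_supported", []))
    extra = sorted(rts - {"code"})
    if extra:
        flag("RESPONSE_TYPES", f"implicit/hybrid response types advertised: {extra}")
    if "code" not in rts:
        flag("RESPONSE_TYPES", "authorization code response type not advertised")

    # PAR (RFC 9126) must exist and be mandatory, not merely optional.
    if not metadata.get("pushed_authorization_request_endpoint"):
        flag("PAR_ENDPOINT", "no pushed_authorization_request_endpoint")
    if metadata.get("require_pushed_authorization_requests") is not True:
        flag("PAR_REQUIRED", "require_pushed_authorization_requests is not true")

    # PKCE (RFC 7636) with S256; advertising "plain" means the AS still accepts it.
    pkce = metadata.get("code_challenge_methods_supported", [])
    if "S256" not in pkce:
        flag("PKCE_S256", "PKCE S256 not advertised")
    if "plain" in pkce:
        flag("PKCE_PLAIN", "PKCE 'plain' method advertised")

    # Sender-constrained tokens: mTLS-bound (RFC 8705) or DPoP (RFC 9449).
    mtls_bound = metadata.get("tls_client_certificate_bound_access_tokens") is True
    dpop_algs = metadata.get("dpop_signing_alg_values_supported", [])
    if not (mtls_bound or dpop_algs):
        flag("SENDER_CONSTRAINED", "neither mTLS-bound nor DPoP-bound access tokens advertised")

    # Client authentication limited to private_key_jwt or mTLS (no shared secrets).
    auth = set(metadata.get("token_endpoint_auth_methods_supported", []))
    bad_auth = sorted(auth - ALLOWED_CLIENT_AUTH)
    if bad_auth:
        flag("CLIENT_AUTH", f"disallowed client authentication methods: {bad_auth}")

    # JWS algorithms: RS* (RSASSA-PKCS1-v1_5) and "none" are forbidden; PS256/ES256 are expected.
    for key in JWS_ALG_KEYS:
        weak = [a for a in metadata.get(key, []) if a == "none" or a.startswith("RS")]
        if weak:
            flag("WEAK_JWS_ALG", f"{key} allows {weak}")

    # iss in the authorization response (RFC 9207) defeats mix-up attacks.
    if metadata.get("authorization_response_iss_parameter_supported") is not True:
        flag("ISS_PARAM", "authorization_response_iss_parameter_supported is not true")

    return findings


# Constructed sample: what a FAPI 2.0 authorization server might advertise.
GOOD_METADATA = {
    "issuer": "https://as.example",
    "authorization_endpoint": "https://as.example/authorize",
    "token_endpoint": "https://as.example/token",
    "pushed_authorization_request_endpoint": "https://as.example/par",
    "require_pushed_authorization_requests": True,
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "tls_client_auth"],
    "token_endpoint_auth_signing_alg_values_supported": ["PS256", "ES256"],
    "tls_client_certificate_bound_access_tokens": True,
    "dpop_signing_alg_values_supported": ["ES256"],
    "authorization_response_iss_parameter_supported": True,
}

# Constructed sample: a generic OAuth 2.0 / OIDC deployment with bearer tokens.
WEAK_METADATA = {
    "issuer": "https://legacy.example",
    "authorization_endpoint": "https://legacy.example/authorize",
    "token_endpoint": "https://legacy.example/token",
    "response_types_supported": ["code", "token", "id_token", "code id_token"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post", "private_key_jwt"],
    "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
}


if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("weak", WEAK_METADATA)):
        print(name, json.dumps(fapi2_findings(doc), indent=2))
```

Point the script at a real server by loading its `/.well-known/openid-configuration` (or `/.well-known/oauth-authorization-server`) JSON into `fapi2_findings`; a clean result only says the server advertises the right things, so the conformance suite is still needed to confirm it enforces them.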
Synonyms
- Financial-grade API 2.0
- OpenID FAPI 2.0
Application
- Regulatory and standards profile built on IETF RFCs (6749 OAuth 2.0, 7519 JWT, 7636 PKCE, 8705 mTLS, 9126 PAR, 9449 DPoP)
Standards & regulations
- OpenID Foundation (publisher of the FAPI profiles)
- IETF (underlying OAuth 2.0 RFCs)
Sources
- FAPI 2.0 Security Profile (OpenID Foundation), primary source
Related terms
- DPoP (Demonstration of Proof of Possession)
  Demonstration of Proof-of-Possession — IETF RFC 9449, OAuth 2.0 mechanism binding an access token to a private key held …
- Kerberos
  Network authentication protocol developed at MIT (Kerberos v5: IETF RFC 4120, 2005) using symmetric-key cryptography and …
- mTLS (mutual TLS)
  Mutual TLS — both client and server authenticate each other via certificates during TLS handshake. RFC 8705 specifies OA …
- OAuth 2.1
  IETF draft consolidating OAuth 2.0 (RFC 6749) with security best practices and deprecating insecure patterns: removes im …
- PAR (Pushed Authorization Requests)
  OAuth 2.0 Pushed Authorization Requests — IETF RFC 9126. Client sends authorization request parameters directly to the a …
- OpenID Connect (OIDC)
  Identity layer on top of OAuth 2.0 (OpenID Foundation, OIDC Core 1.0). Provides standardized authentication via JWT ID t …