CIAM.wiki


FAPI

FAPI is a set of security profiles from the OpenID Foundation that harden OAuth 2.0 and OpenID Connect for high-value APIs such as open banking, where the cost of a breach is high.

Also: Financial-grade API

FAPI, originally the Financial-grade API, is a hardened profile of OAuth 2.0 and OpenID Connect. It tightens the baseline with requirements such as sender-constrained tokens, stronger client authentication, and signed requests and responses, closing gaps that are acceptable for low-risk apps but not for moving money or sharing sensitive financial data.
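One of the tightenings named above, sender-constrained tokens, is worth seeing concretely. The following is an added example (not code from CIAM.wiki or the OpenID Foundation) of the resource-server side of a certificate-bound access token in the RFC 8705 style that FAPI 1.0 Advanced relies on: the token carries a `cnf.x5t#S256` thumbprint and is accepted only when the presenting client's mTLS certificate matches it. It assumes the JWT signature was already verified upstream and uses constructed stand-in DER bytes rather than real certificates.

```python
"""Certificate-bound (sender-constrained) access token check, RFC 8705 style.

Added example, not from the CIAM.wiki page. Assumes the token's signature
has already been verified and that the TLS layer hands the resource server
the client certificate as DER bytes.
"""
import base64
import hashlib
import hmac
from typing import Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JOSE and RFC 8705."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint(der_cert: bytes) -> str:
    """x5t#S256 = base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(der_cert).digest())


def token_bound_to_cert(claims: dict, der_cert: Optional[bytes]) -> bool:
    """Accept only if cnf.x5t#S256 is present and matches the caller's cert.

    A token without cnf is a plain bearer token; in a FAPI-style deployment
    the resource server rejects it instead of falling back to bearer use.
    """
    if der_cert is None:          # no mTLS client cert on this connection
        return False
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, cert_thumbprint(der_cert))


# Constructed sample inputs (not real certificates): stand-in DER byte strings.
LEGIT_CLIENT_CERT = b"\x30\x82\x01\x00constructed-der-for-legit-client"
OTHER_CLIENT_CERT = b"\x30\x82\x01\x00constructed-der-for-other-client"


def issue_bound_claims(der_cert: bytes) -> dict:
    """Claims the authorization server binds to the client cert at issuance."""
    return {"iss": "https://as.example", "sub": "user-1", "scope": "accounts",
            "cnf": {"x5t#S256": cert_thumbprint(der_cert)}}


def demo() -> tuple:
    """Legit caller, replay from a different cert, and an unbound bearer token."""
    claims = issue_bound_claims(LEGIT_CLIENT_CERT)
    return (token_bound_to_cert(claims, LEGIT_CLIENT_CERT),
            token_bound_to_cert(claims, OTHER_CLIENT_CERT),
            token_bound_to_cert({"sub": "user-1"}, LEGIT_CLIENT_CERT))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The middle case is the point of the profile: a token leaked or replayed from another connection fails the check even though it is otherwise valid.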

It is maintained by the OpenID Foundation and is the security baseline behind many open banking and open finance ecosystems, where regulators or schemes require a consistent, high-assurance way for third parties to access accounts with user consent.

For CIAM in regulated sectors, FAPI is the profile to follow when an identity platform exposes or consumes APIs that carry financial or otherwise sensitive operations, rather than relying on plain OAuth defaults.
