FAPI
FAPI stands for Financial-grade API, a set of technical specifications developed by the OpenID Foundation. It is designed for highly-regulated industries to ensure secure data sharing and robust authentication in scenarios involving sensitive financial information, such as banking and payment services.
FAPI 2.0 Security Profile extends OAuth 2.0 and OIDC protocols, with enhanced requirements to mitigate risks like phishing, token theft, or unauthorized access. FAPI is primarily used in Open Banking and similar systems where high security and privacy standards are required.
Certification
Mosaic is a certified FAPI 2.0 provider.
To ensure compliance with FAPI in Mosaic, your apps should adhere to industry best practices, including but not limited to these principles:
- Enforcing proof key for code exchange (PKCE) alongside client credentials. PKCE ensures the authorization code can be exchanged for ID and access tokens only by a client that requested authentication. See Secure login with PKCE
- Using pushed authorization request (PAR) instead of passing auth parameters in the path. PAR is a secure way to invoke the authorization code flow. See Integrate login using PAR
- Using a client JWT assertion signed by your private key for authentication. See RFC 7521 (Assertion Framework) and RFC 7523 (JWT Profile for Client Authentication).
- Using strong network-level protection such as mutual TLS (mTLS) with self-signed client certificates, which binds the client authentication and the issued access tokens to the client's certificate. See RFC 8705 (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens).
Mosaic allows you to enforce FAPI 2.0 compliance in client settings—enabling this option ensures a client must be configured and used in accordance with the principles above. For more details on client configuration, see Manage clients.
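The PKCE and PAR principles above, worked through as an added example (not Mosaic's own code or SDK): the client side derives an S256 code challenge and assembles the pushed authorization request body, and the server side applies the checks a FAPI 2.0 authorization server enforces. The client id, redirect URI and request_uri values are constructed placeholders; real values come from your Mosaic client settings, and client authentication (private_key_jwt or mTLS) is sent with the PAR request but is not built here.

```python
import base64
import hashlib
import secrets

# Constructed placeholders; take the real values from your Mosaic client settings.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge). The verifier is 32 random bytes
    encoded as 43 base64url chars; it stays on the client and is only sent to
    the token endpoint, so a stolen authorization code cannot be redeemed."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    return verifier, s256_challenge(verifier)


def par_body(code_challenge: str, state: str, nonce: str, scope: str = "openid") -> dict:
    """Form parameters POSTed to the PAR endpoint (RFC 9126). Because they are
    pushed over the back channel, none of them appear in the browser URL."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }


def check_fapi2_request(par: dict, authz_query: dict) -> list[str]:
    """Server-side checks: PKCE with S256 is mandatory in the pushed request,
    and the front-channel authorization request may carry only client_id and
    the request_uri returned by the PAR endpoint."""
    problems = []
    if not par.get("code_challenge") or par.get("code_challenge_method") != "S256":
        problems.append("PKCE with S256 is required")
    if par.get("response_type") != "code":
        problems.append("only response_type=code is allowed")
    extra = sorted(set(authz_query) - {"client_id", "request_uri"})
    if extra:
        problems.append("parameters must be pushed via PAR, not passed in the query: " + ", ".join(extra))
    if not authz_query.get("request_uri"):
        problems.append("request_uri is required")
    return problems


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Token endpoint check: the presented verifier must hash to the stored challenge."""
    return secrets.compare_digest(s256_challenge(code_verifier), stored_challenge)
```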
Additionally, consider the following safeguards for your applications:
- Enforcing multi-factor authentication to prove the user's identity
- Providing granular access to resources
- Using short-lived tokens for sensitive operations
- Obtaining explicit user consent when externalizing APIs