FAPI

FAPI stands for Financial-grade API, a set of technical specifications developed by the OpenID Foundation. It is designed for highly-regulated industries to ensure secure data sharing and robust authentication in scenarios involving sensitive financial information, such as banking and payment services.

The FAPI 2.0 Security Profile extends the OAuth 2.0 and OIDC protocols with additional requirements that mitigate risks such as phishing, token theft, and unauthorized access. FAPI is primarily used in Open Banking and similar systems where high security and privacy standards are required.

Certification

Mosaic is a certified FAPI 2.0 provider.

To ensure compliance with FAPI in Mosaic, your apps should adhere to industry best practices, including but not limited to these principles:

Mosaic allows you to enforce FAPI 2.0 compliance in client settings. Enabling this option ensures that the client must be configured and used in accordance with the principles above. For more details on client configuration, see Manage clients.

Additionally, consider the following safeguards for your applications:

  • Enforcing multi-factor authentication to prove the user's identity
  • Providing granular access to resources
  • Using short-lived tokens for sensitive operations
  • Obtaining explicit user consent when externalizing APIs
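The following is an added example, not Mosaic's code or part of any FAPI specification, showing how a resource server can enforce two of the safeguards above (short-lived tokens and granular scopes) on an incoming access token. It assumes a hypothetical policy of a 300-second maximum lifetime for sensitive operations, constructed scope names such as `payments:initiate`, and a constructed HS256 demo secret so that the block runs offline; a real FAPI deployment uses asymmetric signatures and sender-constrained tokens, which this illustration does not implement.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret (assumption for this example only); production
# deployments sign tokens with asymmetric keys, never a shared secret.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

# Hypothetical policy: tokens used for sensitive operations may live at most this long.
MAX_LIFETIME_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Create a constructed HS256 JWT for the demonstration (stand-in for the authorization server)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def check_token(token: str, required_scope: str, now: Optional[int] = None,
                secret: bytes = DEMO_SECRET) -> Tuple[bool, str]:
    """Verify the signature, then enforce lifetime and scope policy. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    # Signature check first: unverified claims must never drive a policy decision.
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "bad signature"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "malformed claims"
    for name in ("iat", "exp", "scope"):
        if name not in claims:
            return False, f"missing claim: {name}"
    if now >= claims["exp"]:
        return False, "token expired"
    # Short-lived tokens: reject a token issued with a longer lifetime than policy allows,
    # even if it has not expired yet.
    if claims["exp"] - claims["iat"] > MAX_LIFETIME_SECONDS:
        return False, "token lifetime exceeds policy"
    # Granular access: the operation's specific scope must have been granted.
    scopes = claims["scope"].split() if isinstance(claims["scope"], str) else []
    if required_scope not in scopes:
        return False, f"scope {required_scope!r} not granted"
    return True, "ok"


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"sub": "user-1", "iat": now, "exp": now + 300,
                        "scope": "accounts:read payments:initiate"})
    print(check_token(token, "payments:initiate"))
```

The lifetime check compares `exp` against `iat` rather than only against the clock, so a token that was issued long-lived is rejected at the resource server even while it is still technically valid; the scope check requires the operation-specific scope rather than accepting any broader grant.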