Financial-grade API (FAPI)
The Financial-grade API (FAPI) specifications, developed by the OpenID Foundation, define strict security requirements for OAuth 2.0 and OpenID Connect flows in financial and high-risk environments. FAPI compliance ensures that applications securely handle sensitive data, prevent token theft, mitigate replay attacks, and comply with industry standards for financial APIs.
WSO2 Identity Server implements FAPI 1.0 – Advanced to help organizations achieve secure, standards-compliant API access.
To create a FAPI-compliant application, refer to the guide on registering a FAPI-compliant application.
FAPI 1.0 – Advanced compliance features
WSO2 Identity Server fully supports the FAPI 1.0 Advanced Security Profile:
- Mandatory Signed Request Objects: Requests can be passed by value (request) or by reference (request_uri) for enhanced security.
- JWT Secured Authorization Response Mode (JARM): Authorization responses are returned as signed JWTs to ensure authenticity.
- Client Authentication: Supports confidential clients using mutual TLS and Private Key JWT.
- Sender-Constrained Access Tokens: Access tokens are bound to clients with mutual TLS (mTLS).
- Secure Token Handling: Access and refresh tokens are issued and validated according to FAPI 1.0 Advanced security requirements.
These features protect financial API interactions against interception, forgery, and replay attacks.
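The signed request object is the feature most worth seeing end to end. The Go program below is an added illustration, not code from WSO2 Identity Server or its documentation: it builds a FAPI 1.0 Advanced request object on the client side, signs it with ES256, and then performs the checks an authorization server applies before honouring it. Only an asymmetric algorithm is accepted (an alg of none or an HMAC alg is refused), the signature must verify, the required claims must be present, aud must equal the server's issuer, and exp may be no more than 60 minutes after nbf. The issuer URL, client_id and redirect_uri are constructed placeholders, and the signing key is generated in-process rather than being resolved from a registered JWKS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed identifiers; a deployment uses its WSO2 Identity Server issuer URL and assigned client_id.
const issuer, clientID = "https://as.example.test/oauth2/token", "fapi-client-001"
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildRequestObject assembles the claims of a FAPI 1.0 Advanced request object; every
// authorization parameter travels inside the signed JWT, so the AS can detect tampering.
func BuildRequestObject(nbf time.Time, lifetime time.Duration, nonce, state string) map[string]any {
	return map[string]any{
		"iss": clientID, "client_id": clientID, "aud": issuer,
		"response_type": "code id_token", "scope": "openid accounts",
		"redirect_uri": "https://client.example.test/cb", // constructed
		"nonce": nonce, "state": state,
		"nbf": nbf.Unix(), "exp": nbf.Add(lifetime).Unix(),
	}
}

// SignES256 produces the JWS compact serialization with the client's key (its public JWK is registered with the AS).
func SignES256(claims map[string]any, key *ecdsa.PrivateKey) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64([]byte(`{"alg":"ES256"}`)) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// VerifyRequestObject applies the checks an AS performs before honouring a FAPI request object:
// allowed asymmetric alg, valid signature, required claims, aud == AS issuer, exp at most 60 min after nbf.
func VerifyRequestObject(token string, pub *ecdsa.PublicKey, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	var hdr map[string]any
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr["alg"] != "ES256" { // FAPI 1.0 Advanced allows PS256 or ES256 only; "none" and HMAC are refused
		return nil, fmt.Errorf("alg %v not permitted", hdr["alg"])
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("signature invalid")
	}
	var claims map[string]any
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	for _, c := range []string{"iss", "aud", "exp", "nbf", "nonce", "redirect_uri", "response_type", "scope", "client_id"} {
		if _, ok := claims[c]; !ok {
			return nil, fmt.Errorf("missing claim %q", c)
		}
	}
	if claims["aud"] != issuer {
		return nil, errors.New("aud is not this authorization server")
	}
	nbf, okN := claims["nbf"].(float64) // JSON numbers decode as float64
	exp, okE := claims["exp"].(float64)
	if t := float64(now.Unix()); !okN || !okE || t < nbf || t >= exp || exp-nbf > 3600 {
		return nil, errors.New("nbf/exp invalid: outside window or exp more than 60 minutes after nbf")
	}
	return claims, nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, _ := SignES256(BuildRequestObject(time.Now(), 5*time.Minute, "n-1", "s-1"), key)
	_, err := VerifyRequestObject(tok, &key.PublicKey, time.Now())
	fmt.Println("request object accepted:", err == nil)
}
```

PS256 is equally permitted by the profile and is omitted here only to keep the block short. A production verifier resolves the client's public key from its registered JWKS by the signing key's kid instead of receiving it as a parameter, and it checks the same claims again once the request object has been fetched by request_uri.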
WSO2 Identity Server undergoes continuous security reviews and updates. Compliance with the latest FAPI specifications is verified with every release. Cryptographic algorithms and frameworks are updated to meet industry standards. New security features and compliance enhancements are integrated without disrupting existing deployments.
Organizations deploying WSO2 Identity Server can confidently achieve FAPI 1.0 Advanced compliance, protecting financial data, reducing operational risk, and simplifying regulatory adherence.