FAPI 2.0

The Financial-Grade API 2.0 (FAPI 2.0) is an API security profile built on the OAuth 2.0 Authorization Framework. It is currently still in draft form, with the most recent update in 2024.

Our implementation of FAPI 2.0 is split into checkpoints, each with multiple checks that confirm whether a particular observation is compliant. This documentation covers compliance using the DPoP security mechanism only; APImetrics is currently working on implementing the MTLS checks for a future release.

Checkpoint R1

Network Layer Checks

For this checkpoint, the checks look at the network layer: whether your TLS certificate carries the correct information and whether the requests use HTTPS.

APImetrics is currently working on implementing the MTLS checks for a future release.

Checkpoint R2

Authentication Token Checks

For this checkpoint, the checks look at your authentication tokens, such as the DPoP and Authorization headers, to confirm they carry the correct information.

A few additional checks from the original FAPI 2.0 documentation are not included here, as they are covered by other checkpoints in the APImetrics FAPI 2.0 conformance check.

Checkpoint R3

DPoP Proof JWT Checks

For this checkpoint, the checks will be looking at your DPoP headers and payloads to ensure that the correct information is present.

We have combined the original Section 8 of the FAPI 2.0 documentation with this checkpoint, since we can currently verify DPoP conformance only. APImetrics is currently working on implementing the MTLS checks for a future release.

Checkpoint R4 & R5

Access Token JWT Checks

For these checkpoints, the checks will be looking at the headers and payloads of your JWT access tokens to ensure the correct information is present.

Checkpoint R6

Access Token JWT Signature Validation

For this checkpoint, the checks look at the headers and payloads of your JWT access tokens to ensure the correct information is present.

APImetrics performs a simplified version of the original FAPI 2.0 guidelines because we do not obtain the public keys from your application; obtaining them would significantly degrade the performance of the conformance checks.

For the same reason, we also do not perform the final check on the JWT header or JWT payload.

Checkpoint R8

Access Token Hash Check

For this checkpoint, the check will be looking at the access token to ensure the correct information is present.
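As an added example (not APImetrics' own code), the following Python shows the kind of structural checks checkpoints R3 and R8 describe: it inspects a DPoP proof JWT's header and payload and recomputes the access token hash. It assumes the header and claim names of RFC 9449 (typ, alg, jwk; jti, htm, htu, iat, ath) and the FAPI 2.0 signing algorithms (PS256, ES256); like the simplified check above, it does not verify the signature, and the sample proof it builds is constructed.

```python
# Added example, not APImetrics' code: structural checks on a DPoP proof JWT and
# its access-token hash (checkpoints R3 and R8). Names follow RFC 9449; the
# allowed algorithms follow FAPI 2.0. The signature is deliberately not verified.
import base64
import hashlib
import json

ALLOWED_ALGS = {"PS256", "ES256"}          # FAPI 2.0 permits only these
REQUIRED_CLAIMS = {"jti", "htm", "htu", "iat"}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def access_token_hash(access_token: str) -> str:
    # ath = base64url(SHA-256(access token)), RFC 9449 section 4.2
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest())

def check_dpop_proof(proof: str, method: str, url: str, access_token: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    parts = proof.split(".")
    if len(parts) != 3:
        return ["proof is not a three-part compact JWS"]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    findings = []
    if header.get("typ") != "dpop+jwt":
        findings.append("header typ must be dpop+jwt")
    if header.get("alg") not in ALLOWED_ALGS:
        findings.append("header alg must be PS256 or ES256")
    jwk = header.get("jwk")
    if not isinstance(jwk, dict) or "d" in jwk:   # must be a public key only
        findings.append("header jwk missing or contains a private component")
    for claim in sorted(REQUIRED_CLAIMS - set(payload)):
        findings.append(f"payload missing claim {claim}")
    if payload.get("htm") != method:
        findings.append("htm does not match the HTTP method")
    if payload.get("htu") != url:                   # htu carries no query/fragment
        findings.append("htu does not match the request URL")
    if payload.get("ath") != access_token_hash(access_token):
        findings.append("ath does not match SHA-256 of the access token")
    return findings

def make_unsigned_proof(header: dict, payload: dict) -> str:
    # Constructed sample builder: empty signature segment, as signatures are not checked here.
    return ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, payload)) + "."
```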