FAPI 2.0
The Financial-Grade API 2.0, FAPI 2.0, is an API security profile based on the OAuth 2.0 Authorization Framework, currently still in draft form with the newest update in 2024.
Our implementation of FAPI 2.0 is split into checkpoints, each having multiple checks to confirm whether a particular observation is compliant. This piece of documentation will only focus on compliance using the DPoP security mechanism however, APImetrics is currently working on implementing the MTLS checks for the future.
Checkpoint R1
Network Layer Checks
For this checkpoint, the checks will be looking at the network layer, such as your TLS certificate for the correct information and if the requests are using HTTPS.
APImetrics is currently working on implementing the MTLS checks for the future.
Checkpoint R2
Authentication Token Checks
For this checkpoint, the checks will look at your authentication tokens, such as your DPoP and Authorization headers for the correct information.
In the original FAPI 2.0 documentation, a few additional checks are not included here as these will be checked in different checkpoints in the APImetrics FAPI 2.0 conformance check.
Checkpoint R3
DPoP Proof JWT Checks
For this checkpoint, the checks will be looking at your DPoP headers and payloads to ensure that the correct information is present.
We have combined the original Section 8 of the FAPI 2.0 documentation with this checkpoint since we can only verify DPoP conformance. APImetrics is currently working on implementing the MTLS checks for the future.
Checkpoint R4 & R5
Access Token JWT Checks
For these checkpoints, the checks will be looking at the headers and payloads of your JWT access tokens to ensure the correct information is present.
Checkpoint R6
Access Token JWT Signature Validation
For these checkpoints, the checks will be looking at the headers and payloads of your JWT access tokens to ensure the correct information is present
APImetrics completes a simplified version of the original FAPI 2.0 guidelines as we do not obtain the public keys from your application. Obtaining the public key would significantly degrade the performance of the conformance checks.
We also do not complete the final check for the JWT header or JWT payload for the same reason as stated above.
Checkpoint R8
Access Token Hash Check
For this checkpoint, the check will be looking at the access token to ensure the correct information is present.
Updated 8 months ago