FDX API 5.3
The Financial Data Exchange API 5.3, is an API security profile aligning with FAPI security standard and the insurance industry's ACORD annuity standards published in 2023.
Our implementation of FDX API 5.3 is split into checkpoints, each having multiple checks to confirm whether a particular observation is compliant. This security profile requires you to include your valid MTLS certificate on all the API requests, excluding requests to authorize an endpoint.
No PAR
Checkpoint 1
Authorization Request Checks
These checks only apply to calls classified as sent to or from the Authorization endpoints and will be looking at the request to these endpoints to ensure the correct information is in the query parameters.
Checkpoint 2
Request JWT Schema Checks
These checks only apply to calls classified as sent to or from the Authorization endpoints and will be looking at the request JWT to these endpoints to ensure the correct information is in the headers, parameters, and payload.
Checkpoint 3
Authorization Response Checks
These checks only apply to calls classified as sent to or from the Authorization endpoints and will be looking at the responses from these endpoints to ensure the correct information is in the URL fragments.
Checkpoint 4
id_token JWT Schema Checks
These checks apply to calls classified as sent to or from the Authorization endpoints and the Access Token endpoints and will be looking at the id_token JWT to ensure the correct information is in the payload.
Checkpoint 5
Token Endpoint Request Checks
These checks only apply to calls classified as sent to or from the Access Token endpoints and will be looking at the requests to these endpoints to ensure the correct information is in the headers and parameters and that the correct HTTP method is being used.
Checkpoint 6
Token Endpoint Response Checks
These checks only apply to calls classified as sent to or from the Access Token endpoints and will be looking at the responses from these endpoints to ensure the correct information is in the headers and parameters.
Checkpoint 7
Access Token Validation
These checks apply to calls classified as sent to or from the Access Token endpoints and the Resource server and will be looking at the access_token JWT to ensure the correct information is in the header and payload.
Checkpoint 8
Resource Server Request Checks
These checks only apply to calls classified as sent to or from the Resource server and will be looking at the requests sent to this server to ensure the correct information is in the header.
Checkpoint 9
Resource Server Response Checks
These checks only apply to calls classified as sent to or from the Resource server and will be looking at the responses from this server to ensure the correct information is in the header and the server returns the correct response code.
PAR
The PAR version of FDX API 5.3 follows the same checkpoints as the No PAR version but skips Checkpoint 2 as there is no JWT for calls using this method.
Updated 8 months ago