What is the difference between FAPI 1.0 and FAPI 2.0?

FAPI 2.0 is a significant security upgrade. Key changes: FAPI 2.0 requires DPoP or mTLS token binding (FAPI 1.0 allowed bearer tokens); FAPI 2.0 mandates PAR (FAPI 1.0 allowed query parameter authorization requests); FAPI 2.0 simplifies the profile structure from Advanced/Baseline to a single security profile. Fiskil implements FAPI 2.0.

How long does FAPI certification take?

With Fiskil, the technical implementation takes 1–2 weeks. Running the conformance test suite and generating the certification report takes another 2–3 days. The total timeline from decision to certification is typically 3–4 weeks, compared to 6–12 months for custom implementations.

How complex is mTLS management?

Fiskil handles mTLS complexity entirely. Certificate issuance, rotation, revocation, and chain validation are automated. You configure the policy (validity period, key size, rotation schedule) and Fiskil manages the operational details. Partners receive certificates through the onboarding portal.

What is the performance impact of FAPI 2.0?

FAPI 2.0 adds approximately 20–40ms of latency to each request for mTLS handshake, DPoP verification, and request object validation. The PAR flow adds one additional round trip (typically 50–100ms) but this occurs only during initial authorization, not on every data request.

Is FAPI 2.0 backward compatible with FAPI 1.0?

FAPI 2.0 is not directly backward compatible, but Fiskil supports running both profiles simultaneously during migration. Existing FAPI 1.0 clients continue to work while new clients onboard on FAPI 2.0. You can set a migration deadline after which FAPI 1.0 is deprecated.

Which regulations require FAPI?

Australia's CDR mandates FAPI 2.0 for all data holders and recipients. Brazil's Open Finance requires FAPI. The UK's Open Banking uses a FAPI-based security profile. The US Section 1033 references FAPI security standards. PSD3 in Europe is expected to adopt FAPI 2.0. Even without a mandate, FAPI is considered best practice for financial data sharing.

Can we use our own certificate authority?

Yes. Fiskil supports three CA options: Fiskil-managed CA (simplest), your enterprise CA (most control), or a third-party CA like DigiCert or Let's Encrypt (for compatibility with existing PKI). The CA choice doesn't affect FAPI compliance—all options meet the specification requirements.

How are DPoP keys managed?

DPoP keys are generated and managed by the client application (not by Fiskil). Each client generates an asymmetric key pair and includes a proof-of-possession JWT with every token request. Fiskil verifies the proof against the client's public key. This design means clients control their own keys without sharing private key material.

Third-Party Applications

FAPI 2.0 Security

Data Provider

FAPI 2.0 Security for Third-Party Data Sharing

Standard OAuth 2.0 wasn't designed for financial-grade data sharing. FAPI 2.0 addresses the security gaps with mTLS, signed requests, and token binding—but implementing it from scratch takes 6–12 months of specialized security engineering. Fiskil Data Provider comes pre-certified, so you get FAPI 2.0 security without the implementation burden.

Standard OAuth 2.0 Isn't Enough for Financial Data

Standard OAuth 2.0 lacks the security properties required for financial-grade data sharing. FAPI 2.0 is the answer, but implementing it from scratch requires deep cryptographic expertise and months of engineering effort.

—
mTLS certificate management is operationally complex with rotation, revocation, and chain validation
—
Signed request objects require cryptographic key management infrastructure
—
DPoP (Demonstration of Proof-of-Possession) implementation lacks standard libraries in most ecosystems
—
PAR (Pushed Authorization Requests) adds latency and complexity to authorization flows
—
FAPI conformance testing requires specialized expertise and access to conformance test suites

Pre-Certified FAPI 2.0 Infrastructure

Fiskil Data Provider includes a pre-certified FAPI 2.0 security layer with managed mTLS, request signing, DPoP token binding, and Pushed Authorization Requests. No custom cryptographic implementation required.

Capabilities

Key Capabilities

Managed mTLS

Full mutual TLS certificate lifecycle management including issuance, rotation, revocation, and chain validation. Certificates are provisioned automatically for registered partners and rotated on configurable schedules without service interruption.

Request Object Signing

Automatic signing and verification of OAuth request objects using your choice of RS256, PS256, or ES256 algorithms. Key management is handled by Fiskil, including rotation, backup, and hardware security module integration where required.

DPoP Token Binding

DPoP (Demonstration of Proof-of-Possession) implementation that binds access tokens to the requesting client's cryptographic key. Prevents token theft and replay attacks, which is required by FAPI 2.0 for financial-grade security.

Pushed Authorization Requests (PAR)

PAR endpoint that accepts authorization requests as authenticated POST requests instead of URL query parameters. Eliminates request parameter leakage, supports large request payloads, and provides request object integrity validation.

Implementation

Implementation Guide

Enabling FAPI 2.0 security on Fiskil Data Provider typically takes 1–2 weeks, primarily for certificate configuration and conformance testing.

Enable FAPI Profile

Activate the FAPI 2.0 security profile on your Fiskil Data Provider instance. This enables all FAPI-required security features: mTLS, signed request objects, DPoP, and PAR. Non-FAPI endpoints continue to work normally during the transition.

Configure mTLS Certificates

Set up the mTLS certificate authority. Choose between Fiskil-managed CA, your own enterprise CA, or a third-party CA. Configure certificate policies including validity period, key size requirements, and revocation check mechanisms.

Set Up PAR Endpoint

Configure the Pushed Authorization Request endpoint. Set request lifetime, maximum request size, and supported grant types. Test the PAR flow with your registered applications to verify correct operation.

Verify with Conformance Suite

Run the FAPI 2.0 conformance test suite against your configured endpoints. Fiskil provides a built-in conformance runner that tests all FAPI 2.0 requirements and generates a certification report. Address any failures before enabling production traffic.

Features

Key Features

Certificate Lifecycle Management

Automated certificate issuance, renewal, and revocation for all mTLS connections. Supports OCSP stapling and CRL distribution for real-time revocation checking.

Request Signing Service

Centralized request signing service that handles key management, algorithm selection, and signature verification. Supports RS256, PS256, and ES256 signing algorithms.

Token Binding Enforcement

Automatic enforcement of DPoP token binding on all data access requests. Tokens without valid proof-of-possession are rejected, preventing token theft and replay attacks.

PAR Server

High-availability PAR server that accepts authenticated authorization requests. Supports request object encryption, lifetime management, and one-time-use enforcement.

Conformance Test Suite

Built-in FAPI 2.0 conformance test runner that validates your configuration against the full FAPI 2.0 specification. Generate certification-ready reports with one command.

Security Event Monitoring

Real-time monitoring of security events including certificate failures, signature verification errors, DPoP violations, and suspicious access patterns. Integrates with your existing SIEM.

"Partnering with Fiskil on our open data needs has been a game-changer for us in delivering and maintaining our data holder solution."

Fahad Liaqat at Pacific Blue

Executive Manager Operations and New Markets

FAQs

Explore More Use Cases

AI Data Access

Auth0 Integration

Combine Auth0 identity management with Fiskil Data Provider for enterprise-grade AI data sharing. FAPI 2.0 security, consent management, and audit trails on top of your existing Auth0 infrastructure.

Open Banking

Auth0 Data Holder

Transform your Auth0-powered institution into a compliant open banking data holder. Customer authentication stays with Auth0; Fiskil adds FAPI 2.0 data sharing, consent management, and regulatory reporting.

Open Banking

Compliance Automation

Automate ongoing open banking compliance with regulatory reporting, audit trail management, standard auto-updates, and compliance dashboard. Significantly reduce compliance costs with Fiskil Data Provider.

Get started today

Talk to us about what you're building and we'll show you how we can help.

Speak with a Fiskil integration expert today

Loading Contact Form...