FAPI 1.0 Advanced is the OpenID Foundation security profile that defines how to secure financial-grade APIs using OAuth 2.0 and OpenID Connect.
The Financial-grade API (FAPI) 1.0 Advanced Profile is a security specification published by the OpenID Foundation's FAPI Working Group. It defines a highly secured OAuth 2.0 profile designed to protect financial-grade APIs from common attack vectors including authorisation code injection, token replay, and man-in-the-middle attacks.
FAPI 1.0 Advanced builds on the FAPI 1.0 Baseline profile and adds: signed request objects (JAR), so that the authorisation request parameters cannot be altered while they pass through the user's browser; sender-constrained (proof-of-possession) access tokens, bound to the client's TLS certificate with mutual TLS (RFC 8705), so that a stolen token cannot be replayed from another connection; confidential client authentication by mutual TLS or private_key_jwt only; and a signed authorisation response, delivered either as JARM (JWT-Secured Authorisation Response Mode) or through the OpenID Connect hybrid flow (response_type code id_token) with the s_hash claim binding the ID token to the state. DPoP is not part of FAPI 1.0 Advanced; it was introduced as an alternative to mutual TLS in FAPI 2.0. Together these measures protect API access even when the network path or the user agent is under attack.
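Two of the checks described above, as an added example in plain Python rather than code from Fiskil or the OpenID Foundation: an authorisation server validating the claims of a signed request object against the FAPI 1.0 Advanced constraints (the JWS signature is assumed to have been verified already against the client's registered keys), and a resource server confirming that an MTLS sender-constrained access token is bound to the certificate on the current TLS connection. The issuer URL, client identifier, clock value and certificate bytes are constructed for the example and are not real.

```python
"""Added example (not Fiskil or OpenID Foundation code).

validate_request_object(): checks the claims of a FAPI 1.0 Advanced request
object *after* its JWS signature has been verified elsewhere.
token_bound_to_cert(): the RFC 8705 check a resource server performs on an
MTLS sender-constrained access token.
"""
import base64
import hashlib
import hmac
import json

FAPI_MAX_LIFETIME = 60 * 60  # exp may be at most 60 minutes after nbf
FAPI_MAX_NBF_AGE = 60 * 60   # nbf may be at most 60 minutes in the past
REQUIRED_CLAIMS = ("client_id", "redirect_uri", "response_type", "scope",
                   "nonce", "aud", "exp", "nbf")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JOSE and RFC 8705."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_request_object(claims: dict, issuer: str, client_id: str, now: int) -> list:
    """Return the FAPI 1.0 Advanced violations found in a request object's claims.

    An empty list means the object passed every check implemented here.
    """
    problems = [f"missing claim: {n}" for n in REQUIRED_CLAIMS if n not in claims]
    if problems:
        return problems
    if claims["client_id"] != client_id:
        problems.append("client_id does not match the authenticated client")
    aud = claims["aud"]
    if issuer not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain the issuer identifier")
    exp, nbf = int(claims["exp"]), int(claims["nbf"])
    if exp - nbf > FAPI_MAX_LIFETIME:
        problems.append("exp is more than 60 minutes after nbf")
    if now - nbf > FAPI_MAX_NBF_AGE:
        problems.append("nbf is more than 60 minutes in the past")
    if now >= exp:
        problems.append("request object has expired")
    if now < nbf:
        problems.append("request object is not yet valid")
    rt = claims["response_type"]
    hybrid = set(rt.split()) == {"code", "id_token"}
    jarm = rt == "code" and claims.get("response_mode") == "jwt"
    if not (hybrid or jarm):
        problems.append("response_type must be 'code id_token', or 'code' with response_mode=jwt")
    return problems


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def token_bound_to_cert(token_claims: dict, presented_cert_der: bytes) -> bool:
    """Accept the token only if cnf.x5t#S256 matches the presented client certificate.

    A token without a cnf claim is not sender-constrained and is rejected,
    since FAPI 1.0 Advanced servers shall only issue sender-constrained tokens.
    """
    expected = (token_claims.get("cnf") or {}).get("x5t#S256")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


# --- constructed sample data (assumed values, not from any real deployment) ---
ISSUER = "https://as.example-bank.test"
CLIENT_ID = "tpp-12345"
NOW = 1_700_000_000  # fixed clock so the example is deterministic

GOOD_REQUEST = {
    "iss": CLIENT_ID, "client_id": CLIENT_ID, "aud": ISSUER,
    "redirect_uri": "https://tpp.example.test/cb",
    "response_type": "code id_token", "scope": "openid accounts",
    "nonce": "n-0S6_WzA2Mj", "state": "af0ifjsldkj",
    "nbf": NOW - 60, "exp": NOW + 600,
}
# Same object but with a two-hour lifetime, which FAPI forbids.
LONG_LIVED_REQUEST = dict(GOOD_REQUEST, exp=NOW + 2 * 3600)

CLIENT_CERT_DER = b"constructed-der-bytes-standing-in-for-the-client-certificate"
OTHER_CERT_DER = b"constructed-der-bytes-for-a-different-certificate"
BOUND_TOKEN = {"sub": "user-1", "scope": "accounts",
               "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}


def demo() -> dict:
    return {
        "good_request": validate_request_object(GOOD_REQUEST, ISSUER, CLIENT_ID, NOW),
        "long_lived_request": validate_request_object(LONG_LIVED_REQUEST, ISSUER, CLIENT_ID, NOW),
        "token_from_right_connection": token_bound_to_cert(BOUND_TOKEN, CLIENT_CERT_DER),
        "token_replayed_elsewhere": token_bound_to_cert(BOUND_TOKEN, OTHER_CERT_DER),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The token check is where sender-constraining actually bites: a bearer token copied out of a log or a compromised client is useless unless the attacker can also complete the TLS handshake with the private key of the certificate whose thumbprint sits in the cnf claim. In a real deployment the DER bytes come from the TLS layer's peer-certificate accessor, and the request-object check runs only after the JWS signature has been verified against the client's registered JWKS.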
The profile has been adopted as the security foundation for open banking standards worldwide, including the UK Open Banking Standard, Australia's CDR Information Security Profile, Brazil's Open Finance security profile, and Saudi Arabia's Open Banking Framework. It is also referenced in the Berlin Group's security guidance.
FAPI 2.0, the next generation of the specification, simplifies the security model while maintaining the same level of protection: it replaces the signed request object with a mandatory Pushed Authorization Request (PAR), requires PKCE, keeps mutual TLS or private_key_jwt for client authentication, and allows DPoP as an alternative to mutual TLS for sender-constraining access tokens, with message signing (including JARM) moved into a separate optional profile. The FAPI 2.0 Security Profile became a Final Specification in 2025 and is expected to supersede FAPI 1.0 in new implementations over the coming years.
7 countries currently implement this standard.
Fiskil helps financial institutions, fintechs, and enterprises around the world deliver a successful open finance program.
© Fiskil 2026. All rights reserved.