DPoP, PKCE, and mTLS: Modern OAuth Defences Demystified 2 June 2025 • by Opendata Consult Ltd Introduction OAuth 2.0 has long been the backbone of secure API access. But as threats evolved, so did the defences. Whether you're a fintech developer, an identity architect, or just someone who's been burned by a bad token design, understanding how to bind, constrain, and protect tokens is key.
Read more →Dynamic Client Registration in Open Banking: UK, Brasil, and FDX Compared Dynamic Client Registration (DCR) is a key component of Open Banking infrastructure, allowing fintechs and banks to onboard securely and automatically. But not all implementations are created equal. Here's how the UK, Brazil, and FDX differ.
Read more →Understanding Optional SSAs in FDX: DCR with and without Software Statements In the world of Dynamic Client Registration (DCR), one acronym tends to trip up even experienced implementers: SSA. While Open Banking specs like the UK's and Brazil's mandate Software Statement Assertions, the FDX spec takes a different approach—SSAs are optional.
Read more →The End of the Implicit Flow: Why OAuth 2.1 Matters for Modern Apps 28 March 2025 • by Opendata Consult Ltd In the world of web security, it's not often that deprecating a feature is cause for celebration. But with OAuth 2.1, that's exactly what's happening. The removal of the implicit flow is one of the most significant and welcome changes in the evolution of OAuth — especially for those building modern, secure fintech apps.
Read more →OAuth has come a long way since its early days. In this article, we explore its evolution from OAuth 1.0 to OAuth 2.0, the rise of FAPI, and what fintech developers need to know about securing APIs in the age of Open Banking and decentralised identity.
Read more →👋 Enjoyed the article?
Book a Call with Us