How OAuth Has Evolved: A Journey from Simplicity to Security

by Opendata Consult Ltd

In the ever-changing world of fintech, security and user experience are paramount. One technology at the heart of both is OAuth—a standard that governs how applications access user data securely. If you’re building or using financial APIs, understanding how OAuth has evolved is essential.

What is OAuth?

OAuth (Open Authorization) is a widely-used protocol that allows users to grant limited access to their resources on one site (like a bank or identity provider) to another site (like a fintech app), without sharing their credentials.

OAuth 1.0: The Beginning

OAuth 1.0 offered a secure alternative to basic authentication but was complex and hard to implement. It used digital signatures and required each API call to be signed, which led to confusion and poor developer experience.

In fintech, OAuth 1.0 was rarely adopted at scale due to its cryptographic complexity and lack of standardisation across providers.

OAuth 2.0: Simplicity Wins

Released in 2012, OAuth 2.0 became the de facto standard. It introduced the concept of access tokens, refresh tokens, and scopes, and supported various flows for different types of clients (e.g., web apps, mobile apps, server-side apps).

OAuth 2.0 prioritised developer usability over strict cryptographic security, allowing broader adoption across fintech and Open Banking ecosystems. It also paved the way for integrations with identity layers like OpenID Connect (OIDC).

FAPI and Modern OAuth in Fintech

As fintech grew more security-conscious, especially with Open Banking regulations, OAuth had to become more robust. Enter the Financial-grade API (FAPI) standards from the OpenID Foundation.

FAPI builds on OAuth 2.0 and introduces:

  • Mutual TLS (mTLS)
  • JWT-secured authorisation requests (JAR)
  • PKCE for public clients
  • ID token validation
  • Proof-of-possession tokens

These enhancements significantly reduce the risk of token theft and replay attacks—critical for fintech applications that deal with sensitive financial data.
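As an added example (not code from the original post), here is the PKCE binding that FAPI requires for public clients, worked through end to end: the client derives an S256 `code_challenge` from a random `code_verifier`, and a constructed in-memory stand-in for the authorisation server checks the verifier at token exchange and refuses a replayed authorisation code. The `AuthServer` class and its method names are assumptions for illustration, not any provider's API.

```python
# Added example: authorization-code flow with PKCE (RFC 7636, S256 method).
# AuthServer is a constructed stand-in, not a real provider's implementation.
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    return b64url(secrets.token_bytes(32))


def make_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Stores the challenge alongside the issued code; verifies at /token."""

    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # pop() makes the code single-use: a replay, or a second try after a
        # failed verification, finds nothing to redeem.
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        owner, expected = entry
        if owner != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        # A stolen code is useless without the verifier that produced the challenge.
        if not hmac.compare_digest(make_challenge(code_verifier), expected):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}
```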

OAuth Today: Federation and Beyond

The next chapter for OAuth includes Federated Identity, Decentralised Identity (DID), and OAuth 2.1, which consolidates best practices and removes insecure flows like the implicit grant.

Leading fintechs are implementing Dynamic Client Registration (DCR), Rich Authorisation Requests (RAR), and JWT Secured Authorisation Response Mode (JARM)—features that provide fine-grained control and auditability.