What's New in FAPI 2.0: The Future of Open Banking Security
by Opendata Consult Ltd
With the ratification of FAPI 2.0 in early 2025, the OpenID Foundation has delivered a major update to the standards underpinning secure financial APIs. Building on the success of FAPI 1.0, this new version brings clarity, flexibility, and broader applicability for Open Banking ecosystems worldwide.
On 19 February 2025, the FAPI Working Group announced that FAPI 2.0 had been formally approved as a final specification. You can read the official announcement on the OpenID Foundation's FAPI Working Group page.
For fintech developers, architects, and compliance leads, FAPI 2.0 marks a significant shift. It rethinks some of the assumptions baked into earlier versions and introduces clearer guidance for modern app architectures, including native apps and decoupled clients.
From Profiles to Levels
FAPI 1.0 had two distinct profiles: read-only and read-write. FAPI 2.0 replaces those profiles with two security levels, giving implementers more flexibility and composability.
- FAPI 2.0 Baseline - covers secure, read-only data access with strong integrity and confidentiality guarantees.
- FAPI 2.0 Advanced - includes requirements for initiating payments or high-risk transactions, with stronger client authentication and sender-constrained tokens.
The two-level approach allows implementers to apply just the right level of security for each use case - without over-engineering or under-protecting their flows.
Support for Non-Browser Clients
FAPI 1.0 was largely browser-centric. FAPI 2.0 explicitly supports non-browser clients, such as mobile apps and IoT systems, enabling safer native experiences and improved support for decoupled authorisation.
This is a critical improvement for Open Banking ecosystems where user interactions may happen across multiple channels. It also better aligns with mobile-first banking use cases.
Cleaner, Sharper, More Future-Proof
FAPI 2.0 includes a number of refinements aimed at simplifying developer adoption. It eliminates ambiguity, aligns terminology with OAuth 2.1, and introduces better defaults. Some of the key changes include:
- Stronger alignment with OAuth 2.0 Security Best Current Practice
- Support for DPoP (Demonstrating Proof of Possession) sender-constrained tokens
- Improved handling of signed requests and encrypted response objects
The result is a specification that's easier to implement securely - and more adaptable to future innovation, including OpenID Federation and Decentralised Identity (DID).
A Formal Attacker Model for Real-World Threats
One of the significant additions accompanying FAPI 2.0 is the introduction of an explicit attacker model. This model outlines the types of threats that the specifications are designed to defend against, providing a formal foundation for implementers, auditors, and security teams.
The FAPI 2.0 Attacker Model focuses on powerful network-level adversaries capable of intercepting, modifying, or injecting messages - including compromised clients, malicious users, and replay-capable attackers.
By clearly documenting assumptions and known threat vectors, the attacker model helps align implementations with real-world risks. It also improves auditability and assurance by making it easier to reason about whether a deployment meets the required security guarantees.
This represents a shift from vague threat discussions to precise, testable assertions - a crucial step forward for regulated fintech ecosystems where liability, consumer protection, and risk modelling are all tightly interlinked.
Looking Ahead
FAPI 2.0 won't replace FAPI 1.0 overnight. Many regulatory frameworks still mandate or recommend the original profiles. But over the coming year, expect guidance from market bodies, regulators, and standards groups to shift toward the cleaner, modular approach of FAPI 2.0.
For new projects, adopting FAPI 2.0 from the outset offers a streamlined, standards-aligned path. For existing ones, a phased migration strategy may be needed. Either way, the future of secure financial APIs just got a lot more manageable.