
Why FAPI is the Backbone of Secure Open Banking
by Opendata Consult Ltd
Open Banking has reshaped how consumers and institutions interact with financial data. At the heart of this transformation lies the need for secure, interoperable APIs that can handle sensitive information without compromise. Enter FAPI—the Financial-grade API—a security profile developed by the OpenID Foundation specifically to meet the demands of high-risk financial data exchange.
In this article, we explore why FAPI is essential for Open Banking, what problems it solves, and how it enhances the security posture of any fintech implementation.
What is FAPI?
The Financial-grade API (FAPI) is a profile layered on top of OAuth 2.0 and OpenID Connect. While OAuth provides the basic framework for authorisation, FAPI defines a concrete, secure way to implement it in environments where data sensitivity and financial risk are high—like banking, payments, and investment platforms.
FAPI 1.0 is split into two profiles:
- Read-Only Profile – for securely accessing financial data (e.g. account information).
- Read-Write Profile – for initiating actions like payments, transfers, or standing orders.
These profiles include strict requirements that harden OAuth against common threats and elevate trust between parties.
Core Features That Make FAPI Secure
FAPI introduces a set of security mechanisms to reduce risks like token leakage, replay attacks, and impersonation. Some of the key features include:
- PKCE for public clients – prevents authorisation code interception in mobile and browser-based apps.
- Mutual TLS (mTLS) or Private Key JWT authentication – ensures that only legitimate, pre-registered clients can use tokens.
- JWT-secured authorisation requests (JAR) – protects against tampering by allowing signed authorisation requests.
- ID token validation – ensures tokens have not been forged or modified, enabling secure user identity confirmation.
- Non-reusable, sender-constrained access tokens – tokens bound to a client or device that cannot be replayed elsewhere.
These features, combined with strict validation and logging expectations, help ensure trust, non-repudiation, and minimal attack surface across financial APIs.
Why FAPI is Critical for Open Banking
Traditional OAuth 2.0 is flexible but permissive—perfect for social media logins, but too loose for high-value transactions or data access. FAPI imposes discipline where OAuth leaves room for interpretation. This is especially important in regulated ecosystems, where uniformity and compliance are as critical as security itself.
In the UK, Brazil, Australia, and many other Open Banking ecosystems, FAPI has become the de facto standard. It’s a cornerstone of security frameworks like UK Open Banking and Open Finance Brasil. Without it, third-party providers (TPPs) and banks cannot interoperate safely at scale.
The Arrival of FAPI 2.0
As of Q1 2025, the OpenID Foundation has formally ratified FAPI 2.0, marking a significant milestone in the maturity of API security for financial services. FAPI 2.0 consolidates previous lessons, simplifies terminology, and introduces new profiles for more modern use cases like decoupled flows and non-browser clients.
While FAPI 1.0 remains widely used and supported, the future is moving toward a leaner, more modular FAPI 2.0 approach. We’ll cover the key changes and migration considerations in a separate article.