Authorization Basics

3 mins read

Financial-grade API Security Profile Overview

Get familiar with Financial-grade API Security Profile (FAPI): what it is and why it is important. Learn when it should be used and when you have to comply to its rules. Find out how Cloudentity can help you protect your APIs in a FAPI-compliant way.

FAPI in a Nutshell

Financial-grade API (FAPI) is a highly secured OAuth profile that provides specific implementation guidelines that aim to improve the security and interoperability of your APIs. It is more strict than traditional OAuth and OIDC profiles. FAPI compliance is also an important factor for all participants of the Open Banking environments, such as Open Banking UK, Open Banking Brazil, and more.

Cloudentity FAPI Compliance

Cloudentity is an certified financial-grade API (FAPI) OpenID provider.

Its compliant with the FAPI 1.0 guidelines on how to:

  • Obtain OAuth tokens in a secure manner for access to protected data

  • Use OIDC to identify the user

  • Use tokens to access REST APIs

FAPI 1.0 Compliant Flow

sequenceDiagram participant id1 as User participant id2 as Client application participant id3 as Cloudentity participant id4 as API id1->>id2: Access id2->>id3: Authorization request note right of id2: The authorization request must contain a request object. JWT-secured response can be requested. id3->>id3: Verify the request id3->>id1: Display consent note left of id3: If no authorization scope is to be granted, consent page is skipped id1->>id3: Give consent id3->>id2: Authorization code id2->>id3: Token request note right of id2: Client authentication must be made with the use of mTLS and client certificates id3->>id3: Verify the request id2->>id3: Certificate-bound access token id2->>id4: Request API note right of id2: Request should include the certificate-bound token and the client certificate id4->>id2: Respond
  1. The user tries to access the application.

  2. The client redirects the user to the authorize endpoint.


    The request must include a request object either using the request parameter or the request_uri parameter. FAPI requires the request objects to be signed with either PS256 or ES256 signing algorithm.

  3. Cloudentity authenticates the user and displays a consent screen if there is an authorization scope to be granted.

  4. The user gives their consent.

  5. Cloudentity issues an authorization code.


    After Cloudentity generates the authorization code, Cloudentity is redirected to the redirection endpoint configured for the registered client. The client must have at least one registered redirection URI. If there are multiple registered redirection URIs, the request to the authorize endpoint must always include the redirect_uri parameter.

  6. The client requests authentication to the token endpoint using authorization code provided in the previous step.


    The client application must be configured to use any of the mutual TLS client authentication methods.

  7. Cloudentity validates the request.

  8. Cloudentity returns a certificate-bound access token.


    Having certificate-bound access tokens ensures that only a client that has the private key corresponding to the client’s certificate can access the resources. The binding of an access token to the client’s certificate prevents the resources from being accessed with the use of stolen tokens.

  9. The client requests protected resources from the resource server and submits the certificate-bound token it received in the previous step.

  10. The resource server validates the token and responds the requested resources.

Cloudentity Compliance in Depth

Cloudentity’s authorization servers (workspaces) can be configured to be fully compliant with FAPI’s guidelines for authorization servers. Additionally, while creating a workspace you can choose one of the preconfigured workspace profiles that already are FAPI compliant: Open Banking UK, Open Banking Brazil, CDR Australia, and Fintech and mission-critical applications.

Enabling FAPI

To make your workspace FAPI compliant, you should:

Updated: Jul 19, 2022