A complete guide to FAPI profiles, certification, and compliance - and why they matter for securing high-stakes APIs in banking, fintech, healthcare, and beyond.

The Ultimate FAPI Guide: Standards, Certification & Compliance for Secure APIs

In this guide, you’ll explore what FAPI is, the differences between FAPI 1.0 and FAPI 2.0, how certification works, and why enterprises are adopting it beyond banking.

What Is FAPI?

FAPI (Financial-grade API) is a family of security and interoperability profiles developed by the OpenID Foundation's FAPI Working Group. Rather than inventing new standards, it constrains how proven ones - OAuth 2.0, OpenID Connect (OIDC), and the RFCs built around them - must be implemented in high-assurance environments, removing the optionality that makes a generic OAuth deployment easy to get wrong.

Put simply, FAPI sets the rules for how APIs should handle:

  • Authorization - who can access what.

  • Authentication - proving client and server identities.

  • Data exchange - ensuring confidentiality, integrity, and non-repudiation.

Despite the name, FAPI is not only for banks. While born out of Open Banking, it is now used to secure APIs across a wide range of industries, including:

  • Healthcare APIs - protecting patient records, digital identity, and health data exchanges.

  • Energy & utilities - enabling secure smart meter, billing, and customer data APIs in regulated markets.

  • Government services - national ID systems, benefits platforms, and cross-agency data sharing.

  • Payment processors and card networks - issuers and acquirers exposing APIs for clearing, settlement, or tokenized card payments.

  • Digital wallets and super-apps - ensuring secure connections between wallets, merchants, and embedded finance providers.

  • Remittances and cross-border payments - safeguarding integrity of transfers and anti-fraud compliance.

  • Insurance and insurtech platforms - onboarding brokers or partners through secure APIs handling high-risk claims and policy data.

  • Corporate treasury & B2B payment hubs - powering liquidity, FX, trade finance, and ERP integrations.

  • Fintech APIs - such as payroll, expense management, and embedded credit.

At its core, FAPI removes reliance on static API keys and shared client secrets. Instead, it requires:

  • Asymmetric client authentication - mutual TLS (mTLS) client certificates or signed JWT assertions (private_key_jwt), so a client proves possession of a private key rather than presenting a copyable secret.

  • Sender-constrained (proof-of-possession) access tokens - bound to the client's certificate or DPoP key, so a stolen token cannot be used without the matching private key.

  • Message-level signatures - where an ecosystem requires them, signed requests and responses that give integrity and non-repudiation beyond what TLS alone provides.

If your APIs handle sensitive, regulated, or high-value data, FAPI is the profile you can’t afford to ignore.

Why FAPI Matters Today

The digital economy runs on APIs, but most are dangerously under-protected.

  • A 2025 API Security Profile revealed that 84% of organisations outside regulated ecosystems still rely on static API keys or basic authentication. Once leaked, such a secret grants the same access as the legitimate caller until someone notices and rotates it, because nothing binds it to the party presenting it.

  • Attackers increasingly target API connections for fraud, data theft, and credential replay.

  • Regulators now expect certificate-bound, auditable security, not patchwork fixes.

For banks, fintechs, and enterprises, FAPI provides:

  • Stronger Security - protection against token theft and replay, authorisation code injection, mix-up attacks, and client impersonation, the threats FAPI's attacker model is written against.

  • Faster Onboarding - a consistent profile that reduces integration complexity.

  • Compliance Readiness - adopting FAPI aligns your authorisation server with the security foundations of PSD2, PCI DSS 4.0, or CFPB 1033. For example, PCI DSS requires credential rotation; FAPI’s certificate-based model provides the cryptographic trust layer that makes this easier to enforce.

  • Interoperability Across Ecosystems - FAPI certification ensures APIs align with global best practices. While ecosystems may adopt FAPI 1.0, 2.0, or add profiles like Message Signing, FAPI conformance reduces the cost of adapting to each.

In short: FAPI turns API access from a risk into a framework of trust.

FAPI Standards: 1.0 vs 2.0

FAPI has evolved significantly. Here’s what you need to know.

FAPI 1.0 Overview

FAPI 1.0 introduced multiple profiles:

  • Baseline (Read-Only API Security Profile) - for lower-risk, read-only access; permits public clients, with PKCE.

  • Advanced (Read-Write API Security Profile) - for higher-risk access such as payment initiation; requires signed request objects (JAR), sender-constrained tokens, and either the hybrid flow or JARM to protect the authorisation response.

  • CIBA (Client Initiated Backchannel Authentication) - a companion profile for decoupled flows in which the user authenticates on a separate device.

Where it’s used:

  • UK Open Banking

  • Berlin Group (EU)

  • Financial Data Exchange (FDX, US)

  • Australia’s Consumer Data Right

Challenge: While robust, FAPI 1.0 introduced additional implementation steps. Features such as JAR (JWT-Secured Authorization Request, RFC 9101) and JARM (JWT Secured Authorization Response Mode) deliver strong guarantees of integrity and authenticity, but every signed object has to be built, signed, and validated exactly: key selection, algorithm restrictions, expiry, audience, and issuer checks. Without the right tools, this is where implementations most often go wrong.

How Raidiam Helps: Platforms like Raidiam Connect simplify this process by providing the infrastructure to handle JAR, JARM, and certificate-based flows seamlessly, allowing teams to benefit from strong security without needing deep cryptographic expertise.

FAPI 2.0 Overview

FAPI 2.0 modernises and consolidates the model:

  • Security Profile - the baseline: Pushed Authorisation Requests (PAR), PKCE with S256, asymmetric client authentication (mTLS or private_key_jwt), and sender-constrained tokens (via mTLS certificate binding or DPoP).

  • Message Signing Profile - adds non-repudiation with signed authorisation requests (JAR), signed authorisation responses (JARM), and HTTP message signatures on resource requests and responses.

Key changes compared to 1.0:

  • Confidential clients only - public clients such as single-page apps are no longer permitted, because they cannot hold a private key and so can neither authenticate nor have tokens bound to them.

  • PAR as the request mechanism - the client posts the full authorisation request to the authorisation server over its authenticated back channel and receives a short-lived request_uri; the browser redirect then carries only client_id and request_uri, so the request parameters are never exposed to, or modifiable in, the front channel. JAR and JARM remain relevant: if an ecosystem needs signed request and response payloads, they are used alongside PAR under the Message Signing Profile.

  • Mandatory PKCE (S256) - defeats authorisation code interception and injection.

  • Explicit attacker model - FAPI 2.0 is written against a published attacker model and has been formally analysed against it, which makes threat modelling and compliance arguments concrete rather than implicit.
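As an added example (not code from this page or from Raidiam), the following Go program walks through the PKCE and PAR mechanics the bullets above describe: the client generates a code_verifier and its S256 challenge, builds the form it would POST to the PAR endpoint over its authenticated back channel, and constructs the front-channel redirect that carries only client_id and request_uri; the authorisation-server side then checks the verifier at the token endpoint. The endpoint URLs, client identifier and request_uri value are constructed placeholders, and the PAR HTTP call itself is not made; the point is what crosses each channel and what the server must verify.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// NewCodeVerifier returns a fresh, high-entropy code_verifier (RFC 7636 allows
// 43..128 characters; 32 random bytes base64url-encode to exactly 43).
func NewCodeVerifier() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// CodeChallengeS256 computes BASE64URL(SHA256(ASCII(code_verifier))), the only
// challenge method FAPI 2.0 permits.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// PARBody is the form the client POSTs to the pushed authorisation request
// endpoint over its authenticated back channel (mTLS or private_key_jwt).
func PARBody(clientID, redirectURI, scope, challenge string) url.Values {
	return url.Values{
		"response_type":         {"code"},
		"client_id":             {clientID},
		"redirect_uri":          {redirectURI},
		"scope":                 {scope},
		"code_challenge":        {challenge},
		"code_challenge_method": {"S256"},
	}
}

// AuthorizeURL builds the front-channel redirect. Only client_id and the
// request_uri minted by the PAR endpoint travel through the browser; scope,
// redirect_uri and the challenge never appear in the URL.
func AuthorizeURL(authorizeEndpoint, clientID, requestURI string) string {
	q := url.Values{"client_id": {clientID}, "request_uri": {requestURI}}
	return authorizeEndpoint + "?" + q.Encode()
}

// PushedRequest is what the authorisation server stored under the request_uri
// and later associates with the authorisation code it issued.
type PushedRequest struct {
	ClientID  string
	Challenge string
	Method    string
}

// VerifyTokenRequest is the authorisation server's check at the token endpoint:
// the authenticated client must be the one that pushed the request, the method
// must be S256, and SHA-256(code_verifier) must equal the stored challenge.
func VerifyTokenRequest(stored PushedRequest, clientID, verifier string) error {
	if stored.ClientID != clientID {
		return errors.New("authorisation code was issued to a different client")
	}
	if stored.Method != "S256" {
		return errors.New("code_challenge_method must be S256")
	}
	if n := len(verifier); n < 43 || n > 128 {
		return errors.New("code_verifier length outside RFC 7636 bounds")
	}
	if subtle.ConstantTimeCompare([]byte(CodeChallengeS256(verifier)), []byte(stored.Challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	challenge := CodeChallengeS256(verifier)
	// Client side: push the full request; the request_uri below stands in for the
	// value a real PAR response would return (constructed for this demo).
	fmt.Println("POST /par:", PARBody("tpp-123", "https://tpp.example/cb", "accounts", challenge).Encode())
	requestURI := "urn:ietf:params:oauth:request_uri:example-opaque-handle"
	fmt.Println("redirect:", AuthorizeURL("https://as.example/authorize", "tpp-123", requestURI))
	// Server side: what was stored under that request_uri is checked at /token.
	stored := PushedRequest{ClientID: "tpp-123", Challenge: challenge, Method: "S256"}
	fmt.Println("legitimate client:", VerifyTokenRequest(stored, "tpp-123", verifier))
	fmt.Println("attacker with intercepted code:", VerifyTokenRequest(stored, "tpp-123", "attacker-guess-of-verifier-xxxxxxxxxxxxxxxxxxxxxxx"))
}
```

The verifier comparison is constant-time and the "plain" method is rejected outright; both are cheap, and the second is what separates a FAPI 2.0 token endpoint from a generic OAuth one. Note also that the client-identity check comes first: a code injected from another client's session fails before PKCE is even consulted.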

While FAPI 2.0 standardises around PAR, many large-scale ecosystems such as Open Banking UK and Open Finance Brazil continue to rely on JAR and JARM for their proven integrity and assurance. In practice, ecosystems may adopt either model, and Raidiam Connect supports both, removing the complexity while maintaining full compliance.

Result: FAPI 2.0 broadens adoption by making high-assurance security easier to achieve while recognising that JAR and JARM remain essential in regulated deployments.

FAPI 1.0 vs 2.0: Quick Comparison

Feature                   | FAPI 1.0                          | FAPI 2.0                                   | Why It Matters
--------------------------|-----------------------------------|--------------------------------------------|---------------------------------------------------------
Client Types              | Public and Confidential           | Confidential only                          | Removes weaker clients
Profiles                  | Baseline, Advanced, CIBA          | Security, Message Signing                  | Simpler, fewer profiles
Request Security          | JAR (JWT requests)                | PAR (Pushed Requests); JAR optional        | Easier to implement; JAR/JARM can still enhance integrity
Response Security         | JARM (JWT responses)              | Code-only response; JARM optional          | Improved privacy
PKCE                      | Optional or required, by profile  | Mandatory (S256)                           | Stronger by default
Sender-Constrained Tokens | mTLS                              | mTLS or DPoP                               | DPoP easier to adopt
Message Signing           | Advanced only                     | Optional add-on profile                    | Flexible for different use cases
Complexity                | Higher                            | Lower                                      | Developer-friendly


Bottom line:
If you are starting fresh, adopt FAPI 2.0 for simplicity and forward compatibility.

FAPI Security: Core Components

FAPI enforces defence-in-depth by mandating proven cryptographic mechanisms:

Mutual TLS (mTLS)

During the TLS handshake both parties present X.509 certificates, so the server is authenticated as usual and the client application proves its identity with a certificate and its private key rather than a static secret. The same handshake gives the authorisation server the certificate it binds access tokens to.

What is an mTLS certificate? It is an X.509 certificate issued to a server or a client application by a certificate authority the ecosystem trusts. Each certificate is unique and revocable, and it is only usable by whoever holds the matching private key, which is what makes it a significant upgrade over a static API key that anyone who copies it can present.

Sender-Constrained Tokens

Access tokens are bound to the client that requested them: the token's cnf claim carries either the SHA-256 thumbprint of the client's mTLS certificate (x5t#S256, RFC 8705) or the thumbprint of its DPoP public key (jkt, RFC 9449). A resource server checks that the caller presents the matching certificate on the TLS connection, or a freshly signed DPoP proof, before honouring the token. An intercepted token therefore cannot be replayed from another client or device.
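To make the binding concrete, here is an added Go example (not Raidiam's code and not taken from the FAPI specifications) that implements both sides of a DPoP-bound token check using only the standard library: the client signs an ES256 DPoP proof over the request method and URI, and the resource server verifies the proof under the key it carries and compares that key's RFC 7638 thumbprint with the token's cnf.jkt. The mTLS variant is the same comparison with base64url(SHA-256(certificate DER)) against cnf["x5t#S256"]. Key pairs, the API URL and the attacker scenario are constructed for the demonstration; a real resource server would additionally check the jti against a replay cache and the ath claim that ties the proof to the presented access token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// ECJWK is the public key a client embeds in its DPoP proof header.
type ECJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// NewClientKey generates the client's P-256 key pair (in practice held in an HSM or secure store).
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func JWKFromKey(pub *ecdsa.PublicKey) ECJWK {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return ECJWK{Kty: "EC", Crv: "P-256", X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}
}

// Thumbprint is the RFC 7638 JWK thumbprint (SHA-256 of the required members in
// lexicographic order, no whitespace); the authorisation server issues it as cnf.jkt.
func (k ECJWK) Thumbprint() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"%s","kty":"%s","x":"%s","y":"%s"}`, k.Crv, k.Kty, k.X, k.Y)))
	return b64.EncodeToString(sum[:])
}

// NewDPoPProof builds the JWT sent in the DPoP header (RFC 9449): ES256 with a
// raw r||s signature, naming the method and URI the token is about to be used for.
func NewDPoPProof(key *ecdsa.PrivateKey, method, uri string) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti)
	h, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": JWKFromKey(&key.PublicKey)})
	c, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": uri, "iat": time.Now().Unix()})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyDPoPBinding is the resource server's check: the proof must verify under the
// key it carries, match this method and URI, be fresh, and that key's thumbprint
// must equal the cnf.jkt in the access token.
func VerifyDPoPBinding(proof, method, uri, cnfJKT string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed DPoP proof")
	}
	var hdr struct{ Typ, Alg string; JWK ECJWK } // encoding/json matches keys case-insensitively
	var clm struct{ Htm, Htu string; Iat int64 }
	hb, e1 := b64.DecodeString(parts[0])
	cb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil || json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &clm) != nil {
		return errors.New("undecodable DPoP proof")
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK.Crv != "P-256" || len(sig) != 64 {
		return errors.New("unexpected typ, alg, curve or signature length")
	}
	xb, _ := b64.DecodeString(hdr.JWK.X)
	yb, _ := b64.DecodeString(hdr.JWK.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("DPoP proof signature invalid")
	}
	if skew := time.Now().Unix() - clm.Iat; clm.Htm != method || clm.Htu != uri || skew < -60 || skew > 60 {
		return errors.New("DPoP proof is for a different request or outside the acceptance window")
	}
	if hdr.JWK.Thumbprint() != cnfJKT {
		return errors.New("token is bound to a different key: replay from another client")
	}
	return nil
}

func main() {
	keyA, _ := NewClientKey() // legitimate client; the token's cnf.jkt names this key
	keyB, _ := NewClientKey() // attacker who holds only the stolen token string
	jkt, uri := JWKFromKey(&keyA.PublicKey).Thumbprint(), "https://api.bank.example/accounts"
	proofA, _ := NewDPoPProof(keyA, "GET", uri)
	proofB, _ := NewDPoPProof(keyB, "GET", uri)
	fmt.Println("legitimate client:", VerifyDPoPBinding(proofA, "GET", uri, jkt))
	fmt.Println("stolen token, attacker key:", VerifyDPoPBinding(proofB, "GET", uri, jkt))
}
```

Note that the attacker's proof does not fail on the signature: it is perfectly valid under their own key. What defeats them is the thumbprint comparison against cnf.jkt, which is why the authorisation server must issue the binding and the resource server must enforce it; if either side skips that step the token is a bearer token again.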

Message Signing Profile

Provides transaction integrity and non-repudiation. Every sensitive message or payment request can be signed with the sender's private key, so the receiver can prove it has not been altered and the sender cannot later deny originating it. TLS alone does not give this: it protects the channel, not the individual message, and leaves no evidence once the connection closes.

Together, these mechanisms create trustworthy, auditable, and regulator-ready APIs.

FAPI Compliance & Certification

What Is FAPI Compliance?

FAPI compliance means that your authorisation server conforms to the OpenID Foundation's FAPI profiles (1.0 or 2.0). The server supports and enforces all required security measures, including asymmetric client authentication (mTLS or private_key_jwt), sender-constrained tokens, PKCE, and, where the Message Signing Profile is adopted, message signing.

What Is FAPI Certification?

FAPI certification is a formal conformance testing programme run by the OpenID Foundation. An organisation can submit its authorisation server or platform for testing. Passing demonstrates that the system enforces FAPI requirements correctly and consistently, allowing the organisation to display the “FAPI Certified” mark – a trusted assurance for regulators, partners, and customers.

With Raidiam Assure, this process becomes faster and simpler. Assure provides automated conformance and interoperability testing to validate that your platform meets FAPI requirements before official certification.

Within Raidiam Connect, certification becomes operational. Participants can upload their proof of certification into the directory, ensuring that only certified servers and clients are permitted to exchange data. This transforms certification from a one-time milestone into an active, verifiable layer of ecosystem trust.

Why Certification Matters

  • Banks - demonstrate compliance to regulators and auditors with a globally recognised benchmark.

  • Fintechs - prove to partners that your platform enforces high-assurance security without ad hoc reviews.

  • Enterprises - reduce risk exposure, strengthen your security posture, and enhance partner confidence when handling sensitive data.

In regulated industries, FAPI certification is rapidly becoming a requirement for participation and trust.

FAPI in Open Banking and Beyond

Why FAPI?

When regulators, central banks, and industry consortia designed Open Banking frameworks, they faced a challenge: enabling mass API access at national scale while maintaining bank-grade security.

Traditional methods such as API keys, VPNs, or shared secrets were inadequate because they:

  • Could be stolen and replayed (no proof-of-possession).

  • Did not guarantee the identity of the calling party.

  • Lacked interoperability across hundreds of institutions.

  • Were hard to audit and enforce consistently.

FAPI addressed these issues in a standardised, interoperable profile:

  • Certificate-based authentication (mTLS, PKI) replaces weak secrets, ensuring only verified clients can call APIs.

  • OAuth 2.0 and OpenID Connect foundations ensure global alignment with widely used standards.

  • Consent and data minimisation controls help enforce least-privilege access.

  • Cryptographic non-repudiation (message signing) creates a tamper-proof audit trail.

Where It’s Proven

  • UK Open Banking - the first national trust framework built on FAPI, now a global reference model. 

  • Brazil’s Open Finance - 940+ institutions onboarded, more than 100 billion API calls in 2024, secured by FAPI.

  • Australia’s Consumer Data Right (CDR) - FAPI at the centre of cross-industry data sharing.

  • Healthcare in Norway - FAPI 2.0 securing patient data and healthcare APIs, demonstrating adoption beyond finance.

  • Insurance and Telecoms - regulators extending FAPI to insurance and communications data-sharing frameworks, such as Brazil’s Open Insurance.

FAPI is becoming the universal profile for high-assurance APIs, offering a proven balance of scalability, interoperability, and strong security.

API Security Report:

Helping Enterprises Recognize and Address Critical Risks

Based on a comprehensive study of 68 enterprises, this report uncovers widespread gaps in API security that most teams aren’t even aware of. 


How Raidiam Helps You Get FAPI Right

Raidiam Connect delivers everything you need to achieve and operationalise FAPI compliance without integration overhead:

  • Fully FAPI-certified platform (1.0 and 2.0) - ready to deploy against the latest profiles.

  • Mutual TLS (mTLS) and sender-constrained tokens - built-in certificate-bound authentication ensures every connection is verifiable and tokens cannot be replayed.

  • Embedded PKI - no external certificate authority required; certificate issuance, rotation, and revocation are fully automated.

  • Directory, Authorisation Server and Policy Engine in one - integrated, standards-first architecture.

  • JAR and JARM support - secure both client requests (JAR) and authorisation server responses (JARM) to strengthen message integrity and reduce attack surfaces.

  • Self-service onboarding - partners can register, obtain certificates, and rotate credentials automatically.

  • Trusted at scale - proven in UK Open Banking and Brazil Open Finance (27 million customers, over 100 billion API calls).

With Raidiam, you do not just meet FAPI requirements – you operationalise mTLS, sender-constrained tokens, and secure message flows from day one.

→ Request a demo of Raidiam Connect by clicking here.

Conclusion: FAPI as the Future of API Trust

APIs form the backbone of digital business, but without robust security, they can also become the weakest link.

FAPI is the recognised profile for securing high-stakes APIs, ensuring:

  • Stronger security through cryptographic, certificate-based trust.

  • Simplified compliance with international regulations.

  • Interoperability across industries and jurisdictions.

Whether you are a bank, fintech, or enterprise API provider, adopting FAPI - particularly FAPI 2.0 - is the clearest path to trust, compliance, and competitive advantage.

With Raidiam Connect, you gain a proven, FAPI-certified trust platform already powering the world’s largest data-sharing ecosystems.

Next Step: Ready to secure your APIs with FAPI? Book a free trial.

Explore Raidiam Connect