FAPI 2.0

FAPI 2.0 is an API security profile based on the OAuth 2.0 framework suitable for protecting APIs in high-value scenarios.

The core FAPI functionality is split into two documents, with a third that describes the attacker model

• FAPI 2.0 Security Profile
• FAPI 2.0 Message Signing
• FAPI 2.0 Attacker Model

Specifications Refrenced by FAPI

• RFC 6749 - OAuth 2.0 Framework
• RFC 6750 - OAuth 2.0 Bearer Token Usage
• RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7523 - JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7636 - Proof Key for Code Exchange
• RFC 7662 - OAuth 2.0 Token Introspection
• RFC 8252 - OAuth 2.0 for Native Apps BCP
• RFC 8414 - OAuth 2.0 Authorization Server Metadata
• RFC 8705 - Mutual TLS Client Authentication and Certificate-Bound Access Tokens
• RFC 8725 - JSON Web Token Best Practices
• RFC 9101 - JWT Secured Authorization Request (JAR)
• RFC 9126 - Pushed Authorization Requests (PAR)
• RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification
• DPoP - Demonstrating Proof-of-Possession at the Application Layer
• JWT Response for OAuth Token Introspection
• RFC 9421 - HTTP Message Signatures
• RFC 9530 - HTTP Digest Headers
• JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)

More resources

• Exploring Financial-Grade API (FAPI) with Torsten (Identity Unlocked Podcast)
• FAPI 2.0: Security Profile (Simpler Security, Yes!) (Raidiam)
• All OpenID FAPI Working Group Drafts