Applying FAPI 1.0 Advanced With Akana

FAPI is an important framework, and now you can apply FAPI 1.0 Advanced in the Akana API platform. In this blog, you'll learn what FAPI is, why it matters, and how it works.

What Is FAPI? (Financial-Grade API)

FAPI is a general-purpose high-security API protection profile over OAuth. In its initial version, the profile was explicitly targeting APIs in the financial services domain. Over time, however, it became clear that the profile is equally beneficial to high security requiring APIs in other verticals as well (for example, health, public sector and other verticals that handle sensitive data and, as a result, are often subject to regulation).

As critical business processes increasingly depend on APIs, security has become a focal point of concern. API endpoints and, in particular, the data that they give access to, should be protected from unauthorized access at all times.
Over time, numerous specifications have come into existence that address major security concerns. For example, authorized client access to API endpoints is addressed in the specifications that together constitute the OAuth2.0 framework. Today, OAuth2.0 is widely used, in particular for securing API endpoints that are accessible over the public internet. However, it has become clear that implementing OAuth2.0 does not ensure adequate protection on its own.

Why FAPI Matters

Nowadays, the use of OAuth2.0 is quite common as a means to secure API access, and many will perceive it to provide sufficient protection against unauthorized access.

However, sensitive data may still be exposed to attackers, particularly as a result of misconfiguration. Such misconfiguration can easily result from gaps in the underlying specifications or a misconception of these specifications, as they sometimes leave room for interpretation or allow a choice from multiple alternative approaches without being explicit about the respective pros and cons.

FAPI closes the gaps. Essentially, it does so by explicitly prescribing which elements from the current OAuth/OIDC specifications should (and should not) be used and how they should be used. In other words, it provides a security profile that makes explicit choices and leaves no room for interpretation.

Though FAPI 1.0 formally consists of two parts, Baseline and Advanced, it is the latter which is most significant. FAPI 1.0 Advanced builds on Baseline but is more restrictive, offering a more robust security profile. Hence, FAPI 1.0 Advanced has been adopted far more widely than the Baseline profile.

Applying FAPI 1.0 Advanced significantly improves the protection of API endpoints and the data accessible through them. At the same time, it also improves interoperability (as the profile is like a foundational spec that any implementation should follow).

In the remaining sections of this blog post, when we mention FAPI, we are referring to FAPI 1.0 Advanced by default.

What FAPI Does

Possible attacks that are enabled by an incomplete OAuth2.0 implementation have been published over the years. 

For example, an attacker can hijack a resource owner identity and login to a legitimate website pretending to be that user (Auth Code Injection Attack) to gain unauthorized access to resource owner data.

Also, attackers may get ahold of access tokens, again giving them unauthorized access to data.

More delicate attacks are also possible, e.g., in situations where JWT access tokens are being used without proper validation of the signing algorithm that is presented in the JWT header. The JWT access token, though manipulated by the attacker, may still be accepted by the resource server (and the attacker gains access to the resources).

Such attacks and others are effectively prevented by applying FAPI.

Essentially, to increase the security of OAuth2.0, what FAPI does is:

1. Allow all parties (client, authorization server, resource server) to ensure whether a given message (request, response) is actually coming from the party it is expected to come from, and:
2. Validate whether the message’s integrity (request, response) has not been compromised.

The security implications of using OAuth2.0 with or without FAPI can be illustrated through the following analogy. OAuth2.0 without FAPI is allowing you to buy a ticket for bus or train — but should you lose the ticket, anyone that happens to find it is able to travel legitimately. Applying FAPI, in comparison, is like travelling on an international flight. Not only does purchasing an international flight ticket require you to provide proof of your identity (passport), you will also need to show both your ticket and passport when boarding the plane to have officials confirm your identity and verify you are the rightful owner of the ticket.

Would you prefer anyone with a valid ticket to gain access to your valuable business data, or require further proof?

Does FAPI Matter Outside Financial Services?

While these stringent security measures are currently being leveraged with banking APIs in particular, many other industries could benefit greatly from implementing the FAPI profile.

In the United States, large banking and insurance organizations still struggle with aggregator services and FinTech companies who continue using screen scraping as a means to an end. These larger enterprises have looked at FAPI and open banking as a potential route to greater competition and as a check on risky FinTech organizations.

Healthcare and telecommunications players could likewise benefit, as both of these sectors face heated competition from emerging technology platforms while dealing with sensitive consumer records. By adopting FAPI protocols and prioritizing an API-first methodology, many could speed their market competitiveness by offering similar disruptive services at greater scale.

As a security profile like FAPI gains popularity, one thing is certain: end consumers stand to benefit most. With disruptive startups and established organizations clambering to scale API-first frameworks, the next few years could provide significant market shifts, with end users gaining greater security and access to more advanced products in traditional markets.

How Akana Supports FAPI

With Akana, FAPI is more than a fancy concept. Akana’s current 2024.1.1 release extends support for FAPI 1.0 Advanced — all communication between client and authorization server is now compliant with the profile. What’s more, the implementation in Akana includes just a handful of easy-to-apply steps, as is explained in this video.

Ready to put secure API management software to work in your organization?

Start Free Trial