OpenID Foundation Specifications
2024-10-01

FAPI 2.0 Attacker Model and Security Profile

Abstract: The FAPI 2.0 Security Profile is an API security profile based on the OAuth 2.0 Authorization Framework and related specifications that aims to reach the security goals laid out in the FAPI 2.0 Attacker Model so that it is suitable for protecting APIs in high-value scenarios. It also follows the recommendations in the OAuth Security BCP.

FAPI 2.0 specifies the process for a client to obtain sender-constrained tokens from an authorization server and use them securely with resource servers. The OpenID Foundation FAPI Working Group publishes additional documents that build on this profile as part of the FAPI 2.0 framework.

The security properties of the profile are formally analysed under the FAPI 2.0 Attacker Model referenced above.