FAPI-RW-ID2

The Financial-Grade API - Part 2, Read/Write Implementers Draft 2, or FAPI-RW-ID2, is an API security profile published in 2018 and built on the OAuth 2.0 Authorization Framework.

Our implementation of FAPI-RW-ID2 is split into checkpoints, each having multiple checks to confirm whether a particular observation is compliant. This security profile requires you to include your valid MTLS certificate on all API requests, excluding requests to the authorization endpoint. Some checks are currently unavailable because APImetrics cannot yet correlate different API calls with each other.

Checkpoint 1

Token Endpoint Call-1 Checks

For this checkpoint, the checks will be looking at the first call to the Authorization Server's Token endpoint, such as the body containing the correct parameters and that the TLS version is 1.2 or later.
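The following is an added example of the kind of check this checkpoint describes, written for this page and not APImetrics' own code. It assumes a captured token endpoint call is represented as a dict carrying the negotiated TLS version label, whether a client certificate was presented, and the raw form body; the required body parameter names and the sample observations are constructed values.

```python
"""Checkpoint-1 style checks over a captured token endpoint call (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample observations; not captured from any real system.
COMPLIANT_CALL = {
    "url": "https://as.example.test/token",
    "tls_version": "TLSv1.2",
    "client_cert_presented": True,
    "body": "grant_type=client_credentials&scope=accounts",
}

NONCOMPLIANT_CALL = {
    "url": "https://as.example.test/token",
    "tls_version": "TLSv1.1",
    "client_cert_presented": False,
    "body": "scope=accounts",
}

MIN_TLS = (1, 2)  # TLS 1.2 or later, as the checkpoint requires


def parse_tls_version(label: str) -> tuple[int, int]:
    """Turn a label such as 'TLSv1.2' or 'TLSv1.3' into a comparable (major, minor) tuple."""
    if not label.startswith("TLSv"):
        raise ValueError(f"unrecognised TLS label: {label!r}")
    major, minor = label[len("TLSv"):].split(".")
    return int(major), int(minor)


@dataclass
class CheckResult:
    name: str
    passed: bool
    detail: str = ""


def check_token_call(obs: dict, required_params=("grant_type",)) -> list[CheckResult]:
    """Run the three checks and return one result per check (assumed required_params)."""
    results = []

    # 1. TLS version must be 1.2 or later.
    version = parse_tls_version(obs["tls_version"])
    results.append(CheckResult("tls_version", version >= MIN_TLS, obs["tls_version"]))

    # 2. The MTLS client certificate must be presented on the token endpoint.
    results.append(CheckResult("mtls_cert_presented", bool(obs.get("client_cert_presented"))))

    # 3. The form body must carry every required parameter.
    body = parse_qs(obs["body"], keep_blank_values=True)
    missing = [p for p in required_params if p not in body]
    results.append(CheckResult("body_parameters", not missing, ", ".join(missing)))
    return results


def is_compliant(results: list[CheckResult]) -> bool:
    return all(r.passed for r in results)


if __name__ == "__main__":
    for label, obs in (("compliant", COMPLIANT_CALL), ("noncompliant", NONCOMPLIANT_CALL)):
        print(label)
        for r in check_token_call(obs):
            print(f"  {r.name}: {'PASS' if r.passed else 'FAIL'} {r.detail}")
```

Each check is reported individually rather than collapsed into a single pass/fail, which is what lets a report say which requirement an observation missed.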

Checkpoint 2

OpenBanking Intent ID Checks

For this checkpoint, the checks will be looking at the Account endpoint requests to ensure the correct information is in the request headers and bodies, and that the correct HTTP status code is returned.

Checkpoint 3

Authorization Request Checks

For this checkpoint, the checks will be looking at the Authorization endpoint requests to ensure the correct information is present in the parameters and that redirects are pointed to a valid URL.
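As an added example (not APImetrics' code) of the parameter and redirect checks this checkpoint describes, the block below parses a captured authorization request URL, verifies that an assumed set of required parameters is present, and confirms that redirect_uri exactly matches a registered HTTPS URI. The registered allow-list, the required-parameter set and both sample URLs are constructed for illustration.

```python
"""Checkpoint-3 style checks over a captured authorization request (added example)."""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Assumed registered redirect URIs for the client (constructed values).
REGISTERED_REDIRECT_URIS = {"https://tpp.example.test/callback"}

# Parameters the check expects on every authorization request (assumed set).
REQUIRED_PARAMS = ("client_id", "response_type", "redirect_uri", "scope", "state")

# Constructed sample requests: one compliant, one missing state with a bad redirect.
GOOD_REQUEST = (
    "https://as.example.test/authorize?client_id=tpp-1&response_type=code"
    "&redirect_uri=https%3A%2F%2Ftpp.example.test%2Fcallback&scope=openid%20accounts&state=abc123"
)
BAD_REQUEST = (
    "https://as.example.test/authorize?client_id=tpp-1&response_type=code"
    "&redirect_uri=http%3A%2F%2Fevil.example.test%2Fcb&scope=openid%20accounts"
)


def redirect_is_valid(redirect_uri: str, registered: set[str]) -> bool:
    """Exact match against the registered set and HTTPS only; no prefix or wildcard matching."""
    return urlsplit(redirect_uri).scheme == "https" and redirect_uri in registered


def check_authorization_request(url: str, registered=REGISTERED_REDIRECT_URIS) -> dict[str, bool]:
    """Return a named pass/fail result for each check run over the request URL."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    results: dict[str, bool] = {}

    # Every required parameter must be present.
    for name in REQUIRED_PARAMS:
        results[f"param:{name}"] = name in params

    # The redirect target must be a registered HTTPS URI.
    redirect = params.get("redirect_uri", [""])[0]
    results["redirect_uri_valid"] = redirect_is_valid(redirect, registered)

    # OAuth 2.0 forbids sending the same parameter more than once.
    results["no_duplicate_params"] = all(len(values) == 1 for values in params.values())
    return results


def failures(results: dict[str, bool]) -> list[str]:
    """Names of the checks that did not pass."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    for label, url in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, failures(check_authorization_request(url)) or "all checks passed")
```

The redirect check deliberately uses exact string matching against the registered set; accepting prefixes or path variants is the usual way a redirect check is weakened in practice.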

Checkpoint 4

Authorization Response Checks

For this checkpoint, the checks will be looking at the Authorization endpoint responses to ensure the correct information is present in the headers and payloads.

Checkpoint 5

Access Token Request Checks

For this checkpoint, the checks will be looking at the Access Token requests to ensure the correct information is present in the parameters.

Checkpoint 6

Access Token Response Checks

For this checkpoint, the checks will be looking at the Access Token responses to ensure the correct information is present in the parameters.

Checkpoint 7

Resource Server Checks

For this checkpoint, the checks will be looking at the Resource Server to ensure the correct information is present in the headers.