FDX API 5.3

The Financial Data Exchange API 5.3 is an API security profile that aligns with the FAPI security standard and with the insurance industry's ACORD annuity standards published in 2023.

Our implementation of FDX API 5.3 is split into checkpoints, each containing multiple checks that confirm whether a particular observed call is compliant. This security profile requires you to present your valid mTLS certificate on all API requests, excluding requests to the authorization endpoint.

No PAR

Checkpoint 1

Authorization Request Checks

These checks only apply to calls classified as sent to or from the Authorization endpoints and will be looking at the request to these endpoints to ensure the correct information is in the query parameters.

Checkpoint 2

Request JWT Schema Checks

These checks only apply to calls classified as sent to or from the Authorization endpoints and will be looking at the request JWT to these endpoints to ensure the correct information is in the headers, parameters, and payload.

Checkpoint 3

Authorization Response Checks

These checks only apply to calls classified as sent to or from the Authorization endpoints and will be looking at the responses from these endpoints to ensure the correct information is in the URL fragments.

Checkpoint 4

id_token JWT Schema Checks

These checks apply to calls classified as sent to or from the Authorization endpoints and the Access Token endpoints and will be looking at the id_token JWT to ensure the correct information is in the payload.

Checkpoint 5

Token Endpoint Request Checks

These checks only apply to calls classified as sent to or from the Access Token endpoints and will be looking at the requests to these endpoints to ensure the correct information is in the headers and parameters and that the correct HTTP method is being used.

Checkpoint 6

Token Endpoint Response Checks

These checks only apply to calls classified as sent to or from the Access Token endpoints and will be looking at the responses from these endpoints to ensure the correct information is in the headers and parameters.

Checkpoint 7

Access Token Validation

These checks apply to calls classified as sent to or from the Access Token endpoints and the Resource server and will be looking at the access_token JWT to ensure the correct information is in the header and payload.
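As an added illustration of the kind of JWT schema check Checkpoints 4 and 7 describe (this is example code written for this page, not the profile's own check implementation), the snippet below splits a compact JWS into its header and payload and reports schema findings. The algorithm allowlist, the required-claim sets, the sample tokens and the fixed clock are all assumptions constructed for the example; the page does not list the exact fields the checkpoints inspect. Signature verification is deliberately out of scope here, so a passing result only means the header and payload are shaped as expected.

```python
import base64
import json
import time

# Assumed constraints for this added example (not the page's check list):
# a FAPI-style JWS algorithm allowlist and minimal required-claim sets.
ALLOWED_ALGS = {"PS256", "ES256"}
ID_TOKEN_REQUIRED = {"iss", "sub", "aud", "exp", "iat", "nonce"}
ACCESS_TOKEN_REQUIRED = {"iss", "sub", "aud", "exp", "iat", "scope"}


def _b64url_decode(segment):
    # JWS segments drop base64 padding; restore it before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token):
    """Return (header, payload) dicts from a compact JWS. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWS segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def check_jwt_schema(token, required_claims, expected_aud, now=None):
    """Return a list of findings; an empty list means the schema checks passed."""
    now = time.time() if now is None else now
    findings = []
    try:
        header, payload = split_jwt(token)
    except (ValueError, json.JSONDecodeError) as exc:
        return [f"malformed token: {exc}"]
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        findings.append(f"header alg {alg!r} not in allowed set {sorted(ALLOWED_ALGS)}")
    if header.get("typ") not in (None, "JWT", "at+jwt"):
        findings.append(f"unexpected typ {header.get('typ')!r}")
    missing = required_claims - payload.keys()
    if missing:
        findings.append(f"missing claims: {sorted(missing)}")
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        findings.append(f"aud {aud!r} does not include {expected_aud!r}")
    exp = payload.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        findings.append("token expired")
    iat = payload.get("iat")
    if isinstance(iat, (int, float)) and iat > now + 60:
        findings.append("iat is in the future")
    return findings


def make_unsigned_sample(header, payload):
    """Build a constructed sample token with a placeholder signature segment for offline use."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed-signature-placeholder"),
    ])


NOW = 1_700_000_000  # fixed clock so the results are repeatable

# Constructed sample tokens; the issuer, client and claim values are made up.
GOOD_ID_TOKEN = make_unsigned_sample(
    {"alg": "PS256", "typ": "JWT", "kid": "example-kid"},
    {"iss": "https://as.example", "sub": "user-1", "aud": "client-123",
     "exp": NOW + 300, "iat": NOW, "nonce": "n-0S6_WzA2Mj"},
)

BAD_ACCESS_TOKEN = make_unsigned_sample(
    {"alg": "HS256", "typ": "at+jwt"},
    {"iss": "https://as.example", "sub": "user-1", "aud": "https://rs.example",
     "exp": NOW - 10, "iat": NOW - 600},
)

if __name__ == "__main__":
    print(check_jwt_schema(GOOD_ID_TOKEN, ID_TOKEN_REQUIRED, "client-123", now=NOW))
    print(check_jwt_schema(BAD_ACCESS_TOKEN, ACCESS_TOKEN_REQUIRED, "https://rs.example", now=NOW))
```

Running the block reports no findings for the constructed id_token and three for the constructed access token (a disallowed `alg`, a missing `scope` claim and an expired `exp`). Returning a list of findings rather than a single pass/fail mirrors how a checkpoint groups several checks against one observed call.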

Checkpoint 8

Resource Server Request Checks

These checks only apply to calls classified as sent to or from the Resource server and will be looking at the requests sent to this server to ensure the correct information is in the header.

Checkpoint 9

Resource Server Response Checks

These checks only apply to calls classified as sent to or from the Resource server and will be looking at the responses from this server to ensure the correct information is in the header and the server returns the correct response code.

PAR

The PAR version of FDX API 5.3 follows the same checkpoints as the No PAR version but skips Checkpoint 2 as there is no JWT for calls using this method.