FAPI (Financial-grade API) is widely misunderstood. The post addresses seven common misconceptions. FAPI is a security profile layered on OAuth 2.0 (and compatible with OAuth 2.1), not a new protocol. Its scope extends beyond finance to e-Health, e-Signing, and government services. FAPI 2.0 is a complete redesign rather than an incremental update: it drops the OIDC Hybrid Flow used by FAPI 1.0 in favour of a hardened Authorization Code Flow. OAuth 2.1 does not make FAPI redundant, since FAPI 2.0 mandates what OAuth 2.1 only recommends (sender-constrained access tokens, for example) and is backed by a formal attacker model and security analysis. FAPI 2.0 requires confidential clients, so a browser or mobile app cannot be a FAPI client on its own, but it can still participate through patterns like Backend for Frontend, where a server-side component holds the client credentials. Finally, Pushed Authorization Requests (PAR) are mandatory in FAPI 2.0 not merely to shorten URLs but to move the authorization parameters (redirect_uri, scope, state, PKCE challenge) off the browser-visible front channel into an authenticated back-channel request over TLS, so they can neither be read nor tampered with on the way to the authorization server.
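To make the PAR point concrete, here is an added example (not code from the auth0 post or any product) that models both sides of a FAPI 2.0-style pushed authorization request in one process so it runs offline. The endpoint URL, client name and redirect URI are hypothetical, and the client authentication that FAPI 2.0 requires on the back channel (mTLS or private_key_jwt) is represented by an already-authenticated client identifier passed into the PAR handler. The server side enforces the rules that give PAR its security value: PAR is mandatory, the request_uri is single-use and short-lived, and the front channel may carry nothing beyond client_id and request_uri.

```python
# Added example: a FAPI 2.0-style Pushed Authorization Request (PAR) exchange,
# client and authorization server modelled in-process so it runs offline.
# Hypothetical endpoint and names; not code from the auth0 post or any product.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://as.example/authorize"   # assumed front-channel endpoint
REQUEST_URI_TTL = 60                                # seconds; RFC 9126 asks for short lifetimes


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ToyAuthorizationServer:
    """Minimal AS enforcing the PAR-related FAPI 2.0 rules: PAR is mandatory,
    request_uri values are single-use and short-lived, and only client_id and
    request_uri are accepted on the front channel."""

    def __init__(self, clients):
        self.clients = clients      # client_id -> {"redirect_uris": [...]}
        self.pushed = {}            # request_uri -> (client_id, params, expiry)

    def par(self, authenticated_client_id, params):
        # authenticated_client_id stands for the identity the back channel
        # established via mTLS or private_key_jwt (the only methods FAPI 2.0
        # allows); the transport layer is out of scope, so it is passed in.
        client = self.clients.get(authenticated_client_id)
        if client is None or params.get("client_id") != authenticated_client_id:
            raise PermissionError("invalid_client")
        if params.get("response_type") != "code":
            raise ValueError("invalid_request: only the authorization code flow is allowed")
        if params.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("invalid_request: unregistered redirect_uri")
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            raise ValueError("invalid_request: PKCE with S256 is required")
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(24)
        self.pushed[request_uri] = (authenticated_client_id, dict(params),
                                    time.time() + REQUEST_URI_TTL)
        return {"request_uri": request_uri, "expires_in": REQUEST_URI_TTL}

    def authorize(self, url):
        """Handle the front-channel request exactly as the browser delivers it."""
        query = parse_qs(urlsplit(url).query, keep_blank_values=True)
        if "request_uri" not in query:
            raise ValueError("invalid_request: pushed authorization request required")
        extra = set(query) - {"client_id", "request_uri"}
        if extra:
            raise ValueError(f"invalid_request: parameters outside PAR: {sorted(extra)}")
        entry = self.pushed.pop(query["request_uri"][0], None)   # single use
        if entry is None:
            raise ValueError("invalid_request_uri: unknown or already used")
        client_id, params, expiry = entry
        if client_id != query.get("client_id", [None])[0]:
            raise ValueError("invalid_request_uri: client_id mismatch")
        if time.time() > expiry:
            raise ValueError("invalid_request_uri: expired")
        return params   # the AS now works only from the pushed parameters


def start_authorization(as_server, client_id, redirect_uri, scope):
    """Client side: push everything sensitive, then redirect with a bare request_uri."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    pushed = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    resp = as_server.par(client_id, pushed)
    redirect_url = AUTHZ_ENDPOINT + "?" + urlencode(
        {"client_id": client_id, "request_uri": resp["request_uri"]})
    return redirect_url, verifier, state


def front_channel_params(url):
    """Names of the query parameters a browser history, proxy log or referrer would see."""
    return sorted(parse_qs(urlsplit(url).query))


if __name__ == "__main__":
    AS = ToyAuthorizationServer({"bank-app": {"redirect_uris": ["https://bank-app.example/cb"]}})
    url, verifier, state = start_authorization(AS, "bank-app", "https://bank-app.example/cb", "accounts")
    print("front channel carries only:", front_channel_params(url))
    print("AS resolved the pushed state:", AS.authorize(url)["state"] == state)
```

Compare the redirect URL this produces with a classic authorization request: redirect_uri, scope, state and the PKCE challenge never appear in the browser, and an attacker who tampers with the front-channel query gains nothing, because the AS rejects any parameter other than client_id and request_uri and reads the request only from what the authenticated client pushed. The PKCE verifier is still needed at the token endpoint, which this snippet does not model.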

From auth0.com (6 min read)
Table of contents

- Misconception 1: FAPI Is a New Protocol
- Misconception 2: FAPI Is for Banks and Financial Organizations
- Misconception 3: FAPI 2.0 Is an Incremental Update of FAPI 1.0
- Misconception 4: OAuth 2.1 Makes FAPI Redundant
- Misconception 5: You Can Use Any Type of Client with FAPI
- Misconception 6: You Can't Use Public Clients with FAPI
- Misconception 7: Pushed Authorization Requests Support Simply Shortens URLs
- Wrapping Up
