Question

In Open Banking architectures utilizing FAPI standards, what is the specific purpose of the &#x27;sender-constrained access token&#x27; compared to a standard OAuth 2.0 bearer token?

Accepted Answer

A standard OAuth 2.0 bearer token is like a physical key to a house that anyone can use if they happen to find it on the ground. Whoever presents the token to an API gains access, regardless of whether they are the original person who requested it. In contrast, a sender-constrained access token is cryptographically bound to the specific client that requested it, functioning like a key that only works when presented by the person whose fingerprint is registered to the lock. The FAPI standard requires this binding to prevent token theft and misuse. If a malicious actor intercepts a bearer token, they can use it to impersonate the legitimate client until the token expires. If they intercept a sender-constrained token, they cannot use it because they lack the private cryptographic key required to prove they are the authorized sender. This process uses Mutual TLS, or mTLS, where the client must present a digital certificate during the API call. The authorization server embeds the thumbprint of that certificate into the token. When the client uses that token, the API server verifies that the certificate presented in the mTLS connection matches the thumbprint embedded in the token. If the certificates do not match, the request is rejected, ensuring that even if the token is stolen, it is useless to any other party.

Home → All Courses → Engineering and Technology Courses → FinTech Engineering → Flashcard

In Open Banking architectures utilizing FAPI standards, what is the specific purpose of the 'sender-constrained access token' compared to a standard OAuth 2.0 bearer token?