As defined by the Bahrain OBF, access to these APIs is secured using the OpenID Foundation's Financial Grade API (FAPI) Profile. This profile enables user authentication of consents for access to Open Banking services.
Our Open Banking API Specification supports the following:
- PS256
- code id_token
- PS256
- PS256
- private_key_jwt, tls_client_auth

For private_key_jwt - the aud claim is the URL of the token endpoint as specified in OIDC client authentication.
For the request object used in OIDC flows, the aud claim is the issuer URL from our API's .well-known endpoint.
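The two aud rules above are easy to swap during integration, so the following added example (not code from this API provider) is a pre-flight check a TPP could run on its own JWTs before sending them. ISSUER, TOKEN_ENDPOINT and all function names are assumptions for illustration, the sample tokens are constructed, and the check inspects header and claims only; it does not verify signatures.

```python
import base64
import json

# Assumed values; take the real ones from the API's .well-known document.
ISSUER = "https://as.example.test"
TOKEN_ENDPOINT = "https://as.example.test/token"
EXPECTED_AUD = {"client_assertion": TOKEN_ENDPOINT, "request_object": ISSUER}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _decode_segment(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    value = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(value, dict):
        raise ValueError("segment is not a JSON object")
    return value

def make_unsigned_sample(alg: str, claims: dict) -> str:
    """Constructed sample JWT with a dummy signature, for these checks only."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"

def check_jwt(token: str, kind: str) -> list:
    """Return profile violations for a JWT of kind 'client_assertion'
    (private_key_jwt) or 'request_object'. Signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected three segments)"]
    try:
        header, claims = _decode_segment(parts[0]), _decode_segment(parts[1])
    except ValueError:
        return ["header or payload is not a base64url-encoded JSON object"]
    problems = []
    if header.get("alg") != "PS256":
        problems.append(f"alg is {header.get('alg')!r}, expected 'PS256'")
    aud = claims.get("aud")
    aud_values = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD[kind] not in aud_values:
        problems.append(f"aud {aud!r} does not contain {EXPECTED_AUD[kind]!r}")
    return problems
```
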
Note: Our Sandbox API also offers less strict profiles to assist with integration testing.
TPPs will need to use both Transport and Signing Certificates. Separate certificates are required for each of the Sandbox and Production environments.