Title: FAPI 2.0: A High-Security Profile for OAuth and OpenID Connect
Authors: Fett, Daniel; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian
Date: 2021-05-20
Year: 2021
ISBN: 978-3-88579-706-7
ISSN: 1617-5468
URL: https://dl.gi.de/handle/20.500.12116/36503
Type: Text/Conference Paper
Language: en
Keywords: Authorization; Authentication; Security; Interoperability

Abstract: A growing number of APIs, from the financial, health and other sectors, give access to highly sensitive data and resources. With the Financial-grade API (FAPI) Security Profile, the OpenID Foundation has created an interoperable and secure standard to protect such APIs. The first version of FAPI has recently become an official standard and has already been adopted by large ecosystems, such as OpenBanking UK. Meanwhile, the OpenID Foundation's FAPI Working Group has started work on the second version of FAPI, putting a focus on robust interoperability, simplicity, a more structured approach to security, and improved non-repudiation. In this paper, we give an overview of the FAPI profiles, discuss the learnings from practice that influence the development of the latest version of FAPI, and show how formal security analysis helps to shape security decisions.