Security Model

Security Profile

As defined by the Bahrain OBF, access to these APIs is secured using the OpenID Foundation's Financial-grade API (FAPI) profile. The profile governs how the user is authenticated and how their consent is authorised before a TPP can access Open Banking services on their behalf.

Our Open Banking API Specification supports the following:

  • ID Token Signing Algorithm: PS256
  • Response Types: code id_token
  • Request Object Signing Algorithms: PS256
  • Token Endpoint Auth Signing Algorithms: PS256
  • Token Endpoint Auth Methods: private_key_jwt, tls_client_auth

For private_key_jwt, the aud claim of the client assertion is the URL of the token endpoint, as specified for OIDC client authentication.

For the request object used in OIDC flows, the aud claim is the issuer URL published in our API's .well-known endpoint.
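The two audience rules above, worked through in Go as an added example. This is not code from the API or from the OBF; the issuer, token endpoint, client_id, kid and redirect_uri values are hypothetical, and the freshly generated RSA key stands in for the key behind a TPP's Signing Certificate. It mints a private_key_jwt client assertion with aud set to the token endpoint and a request object with aud set to the issuer, signing both with PS256, and shows the verifier's side: the alg header is pinned to PS256 before any signature check and aud must match the expected URL exactly, so an assertion presented to the wrong endpoint is refused.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const ( // hypothetical values; real ones come from the API's .well-known document and the TPP's registration
	exampleIssuer        = "https://auth.example-bank.bh"
	exampleTokenEndpoint = "https://auth.example-bank.bh/token"
	exampleClientID      = "tpp-client-0001"
)

var b64 = base64.RawURLEncoding
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} // JWA PS256: RSASSA-PSS, SHA-256, salt length = hash length

// signPS256 builds a compact JWS (header.payload.signature) over claims with the given key id.
func signPS256(key *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid}) // plain maps: Marshal cannot fail
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyPS256 is the receiving side: it pins alg to PS256 (a token claiming "none" or "HS256" is
// rejected before any signature check), verifies the PSS signature, then requires aud == expectedAud.
func verifyPS256(pub *rsa.PublicKey, token, expectedAud string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS: %d segments", len(parts))
	}
	var raw [3][]byte
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = d
	}
	var hdr struct{ Alg string }
	if json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "PS256" {
		return nil, fmt.Errorf("alg %q not allowed, profile requires PS256", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], raw[2], pssOpts); err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	if aud, _ := claims["aud"].(string); aud != expectedAud { // the profile fixes aud to a single URL
		return nil, fmt.Errorf("aud %q, expected %q", claims["aud"], expectedAud)
	}
	return claims, nil
}

// clientAssertion is the private_key_jwt assertion: iss and sub are the client_id, aud is the token endpoint URL.
func clientAssertion(key *rsa.PrivateKey, kid, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16) // unique per assertion so the server can reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	return signPS256(key, kid, map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint, "jti": fmt.Sprintf("%x", jti),
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
}

// requestObject is the signed OIDC request object: aud is the issuer URL from .well-known, response_type is "code id_token".
func requestObject(key *rsa.PrivateKey, kid, clientID, issuer, redirectURI, state, nonce string, now time.Time) (string, error) {
	return signPS256(key, kid, map[string]any{
		"iss": clientID, "aud": issuer, "client_id": clientID, "response_type": "code id_token",
		"scope": "openid", "redirect_uri": redirectURI, "state": state, "nonce": nonce,
		"exp": now.Add(5 * time.Minute).Unix(),
	})
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key behind the TPP's Signing Certificate
	assertion, _ := clientAssertion(key, "sig-key-1", exampleClientID, exampleTokenEndpoint, time.Now())
	_, err := verifyPS256(&key.PublicKey, assertion, exampleTokenEndpoint)
	fmt.Println("private_key_jwt accepted at token endpoint:", err == nil)
	req, _ := requestObject(key, "sig-key-1", exampleClientID, exampleIssuer, "https://tpp.example/cb", "st-1", "n-1", time.Now())
	_, err = verifyPS256(&key.PublicKey, req, exampleIssuer)
	fmt.Println("request object accepted by issuer:", err == nil)
}
```

Per RFC 7523 and OIDC Core, the assertion is sent to the token endpoint as client_assertion together with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer, and the request object is carried in the request parameter of the authorization request. A production verifier would additionally enforce exp and iat, track jti for replay, and resolve kid against the TPP's registered Signing Certificate rather than a key held in memory.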

Note: Our Sandbox API also offers less strict profiles to assist with integration testing.

Certificate Support

TPPs will need to use both Transport and Signing Certificates: the Transport Certificate is presented for mutual TLS (including tls_client_auth), and the key behind the Signing Certificate produces the PS256 signatures on request objects and client assertions. Separate certificates are required for each of the Sandbox and Production environments.
