[Openid-specs-fapi] Issue #100: Signing API response payloads (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Wed May 31 09:13:17 UTC 2017


New issue 100: Signing API response payloads
https://bitbucket.org/openid/fapi/issues/100/signing-api-response-payloads

Dave Tonge:

As discussed on the last FAPI call, there is a use case for signing API response payloads. For example, an FI could make a credit decision based on a user's transaction history it obtains from another FI. In such a case it would like to have that transaction history signed rather than storing it as a raw JSON payload.

We discussed on the call that using JWS is the best approach for this use case and should be recommended in the FAPI spec.

I suggest that this is added to Part 1, Section 6. 

The questions I have are what would be the standard set of claims for such JWTs, e.g. `iat`, etc? Should the resource server have the option to serve either plain JSON or JWTs depending on content negotiation?

Responsible: dgtonge


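The following is an added illustration of the approach raised in the issue (it is not code from the FAPI specification or from the issue author): a resource server wraps its transaction-history payload in a JWS compact serialization carrying `iss`, `aud` and `iat`, picks JWS or plain JSON from the client's `Accept` header, and the receiving FI verifies the signature, the expected `alg`, the issuer/audience and the freshness of `iat` before trusting the data. HS256 with a constructed shared secret is used purely so the example runs on the standard library; the issuer and audience URLs and the `application/jose` media type choice are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values; not from the issue or the FAPI spec.
DEMO_KEY = b"constructed-demo-secret-not-for-production"
ISSUER = "https://fi-a.example"       # assumed: the FI serving the history
AUDIENCE = "https://fi-b.example"     # assumed: the FI making the credit decision


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_response(payload: dict, key: bytes, issuer: str, audience: str,
                  now: Optional[int] = None) -> str:
    """Return a JWS compact serialization over the API response payload.

    The claim set is the payload plus iss/aud/iat, so the recipient can tell
    who signed the data, for whom, and when.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": now, **payload}
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_response(token: str, key: bytes, issuer: str, audience: str,
                    max_age: int = 300, now: Optional[int] = None) -> dict:
    """Verify alg, signature, iss, aud and iat freshness; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm the verifier expects; never trust the header's alg blindly.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong iss/aud")
    iat = claims.get("iat")
    # Small clock-skew allowance on the future side; bounded age on the past side.
    if not isinstance(iat, int) or iat > now + 60 or now - iat > max_age:
        raise ValueError("iat missing or stale")
    return claims


def verifies(token: str, key: bytes, issuer: str, audience: str,
             now: Optional[int] = None) -> bool:
    """Boolean convenience wrapper around verify_response."""
    try:
        verify_response(token, key, issuer, audience, now=now)
        return True
    except ValueError:
        return False


def serve_transactions(accept: str, payload: dict, key: bytes,
                       now: Optional[int] = None) -> Tuple[str, str]:
    """Content negotiation: 'application/jose' in Accept gets a JWS, else plain JSON."""
    if "application/jose" in accept:
        return "application/jose", sign_response(payload, key, ISSUER, AUDIENCE, now=now)
    return "application/json", json.dumps(payload, separators=(",", ":"))


if __name__ == "__main__":
    history = {"transactions": [{"id": "tx1", "amount": "12.50"}]}  # constructed sample
    ctype, body = serve_transactions("application/jose", history, DEMO_KEY)
    print(ctype, body)
    print(verify_response(body, DEMO_KEY, ISSUER, AUDIENCE))
```

A verifier that pins the algorithm, checks `iss`/`aud` and bounds `iat` is what turns the signed history into something a credit decision can rely on; the content negotiation branch shows how the same endpoint can keep serving plain JSON to clients that do not ask for a signed response.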