Skip to main content
To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
To help customers configure their Auth0 tenant to adhere to one of the Financial-grade API (FAPI) profiles, the Application model includes a compliance_level property that can be set to one of three values:
  • null or undefined: No compliance level is required. This is the default.
  • fapi1_adv_mtls_par: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using mTLS and PAR.
  • fapi1_adv_pkj_par: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using Private Key JWT and PAR.
  • fapi2_sp_pkj_mtls: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using Private Key JWT and mTLS Token Sender-Constraining.
  • fapi2_sp_mtls_mtls: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using mTLS Client Authentication and mTLS Token Sender-Constraining.
Complying with a FAPI profile requires a number of configuration changes. Setting the compliance_level ensures that no authorization request can succeed unless the request and the configuration is compliant with the selected standard. For example, both the fapi1_adv_pkj_par and fapi1_adv_mtls_par compliance levels require PAR. If either of these compliance levels are selected, PAR is required regardless of the value of the require_pushed_authorization_requests setting. Attempting an authorization without using PAR results in the following error response:
In some cases, setting a compliance level also changes Auth0’s behavior. For example, both the fapi1_adv_pkj_par and fapi1_adv_mtls_par compliance levels cause Auth0 to include a s_hash claim in the returned containing a SHA256 hash of the state value. This allows the ID tokens to act as a detached signature. The following tables summarize the additional validation rules and changes to Auth0’s behavior that each compliance level enables:

Configure FAPI Compliance for a client

To perform this using the Auth0 Dashboard:
  1. Navigate to Auth0 Dashboard > Applications.
  2. Select the application.
  3. Select the Application Settings tab.
  4. Open the Advanced Settings section.
  5. In the OAuth tab, select the FAPI Compliance Enforcement Level.
The options to configure FAPI compliance are:
  • None: No compliance level is required. This is the default.
  • FAPI 1 Advanced profile using Private Key JWT and PAR: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using Private Key JWT and PAR.
  • FAPI 1 Advanced profile using mTLS and PAR: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using mTLS and PAR.
  • FAPI 2.0 Security Profile with Private Key JWT and certificate binding: The customer would like this client to behave in accordance with the FAPI2.0 Security Profile using Private Key JWT Client Authentication and mTLS Token Sender-Constraining.
  • FAPI 2.0 Security Profile with mTLS and certificate binding: The customer would like this client to behave in accordance with the FAPI2.0 Security Profile using mTLS Client Authentication and mTLS Token Sender-Constraining.

Learn more