
> Learn how to configure FAPI compliance for an Auth0 tenant.

# Configure FAPI Compliance

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
</Callout>

To help customers configure their Auth0 tenant to adhere to one of the Financial-grade API (FAPI) profiles, the Application model includes a `compliance_level` property that can be set to one of the following values:

* `null` or undefined: No compliance level is required. This is the default.
* `fapi1_adv_mtls_par`: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [mTLS](/docs/get-started/applications/configure-mtls) and [PAR](/docs/get-started/applications/configure-par).
* `fapi1_adv_pkj_par`: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [Private Key JWT](/docs/get-started/applications/configure-private-key-jwt) and [PAR](/docs/get-started/applications/configure-par).
* `fapi2_sp_pkj_mtls`: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using [Private Key JWT](/docs/get-started/applications/configure-private-key-jwt) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining).
* `fapi2_sp_mtls_mtls`: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using [mTLS Client Authentication](/docs/get-started/applications/configure-mtls) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining).

Complying with a FAPI profile requires a number of configuration changes. Setting the `compliance_level` ensures that no authorization request can succeed unless both the request and the client configuration are compliant with the selected standard.

For example, both the `fapi1_adv_pkj_par` and `fapi1_adv_mtls_par` compliance levels require PAR. If either of these compliance levels is selected, PAR is required regardless of the value of the `require_pushed_authorization_requests` setting. Attempting an authorization without using PAR results in the following error response:

```json lines theme={null}
{
  "error": "invalid_request",
  "error_description": "Pushed Authorization Requests are required by the configured compliance level"
}
```

In some cases, setting a compliance level also changes Auth0's behavior. For example, both the `fapi1_adv_pkj_par` and `fapi1_adv_mtls_par` compliance levels cause Auth0 to include an `s_hash` claim in the returned <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> containing a SHA256 hash of the state value. This allows the ID token to act as a detached signature over the authorization response.
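
As an added illustration (not code from this page or from Auth0), the following Python computes `s_hash` the way FAPI 1.0 Advanced defines it and performs the client-side check that binds the ID token to the `state` the client sent. It assumes the ID token is signed with a SHA-256 based algorithm such as PS256, so `s_hash` is the base64url encoding (no padding) of the left-most half of SHA-256 over the ASCII bytes of `state`.

```python
import base64
import hashlib
import hmac


def compute_s_hash(state: str) -> str:
    """Compute the FAPI 1.0 Advanced s_hash for a state value.

    Assumption: the ID token's alg uses SHA-256 (PS256/RS256/ES256), so the
    hash is SHA-256 and s_hash is the base64url-encoded left-most 128 bits,
    the same construction OIDC uses for c_hash and at_hash.
    """
    digest = hashlib.sha256(state.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def state_matches_id_token(state: str, id_token_claims: dict) -> bool:
    """Client-side check after the ID token signature has been verified.

    A missing or mismatching s_hash means the token was not issued for the
    state this client generated, e.g. a response replayed from another flow.
    """
    s_hash = id_token_claims.get("s_hash")
    if not isinstance(s_hash, str):
        return False
    return hmac.compare_digest(s_hash, compute_s_hash(state))


if __name__ == "__main__":
    # Constructed example: a state value and the claims of an ID token
    # that Auth0 would return for it under a fapi1_adv_* compliance level.
    sent_state = "abc"
    claims = {"iss": "https://example.invalid/", "s_hash": compute_s_hash(sent_state)}
    print("s_hash:", claims["s_hash"])
    print("state bound to ID token:", state_matches_id_token(sent_state, claims))
```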

The following tables summarize the additional validation rules and changes to Auth0’s behavior that each compliance level enables:

| Validation                                                                                                                                     | `fapi1_adv_pkj_par` | `fapi1_adv_mtls_par` | `fapi2_sp_pkj_mtls` | `fapi2_sp_mtls_mtls` |
| ---------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -------------------- | ------------------- | -------------------- |
| Prevents the use of access tokens in the URL query when calling `/userinfo`. Access tokens must be placed in the Authorization header instead. | Y                   | Y                    | Y                   | Y                    |
| Requires PAR.                                                                                                                                  | Y                   | Y                    | Y                   | Y                    |
| Requires PKCE with the S256 challenge method.                                                                                                  | Y                   | Y                    | Y                   | Y                    |
| Prevents the use of wildcards in the allowed callbacks on a client.                                                                            | Y                   | Y                    | N                   | N                    |
| Enforces the use of JAR.                                                                                                                       | Y                   | Y                    | N                   | N                    |
| Ensures the JAR payload is signed using the PS256 algorithm.                                                                                   | Y                   | Y                    | N                   | N                    |
| Ensures the JAR payload contains the `nbf` claim and that it is no more than 60 minutes in the past.                                          | Y                   | Y                    | N                   | N                    |
| Ensures the JAR payload contains the `exp` claim and that it is no more than 60 minutes after the `nbf` claim.                                 | Y                   | Y                    | N                   | N                    |
| Ensures the client has set the `oidc_conformant` property to true.                                                                             | Y                   | Y                    | Y                   | Y                    |
| Requires the use of `x-fapi-*` headers.                                                                                                        | Y                   | Y                    | N                   | N                    |
| Requires the use of Private Key JWT for client authentication.                                                                                 | Y                   | N                    | Y                   | N                    |
| Requires the use of mTLS for client authentication.                                                                                            | N                   | Y                    | N                   | Y                    |
| Allowed response types.                                                                                                                        | `code id_token`     | `code id_token`      | `code`              | `code`               |
| Requires `aud` claim to strictly match issuer in Private Key JWT assertion.                                                                    | N                   | N/A                  | Y                   | N/A                  |
| Requires `redirect_uri` parameter in Pushed Authorization Requests.                                                                            | N                   | N                    | Y                   | Y                    |

| Auth0 updated behavior                                                                                                                                                                                         | `fapi1_adv_pkj_par` | `fapi1_adv_mtls_par` | `fapi2_sp_pkj_mtls` | `fapi2_sp_mtls_mtls` |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------- | -------------------- | ------------------- | -------------------- |
| Adds `s_hash` claim to ID tokens.                                                                                                                                                                              | Y                   | Y                    | N                   | N                    |
| When the `profile` scope is requested, the `updated_at` claim contains an OIDC-conformant Unix timestamp rather than a string.                                                                                 | Y                   | Y                    | Y                   | Y                    |
| Returns only OIDC conformant error codes. In some cases, Auth0 may return additional error codes, but enabling this compliance level ensures that Auth0 only uses error codes defined in the OpenID standards. | Y                   | Y                    | Y                   | Y                    |
| Returns issuer as `iss` parameter in code responses.                                                                                                                                                           | N                   | N                    | Y                   | Y                    |
| Reduces maximum lifetime of authorization code to 60 seconds.                                                                                                                                                  | N                   | N                    | Y                   | Y                    |

## Configure FAPI Compliance for a client

<Tabs>
  <Tab title="Auth0 Dashboard">
    To perform this using the Auth0 Dashboard:

    1. Navigate to **Auth0 Dashboard > Applications**.
    2. Select the application.
    3. Select the **Application Settings** tab.
    4. Open the **Advanced Settings** section.
    5. In the **OAuth tab**, select the **FAPI Compliance Enforcement Level**.

    The options to configure FAPI compliance are:

    * **None**: No compliance level is required. This is the default.
    * **FAPI 1 Advanced profile using Private Key JWT and PAR**: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [Private Key JWT](/docs/get-started/applications/configure-private-key-jwt) and [PAR](/docs/get-started/applications/configure-par).
    * **FAPI 1 Advanced profile using mTLS and PAR**: The customer would like this client to behave in accordance with the FAPI1 Advanced profile using [mTLS](/docs/get-started/applications/configure-mtls) and [PAR](/docs/get-started/applications/configure-par).
    * **FAPI 2.0 Security Profile with Private Key JWT and certificate binding**: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using [Private Key JWT Client Authentication](/docs/get-started/applications/configure-private-key-jwt) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining).
    * **FAPI 2.0 Security Profile with mTLS and certificate binding**: The customer would like this client to behave in accordance with the FAPI 2.0 Security Profile using [mTLS Client Authentication](/docs/get-started/applications/configure-mtls) and [mTLS Token Sender-Constraining](/docs/secure/sender-constraining/mtls-sender-constraining).
  </Tab>

  <Tab title="Management API">
    Use the [Management API](https://auth0.com/docs/api/management/v2) to set the `compliance_level` property with a `POST` or `PATCH` request:

    ```bash lines theme={null}
    curl --location --request PATCH 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}' \
      --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}' \
      --header 'Content-Type: application/json' \
      --data '{
        "compliance_level": "fapi1_adv_mtls_par"
    }'
    ```

    To return the `compliance_level` property, use a `GET` request:

    ```bash lines theme={null}
    curl --location 'https://{YOUR_DOMAIN}/api/v2/clients/{YOUR_CLIENT_ID}' \
      --header 'Authorization: Bearer {YOUR_MANAGEMENT_API_ACCESS_TOKEN}'
    ```

    For FAPI 2.0 compliance, you can configure the expiry of pushed authorization requests to any value below 600 seconds; the default is 30 seconds. You set the expiry value using the Management API.
  </Tab>
</Tabs>

## Learn more

* [Configure Private Key JWT Authentication](/docs/get-started/applications/configure-private-key-jwt)
* [Configure Pushed Authorization Requests (PAR)](/docs/get-started/applications/configure-par)
* [Configure mTLS Authentication](/docs/get-started/applications/configure-mtls)
