Financial-grade API 1.0 (FAPI 1) Advanced

Breaking Change

The changes will apply to all consent authorisation flows and endpoints. This will affect both existing and new consents.

The changes do not apply to authorisation URLs to which TPPs redirect their users for consent authorisation.

Update (9 April 2025)

Following the feedback we received, we’ve clarified the scope of URL changes:

The subdomain change applies only to API endpoints used by TPPs' applications. It does not apply to OAuth authorisation URLs to which TPPs redirect their users for consent authorisation. The authorisation URLs will remain unchanged:

  • Production: https://oba.revolut.com/ui/index.html
  • Sandbox: https://sandbox-oba.revolut.com/ui/index.html

On 10 July 2025, we will update our Open Banking API to the FAPI 1.0 Advanced standard, enhancing data security. This means that all TPPs using our Open Banking APIs will need to implement several changes.

New requirements for request JWTs

Starting from 10 July 2025, any request JSON Web Token (JWT) used for consent authorisation must contain the nbf (not before), exp (expiration time) and aud (audience) claims:

  • The nbf claim must be a Unix timestamp, in seconds, before which the JWT is not valid.

  • The exp claim must be a Unix timestamp, in seconds, after which the JWT is no longer valid.
    Additionally, this value must be no more than 60 minutes later than the value of nbf.

  • The aud claim must contain the URI of the intended service. In this case, depending on your environment, this should be:

    • Production: https://oba-auth.revolut.com
    • Sandbox: https://sandbox-oba-auth.revolut.com

Read more about the JWT payload parameters.
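
The following pre-flight check is an added example, not code from Revolut: it decodes a request JWT's payload and reports which of the nbf, exp and aud rules above it breaks before the token is sent. The function names, the milliseconds heuristic and the acceptance of aud as either a string or an array (as RFC 7519 permits) are assumptions of this example, and the signature is not verified.

```python
import base64
import json

# Audience values as listed on this page.
AUDIENCE = {
    "production": "https://oba-auth.revolut.com",
    "sandbox": "https://sandbox-oba-auth.revolut.com",
}
MAX_LIFETIME_S = 60 * 60  # exp may be at most 60 minutes after nbf


def decode_payload(compact_jwt):
    """Return the claims of a compact JWS without verifying the signature."""
    parts = compact_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_request_claims(claims, environment):
    """Return a list of problems; an empty list means the claims pass."""
    problems = []
    for name in ("nbf", "exp"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name}: missing or not an integer")
        elif value >= 10**11:  # heuristic (assumption): this large means ms
            problems.append(f"{name}: looks like milliseconds, not seconds")
    if not problems:
        lifetime = claims["exp"] - claims["nbf"]
        if lifetime <= 0:  # such a token would never be valid
            problems.append("exp: not later than nbf")
        elif lifetime > MAX_LIFETIME_S:
            problems.append("exp: more than 60 minutes after nbf")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # string or array
    if AUDIENCE[environment] not in audiences:
        problems.append(f"aud: must contain {AUDIENCE[environment]}")
    return problems


def constructed_jwt(claims):
    """Build an unsigned sample token for this example (constructed input)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'PS256'})}.{enc(claims)}.sig"
```

Run `check_request_claims(decode_payload(token), "sandbox")` on the signed request object just before redirecting the user; a non-empty result names each claim to fix.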

New subdomains and mandatory mTLS

From 10 July 2025, we will enforce mutual TLS (mTLS) on all our Open Banking API endpoints. This also means new subdomains for most Open Banking API endpoints.

No change to authorisation URLs

The new subdomains only apply to the API endpoints used by TPPs in their applications to make server-to-server API calls. The authorisation URLs to which TPPs redirect their users remain unchanged:

  • Production: https://oba.revolut.com/ui/index.html
  • Sandbox: https://sandbox-oba.revolut.com/ui/index.html

To ensure a smooth transition, we will introduce a deprecation period from 10 March 2025 until 10 July 2025. Within this period, all TPPs must implement the changes and start using the new subdomains:

  • For Production: oba.revolut.com -> oba-auth.revolut.com.
  • For Sandbox: sandbox-oba.revolut.com -> sandbox-oba-auth.revolut.com.

Note: The subdomains oba-auth.revolut.com and sandbox-oba-auth.revolut.com are already used for the /token and /register endpoints. These endpoints will remain unaffected by this change, as they are already mTLS-secured.

Caution: After the deprecation period, the old subdomains, oba.revolut.com and sandbox-oba.revolut.com, will stop working for server-to-server API calls, and all such requests made to these URLs will fail.

Note: This does not apply to the authorisation URLs, which will remain unchanged and continue to function in the same way.