
Additional Security Protocols - Public Key Infrastructure (PKI)

Why PKI (Public Key Infrastructure)?

Empower is starting to use PKI (Public Key Infrastructure) so that the security standards current in the financial industry are applied to protect client data. This additional security layer ensures that integration with Empower APIs is permitted only for partners whose public/private key pair is properly generated, installed and managed.

Establishing a trust relationship using Public Key Infrastructure (PKI):

Empower uses the OAuth2 and OpenID Connect standards to protect our APIs. The OAuth2 specifications define several client authentication methods (e.g., a shared client secret, or a public/private key pair) suited to different security requirements. For B2B integration with 3rd-party partners that does not need end-user delegated authorization (a.k.a. user consent), the "client_credentials" authorization grant is used: the partner's client authenticates as itself, and which protected resources behind the APIs it may access is arranged in advance between Empower and the partner.

Classic OAuth2 client authentication uses a shared "client_secret". The "private_key_jwt" client authentication method (RFC 7523, OpenID Connect Core) instead uses a JWT assertion digitally signed with the private key of an asymmetric key pair; the authorization server verifies the signature against the partner's registered public key and issues the access token used to call the protected APIs. Because only the public key is registered, the Empower Authorization Server does not need to store any shared secret, and the private key never travels over the wire. That makes these methods more robust against several attacks, such as a secret being leaked from the server side or intercepted in transit.

Starting Q4 2024, in support of the higher API security required for Financial-grade APIs (FAPI), Empower APIs will require the asymmetric (public-key based) client authentication method, "private_key_jwt". For Read Only APIs, while clients are building the infrastructure needed for asymmetric client authentication (the preferred approach for all APIs), the classic symmetric method (client_secret based) can be enabled on individual API client request and after a security review.
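The following Go program is an added example, not Empower's code: it shows both halves of the private_key_jwt exchange described above, the partner building a signed client assertion and the client_credentials token request body, and an authorization server verifying that assertion against a registered public key (algorithm pinned, kid looked up server-side, audience and expiry checked, jti tracked to refuse replays). The token endpoint, client_id and kid are hypothetical placeholders, and RS256 is used only because Go's standard library makes it compact; FAPI profiles require PS256 or ES256, so use whatever algorithm Empower's onboarding instructions specify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
	"time"
)

// Hypothetical identifiers for illustration only, not Empower's real token endpoint or client_id.
const (
	TokenEndpoint = "https://auth.example.com/oauth2/token"
	ClientID      = "partner-client-123"
)

// Claims of a private_key_jwt client assertion (RFC 7523 section 3, OIDC Core section 9).
type AssertionClaims struct {
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // client_id again
	Aud string `json:"aud"` // the token endpoint this assertion may be presented to
	Jti string `json:"jti"` // unique per assertion, so the server can refuse replays
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewPartnerKey makes the partner's key pair. In production generate it in an HSM or KMS and export only the public half.
func NewPartnerKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// BuildClientAssertion signs a short-lived RS256 JWT with the partner's private key; the key never leaves the client.
func BuildClientAssertion(key *rsa.PrivateKey, kid string, now time.Time) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	body, _ := json.Marshal(AssertionClaims{Iss: ClientID, Sub: ClientID, Aud: TokenEndpoint,
		Jti: b64url(jti), Exp: now.Add(60 * time.Second).Unix()})
	signingInput := b64url(hdr) + "." + b64url(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestBody is the form body POSTed to the token endpoint. No client_secret appears anywhere in it.
func TokenRequestBody(assertion, scope string) string {
	return url.Values{"grant_type": {"client_credentials"}, "scope": {scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion}}.Encode()
}

// AuthServer models the authorization server: registered public keys per client_id (by kid) and accepted jti values.
type AuthServer struct {
	Keys    map[string]map[string]*rsa.PublicKey
	SeenJTI map[string]time.Time
}

// VerifyClientAssertion validates a client assertion and returns the authenticated client_id.
func (s *AuthServer) VerifyClientAssertion(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return "", errors.New("malformed JWT") }
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	var claims AssertionClaims
	rawHdr, e0 := base64.RawURLEncoding.DecodeString(parts[0])
	rawClaims, e1 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e2 := base64.RawURLEncoding.DecodeString(parts[2])
	if e0 != nil || e1 != nil || e2 != nil || json.Unmarshal(rawHdr, &hdr) != nil || json.Unmarshal(rawClaims, &claims) != nil {
		return "", errors.New("undecodable JWT")
	}
	// Pin the algorithm server-side and look the key up by (client_id, kid); never let the token choose either.
	pub, ok := s.Keys[claims.Iss][hdr.Kid]
	if !ok || hdr.Alg != "RS256" {
		return "", errors.New("unknown client_id/kid or unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("signature verification failed")
	}
	switch { // claims are only worth examining once the signature has been checked
	case claims.Sub != claims.Iss:
		return "", errors.New("iss/sub mismatch")
	case claims.Aud != TokenEndpoint:
		return "", errors.New("audience is not this token endpoint")
	case now.Unix() >= claims.Exp:
		return "", errors.New("assertion expired")
	}
	if _, replayed := s.SeenJTI[claims.Jti]; replayed || claims.Jti == "" {
		return "", errors.New("missing or already used jti (replay)")
	}
	s.SeenJTI[claims.Jti] = now
	return claims.Iss, nil
}
```

The server side is where the asymmetric method earns its robustness: the registration store holds only public keys, so a compromise of it yields nothing a thief could authenticate with, and an assertion is bound to one token endpoint (aud), one short window (exp) and one use (jti), so a captured assertion cannot be replayed elsewhere or later. In a real deployment the jti store must be shared across server instances and pruned after the assertion lifetime, and key rotation is handled by registering a new kid before retiring the old one.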

After an API access request has been submitted and approved, additional documentation and instructions will be provided.
