Why HAIP could be the identity breakthrough FAPI was for open banking

May 14, 2025

Over the last decade, digital financial services have transformed how we interact with money. From budgeting apps to cross-border payments, the financial industry has moved swiftly into the digital age — enabling seamless, secure experiences that many of us now take for granted.

But behind this smooth user experience lies an essential — and often invisible — foundation: interoperable, secure APIs, made possible by rigorous, shared security standards like the Financial-grade API (FAPI) profile.

Now, the digital identity world is catching up, and a similar transformation is underway — powered by the emerging High Assurance Interoperability Profile (HAIP).

Profiles vs. Specifications — What’s the Difference?

In digital identity and API security, a profile is like a recipe. It takes broad, flexible technical standards and specifications and says, “Here’s how to use these securely in a specific context.”

Base protocols like OAuth, OpenID Connect, OID4VCI and OID4VP are intentionally flexible: they are designed to support many different use cases. But that flexibility can lead to inconsistency and security gaps when different parties implement them differently. A profile narrows the options and sets clear rules so that implementations are both secure and interoperable, which matters most in high-assurance environments.

This is exactly what FAPI did for banking, and what HAIP is now doing for digital credentials.

How FAPI Unlocked Secure Digital Banking

FAPI is a security profile built on top of OAuth 2.0 and OpenID Connect. It emerged in response to the global push for open banking — a model where banks securely expose APIs to third-party apps.

At the time, OAuth provided the framework but intentionally left many security decisions open-ended.

FAPI tightened the rules, requiring:

  • Strong client authentication (e.g., mutual TLS)
  • Signed requests and tokens to prevent tampering
  • Secure handling of sensitive scopes and user consent

FAPI ensures that only apps you trust — and that are strongly authenticated — can access sensitive APIs. The result? A globally interoperable model that has enabled new digital financial services to flourish without compromising on user security or regulatory compliance. Countries like the UK, Australia, and Brazil adopted FAPI in their open banking frameworks, making it a de facto foundation for secure financial APIs.

In the European Union, while the Revised Payment Services Directive (PSD2) does not mandate specific technologies, FAPI provides a practical way to implement key requirements, such as strong customer authentication (SCA). As such, FAPI has become an important enabler for meeting regulatory expectations — even where it is not explicitly prescribed.

HAIP: Doing for Digital Identity What FAPI Did for Finance

Just like FAPI enabled OAuth to become viable for financial transactions, OID4VCI and OID4VP — the protocols for issuing and presenting verifiable credentials — need something similar for identity use cases where the stakes are high. Enter HAIP: the High Assurance Interoperability Profile.

Developed by the OpenID Foundation, HAIP is a profile of OID4VCI and OID4VP, designed for regulated and high-trust environments. It defines how to use these protocols securely, consistently, and interoperably — especially when issuing or verifying sensitive credentials like personal identification data (PID), driving licenses, or healthcare records.

HAIP takes the flexible foundation of OID4VC and adds guardrails — making sure implementers don’t accidentally create insecure or incompatible systems. Here’s what it mandates:

  • Credential binding: Ensures that credentials are cryptographically tied to the rightful holder, preventing copying or misuse.
    E.g., a digital driver’s license that only works from your wallet, not someone else’s.

  • Standardized proof formats: Supports privacy-preserving formats like ISO mDocs and SD-JWT, enabling selective disclosure of information.
    E.g., proving you're over 18 without revealing your full ID.

  • Wallet attestations: Requires the wallet to authenticate with the issuer using dedicated wallet attestations during issuance.
    E.g., ensuring a token for credential issuance isn’t issued to a malicious app or to an app that does not comply with the issuer’s security requirements.

  • Signed requests: In redirect-based flows, it requires the verifier to sign the request.
    E.g., ensuring the wallet accepts requests only from authentic and/or trusted verifiers.

  • Sender-constrained access tokens: Prevents access tokens from being reused by attackers if intercepted.
    E.g., ensuring a token for credential issuance can’t be hijacked by a malicious app.

  • Interoperability defaults: Locks in consistent parameters to ensure wallets, issuers, and verifiers work together out of the box.
    E.g., a wallet built in Canada can present a credential issued in Germany to a verifier in Singapore — and it just works.
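To make the selective-disclosure idea behind the "over 18" example concrete, here is an added illustration (not code from this post or from MATTR) of the SD-JWT disclosure mechanism: the issuer commits to salted, hashed claims, the holder reveals only the disclosure a verifier asked for, and the verifier checks it against the issuer's commitment. The issuer URL and the claim values are constructed sample data, and the JWT signature over the payload is assumed to be handled elsewhere.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_disclosure(claim: str, value) -> str:
    """Issuer side: SD-JWT disclosure = base64url(JSON([salt, claim_name, claim_value]))."""
    salt = b64url(secrets.token_bytes(16))  # fresh random salt per claim defeats guessing
    return b64url(json.dumps([salt, claim, value]).encode("utf-8"))


def digest(disclosure: str) -> str:
    """SD-JWT hashes the ASCII form of the disclosure string with the alg named in _sd_alg."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict) -> tuple[dict, dict]:
    """Return the (unsigned, constructed) credential payload and the per-claim disclosures."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {
        "iss": "https://issuer.example",  # constructed sample issuer
        "_sd_alg": "sha-256",
        # Digests must not reveal claim order; sorted here for determinism.
        "_sd": sorted(digest(d) for d in disclosures.values()),
    }
    return payload, disclosures


def present(disclosures: dict, reveal: list[str]) -> list[str]:
    """Holder side: hand over only the disclosures for the claims the verifier asked for."""
    return [disclosures[name] for name in reveal]


def verify(payload: dict, presented: list[str]) -> dict:
    """Verifier side: every presented disclosure must hash to a digest the issuer committed to."""
    revealed = {}
    for d in presented:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by the issuer's digests")
        raw = base64.urlsafe_b64decode(d + "=" * (-len(d) % 4))
        _salt, name, value = json.loads(raw)
        revealed[name] = value
    return revealed


def demo() -> dict:
    payload, disclosures = issue({"given_name": "Ada", "birthdate": "1990-01-01", "age_over_18": True})
    return verify(payload, present(disclosures, ["age_over_18"]))  # only the age flag is revealed
```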

As of April 2025, HAIP has been approved as an Implementer’s Draft by the OpenID Foundation — a strong signal that it’s moving toward maturity. The final version of HAIP is expected to be published in the coming months.

What It Means for Stakeholders

How MATTR Supports the HAIP Vision

At MATTR, we’re helping shape a digital world where trust is embedded, privacy is preserved, and everything just works — securely, at scale, and across borders. Profiles like HAIP represent a major step toward that vision, and we’ve aligned our products and practices to help customers lead with confidence:

  • HAIP-aligned APIs: Our issuance and verification APIs support the credential formats, proof mechanisms, and token protections defined in HAIP — enabling out-of-the-box compliance with high-assurance requirements.
  • Secure-by-default holder SDKs: Our holder SDKs implement core HAIP features, including holder binding and privacy-preserving credentials, giving implementers a strong foundation for trusted digital identity.
  • Active standards leadership: We don’t just follow the standards — we help define them. MATTR actively contributes to the OpenID Foundation’s work, including HAIP, and participates in interoperability testing to ensure real-world compatibility.

Just as FAPI enabled secure digital transformation in financial services, HAIP is positioned to unlock trusted, scalable identity systems — from eID programs to healthcare credentials and digital travel documents.

Yet for many organizations, the evolving landscape of standards, compliance, and interoperability can feel overwhelming. We take that complexity off your plate — giving you digital credential capabilities that are secure, standards-aligned, and interoperable right out of the box.

By building with MATTR, you're not just implementing specifications — you're implementing them the right way. Whether you're issuing credentials, verifying them, or building user experiences that rely on digital trust, we give you a future-proof, standards-aligned platform to deliver confidently and securely.

Let’s make digital identity work — for everyone, everywhere.
