Question
In the CDS HTTP headers section, x-fapi-auth-date and x-cds-client-headers are classified as conditional for Accredited Data Recipients (ADRs).
However, within the Banking APIs, under Get Accounts, x-fapi-auth-date and x-cds-client-headers are classified as optional for Data Holders (DHs).
What is the DH's role in validating these FAPI headers, and what are the obligations of a DH participating in open banking, as far as the FAPI headers are concerned?
Answer
Use of the client x-fapi headers is at the discretion of the DH.
The only exception is the x-fapi-interaction-id. DHs must respond with an x-fapi-interaction-id value: either the value provided by the client or, if no value has been provided, a specifically generated value.
Additionally, DHs must validate that the mandatory headers are provided or return an error code.
Some x-fapi headers are conditionally required. Please refer to the FAPI specifications Part 1 and Part 2 for guidelines on DH obligations for FAPI headers.
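The sketch below is an added example, not code from the CDS or FAPI specifications. It shows a DH-side handler that plays back or generates x-fapi-interaction-id on every response and rejects requests that lack a mandatory header. The function names, the contents of `MANDATORY_HEADERS`, the 400 status and the error body shape are assumptions made for illustration.

```python
import uuid

# Assumption for this example: the headers this endpoint treats as mandatory.
# The page does not list them; take the real list from the standards for the
# endpoint being served.
MANDATORY_HEADERS = ("x-v",)
INTERACTION_ID = "x-fapi-interaction-id"


def _normalise(headers):
    """HTTP header names are case-insensitive, so compare them in lower case."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def interaction_id_for(request_headers):
    """Return the client's x-fapi-interaction-id, or a generated one if absent."""
    supplied = _normalise(request_headers).get(INTERACTION_ID, "")
    return supplied if supplied else str(uuid.uuid4())


def handle_request(request_headers, mandatory=MANDATORY_HEADERS):
    """Return (status, response_headers, body) for a resource request.

    x-fapi-interaction-id is set on every response, including errors, so the
    ADR can correlate a failed call with the DH's logs.
    """
    headers = _normalise(request_headers)
    response_headers = {INTERACTION_ID: interaction_id_for(request_headers)}

    missing = [name for name in mandatory if not headers.get(name)]
    if missing:
        # 400 and this body shape are the example's own choices.
        return 400, response_headers, {"error": "missing_header", "missing": missing}

    # x-fapi-auth-date and x-cds-client-headers are not checked here: the page
    # leaves their use to the DH's discretion.
    return 200, response_headers, {"data": {}}


if __name__ == "__main__":
    # Constructed sample requests.
    print(handle_request({"x-v": "1", "X-FAPI-Interaction-ID": "client-supplied-id"}))
    print(handle_request({"x-fapi-auth-date": "Tue, 11 Sep 2012 19:43:31 GMT"}))
```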