Security of client requests follows a profile of the mechanisms defined in the GNAP specification.
Open Payments does not support bearer tokens and only supports a subset of key formats and methods for proving key possession.
All client requests in Open Payments are signed using a key that identifies the client to the authorization server (AS) or resource server (RS). All requests to the RS, and most requests to the AS, also carry an access token that is bound to the key used to sign the request. The exception is a request to the AS that initiates a new grant request: it has no access token initially, but any continuation request MUST use the access token provided by the AS.
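
The rules above can be read as a server-side acceptance check. The following is an added example, not Open Payments code: it assumes an Ed25519 client key, the `GNAP` Authorization scheme for key-bound tokens, in-memory key and token tables, and a simplified signing input in place of a full HTTP message signature base. The names `signRequest`, `checkRequest`, `keys` and `tokenBinding` are hypothetical.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Constructed sample data: two registered client keys, one token bound to client-1.
const client1 = generateKeyPairSync('ed25519');
const client2 = generateKeyPairSync('ed25519');
const keys = new Map([['client-1', client1.publicKey], ['client-2', client2.publicKey]]);
const tokenBinding = new Map([['tok-abc', 'client-1']]); // access token -> bound key id

// Simplified signing input (assumption): a real deployment signs an HTTP message
// signature base; this covers method, URL, Authorization value and body.
function signingInput(req) {
  return [req.method, req.url, req.authorization || '', req.body || ''].join('\n');
}

// Client side: attach the key id and a signature over the request.
function signRequest(req, keyId, privateKey) {
  const signature = sign(null, Buffer.from(signingInput(req)), privateKey);
  return { ...req, keyId, signature };
}

// Server side. server is 'AS' or 'RS'; newGrant is true only for a request
// that initiates a grant at the AS, the one case allowed to carry no token.
function checkRequest(server, req, newGrant = false) {
  const publicKey = keys.get(req.keyId);
  if (!publicKey || !req.signature) return 'reject: unsigned or unknown key';
  if (!verify(null, Buffer.from(signingInput(req)), publicKey, req.signature)) {
    return 'reject: bad signature';
  }
  if (server === 'AS' && newGrant) return 'accept';
  const [scheme, token] = (req.authorization || '').split(' ');
  if (scheme !== 'GNAP' || !token) return 'reject: key-bound access token required';
  if (tokenBinding.get(token) !== req.keyId) return 'reject: token not bound to signing key';
  return 'accept';
}

// Constructed requests: the same token presented by its owner and by another client.
const read = { method: 'GET', url: 'https://rs.example/incoming-payments/1', authorization: 'GNAP tok-abc' };
console.log(checkRequest('RS', signRequest(read, 'client-1', client1.privateKey))); // accept
console.log(checkRequest('RS', signRequest(read, 'client-2', client2.privateKey))); // reject: token not bound to signing key
```

The second call shows why the binding matters: a token copied from another client is useless without the private key it was issued against.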