Self-contained access tokens, typically JWT access tokens, carry their associated data inside themselves. If the following conditions are met, personal information therefore leaks directly from such access tokens.

“Stateless” here means that an access token does not have any…

This article explains the technical details of Open Banking Brasil (OBB), especially the differences between the OBB extensions and the global standard specifications.

July 24, 2021: I greatly appreciate Carol Morais and Skalena translating this article into Portuguese and publishing it at “Notas de um implementador sobre Open Banking Brasil”.

OBB Financial-grade API Security Profile

Specification Stack

OBB published “Open Banking…


This article explains X.509 certificates.

1. Digital Signature (Prior Knowledge)

To read this article, knowledge about digital signatures is needed. That is, this article assumes that you understand “By verifying the signature with the public key which is paired with the private key used to generate the signature, you can confirm that the target data has…

What happens if ID tokens issued by external OpenID providers (IdPs) are used for API protection? The following diagram is my understanding.

If I’m missing something, please correct me.

Takahiko Kawasaki

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997.
