---
title: FapiParFilterChain
description: Configure FapiParFilterChain in PingGateway to validate PAR requests and enforce FAPI Baseline and Advanced security profile compliance
component: pinggateway
version: 2026
page_id: pinggateway:reference:FapiParFilterChain
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/FapiParFilterChain.html
revdate: 2025-10-13T08:54:33Z
section_ids:
  usage: Usage
  properties: Properties
  example: Example
  get_the_client_certificate: Get the client certificate
  from_https: From HTTPS
  from_a_client_cert_trusted_header: From a Client-Cert trusted header
  from_an_nginx_trusted_header: From an NGINX trusted header
  from_an_envoy_or_istio_trusted_header: From an Envoy or Istio trusted header
  more_information: More information
---

# FapiParFilterChain

A filter chain to validate PAR requests and make sure they comply with the following FAPI specifications:

* [Financial-grade API Security Profile 1.0 - Part 1: Baseline](https://openid.net/specs/openid-financial-api-part-1-1_0.html#authorization-server)

* [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html)

Put this filter before other filters to reject requests that would result in creating an OAuth 2.0 client that doesn't comply with the FAPI specifications.

## Usage

```none
{
    "name": string,
    "type": "FapiParFilterChain",
    "config": {
        "forwardedHost": string,
        "clientCertificate": runtime expression<certificate>,
        "apiClientService": ApiClientService reference,
        "auditService": AuditService reference
    }
}
```

## Properties

* `"forwardedHost"`: *[string](preface.html#definition-string), required*

  The forwarded host added to the endpoint request.

* `"clientCertificate"`: *runtime expression<[certificate](preface.html#definition-certificate)>, required*

  The client TLS certificate, often found in the request as shown in the examples that follow. The filter evaluates this for every request.

* `"apiClientService"`: *ApiClientService [reference](preface.html#definition-reference), required*

  The `ApiClientService` to retrieve the API client, such as an [IdmApiClientService](IdmApiClientService.html).

* `"auditService"`: *AuditService [reference](preface.html#definition-reference), optional*

  The [AuditService](AuditService.html) to record audit events. Provide either the name of an AuditService object defined in the heap or an inline AuditService configuration object.

  Default: No audit service.

## Example

The following example uses the authorization server as the forwarded host and gets the client certificate from an `ssl-client-cert` header:

```json
{
    "name": "fapiParFilterChain",
    "type": "FapiParFilterChain",
    "config": {
        "forwardedHost" : "&{as.fqdn}",
        "clientCertificate": "${pemCertificate(urlDecode(request.headers['ssl-client-cert'][0]))}"
    }
}
```

### Get the client certificate

This section shows how to get the client certificate in various situations.

#### From HTTPS

When PingGateway terminates transport layer security (TLS), use the certificate associated with the incoming HTTPS connection:

```none
"clientCertificate": "${contexts.client.certificates[0]}"
```

#### From a `Client-Cert` trusted header

When a proxy that terminates TLS fronts PingGateway and uses the `Client-Cert` header, it sends the client certificate encoded with Distinguished Encoding Rules (DER).

The following example gets the certificate from the header:

```none
"clientCertificate": "${derCertificate(request.headers['Client-Cert'][0])}"
```

Learn more in [RFC 9440, Client-Cert HTTP Header Field](https://www.rfc-editor.org/rfc/rfc9440).

#### From an NGINX trusted header

When NGINX fronts PingGateway and terminates TLS, it can send the client certificate in a trusted header.

The following example uses `x-ssl-cert` as the trusted header. NGINX encodes the certificate in PEM format and URL-encodes the result:

```none
"clientCertificate": "${pemCertificate(urlDecode(request.headers['x-ssl-cert'][0]))}"
```

Learn more in the NGINX [Module ngx\_http\_ssl\_module](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables) documentation.

#### From an Envoy or Istio trusted header

When Envoy or Istio fronts PingGateway and terminates TLS, it can send the client certificate in a field in a trusted header.

The following example uses `x-forwarded-client-cert` as the trusted header. Envoy puts the client certificate in the `Cert` field of the header value. Envoy encodes the certificate in Privacy-Enhanced Mail (PEM) format and URL-encodes the result:

```none
"clientCertificate": "${pemCertificate(urlDecode(findGroups(request.headers['x-forwarded-client-cert'][0], 'Cert=([^;]+);?')[1]))}"
```

Learn more in the Envoy [x-forwarded-client-cert](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-client-cert) documentation.
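
The following Python sketch is an added example, not PingGateway code. It mirrors the decoding steps of the `Client-Cert`, NGINX, and Envoy expressions above so you can check offline that a proxy's header value decodes to the expected certificate bytes. The sample bytes, header values, and function names are constructed for illustration, and the quote stripping around the `Cert` value is an assumption.

```python
import base64
import re
from urllib.parse import quote, unquote

# Constructed stand-in for certificate bytes; not a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("3082000a") + b"constructed-sample"

def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Extract the first PEM certificate block and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def from_client_cert(value: str) -> bytes:
    """RFC 9440 Client-Cert: base64 DER delimited by colons."""
    if len(value) < 3 or value[0] != ":" or value[-1] != ":":
        raise ValueError("Client-Cert value is not a colon-delimited byte sequence")
    return base64.b64decode(value[1:-1], validate=True)

def from_nginx(value: str) -> bytes:
    """NGINX trusted header: URL-encoded PEM."""
    return pem_to_der(unquote(value))

def from_envoy(value: str) -> bytes:
    """Envoy/Istio x-forwarded-client-cert: URL-encoded PEM in the Cert field."""
    m = re.search(r"Cert=([^;]+);?", value)  # same pattern as the expression above
    if not m:
        raise ValueError("no Cert field in x-forwarded-client-cert value")
    # Assumption: the Cert value may be wrapped in double quotes; strip them.
    return pem_to_der(unquote(m.group(1).strip('"')))

# Constructed header values carrying the same certificate in each format.
PEM = to_pem(SAMPLE_DER)
CLIENT_CERT = ":" + base64.b64encode(SAMPLE_DER).decode() + ":"
NGINX = quote(PEM, safe="")
ENVOY = ('By=spiffe://constructed.example/gw;Cert="' + quote(PEM, safe="")
         + '";Subject="CN=constructed"')

if __name__ == "__main__":
    for name, der in (("Client-Cert", from_client_cert(CLIENT_CERT)),
                      ("x-ssl-cert", from_nginx(NGINX)),
                      ("x-forwarded-client-cert", from_envoy(ENVOY))):
        print(name, der == SAMPLE_DER)
```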

## More information

[org.forgerock.openig.fapi.authorization.par.FapiParFilterChainHeaplet](../_attachments/apidocs/org/forgerock/openig/fapi/authorization/par/FapiParFilterChainHeaplet.html)
