---
title: FapiWellKnownFilterChain
description: A filter chain to validate requests to well-known endpoints and make sure they produce OAuth 2.0 clients that comply with the following FAPI specifications:
component: pinggateway
version: 2026
page_id: pinggateway:reference:FapiWellKnownFilterChain
canonical_url: https://docs.pingidentity.com/pinggateway/2026/reference/FapiWellKnownFilterChain.html
revdate: 2025-06-29T17:30:28Z
section_ids:
  usage: Usage
  properties: Properties
  example: Example
  more_information: More information
---

# FapiWellKnownFilterChain

A filter chain to validate requests to well-known endpoints and make sure they produce OAuth 2.0 clients that comply with the following FAPI specifications:

* [Financial-grade API Security Profile 1.0 - Part 1: Baseline](https://openid.net/specs/openid-financial-api-part-1-1_0.html#authorization-server)

* [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html)

Put this filter before other filters to reject requests that would result in creating an OAuth 2.0 client that doesn't comply with the FAPI specifications.

## Usage

```none
{
    "name": string,
    "type": "FapiWellKnownFilterChain",
    "config": {
        "forwardedHost": string,
        "mtlsEndpoints": {
            "endpointNames": [ configuration expression<string>, ... ],
            "mtlsHostname": string
        },
        "supportedTokenEndpointAuthMethods": [ configuration expression<string>, ... ]
    }
}
```

## Properties

* `"forwardedHost"`: *[string](preface.html#definition-string), required*

  The forwarded host added to the endpoint request.

* `"mtlsEndpoints"`: *object, required*

  Well-known endpoints to reconfigure to use mTLS.

  * `"endpointNames"`: *array of configuration expression<[strings](preface.html#definition-string)>, required*

    The well-known endpoint names to update.

  * `"mtlsHostname"`: *[string](preface.html#definition-string), required*

    The mTLS hostname to use.

* `"supportedTokenEndpointAuthMethods"`: *array of configuration expression<[strings](preface.html#definition-string)>, optional*

  The supported OAuth 2.0 `token_endpoint_auth_method` values.

  Default: `private_key_jwt`, `self_signed_tls_client_auth`, `tls_client_auth`

## Example

```json
{
    "name": "FapiWellKnownFilterChain",
    "type": "FapiWellKnownFilterChain",
    "config": {
        "forwardedHost" : "&{as.fqdn}",
        "mtlsEndpoints" : {
            "endpointNames" : [ "authorization_endpoint", "registration_endpoint", "token_endpoint" ],
            "mtlsHostname" : "&{as.mtls.fqdn}"
        }
    }
}
```
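
A post-deployment check for the configuration above, added here as an example and not part of the PingGateway documentation or code. It assumes the filter chain leaves each endpoint in `endpointNames` as an `https` URL on the mTLS hostname and advertises only the configured `token_endpoint_auth_method` values; `check_well_known`, the hostnames, and the sample documents are constructed for illustration.

```python
from urllib.parse import urlsplit

# Defaults this page lists for "supportedTokenEndpointAuthMethods".
DEFAULT_AUTH_METHODS = {"private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"}

def check_well_known(doc, endpoint_names, mtls_hostname, auth_methods=DEFAULT_AUTH_METHODS):
    """Return a list of findings for a parsed well-known (discovery) document.

    Assumption (not stated on the page): each endpoint in endpoint_names should be
    an https URL on mtls_hostname, and token_endpoint_auth_methods_supported should
    contain only values from auth_methods.
    """
    findings = []
    for name in endpoint_names:
        url = doc.get(name)
        if not isinstance(url, str):
            findings.append(f"{name}: missing from document")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name}: scheme is {parts.scheme!r}, expected 'https'")
        if (parts.hostname or "").lower() != mtls_hostname.lower():
            findings.append(f"{name}: host is {parts.hostname!r}, expected {mtls_hostname!r}")
    advertised = doc.get("token_endpoint_auth_methods_supported")
    if not advertised:
        # RFC 8414: an omitted list means the default, client_secret_basic.
        findings.append("token_endpoint_auth_methods_supported: missing or empty")
    else:
        for method in advertised:
            if method not in auth_methods:
                findings.append(f"token_endpoint_auth_methods_supported: unexpected {method!r}")
    return findings

# Constructed sample documents; hostnames and paths are placeholders.
ENDPOINTS = ["authorization_endpoint", "registration_endpoint", "token_endpoint"]
MTLS_HOST = "mtls.as.example.com"
GOOD = {
    "authorization_endpoint": "https://mtls.as.example.com/oauth2/authorize",
    "registration_endpoint": "https://mtls.as.example.com/oauth2/register",
    "token_endpoint": "https://mtls.as.example.com/oauth2/access_token",
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "tls_client_auth"],
}
BAD = dict(GOOD,
           registration_endpoint="http://mtls.as.example.com/oauth2/register",
           token_endpoint="https://as.example.com/oauth2/access_token",
           token_endpoint_auth_methods_supported=["private_key_jwt", "client_secret_basic"])

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        print(label, check_well_known(doc, ENDPOINTS, MTLS_HOST))
```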

## More information

[org.forgerock.openig.fapi.wellknown.FapiWellKnownFilterChainHeaplet](../_attachments/apidocs/org/forgerock/openig/fapi/wellknown/FapiWellKnownFilterChainHeaplet.html)
