In this whitepaper, we describe various aspects of OAuth and OpenID Connect that can be used to conform to the revised Directive on Payment Services (PSD2) and the General Data Protection Regulation (GDPR). Though these regulations are mandated by the European Union (EU), the applicability of the techniques described in this paper transcends regulatory regimes. For this reason, readers in other parts of the world who are building APIs that expose high-worth data will also find this paper useful.

Much of the content is industry agnostic, but various banking and finance examples are provided. Some of the techniques will be described in the context of PSD2 and GDPR, but an in-depth, or even introductory, knowledge of these regulations is not required.