
The OpenID Foundation is proud to spotlight a significant achievement in secure healthcare ecosystems: the implementation of the FAPI 2.0 security profile across the entire Norwegian Health Network (NHN) via the new HelseID service. The OpenID Foundation is also very pleased to share that the NHN has decided to become a member of its community.
Owned by the Norwegian state under the Ministry of Health and Care Services, NHN is a national service provider within e-health, responsible for ensuring a secure and appropriate infrastructure for efficient interaction between all areas of the health and care services.
Never before has FAPI been adopted at such scale or outside of financial services. HelseID’s journey, from bespoke security requirements toward a unified, mandatory FAPI 2.0 profile for all participants, offers invaluable lessons for any sector grappling with large-scale API security and standardization.
HelseID and why it matters
HelseID is the central identity and access management platform operated by NHN, the organization that unites every healthcare provider in Norway, from the country’s largest hospitals to single-practitioner clinics, pharmacies, dental offices, and municipal health services. Use of any national e-health service requires membership of NHN, ensuring universal coverage. At full rollout, HelseID will support secure access across Norway’s healthcare system, enabling scalable authentication for solutions used by up to 50,000 healthcare organizations and approximately six million Norwegians.
Historically, various projects within Norway’s health sector had developed their own security profiles, resulting in fragmented requirements and costly, duplicated effort by vendors. HelseID replaces these disparate solutions with the FAPI 2.0 profile, a robust OAuth 2.0 and OpenID Connect-based standard. By aligning on FAPI 2.0, HelseID not only raises the bar for confidentiality, integrity, and authentication, but also taps into a mature ecosystem of libraries, conformance tools, and global best practices.
From custom profiles to mandatory FAPI 2.0
The transition began with NHN recognizing the unsustainable burden its proprietary security profiles placed on implementers and vendors. Rather than continue with a variety of incompatible implementations, NHN elected to adopt FAPI 2.0 wholesale, knowing that standardization would ultimately streamline development and maintenance, improve confidence in security controls, and reduce the challenges of integrating so many organizations. This strategic shift required significant upfront work: rewriting internal guidance, training both NHN staff and external implementers, and developing client libraries tailored to HelseID’s specific needs. Despite these challenges, the NHN team remained steadfast in their belief that a shared standard would yield long-term benefits far exceeding the cost.
Understanding that an abrupt change could disrupt critical healthcare services, NHN is rolling out FAPI 2.0 in phases. All new APIs are required to support the profile from day one. Existing services are being migrated over time, often triggered by vendors releasing new feature versions or responding to deprecation notices. Importantly, NHN has adopted a firm ‘no-exceptions’ policy. Carve-outs were not permitted, and vendors were informed that any non-compliant services would eventually be phased out. This approach ensured momentum and kept security top-of-mind for implementers, while avoiding the chaos of a ‘big-bang’ switchover.
Scaling security and realizing the power of automated conformance testing
With 100 APIs in view and 1,800 clients able to access them, NHN faced a daunting challenge: verifying that every relying party and identity provider adhered to FAPI 2.0’s exacting requirements. Manual testing, previously the norm, was time-consuming, costly, and unable to keep pace with the network’s expansion. The introduction of an automated conformance testing tool is transforming NHN’s security operations.
Implementers and vendors receive immediate feedback on pass/fail criteria, drastically shortening development cycles. NHN’s own team uses the tooling to test its identity provider, uncovering minor gaps and collaborating with software providers and library maintainers to enhance compliance. As the network grows, the testing infrastructure scales with it, eliminating the need for proportional increases in security personnel. This automated approach not only accelerates the journey to full compliance, but also empowers implementers to build higher-quality, interoperable FAPI 2.0 implementations.
Importantly, while NHN’s current approach through automated testing has already elevated the quality of its implementations, there is a forward-looking ambition. Both the OpenID Foundation and the NHN team see additional opportunities to collaborate on certification and self-certification. By exploring and potentially adopting the OpenID Foundation’s conformance capabilities, NHN aims to further lower compliance burdens while aligning with global best practices and strengthening its security framework.
Real-world security gains and a transformative ‘aha’ moment
Perhaps the most compelling testament to FAPI 2.0’s value came from NHN’s own risk assessments. In one parallel health service project, the team conducted an initial assessment before implementing FAPI 2.0’s DPoP option and associated measures, and then repeated the assessment afterward.
The results were striking. Both the probability of token theft and the potential impact of any breach dropped dramatically. With DPoP, an access token is bound to a key that only the legitimate client holds, so a stolen token becomes entirely unusable: it grants no access to data at all, rather than merely restricting access to a limited subset. This complete neutralization of the threat provided a transformative ‘aha’ moment, powerfully demonstrating to technical teams and organizational leadership that the investment in FAPI 2.0 was more valuable than originally anticipated.
In a system that handles such sensitive data and serves six million citizens, even modest decreases in breach likelihood and impact translate into significant real-world benefits.
The strategic value of standardization
Custom security profiles can offer early gains, but at scale they fragment ecosystems and multiply costs. By anchoring on FAPI 2.0, NHN has enabled its implementer community to leverage existing open-source and commercial client/server libraries, avoiding the need to build bespoke code for every new deployment.
More significantly, HelseID benefits from the collective vigilance of the global OpenID Foundation community. This means that vulnerabilities discovered in similar implementations, regardless of sector, are disclosed and patched, alerting NHN to potential risks before they become public crises. This shared responsibility, underpinned by responsible disclosure procedures, reinforces HelseID’s resilience and reduces the burden on NHN to independently uncover every possible threat.
Building community and capacity
Security is not a one-off project, but an ongoing journey requiring people, process, and technology. NHN has cultivated a vibrant community around HelseID. A dedicated Slack channel offers real-time support, enabling vendors to ask questions, share solutions, and learn from one another.
Academic partnerships have brought fresh talent and research into the fold, with two master’s students having contributed to library development and documentation, bolstering NHN’s capacity. A concerted effort to involve diverse voices, particularly women product owners and implementers, has ensured broad representation in decision-making.
Furthermore, NHN has already held meetings with the Brazilian banking ecosystem to share experiences, and it collaborates closely with other public agencies in Norway. These interactions ensure that security, especially the use of OpenID Connect and OAuth2, is approached in a unified manner and that best practices are exchanged across borders.
NHN’s decision to join the OpenID Foundation is a further step in this effort to build community and capacity. It gives the Norwegian healthcare community greater access to the OpenID Foundation’s international community, allowing the NHN team to benefit from it and to give the benefit of their own experiences back to the OpenID Foundation’s membership and contributors, essentially building a much bigger team.
Preparing for the next vulnerability
In late 2024, security researchers involved with the OpenID Foundation uncovered a theoretical vulnerability that presented a potential risk in HelseID’s DPoP implementation. Although no exploitation occurred, NHN seized the opportunity to refine its processes. By transparently communicating the issue, coordinating mitigating changes with clients, and documenting lessons learned, NHN practiced the procedures required for more urgent future fixes.
This proactive stance underscores a critical truth: an ecosystem must be ready to respond swiftly. Because HelseID adheres to a standardized profile, coordinated upgrades are not just possible, they become routine exercises.
From HelseID to other ecosystems - lessons learned
HelseID’s full-scale adoption of FAPI 2.0 offers a roadmap for any sector seeking robust, scalable API security. The keys to success include selecting a mature, community-backed profile; planning a phased migration with clear, enforceable mandates; investing in automated conformance testing; and measuring tangible security gains to secure stakeholder buy-in.
Fostering a collaborative community through support channels, academic partnerships, and cross-sector dialogues also builds the capacity and resilience required for ongoing improvement.
A final lesson in this journey has been to embrace transparency around vulnerabilities and response preparations, in order to turn potential crises into opportunities for collective learning.
HelseID’s pioneering journey demonstrates that, with thoughtful planning, shared tooling, and an unwavering commitment to open standards, ecosystems of any size can achieve remarkable security improvements. The Norwegian Health Network’s embrace of FAPI 2.0 proves that the FAPI 2.0 profile is ready to safeguard patient records, emergency services, and every corner of a nationwide health system.
The OpenID Foundation congratulates NHN on this achievement and looks forward to supporting other ecosystems, whatever sector they are in, as they follow in HelseID’s footsteps toward stronger, more interoperable API security.
About the OpenID Foundation
The OpenID Foundation (OIDF) is a global open standards body committed to helping people assert their identity wherever they choose. Founded in 2007, we are a community of technical experts leading the creation of open identity standards that are secure, interoperable, and privacy-preserving. The Foundation’s OpenID Connect standard is now used by billions of people across millions of applications. In the last five years, FAPI has become the standard of choice for Open Banking and Open Data implementations, allowing people to access and share data across entities. Today, the OpenID Foundation’s standards are the connective tissue that enables people to assert their identity and access their data at scale, the scale of the internet, enabling ‘networks of networks’ to interoperate globally. Individuals, companies, governments and non-profits are encouraged to join or participate. Find out more at openid.net.
