Dave Tonge

Open Standards, Open Finance, Open Source

I'm the CTO of Moneyhub, the co-chair of the Financial-Grade API Working Group at the OpenID Foundation, and regularly contribute to the open standards, open finance and open source communities.

This site contains a summary of some of my work.

Technical Standards


Client Initiated Backchannel Authentication. This specification supports decoupled authorisation flows, for example allowing a smartphone to be used to authorise a payment at a point-of-sale device.


Financial Grade API - 1.0 and 2.0. This is a suite of API security profiles originally set up to support "Open Banking" use cases, but that have now been adopted more widely.


OAuth 2.0 Pushed Authorization Requests. This specification was inspired by earlier work in the FAPI WG and supports a more secure way of setting up an OAuth redirect flow.

RFC 8705

OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens. This specification allows the use of mutual TLS in OAuth 2.0 deployments.

ISO/TS 23029:2020

Web-service-based application programming interface (WAPI) in financial services. This ISO standard provides guidelines for those implementing Financial APIs. I contributed the security section.


OAuth 2.0 Rich Authorization Requests. Inspired by the use of payments with OAuth 2.0, this specification provides a way for complex authorisation data to be conveyed from the Client to the AS.

Open Finance

  • FAPI WG Co-Chair, MODRNA WG Co-Editor
  • Technical Adviser
  • FAPI Liaison Officer & First Fintech Rep
  • TISA Open Savings & Investment Technical WG

Trade Bodies & Regulators

  • FCA. I sat on the FCA PSD2 Stakeholder Group
  • EBA. I represented OpenID and FDATA in consultations with the EBA
  • ISO. UK expert on ISO TC69 SC9



Washington, USA

CIBA - Pay with your phone

Financial APIs Workshop

Tokyo, Japan

The Great British Client Bake Off
Slides | Conference

3rd OAuth Security Workshop

Trento, Italy

Decoupled Flows in OAuth 2.0
Paper | Slides | Conference

4th OAuth Security Workshop

Stuttgart, Germany

Client Initiated Backchannel Authentication
Slides | Conference

API Days


Open Finance - It's already happening

Open Source


Ramda. I contributed several methods to this popular functional toolkit for JavaScript.


PDI - Minimal Promise-based Dependency Injection framework. This is a simple library that provides a powerful abstraction for dealing with dependency injection, both for system startup and for complex async tasks.

Redux Tetris

Redux Tetris. A Tetris clone built with Ramda, Redux and React in a point-free functional style. Play here

Backbone Query

Backbone Query. An older library written for the Backbone JS framework that kickstarted the SPA ecosystem.

Query Predicate

Query Predicate. A functional library that creates predicate functions from MongoDB queries.

React Spiral

React Spiral. A spiral chart component for React. Uses D3 for calculations, but all rendering is done directly in React. Demo here