As discussed on the last FAPI call, there is a use case for signing API response payloads. For example, an FI could make a credit decision based on a user's transaction history it obtains from another FI. In such a case, it would like to have that transaction history signed rather than storing it as a raw JSON payload.
We discussed on the call that using JWS is the best approach for this use case and should be recommended in the FAPI spec.
I suggest that this is added to Part 1, Section 6.
The questions I have are: what would the standard set of claims be for such JWTs (e.g. iat, etc.)? Should the resource server have the option to serve either plain JSON or JWTs depending on content negotiation?
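To make the proposal concrete, here is an added example (not from the post or the FAPI spec) of a resource server wrapping a transaction-history response in a compact JWS with a standard claim set (iss, aud, iat, exp), the consuming FI verifying it before use, and a minimal content-negotiation choice between application/json and application/jwt. It uses HS256 with a constructed demo key only so it runs on the Python standard library; the key, issuer/audience URLs and the "data" claim name are assumptions.

```python
import base64, hashlib, hmac, json

# Assumed demo key and HS256 so the example runs on the stdlib alone; a FAPI
# deployment would sign with the resource server's asymmetric key (e.g. PS256).
DEMO_KEY = b"constructed-demo-key-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_response(payload, issuer, audience, now, ttl=300, key=DEMO_KEY):
    """Wrap a JSON response body in a compact JWS carrying iss/aud/iat/exp.
    The body is nested under "data" so its fields cannot collide with claims."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"iss": issuer, "aud": audience, "iat": now,
                         "exp": now + ttl, "data": payload}, separators=(",", ":"))
    signing_input = _b64url(header.encode()) + "." + _b64url(claims.encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_response(token, issuer, audience, now, key=DEMO_KEY):
    """Check signature, then iss/aud/iat/exp; return the embedded body.
    Any failure raises ValueError so callers never act on unverified data."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        raise ValueError("iat missing or too far in the future")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims["data"]

def negotiate(accept_header):
    """Serve the JWS form only when the client's Accept lists application/jwt."""
    return "application/jwt" if "application/jwt" in accept_header else "application/json"
```

The iat and exp checks are what let the consuming FI later prove the history was current when it made its decision, which a raw stored JSON body cannot.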