
OCPI security layers

OCPI security layers are the technical and operational controls used to protect OCPI (Open Charge Point Interface) communications between EV charging platforms (typically CPO and eMSP systems). These layers ensure that roaming data (locations, tariffs, tokens, sessions, CDRs) is exchanged securely, with strong authentication, confidentiality, integrity, and auditability.

Why OCPI security matters

OCPI connects business-critical systems that decide who may charge and who is billed for it. Sound OCPI security therefore:
– Prevents unauthorized access to roaming endpoints and customer-related data
– Protects tariff and billing integrity (avoids manipulated prices or forged CDRs)
– Reduces fraud risk from stolen tokens or abused authorization flows
– Supports compliance expectations (security audits, incident response, data protection)
– Improves platform availability by limiting abuse and attack surface

Core security layers in an OCPI integration

OCPI security is typically implemented as multiple layers that work together:

Transport security

– TLS encryption (HTTPS) for all OCPI API traffic to protect data in transit
– Certificate chain and hostname validation on both sides to stop interception and impersonation, plus a TLS 1.2+ minimum and modern cipher configuration to prevent protocol and cipher downgrade
– Optional trust hardening via certificate pinning or a strict CA policy (trusting only the partner's issuing CA); implementation-dependent rather than part of OCPI itself
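The following is an added example, not code from the page or from any OCPI implementation: a hardened client-side TLS context for calling a partner's OCPI endpoints, shown next to the "disable verification so the test partner works" shortcut that tends to leak into production, plus an audit function that flags the weak settings. The ca_bundle parameter is an assumption: pass the partner's CA bundle when applying a strict CA policy, or None to use the system trust store.

```python
"""Client-side TLS context for calling a roaming partner's OCPI endpoints.

Added example (not from the page or any OCPI project). ca_bundle is an
assumed parameter: a PEM file holding only the partner's CA for a strict CA
policy, or None for the system trust store.
"""
import ssl
from typing import Optional


def make_partner_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: chain + hostname verification, TLS 1.2 minimum,
    forward-secret AEAD cipher suites only, TLS compression off."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 negotiation
    ctx.check_hostname = True                       # cert name must match the partner host
    ctx.verify_mode = ssl.CERT_REQUIRED             # unverifiable chain -> handshake fails
    ctx.options |= ssl.OP_NO_COMPRESSION            # compression enables CRIME-style leaks
    # TLS 1.2 cipher list: ECDHE for forward secrecy, AEAD only. TLS 1.3 suites
    # are negotiated separately and are all acceptable.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The weak pattern: certificate and hostname checks switched off. Anyone on
    the path can impersonate the partner and read or alter tokens, tariffs and CDRs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the findings for a context; an empty list means it passes."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname_check_disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("cert_not_verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("tls_below_1_2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("compression_enabled")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_partner_tls_context()),
                      ("unverified", make_unverified_context())):
        print(name, audit_context(ctx) or "ok")
```

Run audit_context over every context your OCPI client builds (a unit test that iterates the factory functions is enough); it catches the unverified pattern regardless of which HTTP library the context is later handed to.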

Authentication and credential management

– The OCPI Credentials module is used to register, update (rotate) and unregister the access tokens that every subsequent API call carries in its Authorization header
– Unique credentials per partner (no shared “global” tokens)
– Credential rotation policies and rapid revocation procedures when compromise is suspected
– Separation of environments (test vs production) with different keys and endpoints

Authorization and least privilege

– Restrict partner access to only the required OCPI modules and endpoints
– Apply least privilege at the API gateway (read-only vs write/commands)
– Enforce per-tenant/per-partner boundaries so one partner cannot access another’s data
– Limit or disable higher-risk capabilities (e.g., remote commands) unless needed contractually
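The credential-management and least-privilege points above share one mechanism: the token in the Authorization header identifies the partner, and that identity decides which modules and methods the request may touch. The example below is added here and is not code from the page or from any OCPI project. It stores only token hashes, supports rotation with an optional grace window and per-partner revocation, parses the OCPI 2.2.x header form (Token followed by the base64-encoded token; 2.1.1 sent it raw), and returns a gateway decision. The grant tables, party IDs and function names are hypothetical; the OCPI module names are real.

```python
"""Token authentication and per-partner least-privilege checks for an OCPI endpoint.

Added example (not from the page or any OCPI project). The grant tables, party
IDs and helper names are hypothetical; the header format follows OCPI 2.2.x.
"""
import base64
import binascii
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import Optional, Tuple


def now() -> datetime:
    return datetime.now(timezone.utc)


# Hypothetical grant tables: OCPI module name -> HTTP methods the partner may use.
READ_ONLY = {"locations": {"GET"}, "tariffs": {"GET"}, "cdrs": {"GET"}}
EMSP_DEFAULT = {**READ_ONLY, "tokens": {"GET", "PUT", "PATCH"}, "sessions": {"GET"}}
# "commands" is deliberately absent: remote commands are granted per contract only.


@dataclass
class PartnerCredential:
    party_id: str
    token_hash: str          # sha256 of the token; the raw token is never stored
    grants: dict
    expires_at: datetime
    revoked: bool = False


class CredentialStore:
    """Unique credential per partner; rotation and revocation are first-class."""

    def __init__(self) -> None:
        self._by_hash: dict = {}

    @staticmethod
    def _digest(token: str) -> str:
        return sha256(token.encode()).hexdigest()

    @staticmethod
    def _is_live(cred: PartnerCredential) -> bool:
        return not cred.revoked and now() < cred.expires_at

    def issue(self, party_id: str, grants: dict, ttl_days: int = 90) -> str:
        token = secrets.token_urlsafe(32)            # 256 bits of entropy, URL safe
        cred = PartnerCredential(party_id, self._digest(token), dict(grants),
                                 now() + timedelta(days=ttl_days))
        self._by_hash[cred.token_hash] = cred
        return token                                 # shown once, handed to the partner

    def rotate(self, old_token: str, grace_seconds: int = 0) -> Optional[str]:
        """Issue a replacement; the old token dies after an optional grace window."""
        old = self.lookup(old_token)
        if old is None:
            return None
        old.expires_at = now() + timedelta(seconds=grace_seconds)
        return self.issue(old.party_id, old.grants)

    def revoke(self, party_id: str) -> int:
        """Kill every live token of a partner (suspected compromise); returns count."""
        live = [c for c in self._by_hash.values()
                if c.party_id == party_id and self._is_live(c)]
        for cred in live:
            cred.revoked = True
        return len(live)

    def lookup(self, token: str) -> Optional[PartnerCredential]:
        # Keyed by hash: a timing difference reveals nothing about the raw token,
        # and a leaked store does not yield usable tokens.
        cred = self._by_hash.get(self._digest(token))
        return cred if cred is not None and self._is_live(cred) else None


def make_header(token: str) -> str:
    """OCPI 2.2.x header value: 'Token ' + base64(token)."""
    return "Token " + base64.b64encode(token.encode()).decode()


def parse_authorization(header: Optional[str]) -> Optional[str]:
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme != "Token" or not value:
        return None
    try:
        return base64.b64decode(value, validate=True).decode()
    except (binascii.Error, ValueError):     # bad base64 or non-UTF-8 payload
        return None


def authorize(store: CredentialStore, header: Optional[str],
              module: str, method: str) -> Tuple[int, str]:
    """Gateway decision as (HTTP status, reason): 401 = not identified, 403 = not allowed."""
    token = parse_authorization(header)
    if token is None:
        return 401, "missing or malformed Authorization header"
    cred = store.lookup(token)
    if cred is None:
        return 401, "unknown, expired or revoked token"
    if method not in cred.grants.get(module, set()):
        return 403, f"{cred.party_id} may not {method} /{module}"
    return 200, cred.party_id
```

The 401/403 split matters for monitoring: a burst of 401s is token guessing or a stale credential, while a 403 from a valid partner token is a partner (or whoever holds its token) probing modules it was never granted.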

Network and perimeter controls

– IP allow-listing (where feasible) to limit who can reach OCPI endpoints
– API gateways or reverse proxies with request validation and threat filtering
– Network segmentation to isolate OCPI services from internal admin and finance systems
– Rate limiting and DDoS protection to maintain availability

Message integrity and validation

– Strict schema validation for incoming/outgoing payloads (IDs, currencies, timestamps, VAT fields)
– Idempotency and replay protection (e.g., reject a CDR whose id has already been accepted, so a retried or replayed push cannot be billed twice)
– Business-rule validation to detect anomalies (negative kWh, impossible durations, wrong EVSE IDs)
– Reconciliation checks between sessions and CDRs to catch manipulation or corruption
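As an added example (not code from the page or from any OCPI implementation), the validator below applies the four checks in this list to an incoming CDR before it reaches billing: required-field and type checks, idempotency on the CDR id, business rules (negative energy, end before start, implausible duration, VAT-inclusive price below the VAT-exclusive one) and reconciliation against the session the CDR claims to bill (EVSE, start time, metered energy). The field subset follows OCPI 2.2.1 naming; the session store, sample CDR and limits are constructed and hypothetical.

```python
"""Gatekeep incoming OCPI CDRs before they reach billing.

Added example (not from the page or any OCPI implementation). Field names
follow OCPI 2.2.1 for the subset used; SESSIONS, sample_cdr() and the limits
are constructed/hypothetical.
"""
from datetime import datetime, timedelta
from decimal import Decimal, InvalidOperation

MAX_DURATION = timedelta(hours=48)        # longer than any plausible charging session
MAX_KWH = Decimal("500")                  # above any single-session energy we sell
ENERGY_TOLERANCE_KWH = Decimal("0.1")     # allowed drift between session and CDR meter values
ALLOWED_CURRENCIES = {"EUR", "GBP", "CHF", "SEK", "NOK", "DKK", "PLN"}
REQUIRED = ("id", "session_id", "start_date_time", "end_date_time",
            "cdr_location", "currency", "total_energy", "total_cost")

# Constructed: what our own session store knows about the session being billed.
SESSIONS = {
    "S-1": {"evse_uid": "NL*ABC*E123*1", "kwh": 24.8,
            "start_date_time": "2024-03-01T08:00:00Z"},
}


def parse_ts(value: str) -> datetime:
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp without timezone")
    return dt


def dec(value) -> Decimal:
    return Decimal(str(value))            # via str: no binary-float artefacts in money


class CdrValidator:
    def __init__(self, sessions: dict):
        self.sessions = sessions
        self.accepted = set()             # accepted CDR ids; persist this in production

    def validate(self, cdr: dict) -> list:
        """Return error codes; an empty list means the CDR is accepted."""
        errors = [f"missing_field:{f}" for f in REQUIRED if f not in cdr]
        if errors:
            return errors
        if cdr["id"] in self.accepted:
            return ["duplicate_id"]       # retry or replay of an already-billed CDR
        try:
            start, end = parse_ts(cdr["start_date_time"]), parse_ts(cdr["end_date_time"])
            energy = dec(cdr["total_energy"])
            excl = dec(cdr["total_cost"]["excl_vat"])
            incl = dec(cdr["total_cost"].get("incl_vat", excl))
            evse_uid = cdr["cdr_location"].get("evse_uid")
        except (KeyError, TypeError, AttributeError, ValueError, InvalidOperation):
            return ["unparseable_fields"]
        if cdr["currency"] not in ALLOWED_CURRENCIES:
            errors.append("bad_currency")
        if end <= start:
            errors.append("end_before_start")
        elif end - start > MAX_DURATION:
            errors.append("duration_too_long")
        if energy < 0:
            errors.append("negative_energy")
        elif energy > MAX_KWH:
            errors.append("energy_too_high")
        if excl < 0 or incl < excl:
            errors.append("cost_inconsistent")
        session = self.sessions.get(cdr["session_id"])
        if session is None:
            errors.append("unknown_session")
        else:                             # reconciliation against our own session record
            if evse_uid != session["evse_uid"]:
                errors.append("evse_mismatch")
            if abs(energy - dec(session["kwh"])) > ENERGY_TOLERANCE_KWH:
                errors.append("energy_mismatch")
            if parse_ts(session["start_date_time"]) != start:
                errors.append("start_mismatch")
        if not errors:
            self.accepted.add(cdr["id"])
        return errors


def sample_cdr(**overrides) -> dict:
    """Constructed, well-formed CDR for session S-1; overrides inject faults."""
    cdr = {
        "id": "CDR-1001", "session_id": "S-1",
        "start_date_time": "2024-03-01T08:00:00Z", "end_date_time": "2024-03-01T10:30:00Z",
        "cdr_location": {"evse_uid": "NL*ABC*E123*1"}, "currency": "EUR",
        "total_energy": 24.8, "total_cost": {"excl_vat": 9.92, "incl_vat": 12.00},
    }
    cdr.update(overrides)
    return cdr
```

A rejected CDR should be parked for dispute handling rather than silently dropped, and the accepted-id set must live in durable storage shared by every gateway instance, otherwise a replay that lands on a different node is billed again.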

Logging, monitoring, and auditability

– Centralized logs for authentication events, token usage, and data changes
– Monitoring for unusual patterns (spikes, repeated failures, unexpected endpoints)
– Alerts for credential misuse, high error rates, or suspicious CDR volumes
– Audit trails supporting dispute handling and incident investigation
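The monitoring points above become concrete once run over real gateway logs. The example below is added here and is not code from the page or from any OCPI product: three detections over constructed JSON access-log lines from a gateway in front of OCPI endpoints, one source IP collecting repeated 401s (token guessing or a stale credential), a valid partner receiving 403s on a module it was never granted (privilege probing), and a partner pushing CDRs far faster than sessions can end (suspicious CDR volume). The field names, thresholds and windows are hypothetical.

```python
"""Run misuse detections over OCPI gateway access logs.

Added example (not from the page or any OCPI product). LOG_LINES are
constructed; the field names (ts, src_ip, party, method, module, status),
thresholds and windows are hypothetical.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_FAIL_THRESHOLD, AUTH_FAIL_WINDOW = 5, timedelta(minutes=5)   # 401s per source IP
CDR_BURST_THRESHOLD, CDR_BURST_WINDOW = 3, timedelta(minutes=1)   # accepted CDR POSTs per partner

# Constructed sample: a token-guessing client, a partner probing an ungranted
# module, and a partner pushing CDRs in a burst.
LOG_LINES = [
    '{"ts":"2024-03-01T09:00:00Z","src_ip":"10.0.0.5","party":"NL-ABC","method":"GET","module":"locations","status":200}',
    '{"ts":"2024-03-01T09:00:10Z","src_ip":"203.0.113.7","party":null,"method":"GET","module":"locations","status":401}',
    '{"ts":"2024-03-01T09:00:20Z","src_ip":"203.0.113.7","party":null,"method":"GET","module":"locations","status":401}',
    '{"ts":"2024-03-01T09:00:30Z","src_ip":"203.0.113.7","party":null,"method":"GET","module":"tokens","status":401}',
    '{"ts":"2024-03-01T09:00:40Z","src_ip":"203.0.113.7","party":null,"method":"GET","module":"cdrs","status":401}',
    '{"ts":"2024-03-01T09:00:50Z","src_ip":"203.0.113.7","party":null,"method":"GET","module":"tariffs","status":401}',
    '{"ts":"2024-03-01T09:01:00Z","src_ip":"203.0.113.7","party":null,"method":"GET","module":"sessions","status":401}',
    '{"ts":"2024-03-01T09:01:10Z","src_ip":"10.0.0.9","party":"NL-XYZ","method":"POST","module":"commands","status":403}',
    '{"ts":"2024-03-01T09:02:00Z","src_ip":"10.0.0.5","party":"NL-ABC","method":"POST","module":"cdrs","status":200}',
    '{"ts":"2024-03-01T09:02:10Z","src_ip":"10.0.0.5","party":"NL-ABC","method":"POST","module":"cdrs","status":200}',
    '{"ts":"2024-03-01T09:02:20Z","src_ip":"10.0.0.5","party":"NL-ABC","method":"POST","module":"cdrs","status":200}',
    '{"ts":"2024-03-01T09:02:30Z","src_ip":"10.0.0.5","party":"NL-ABC","method":"POST","module":"cdrs","status":200}',
    '{"ts":"2024-03-01T09:30:00Z","src_ip":"10.0.0.9","party":"NL-XYZ","method":"POST","module":"cdrs","status":200}',
]


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _in_window(history: deque, ts: datetime, window: timedelta) -> int:
    """Record ts, drop events older than the window, return the live count."""
    history.append(ts)
    while history and ts - history[0] > window:
        history.popleft()
    return len(history)


def detect(lines) -> list:
    """Return alerts as dicts with kind, subject, ts and detail, in log order."""
    alerts, alerted = [], set()
    auth_fails, cdr_posts = defaultdict(deque), defaultdict(deque)

    def alert(kind, subject, ts, detail):
        if (kind, subject) not in alerted:          # one alert per subject, not per event
            alerted.add((kind, subject))
            alerts.append({"kind": kind, "subject": subject,
                           "ts": ts.isoformat(), "detail": detail})

    for line in lines:
        rec = json.loads(line)
        ts = parse_ts(rec["ts"])
        if rec["status"] == 401:                    # unidentified caller: token guessing / stale token
            n = _in_window(auth_fails[rec["src_ip"]], ts, AUTH_FAIL_WINDOW)
            if n >= AUTH_FAIL_THRESHOLD:
                alert("auth_fail_burst", rec["src_ip"], ts,
                      f"{n} rejected tokens within {AUTH_FAIL_WINDOW}")
        elif rec["status"] == 403 and rec.get("party"):   # valid token, ungranted module
            alert("privilege_probe", rec["party"], ts,
                  f"{rec['method']} /{rec['module']} outside granted modules")
        elif rec["status"] == 200 and rec["method"] == "POST" and rec["module"] == "cdrs":
            n = _in_window(cdr_posts[rec["party"]], ts, CDR_BURST_WINDOW)
            if n >= CDR_BURST_THRESHOLD:
                alert("cdr_burst", rec["party"], ts, f"{n} CDRs within {CDR_BURST_WINDOW}")
    return alerts


if __name__ == "__main__":
    for a in detect(LOG_LINES):
        print(a["ts"], a["kind"], a["subject"], a["detail"])
```

The same three rules translate directly into SIEM queries; the point of keeping party, module and status in every log record is that each alert names a partner or source and the module involved, which is what an incident responder or a dispute handler needs first.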

Data protection and privacy controls

– Minimize personal data shared via OCPI (follow data minimization principles)
– Protect token identifiers and any user-linked references as sensitive data
– Retention policies for logs and CDRs aligned with legal and contractual requirements
– Secure handling of exports to billing and analytics systems

Operational security practices

– Clear partner onboarding checklist (endpoint verification, credential exchange, test cases)
– Defined SLAs and runbooks for incident response and data correction workflows
– Regular security reviews, penetration testing, and dependency patching for OCPI services
– Enforce MFA and RBAC for admin access to OCPI configuration and logs

Common risks and pitfalls

– Long-lived tokens that are not rotated or revoked quickly
– Exposing OCPI endpoints directly without an API gateway or rate limiting
– Weak separation between test and production credentials
– Insufficient validation causing billing disputes or acceptance of malformed CDRs
– Poor logging that prevents root-cause analysis during roaming failures

OCPI
OCPI integration
OCPI roaming
OCPI billing
Charge Detail Record (CDR)
Network segmentation
Data encryption
Multi-factor authentication (MFA)
Role-based access control (RBAC)
Incident response plan