Pushed Authorization Request (PAR)
Push an authorization request to Auth0 and receive a request URI to use in the authorization flow. PAR enhances security by moving authorization parameters from the front channel (browser) to the back channel (direct server-to-server).
Benefits:
- Prevents parameter tampering
- Keeps sensitive data out of browser history
- Required for FAPI (Financial-grade API) compliance
- Supports large authorization requests
How it works:
- POST authorization parameters to this endpoint
- Receive a
request_uriin response - Redirect user to
/authorizewith onlyclient_idandrequest_uri - Auth0 retrieves the parameters using the
request_uri
Documentation Index
Fetch the complete documentation index at: https://docs-staging.auth0-mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
The access token received from the authorization server in the OAuth 2.0 flow.
Body
Your application's Client ID
Must be 'code' for PAR
code Your application's Client Secret (required for confidential clients)
The redirect URI for your application
Space-delimited list of requested scopes
An opaque value to maintain state between request and callback
The unique identifier of the target API
The PKCE code challenge
The method used to generate the code challenge
S256 A random string value for ID Token validation
A JWT signed with your client secret or private key (for Private Key JWT authentication)
Must be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' when using client_assertion
urn:ietf:params:oauth:client-assertion-type:jwt-bearer