Version: Latest (3.102.6)

Pushed Authorization Request (PAR)

POST /authz-srv/par

This API implements RFC 9126 - Pushed Authorization Request. It allows clients to push authorization request parameters to the authorization server in a direct back-channel request, rather than including them in the authorization URL. This improves security by:

  • Avoiding long URLs with sensitive parameters
  • Reducing exposure of authorization parameters
  • Enabling better logging and audit trails

How it works:

  1. Client sends all authorization request parameters to this endpoint via POST
  2. Server validates the request and creates a unique request_uri
  3. Client uses the request_uri in the authorization endpoint (/authz-srv/authz) instead of passing all parameters

PAR can be used with both Authorization Code Flow and PKCE Flow. The request_uri expires after the time specified in expires_in (typically 90 seconds), so it must be used promptly.

Session transfer (native to web): You can include the optional form field stt (Session Transfer Token) in this POST body together with PKCE (code_challenge, code_challenge_method). The same rules apply as on GET /authz-srv/authz: PKCE is required when stt is present; client_id must be the web client. The browser then opens /authz-srv/authz?client_id=...&request_uri=... only (no stt on that URL—the STT is already inside the pushed request). See Session transfer.

See the PAR documentation for a detailed implementation guide.
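The client side of the flow above, as an added example (not code from this product or its documentation): it derives PKCE values, assembles the form body pushed to /authz-srv/par (enforcing the rule that stt requires PKCE), and builds the browser URL for /authz-srv/authz from the returned request_uri, refusing one whose expires_in window has passed. The issuer host and the sample PAR response are assumptions; the endpoint paths are the ones on this page.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Hypothetical issuer host; only the paths come from the API reference.
ISSUER = "https://idp.example.com"
PAR_ENDPOINT = f"{ISSUER}/authz-srv/par"
AUTHZ_ENDPOINT = f"{ISSUER}/authz-srv/authz"


def make_pkce(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_par_body(client_id, redirect_uri, scope, state, code_challenge, stt=None):
    """Form fields to POST to /authz-srv/par. Every parameter that would otherwise
    sit in the authorization URL is pushed here; stt is only valid together with PKCE."""
    if stt is not None and not code_challenge:
        raise ValueError("PKCE (code_challenge) is required when stt is present")
    body = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if stt is not None:
        body["stt"] = stt  # session transfer token travels inside the pushed request
    return body


def authz_url_from_par(client_id, par_response, received_at, now=None):
    """Build the URL the browser opens: only client_id and request_uri, never the
    pushed parameters or the STT. Rejects a request_uri whose expires_in has elapsed."""
    expires_at = received_at + par_response["expires_in"]
    if (now if now is not None else time.time()) >= expires_at:
        raise ValueError("request_uri has expired; push a new request")
    query = {"client_id": client_id, "request_uri": par_response["request_uri"]}
    return f"{AUTHZ_ENDPOINT}?{urlencode(query)}"
```

The PAR POST itself (an HTTPS form submission with client authentication) is left to your HTTP client; record the time of the response so the expiry check above is meaningful.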

Request

Responses

Created - The authorization request has been successfully pushed and a request_uri has been created.