
Pushed Authorization Request (PAR)

POST /authz-srv/par

Pushed Authorization Request (PAR)

This API implements RFC 9126 - Pushed Authorization Request. It allows clients to push authorization request parameters to the authorization server via a direct request, rather than including them in the authorization URL. This improves security by:

  • Avoiding long URLs with sensitive parameters
  • Reducing exposure of authorization parameters
  • Enabling better logging and audit trails

How it works:

  1. Client sends all authorization request parameters to this endpoint via POST
  2. Server validates the request and creates a unique request_uri
  3. Client uses the request_uri in the authorization endpoint (/authz-srv/authz) instead of passing all parameters

PAR can be used with both Authorization Code Flow and PKCE Flow. The request_uri expires after the time specified in expires_in (typically 90 seconds), so it must be used promptly.
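The three steps above, sketched from the client side as an added example (not code from this API's documentation). The host, client ID and redirect URI are placeholders; the form-encoded body and the client_id/request_uri pair on the authorization URL follow RFC 9126; the sample response is constructed.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode

BASE = "https://idp.example.com"  # assumption: placeholder host, not from the page

def pkce_pair():
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_par_request(client_id, redirect_uri, scope, challenge, state):
    """Step 1: everything that would sit in the authorization URL goes in the POST body."""
    params = {
        "client_id": client_id, "response_type": "code",
        "redirect_uri": redirect_uri, "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    # Assumption: RFC 9126 form encoding; the page does not state the accepted content type.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{BASE}/authz-srv/par", headers, urlencode(params)

def parse_par_response(body, received_at):
    """Step 2: keep request_uri together with the absolute time it stops being valid."""
    data = json.loads(body)
    request_uri, ttl = data["request_uri"], int(data["expires_in"])
    if ttl <= 0:
        raise ValueError("PAR response carries a non-positive expires_in")
    return request_uri, received_at + ttl

def build_authz_url(client_id, request_uri, expires_at, now):
    """Step 3: the browser-visible URL carries only client_id and request_uri."""
    if now >= expires_at:
        raise TimeoutError("request_uri expired; push the request again")
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{BASE}/authz-srv/authz?{query}"

# Constructed sample response body; the URN prefix is the one used in RFC 9126.
SAMPLE_RESPONSE = '{"request_uri": "urn:ietf:params:oauth:request_uri:EXAMPLE", "expires_in": 90}'

def demo(now=1000.0):
    verifier, challenge = pkce_pair()
    # A real client keeps `verifier` server-side for the later token request.
    _, _, body = build_par_request("demo-client", "https://app.example.com/cb", "openid", challenge, "xyz")
    request_uri, expires_at = parse_par_response(SAMPLE_RESPONSE, now)
    return body, build_authz_url("demo-client", request_uri, expires_at, now + 5)

if __name__ == "__main__":
    print(demo()[1])
```

Passing the clock in as a parameter makes the expiry check testable; a client would supply time.time() at both points.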

See the PAR documentation for a detailed implementation guide.

Request

Responses

Created - The authorization request has been successfully pushed and a request_uri has been created.