Configure Pushed Authorization Requests (PAR)
The Auth0 Push Authorization Request (PAR) implementation is based on the OAuth RFC9126: Push Authorization Request specification. For more information, see Authorization Code Flow with Pushed Authorization Requests.
By default, PAR is not required by the authorization server. As a result, you can send authorization requests to the PAR endpoint and the /authorize
endpoint. However, to fully secure your authorization flow, set PAR as required for an application and/or a tenant via the Management API or Application Settings on the Auth0 Dashboard.
Set PAR for a tenant
To set PAR for a tenant, use the Auth0 Dashboard.
1. Navigate to Auth0 Dashboard > Settings > Advanced.
2. Scroll down to Settings and toggle on Allow Pushed Authorization Requests (PAR).
Set PAR for an application
Navigate to Auth0 Dashboard > Applications.
Select the application.
Select the Application Settings tab.
In the Authorization Requests section, enable the toggle Require Pushed Authorization Requests (PAR).
Use the following code sample to configure PAR for your application using the Management API:
curl -X PATCH --location 'https://TENANT.auth0.com/api/v2/clients/CLIENT_ID' \
--header 'Authorization: Bearer MANAGEMENT_ACCESS_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
"require_pushed_authorization_requests": true
}'
Was this helpful?