# Pushed Authorization Requests (PAR)

> Send authorization parameters via a secure backend POST request to protect sensitive values from browser exposure.

export const ResponseSchema = ({statusCode, type = "{}", children}) => {
  const [open, setOpen] = useState(false);
  return <div className="border border-gray-100 dark:border-gray-800 rounded-lg mb-3 overflow-hidden">
      <div className={`flex items-center gap-2.5 px-4 py-2.5 cursor-pointer select-none ${open ? "bg-gray-50 dark:bg-gray-800" : ""}`} onClick={() => setOpen(!open)}>
        {statusCode && <span className="border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 font-mono text-xs px-1.5 py-0.5 rounded">
            {statusCode.startsWith("default") ? "default" : statusCode}
          </span>}
        <span className="text-gray-500 dark:text-gray-400 text-sm font-mono">
          {type}
        </span>
        <span className="text-gray-400 dark:text-gray-500 text-sm italic">
          application/json
        </span>
        <svg className={`ml-auto opacity-50 transition-transform duration-200 ${open ? "rotate-180" : ""}`} width="16" height="16" viewBox="0 0 16 16" fill="none">
          <path d="M4 6l4 4 4-4" stroke="currentColor" strokeWidth="1.5" strokeLinecap="round" strokeLinejoin="round" />
        </svg>
      </div>
      {open && <div className="px-4 pt-1 pb-3 border-t border-gray-100 dark:border-gray-800">
          {children}
        </div>}
    </div>;
};

## Endpoint

`POST /oauth/par`

<Note>
  To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing) for details.
</Note>

Authorization Code Flow with [Pushed Authorization Requests (PAR)](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par) uses the `/oauth/par` endpoint to let applications send the authorization parameters that are usually sent in a `GET` request to `/authorize`. PAR sends them in a `POST` request from the backend to keep parameter values secure. The `/oauth/par` endpoint accepts all authorization parameters that can be provided to `/authorize`.

Assuming the call to the `/oauth/par` endpoint is valid, Auth0 responds with a `request_uri` value that is then used as a parameter for the `/authorize` endpoint. To learn more about configuring PAR, read [Configure Pushed Authorization Requests (PAR)](https://auth0.com/docs/get-started/applications/configure-par).

### Remarks

* To make a call to the PAR endpoint, you must:
  * Set the request content type as `application/x-www-form-urlencoded`
  * Pass all parameters as strings
  * Include an additional parameter for application authentication in the request (e.g. `client_secret`, or `client_assertion` and `client_assertion_type` for JSON Web Token Client Authentication, or pass a `client-certificate` and `client-certificate-ca-verified` header when using Mutual TLS).
* Use the `authorization_details` parameter to request permission for each resource. For example, you can specify an array of JSON objects to convey fine-grained information on the authorization. Each JSON object must contain a `type` attribute. The rest is up to you to define.
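
The following added example (not Auth0's own code) builds a PAR request that follows the remarks above and then derives the browser redirect from the response. The `TENANT` placeholder, the function names, and the choice of `client_secret` for application authentication are assumptions made for illustration.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

TENANT = "https://tenant.example.com"  # placeholder tenant domain (assumption)


def pkce_pair():
    """Return (code_verifier, code_challenge) for code_challenge_method=S256."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_par_request(client_id, client_secret, redirect_uri, scope, details):
    """Return (url, headers, body, session) for the backend POST to /oauth/par."""
    if any("type" not in d for d in details):
        raise ValueError("each authorization_details object needs a 'type'")
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(24)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "client_secret": client_secret,  # application authentication, backend only
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        # All parameters are strings, so the JSON array is serialized first.
        "authorization_details": json.dumps(details, separators=(",", ":")),
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # Kept server-side: state is checked at the callback and code_verifier
    # is needed for the later code exchange.
    session = {"state": state, "code_verifier": verifier}
    return f"{TENANT}/oauth/par", headers, urlencode(params), session


def authorize_redirect(client_id, par_response):
    """Build the browser redirect; it carries only client_id and request_uri."""
    request_uri = par_response.get("request_uri")
    if not request_uri or int(par_response.get("expires_in", 0)) <= 0:
        raise ValueError("PAR response has no usable request_uri")
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{TENANT}/authorize?{query}"
```

The redirect has to be issued within `expires_in` seconds of the PAR response, because the `request_uri` is only valid for that long.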

## Headers

<ParamField header="DPoP" type="string">
  A DPoP proof for the request. This is optional and only required if your application uses Demonstrating Proof-of-Possession.
</ParamField>

## Body Parameters

<ParamField body="authorization_details" type="string">
  Requested permissions for each resource, similar to scopes.
</ParamField>

<ParamField body="audience" type="string">
  The unique identifier of the target API you want to access.
</ParamField>

<ParamField body="resource" type="string">
  The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to `audience` when the tenant's [Resource Parameter Compatibility Profile](https://auth0.com/docs/get-started/tenant-settings#settings-advanced) is set to `compatibility`.
</ParamField>

<ParamField body="response_type" type="string" required>
  Specifies the token type, e.g., `code` or `code id_token`. Required.
</ParamField>

<ParamField body="client_id" type="string" required>
  The `client_id` of your application. Required.
</ParamField>

<ParamField body="redirect_uri" type="string" required>
  The URL to which Auth0 will redirect after authorization is granted. Required.
</ParamField>

<ParamField body="state" type="string">
  An opaque value used to prevent CSRF attacks. Recommended.
</ParamField>

<ParamField body="scope" type="string">
  OIDC scopes and custom API scopes. Recommended.
</ParamField>

<ParamField body="code_challenge" type="string">
  Challenge generated from `code_verifier`. Recommended.
</ParamField>

<ParamField body="code_challenge_method" type="string">
  Method used to generate the challenge, typically `S256`. Recommended.
</ParamField>

<ParamField body="nonce" type="string">
  Used to prevent token replay attacks. Recommended for `response_type=id_token`.
</ParamField>

<ParamField body="connection" type="string">
  The name of the connection configured for your application.
</ParamField>

<ParamField body="prompt" type="string">
  Used to force a specific prompt, e.g., `prompt=consent`.
</ParamField>

<ParamField body="organization" type="string">
  ID of the organization to use when authenticating a user.
</ParamField>

<ParamField body="dpop_jkt" type="string">
  The JWK Thumbprint [RFC7638](https://www.rfc-editor.org/rfc/rfc7638.html) of the proof-of-possession public key using the SHA-256 hash function. Only when using Demonstrating Proof-of-Possession (DPoP).
</ParamField>
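
An added example (not Auth0's own code) of computing the `dpop_jkt` value as an RFC 7638 SHA-256 thumbprint of the public JWK. The function name and the sample key are constructed for illustration, and the sample coordinates are not a real key.

```python
import base64
import hashlib
import json

# Members that enter the thumbprint, per key type (RFC 7638; OKP per RFC 8037).
REQUIRED = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}

# Constructed sample public JWK; x and y are placeholder strings.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ",
    "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1ub3QtYS1yZWFsLWtleQ",
    "kid": "sample-key-1",
}


def dpop_jkt(public_jwk):
    """Return the base64url SHA-256 JWK thumbprint to send as dpop_jkt."""
    kty = public_jwk.get("kty")
    if kty not in REQUIRED:
        raise ValueError(f"unsupported key type for DPoP: {kty!r}")
    if "d" in public_jwk:
        raise ValueError("pass the public key only, not the private JWK")
    missing = [m for m in REQUIRED[kty] if m not in public_jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    # Only the required members, sorted by name, with no whitespace.
    canonical = json.dumps(
        {m: public_jwk[m] for m in REQUIRED[kty]},
        separators=(",", ":"),
        sort_keys=True,
    )
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
```

Optional members such as `kid` or `alg` and the order of members do not change the result, so the value pushed to `/oauth/par` stays stable for a given key.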

## Response Schema

<ResponseSchema>
  <ResponseField name="request_uri" type="string">
    The URI to use at the authorization endpoint.
  </ResponseField>

  <ResponseField name="expires_in" type="integer">
    Number of seconds the `request_uri` is valid.
  </ResponseField>
</ResponseSchema>

## Response Messages

| Status | Description                                                      |
| ------ | ---------------------------------------------------------------- |
| 201    | Request successful; returns the request URI and expiration time. |
