Configure Pushed Authorization Requests (PAR)
To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
The Auth0 Push Authorization Request (PAR) implementation is based on the OAuth RFC9126: Push Authorization Request specification. For more information, see Authorization Code Flow with Pushed Authorization Requests.
By default, PAR is not required by the authorization server. As a result, you can send authorization requests to the PAR endpoint and the /authorize endpoint. However, to fully secure your authorization flow, set PAR as required for an application and/or a tenant via the Management API or Application Settings on the Auth0 Dashboard.
Set PAR for a tenant
To set PAR for a tenant, use the Auth0 Dashboard.
1. Navigate to Auth0 Dashboard > Settings > Advanced.
2. Scroll down to Settings and toggle on Allow Pushed Authorization Requests (PAR).
Set PAR for an application
Your tenant must have Allow Pushed Authorization Requests (PAR) enabled at the tenant-level before enabling PAR at the application-level.
Navigate to Auth0 Dashboard > Applications.
Select the application.
Select the Application Settings tab.
In the Authorization Requests section, enable the toggle Require Pushed Authorization Requests (PAR).
Your tenant must have Allow Pushed Authorization Requests (PAR) enabled at the tenant-level before enabling PAR at the application-level.
Use the following code sample to configure PAR for your application using the Management API:
curl -X PATCH --location 'https://TENANT.auth0.com/api/v2/clients/CLIENT_ID' \
--header 'Authorization: Bearer MANAGEMENT_ACCESS_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
"require_pushed_authorization_requests": true
}'Was this helpful?