POST /oauth/par
To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
Authorization Code Flow with Pushed Authorization Requests (PAR) uses the /oauth/par endpoint to let an application send the authorization parameters that would normally travel in a GET request to /authorize. With PAR the application POSTs them from its backend over an authenticated back channel, so the parameter values never appear in the browser URL (and therefore not in history, referrer headers or proxy logs) and cannot be altered by the user agent. The /oauth/par endpoint accepts every parameter that /authorize accepts. If the request is valid, Auth0 responds with a request_uri reference (and its lifetime, expires_in); the application then redirects the user to /authorize with only client_id and that request_uri, and Auth0 resolves the pushed parameters from it. To learn more about configuring PAR, read Configure Pushed Authorization Requests (PAR).

Remarks

  • To make a call to the PAR endpoint, you must:
    • Set the request content type as application/x-www-form-urlencoded
    • Use strings for all passed parameters
    • Include an additional parameter for application authentication in the request (e.g. client_secret, or client_assertion and client_assertion_type for JSON Web Token Client Authentication, or pass a client-certificate and client-certificate-ca-verified header when using Mutual TLS).
  • Use the authorization_details parameter to request fine-grained permissions per resource (Rich Authorization Requests). The value is a JSON array of objects, serialized as a string; each object must contain a type attribute, and the remaining attributes are yours to define.
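The push-then-redirect sequence described above, as a worked example added here (it is not code from Auth0's documentation or SDKs). It assumes a placeholder tenant your-tenant.auth0.com, client_secret authentication, a placeholder CLIENT_ID/CLIENT_SECRET, an assumed API identifier https://api.example.com, and a constructed authorization_details payload and PAR response; the helper names are the example's own. It builds the form body with every value as a string, derives a PKCE S256 challenge, POSTs to /oauth/par, and turns the returned request_uri into the /authorize URL that carries nothing but client_id and request_uri.

```python
"""Worked PAR client: build the /oauth/par form body, push it over the back
channel, and derive the /authorize redirect from the returned request_uri.
Added example; tenant, client and API values below are placeholders."""
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "your-tenant.auth0.com"  # assumed placeholder tenant

# Constructed sample of a 201 body from /oauth/par (not captured from a real tenant).
SAMPLE_PAR_RESPONSE = {
    "request_uri": "urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c",
    "expires_in": 90,
}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(code_verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    if code_verifier is None:
        code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    code_challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return code_verifier, code_challenge


def build_par_body(client_id, client_secret, redirect_uri, code_challenge,
                   state, nonce, audience, scope, authorization_details):
    """Form fields for POST /oauth/par. Every value is a string, as the endpoint
    requires; authorization_details is a JSON array serialised into one field."""
    for entry in authorization_details:
        if "type" not in entry:
            raise ValueError("each authorization_details object needs a 'type'")
    return {
        "client_id": client_id,
        # Client authentication goes in the body too; client_assertion (+ _type)
        # or the mTLS certificate headers are the alternatives to client_secret.
        "client_secret": client_secret,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "audience": audience,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "authorization_details": json.dumps(authorization_details, separators=(",", ":")),
    }


def push_authorization_request(body, domain=AUTH0_DOMAIN, opener=urllib.request.urlopen):
    """POST the form to /oauth/par and return the parsed JSON body.
    `opener` is injectable so the flow can be exercised offline."""
    req = urllib.request.Request(
        f"https://{domain}/oauth/par",
        data=urllib.parse.urlencode(body).encode("ascii"),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


def build_authorize_url(par_response, client_id, domain=AUTH0_DOMAIN):
    """Front-channel /authorize URL: only client_id and request_uri pass through
    the browser; every other parameter stayed on the back channel."""
    request_uri = par_response.get("request_uri", "")
    if not request_uri:
        raise ValueError("PAR response carries no request_uri")
    if int(par_response.get("expires_in", 0)) <= 0:  # lifetime in seconds
        raise ValueError("request_uri is already expired")
    query = urllib.parse.urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"https://{domain}/authorize?{query}"


def _offline_opener(req):
    """Stand-in for urllib.request.urlopen that answers with SAMPLE_PAR_RESPONSE."""
    class _Resp:
        def __enter__(self): return self
        def __exit__(self, *exc): return False
        def read(self): return json.dumps(SAMPLE_PAR_RESPONSE).encode("utf-8")
    if req.get_method() != "POST" or b"request_uri=" in (req.data or b""):
        raise ValueError("PAR must be a POST carrying the parameters themselves")
    return _Resp()


def demo(opener=_offline_opener):
    """Run the whole sequence; returns the redirect URL plus what the backend
    must keep (bound to the user's session) to validate the callback."""
    verifier, challenge = make_pkce_pair()
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    body = build_par_body(
        client_id="CLIENT_ID", client_secret="CLIENT_SECRET",  # placeholders
        redirect_uri="https://app.example.com/callback",
        code_challenge=challenge, state=state, nonce=nonce,
        audience="https://api.example.com",                    # assumed API identifier
        scope="openid profile",
        authorization_details=[{                                # constructed RAR payload
            "type": "payment_initiation",
            "actions": ["initiate"],
            "instructedAmount": {"currency": "EUR", "amount": "123.50"},
        }],
    )
    par = push_authorization_request(body, opener=opener)
    return {"authorize_url": build_authorize_url(par, "CLIENT_ID"),
            "code_verifier": verifier, "state": state, "nonce": nonce}


if __name__ == "__main__":
    print(demo()["authorize_url"])
```

Replace `_offline_opener` with the default `urllib.request.urlopen` to talk to a real tenant; the values returned alongside the URL (code_verifier, state, nonce) must be stored server-side against the session and checked when the callback arrives, and the request_uri must be used before expires_in elapses.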

Parameters

DPoP
string
A DPoP proof JWT for this request. Send it only if your application uses Demonstrating Proof-of-Possession (DPoP); omit it otherwise.

Request Body

authorization_details
string
A JSON array of authorization-detail objects (each with a type attribute), serialized as a string; conveys per-resource permissions at a finer grain than scope.
audience
string
The unique identifier of the target API you want to access.
resource
string
The identifier of the target API (resource server) you want to access. Must match an API Identifier registered in your Auth0 tenant. Used as an alternative to audience when the tenant’s Resource Parameter Compatibility Profile is set to compatibility.
response_type
string
required
Specifies the response type of the authorization request, e.g., code (Authorization Code Flow) or code id_token (hybrid). Required.
client_id
string
required
The client_id of your application. Required.
redirect_uri
string
required
The URL to which Auth0 will redirect after authorization is granted. Required.
state
string
An opaque value used to prevent CSRF attacks. Recommended.
scope
string
OIDC scopes and custom API scopes. Recommended.
code_challenge
string
The PKCE challenge derived from code_verifier (for S256, the base64url-encoded SHA-256 digest of the verifier). Recommended.
code_challenge_method
string
Method used to generate the challenge, typically S256. Recommended.
nonce
string
A per-session random value that Auth0 echoes in the ID token so the application can detect replay. Required when response_type includes id_token; recommended otherwise.
connection
string
The name of the connection configured for your application.
prompt
string
Used to force a specific prompt, e.g., prompt=consent.
organization
string
ID of the organization to use when authenticating a user.
dpop_jkt
string
The JWK Thumbprint (RFC 7638) of the proof-of-possession public key, computed with SHA-256. Only when using Demonstrating Proof-of-Possession (DPoP).

Response

Status   Description
201      Request successful; the body contains the request URI (request_uri) and its lifetime in seconds (expires_in).