POST https://{yourDomain}/oauth/par
Pushed Authorization Request (PAR)
curl --request POST \
  --url https://{yourDomain}/oauth/par \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data client_id=YOUR_CLIENT_ID \
  --data client_secret=YOUR_CLIENT_SECRET \
  --data response_type=code \
  --data redirect_uri=https://your-app.com/callback \
  --data 'scope=openid profile email' \
  --data state=xyzABC123 \
  --data code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM \
  --data code_challenge_method=S256

{
  "request_uri": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
  "expires_in": 90
}

Authorizations

Authorization
string
header
required

The access token received from the authorization server in the OAuth 2.0 flow.

Body

application/x-www-form-urlencoded
client_id
string
required

Your application's Client ID

response_type
enum<string>
required

Must be 'code' for PAR

Available options: code

client_secret
string

Your application's Client Secret (required for confidential clients)

redirect_uri
string<uri>

The redirect URI for your application

scope
string

Space-delimited list of requested scopes

state
string

An opaque value to maintain state between request and callback

audience
string

The unique identifier of the target API

code_challenge
string

The PKCE code challenge

code_challenge_method
enum<string>

The method used to generate the code challenge

Available options: S256

nonce
string

A random string value for ID Token validation

client_assertion
string

A JWT signed with your client secret or private key (for Private Key JWT authentication)

client_assertion_type
enum<string>

Must be 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer' when using client_assertion

Available options: urn:ietf:params:oauth:client-assertion-type:jwt-bearer

Response

Request URI created successfully

request_uri
string<uri>
required

The request URI to use in the authorization request. Pass this to the /authorize endpoint.

expires_in
integer
required

The lifetime in seconds of the request URI (typically 90 seconds)
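
The client-side steps around this endpoint, as an added Python example that is not part of the original reference or the provider's own code: it derives the S256 `code_challenge`, assembles the form fields for `POST /oauth/par`, and builds the `/authorize` redirect from the response while refusing an expired `request_uri`. The function names, the `https://{domain}/authorize` URL shape and the choice to send only `client_id` and `request_uri` through the browser (as RFC 9126 describes) are assumptions of this example.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_par_form(client_id, redirect_uri, scope, client_secret=None):
    """Return (form fields for POST /oauth/par, values to keep in the user's session)."""
    keep = {
        "code_verifier": secrets.token_urlsafe(32),  # 43 chars, never sent to /oauth/par
        "state": secrets.token_urlsafe(16),          # compared against the callback's state
        "nonce": secrets.token_urlsafe(16),          # compared against the ID token's nonce
    }
    form = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": keep["state"],
        "nonce": keep["nonce"],
        "code_challenge": s256_challenge(keep["code_verifier"]),
        "code_challenge_method": "S256",
    }
    if client_secret is not None:  # confidential clients only
        form["client_secret"] = client_secret
    return form, keep


def authorize_url(domain, client_id, par_response, received_at, now=None):
    """Build the browser redirect from a PAR response; refuse an expired request_uri."""
    now = time.time() if now is None else now
    if now - received_at >= par_response["expires_in"]:
        raise ValueError("request_uri expired; push the authorization request again")
    # Only client_id and request_uri travel through the browser (RFC 9126).
    query = urlencode({"client_id": client_id, "request_uri": par_response["request_uri"]})
    return f"https://{domain}/authorize?{query}"


# Constructed sample: the response body shown on this page.
SAMPLE_RESPONSE = {"request_uri": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
                   "expires_in": 90}
```

Record `received_at` when the PAR response arrives, and keep `code_verifier` server-side for the later token exchange.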