Glossary / Authorization
Pushed Authorization Requests (PAR)
Pushed Authorization Requests (PAR) is an OAuth 2.0 extension that lets a client send the authorization request parameters directly to the server over a back channel before redirecting the user, improving security and reducing exposure of request data.
Also: PAR
Pushed Authorization Requests allow an OAuth 2.0 client to submit its authorization request parameters to the authorization server through an authenticated back-channel call before the user’s browser is involved. The server validates the parameters, stores them, and returns a request URI. The client then redirects the user to the authorization endpoint with only that short request URI, rather than the full set of parameters.
This approach keeps sensitive parameters such as scopes, redirect URIs, and custom claims out of the browser’s address bar and out of intermediary logs. It also lets the authorization server authenticate the client and validate the request before the user interaction begins, catching errors early.
PAR is a building block of high-security profiles. It pairs naturally with other hardening measures like PKCE and mutual TLS to reduce attack surface in the authorization flow.
For CIAM (customer identity and access management), PAR protects customer-facing authorization flows from parameter tampering and data leakage, making it valuable in regulated or high-assurance scenarios.
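The exchange described above, as an added example that is not part of this glossary entry or of RFC 9126: the client builds the back-channel PAR body (with PKCE, as the entry suggests), a hypothetical toy authorization server validates and stores it and issues a request_uri, and the front-channel redirect then carries only client_id and that opaque reference. The endpoint URL, client registration data and the ToyAuthorizationServer class are assumptions for illustration.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHZ_ENDPOINT = "https://as.example.com/authorize"  # hypothetical authorization endpoint
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"  # form recommended by RFC 9126

def pkce_pair():
    """Return a PKCE (code_verifier, S256 code_challenge) pair; PAR is usually combined with PKCE."""
    verifier = secrets.token_urlsafe(48)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_par_body(client_id, redirect_uri, scope, state, code_challenge):
    """Form body the client POSTs to the PAR endpoint over the authenticated back channel."""
    return {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
            "scope": scope, "state": state, "code_challenge": code_challenge,
            "code_challenge_method": "S256"}

class ToyAuthorizationServer:
    """Hypothetical stand-in for the AS side: validates, stores the pushed request, issues a request_uri."""
    def __init__(self, registered):
        self.registered = registered  # client_id -> set of registered redirect URIs
        self.pushed = {}              # request_uri -> stored parameters (single use, short-lived)

    def par_endpoint(self, authenticated_client_id, form):
        # authenticated_client_id models the result of client authentication on the back channel
        if form.get("client_id") != authenticated_client_id:
            return 400, {"error": "invalid_request"}
        if form.get("redirect_uri") not in self.registered.get(authenticated_client_id, ()):
            return 400, {"error": "invalid_request"}  # caught before the user is ever redirected
        if "request_uri" in form:
            return 400, {"error": "invalid_request"}  # a pushed request may not itself carry request_uri
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self.pushed[request_uri] = dict(form)
        return 201, {"request_uri": request_uri, "expires_in": 60}

def build_authorization_url(client_id, par_response):
    """Front-channel redirect: only client_id and the opaque request_uri appear in the browser URL."""
    request_uri = par_response["request_uri"]
    if not request_uri.startswith(REQUEST_URI_PREFIX):
        raise ValueError("unexpected request_uri format")
    return AUTHZ_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})
```

Compare the redirect URL with the stored request: the scope, redirect_uri and code_challenge never reach the browser's address bar or any intermediary log.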
Sources
- IETF RFC 9126, OAuth 2.0 Pushed Authorization Requests: https://datatracker.ietf.org/doc/html/rfc9126
Standards
- IETF RFC 9126