> ## Documentation Index
> Fetch the complete documentation index at: https://auth0.com/llms.txt
> Use this file to discover all available pages before exploring further.

# User Authorization with CIBA

> Learn how to use Rich Authorization Requests with the Client-Initiated Backchannel Flow. 

[Client-Initiated Backchannel Authentication (CIBA)](/docs/fr-ca/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow) is an <Tooltip href="/docs/fr-ca/glossary?term=oath2" tip="OAuth 2.0
Cadre d’applications d’autorisation qui définit les protocoles d’autorisation et les flux de production." cta="Voir le glossaire">OAuth 2.0</Tooltip> specification that allows a client application to initiate an authentication and/or <Tooltip href="/docs/fr-ca/glossary?term=authorization-flow" tip="Flux d’autorisation
Octroi d’autorisation (ou flux de production) indiqué dans le cadre d’applications OAuth 2.0." cta="Voir le glossaire">authorization flow</Tooltip> without requiring direct user interaction on the initiating application. [Rich Authorization Requests (RAR)](/docs/fr-ca/get-started/apis/configure-rich-authorization-requests) is an OAuth 2.0 extension that allows client applications to request for more complex permissions beyond standard OAuth 2.0 scopes in an authorization request.

You can use CIBA with RAR to pass <Tooltip href="/docs/fr-ca/glossary?term=fine-grained-auth" tip="Autorisation à granularité fine (FGA)
Produit Auth0 permettant à des utilisateurs individuels d’accéder à des objets ou ressources particulières." cta="Voir le glossaire">fine-grained authorization</Tooltip> data to the <Tooltip href="/docs/fr-ca/glossary?term=authorization-server" tip="Serveur d’autorisations :
Serveur centralisé qui contribue à définir les limites de l’accès d’un utilisateur. Par exemple, votre serveur d’autorisations peut contrôler les données, les tâches et les fonctionnalités accessibles à un utilisateur. Un serveur d’autorisation ne sert pas à authentifier les utilisateurs. Cette tâche incombe au serveur d’authentification, qui est chargé de vérifier l’identité d’un utilisateur." cta="Voir le glossaire">authorization server</Tooltip> in a backchannel request. The `authorization_details` parameter contains details about the request that you can customize in a consent prompt to show the user.

## Common use cases

Use RAR with the CIBA flow for use cases that require more fine-grained control over resource access. Common use cases include:

1. A payments app prompts the user to confirm a money transfer. The `authorization_details` can be customized to show the transaction details.
2. An AI agent prompts the user with details about a rescheduled doctor’s appointment. The `authorization_details` can be customized to show the new time and date.

## How it works

The User Authorization with CIBA flow is similar to the [User Authentication with CIBA flow](/docs/fr-ca/get-started/authentication-and-authorization-flow/client-initiated-backchannel-authentication-flow/user-authentication-with-ciba), where RAR support enables clients to pass the `authorization_details` to the authorization server via the `/bc-authorize` endpoint.

The following sequence diagram explains the end-to-end User Authorization with CIBA flow:

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/fr-ca/cdy7uua7fh8z/2i8E4sBBWhQueL4NTt9gz4/a05084a6fd6d39b017572e93c2c9c7b9/Screenshot_2025-06-02_at_1.20.07_PM.png" alt="" />
</Frame>

The sequence diagram defines two actors: an authorizing user and an initiating user. The authorizing and initiating user can be two different entities, such as an AI agent performing a task on a user's behalf. In other use cases, they can be the same entity, such as a user authorizing a transaction on a retail kiosk or another connected device.

* [Prerequisites](#prerequisites)
* [Step 1: Client application initiates a CIBA request](#step-1-client-application-initiates-a-ciba-request)
* [Step 2: Auth0 tenant acknowledges the CIBA request](#step-2-auth0-tenant-acknowledges-the-ciba-request)
* [Step 3: Client application polls for a response](#step-3-client-application-polls-for-a-response)
* [Step 4: Mobile application receives the push notification](#step-4-mobile-application-receives-the-push-notification)
* [Step 5: Mobile application retrieves the consent details](#step-5-mobile-application-retrieves-the-consent-details)
* [Step 6: Mobile application presents the consent details to the user](#step-6-mobile-application-presents-the-consent-details-to-the-user)
* [Step 7: Mobile application sends the user response back to Auth0](#step-7-mobile-application-sends-the-user-response-back-to-auth0)
* [Step 8: Auth0 receives user response after the flow completes](#step-8-auth0-receives-user-response-after-the-flow-completes)
* [Step 9: Auth0 returns access token to the client application](#step-9-auth0-returns-access-token-to-client-application)

### Prerequisites

To initiate a CIBA push request using Auth0, you must complete the following prerequisites:

* Integrate your custom mobile application with the [Guardian SDK](/docs/fr-ca/secure/multi-factor-authentication/auth0-guardian#enroll-in-push-notifications). To learn more, read [Configure Client-Initiated Backchannel Authentication](/docs/fr-ca/get-started/applications/configure-client-initiated-backchannel-authentication).
* [Enroll the authorizing user in MFA using push notifications via the Guardian SDK](/docs/fr-ca/secure/multi-factor-authentication/auth0-guardian#enroll-in-push-notifications). To verify in the <Tooltip href="/docs/fr-ca/glossary?term=auth0-dashboard" tip="Auth0 Dashboard
  Principal produit d’Auth0 pour configurer vos services." cta="Voir le glossaire">Auth0 Dashboard</Tooltip>, navigate to **User Management > Users** and click on the user:

<Frame>
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/auth0/docs/images/fr-ca/cdy7uua7fh8z/21qtk4F1cOQHMpbXxXYu75/51ba9c5fd1457ffee3f73893acf3c97f/Screenshot_2025-01-13_at_4.13.44_PM.png" alt="" />
</Frame>

If you have set <Tooltip href="/docs/fr-ca/glossary?term=multifactor-authentication" tip="Authentification multifacteur (MFA)
Processus d’authentification de l’utilisateur qui utilise un facteur en plus du nom d’utilisateur et du mot de passe, tel qu’un code par SMS." cta="Voir le glossaire">Multi-factor Authentication</Tooltip> as always required for your tenant, users are prompted to enroll for MFA at their next login. You can also use [Actions](https://auth0.com/blog/using-actions-to-customize-your-mfa-factors/) to prompt for MFA enrollment.

* [Configure Client-Initiated Backchannel Authentication](/docs/fr-ca/get-started/applications/configure-client-initiated-backchannel-authentication) for your tenant and application.
* [Configure Rich Authorization Requests](/docs/fr-ca/get-started/apis/configure-rich-authorization-requests) for your <Tooltip href="/docs/fr-ca/glossary?term=resource-server" tip="Serveur de ressources
  Serveur hébergeant des ressources protégées. Les serveurs de ressources traitent les requêtes pour des ressources sécurisées et y répondent." cta="Voir le glossaire">resource server</Tooltip>, which includes registering your `authorization_details` types.

### Step 1: Client application initiates a CIBA request

Use the [User Search APIs](https://auth0.com/docs/manage-users/user-search) to find the authorizing user for whom you’d like to initiate a CIBA request and obtain their user ID.

Once you have a user ID for the authorizing user, use the [Authentication API](https://auth0.com/docs/api/authentication/login/start-back-channel-login) to send a CIBA request with the `authorization_details` to the `/bc-authorize` endpoint:

```bash lines theme={null}
curl --location 'https://$tenant/bc-authorize' \
  --request POST \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=$client_id' \
  --data-urlencode 'client_secret=$client_secret' \
  --data-urlencode 'login_hint={ "format": "iss_sub", "iss": "https://$tenant/", "sub":"$user_id"}' \
  --data-urlencode 'audience=https://api.example.com' \
  --data-urlencode 'binding_message=$binding_message' \
  --data-urlencode 'authorization_details=[{
      "type": "money_transfer", 
      "instructedAmount": {
        "amount": 2500, 
        "currency": "USD"
      }, 
      "sourceAccount": "xxxxxxxxxxx1234", 
      "destinationAccount": "xxxxxxxxxxx9876", 
      "beneficiary": "Hanna Herwitz", 
      "subject": "A Lannister Always Pays His Debts"
    }]'
```

| Parameters              | Description                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `tenant`                | Tenant name. It can also be a custom domain.                                                                                                                                                                                                                                                                                                                                                                                                              |
| `client_id`             | Client application identifier.                                                                                                                                                                                                                                                                                                                                                                                                                            |
| `client_secret`         | Client authentication method used for user authentication with CIBA, such as Client Secret, Private Key JWT, or mTLS Authentication. If you're using Private Key JWT or mTLS, you don't need to include the client secret.                                                                                                                                                                                                                                |
| `scope`                 | If the client needs to identify the user (i.e., obtain an `id_token`), `openid` must be included. If the client only needs an access token for authorization, `openid` is optional, but commonly included.<br /><br />The scope can optionally include `offline_access` to request a refresh token. However, for one-time authorization of a transaction with the CIBA Flow, a refresh token is not needed and does not have any meaning in this context. |
| `user_id`               | User ID for the authorizing user that is passed within the `login_hint` structure. If `iss_sub` format is used, then the user ID is passed within the `sub` claim.<br /><br />The user ID for a federated connection may have a different format.                                                                                                                                                                                                         |
| `requested_expiry`      | The CIBA flow's requested expiry is between 1 and 300 seconds, and it defaults to 300 seconds. Include the `requested_expiry` parameter to set a custom expiry for the CIBA flow.                                                                                                                                                                                                                                                                         |
| `binding_message`       | Human-readable message used to bind the CIBA flow across the authentication and consumption devices. The binding message is required and up to 64 characters. Use only alphanumeric and `+-_.,:#` characters                                                                                                                                                                                                                                              |
| `audience`              | Unique identifier of the audience for the issued token.                                                                                                                                                                                                                                                                                                                                                                                                   |
| `authorization_details` | An optional JSON array of objects that describes the permissions to be authorized. You should register each object’s `type` value on the resource server using the resource server’s `authorization_details` parameter. To learn more, read [Configure Rich Authorization Requests](/docs/fr-ca/get-started/apis/configure-rich-authorization-requests).                                                                                                  |

### Step 2: Auth0 tenant acknowledges the CIBA request

If the Auth0 tenant successfully receives the `POST` request, you should receive a response containing an `auth-req-id` that references the request:

```json lines theme={null}
{
    "auth_req_id": "eyJh...",
    "expires_in": 300,
    "interval": 5
}
```

The `auth_req_id` value is passed to the `/token` endpoint to poll for the completion of the CIBA flow.

### Step 3: Client application polls for a response

Use the [Authentication API](https://auth0.com/docs/api/authentication/login/start-back-channel-login) to call the `/token` endpoint using the `urn:openid:params:grant-type:ciba` grant type and the `auth_req_id` you received from the `/bc-authorize` endpoint:

<Tabs>
  <Tab title="cURL">
    ```bash lines theme={null}
    curl --location 'https://$tenant.auth0.com/oauth/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=$client_id' \
      --data-urlencode 'client_secret=$client_secret' \
      --data-urlencode 'auth_req_id=$auth_req_id' \
      --data-urlencode 'grant_type=urn:openid:params:grant-type:ciba'
    ```
  </Tab>

  <Tab title="C#">
    ```csharp lines theme={null}
    var token = await authenticationApiClient.GetTokenAsync(
                new ClientInitiatedBackchannelAuthorizationTokenRequest()
                {
                    AuthRequestId = response.AuthRequestId,
                    ClientId = "your-client-id",
                    ClientSecret = "your-client-secret"
                }
            );
    ```
  </Tab>

  <Tab title="Go">
    ```go lines theme={null}
    token, err := authAPI.OAuth.LoginWithGrant(context.Background(),
    			"urn:openid:params:grant-type:ciba",
    			url.Values{
    				"auth_req_id":   []string{resp.AuthReqID},
    				"client_id":     []string{clientID},
    				"client_secret": []string{clientSecret},
    			},
    			oauth.IDTokenValidationOptions{})
    ```
  </Tab>

  <Tab title="Java">
    ```java lines theme={null}
    Request<BackChannelTokenResponse> tokenRequest = auth.getBackChannelLoginStatus(authReqId, "grant-type");

    BackChannelTokenResponse tokenResponse = tokenRequest.execute().getBody();
    ```
  </Tab>
</Tabs>

Until the authorizing user approves the transaction, you should receive the following response:

```json lines theme={null}
{
    "error": "authorization_pending",
    "error_description": "The end-user authorization is pending"
}
```

The polling interval is determined by the `interval` value received in the response from the `/bc-authorize` endpoint. If you poll too frequently, you will receive the following response, where the description varies depending on the backoff interval:

```json lines theme={null}
{
"error": "slow_down",
"error_description": "You are polling faster than allowed. Try again in 10 seconds."
}
```

You can inspect the `Retry-After` response header to determine the next wait interval (in seconds). To resolve the error, wait until the next interval to poll the `/token` endpoint.

### Step 4: Mobile application receives the push notification

Auth0 sends a push notification to the user's registered mobile app or device. The [Guardian SDK](/docs/fr-ca/secure/multi-factor-authentication/auth0-guardian) provides methods to parse the data received from the push notification and return a ready-to-use `Notification` instance. The `Notification` instance includes a transaction linking ID, or `txlinkid`, that the mobile application uses to retrieve the consent details from Auth0.

The following code samples are example iOS and Android mobile push notification implementations using the Guardian SDK:

<Tabs>
  <Tab title="iOS">
    ```swift lines theme={null}
    //implementing UNUserNotificationCenterDelegate
    func userNotificationCenter(_ center: UNUserNotificationCenter, willPresent notification: UNNotification, withCompletionHandler completionHandler: (UNNotificationPresentationOptions) -> Void) {
        let userInfo = notification.request.content.userInfo
        if let notification = Guardian.notification(from: userInfo) {
             // Implement this function to display the prompt and handle user's consent/rejection.
             handleGuardianNotification(notification: notification)
        }
    }
    ```
  </Tab>

  <Tab title="Android">
    ```java lines theme={null}
    // at the FCM listener you receive a RemoteMessage
    @Override
    public void onMessageReceived(RemoteMessage message) {
        Notification notification = Guardian.parseNotification(message.getData());
        if (notification != null) {
            // you received a Guardian notification, handle it
            handleGuardianNotification(notification);
            return;
        }
        /* handle other push notifications you might be using ... */
    }
    ```
  </Tab>
</Tabs>

### Step 5: Mobile application retrieves the consent details

Call the Guardian SDK from your mobile application to retrieve the consent details i.e. the contents of the `binding_message` from the Auth0 Consent API.

The following code samples are example iOS and Android implementations that retrieve data from the Auth0 Consent API:

<Tabs>
  <Tab title="iOS">
    ```swift lines theme={null}
    let device: AuthenticationDevice = // the object you obtained during the initial Guardian SDK enrollment process and stored locally
    if let consentId = notification.transactionLinkingId {
        Guardian
            .consent(forDomain: {yourTenantDomain}, device: device)
            .fetch(consentId: consentId, notificationToken: notification.transactionToken)
            .start{result in
                switch result {
                case .success(let payload):
                    // present consent details to the user
                case .failure(let cause):
                    // something went wrong
            }
        }
    }
    ```
  </Tab>

  <Tab title="Android">
    ```java lines theme={null}
    Enrollment enrollment = // the object you obtained during the initial Guardian SDK enrollment process and stored locally
    if (notification.getTransactionLinkingId() != null) {
        guardian
          .fetchConsent(notification, enrollment)
          .start(new Callback<Enrollment> {
            @Override
            void onSuccess(RichConsent consentDetails) {
                // present consent details to the user 
            }
            @Override
            void onFailure(Throwable exception) {
                // something went wrong 
            }
          });
    }
    ```
  </Tab>
</Tabs>

### Step 6: Mobile application presents the consent details to the user

The Auth0 Consent API responds to the mobile application with the consent details, including the `binding_message`, `scope`, `audience`, and `authorization_details` if configured. The scopes returned to the mobile application are filtered according to your RBAC policy. To learn more, read [Role-Based Access Control](/docs/fr-ca/manage-users/access-control/rbac).

The following code sample is an example response from the Auth0 Consent API:

```json lines theme={null}
{
  "id": "cns_2309dsfsd098",
  "requested_details": {
    "audience": "https://api.example.com",
    "scope": ["read:profile", "write:profile"],
    "binding_message": "abc123",
    "authorization_details": [
      {
        "type": "money_transfer",
        "instructedAmount": {
          "amount": 2500,
          "currency": "USD"
        },
        "sourceAccount": "xxxxxxxxxxx1234",
        "destinationAccount": "xxxxxxxxxxx9876",
        "beneficiary": "Hanna Herwitz",
        "subject": "A Lannister Always Pays His Debts"
      }
    ]
  },
  "created_at": 1632739200,
  "expires_at": 1632739200
}
```

The mobile application presents the authorization request and/or the consent details with the `authorization_details` to the user in a push notification via the Guardian SDK. The user can accept or decline the authorization request at this point.

### Step 7: Mobile application sends the user response back to Auth0

Depending on whether the user accepts or rejects the authorization request, the mobile application sends the user response back to Auth0.

The following code samples are example iOS and Android implementations that handle the user response:

#### User accepts the authorization request

<Tabs>
  <Tab title="iOS">
    ```swift lines theme={null}
    Guardian
        .authentication(forDomain: "{yourTenantDomain}", device: device)
        .allow(notification: notification)
        // or reject(notification: notification, withReason: "hacked")
        .start { result in
            switch result {
            case .success:
                // the auth request was successfully rejected
            case .failure(let cause):
                // something failed, check cause to see what went wrong
            }
        }
    ```
  </Tab>

  <Tab title="Android">
    ```java lines theme={null}
    guardian
        .allow(notification, enrollment)
        .execute(); // or start(new Callback<> ...)
    ```
  </Tab>
</Tabs>

#### User rejects the authorization request

<Tabs>
  <Tab title="iOS">
    ```swift lines theme={null}
    Guardian
            .authentication(forDomain: "{yourTenantDomain}", device: device)
            .reject(notification: notification)
            // or reject(notification: notification, withReason: "hacked")
            .start { result in
                switch result {
                case .success:
                    // the auth request was successfully rejected
                case .failure(let cause):
                    // something failed, check cause to see what went wrong
                }
            }
    ```
  </Tab>

  <Tab title="Android">
    ```java lines theme={null}
    guardian
        .reject(notification, enrollment) // or reject(notification, enrollment, reason)
        .execute(); // or start(new Callback<> ...)
    ```
  </Tab>
</Tabs>

### Step 8: Auth0 receives user response after the flow completes

The client application completes the polling upon receiving a response from the `/token` endpoint. A CIBA flow always requires a response, either an approval or decline, from the authorizing user, and existing grants are not checked. This means Auth0 treats every CIBA request as a fresh authorization for the authorizing user.

### Step 9: Auth0 returns access token to client application

If the user rejects the push request, Auth0 returns an error response like the following to the client application:

```json lines theme={null}
{
    "error": "access_denied",
    "error_description": "The end-user denied the authorization request or it has been expired"
}
```

If the user approves the push request, Auth0 returns an <Tooltip href="/docs/fr-ca/glossary?term=access-token" tip="Jeton d’accès
Identifiant d’autorisation, sous la forme d’une chaîne opaque ou d’un JWT, utilisé pour accéder à une API." cta="Voir le glossaire">access token</Tooltip> with the `authorization_details` like the following to the client application:

```json lines theme={null}
{
  "id_token": "...",
  "access_token": "...",
  "expires_in": "...",
  "scope": "$granted_scopes",
  "authorization_details": [{
      "type": "money_transfer", 
      "instructedAmount": {
        "amount": 2500, 
        "currency": "USD"
      }, 
      "sourceAccount": "xxxxxxxxxxx1234", 
      "destinationAccount": "xxxxxxxxxxx9876", 
      "beneficiary": "Hanna Herwitz", 
      "subject": "A Lannister Always Pays His Debts"
    }]
}
```

**Note:** The `id_token` will only be present if the `openid` scope was included in the initial `/bc-authorize` request.

## Query authorization\_details

At compile time, you can query the type and objects of `authorization_details` from the consent details in a strongly typed manner as you would dynamically query JSON:

<Tabs>
  <Tab title="iOS">
    ```swift lines theme={null}
    let requestedDetails: ConsentRequestedDetails = payload.requestedDetails
    let myAuthorizationDetailsTypes = requestedDetails.authorizationDetails[0].objectValue!;
    let type = myAuthorizationDetailsTypes["type"]?.stringValue // Your pre-registered type value
    let stringProperty = myAuthorizationDetailsTypes["string_property"]?.stringValue
    let boolProperty = myAuthorizationDetailsTypes["bool_property"]?.boolValue
    let numericProperty = myAuthorizationDetailsTypes["numeric_property"]?.doubleValue
    let nestedObjectProperty = myAuthorizationDetailsTypes["nested_property"]?.objectValue
    let nestedArrayProperty = myAuthorizationDetailsTypes["nested_array_property"]?.arrayValue
    ```
  </Tab>

  <Tab title="Android">
    ```java lines theme={null}
    RichConsentRequestedDetails requestedDetails = consentDetails.getRequestedDetails();
    Map<String, Object> authorizationDetails = requestedDetails.getAuthorizationDetails().get(0);
    String type = (String) myAuthorizationDetailsTypes.get("type");
    String stringProperty = (String) myAuthorizationDetailsTypes.get("string_property");
    boolean booleanProperty = (boolean) myAuthorizationDetailsTypes.get("boolean_property");
    int numericProperty = (int) myAuthorizationDetailsTypes.get("numeric_property");
    Object nestedObjectProperty = myAuthorizationDetailsTypes.get("nested_property");
    List<Object> nestedArrayProperty = (List<Object>) myAuthorizationDetailsTypes.get("nested_array_property");
    ```
  </Tab>
</Tabs>

If you define a custom type to represent your object, you can use the `filterAuthorizationDetailsByType()` function to return all `authorization_details` objects that match the desired type.

The following code sample queries `authorization_details` with the `payment` type:

<Tabs>
  <Tab title="iOS">
    ```swift lines theme={null}
    // Must implement AuthorizationDetailsType 
    struct Payment : AuthorizationDetailsType { 
    static let type = "payment"; 
    let amount: Double; 
    let currency: String; 
    } 

    ... 

    let requestedDetails: ConsentRequestedDetails = payload.requestedDetails 
    let payments = requestedDetails.filterAuthorizationDetailsByType(Payment.self) 
    let firstPayment = payments.first!
    let type: String = firstPayment.type // "payment" 
    let amount: Double = firstPayment.amount 
    let currency: String = firstPayment.currency
    ```
  </Tab>

  <Tab title="Android">
    ```java lines theme={null}
    @AuthorizatioDetailsType("payment")
    class Payment {
        private String type;
        private int amount;
        private String currency;

        public Payment(String type, int amount, String currency) {
            this.type = type;
            this.amount = amount;
            this.currency = currency;
        }

        public String getType() {
            return type;
        }

        public int getAmount() {
            return amount;
        }

        public String getCurrency() {
            return currency;
        }
    }

    ...

    RichConsentRequestedDetails requestedDetails = consentDetails.getRequestedDetails();
    List<Payment> payments = requestedDetails.filterAuthorizationDetailsByType(Payment.class);
    Payment firstPayment = payments.get(0);
    String type = firstPayment.getType();
    int amount = firstPayment.getAmount();
    String currency = firstPayment.getCurrency();
    ```
  </Tab>
</Tabs>

`filterAuthorizationDetailsByType()` only returns objects matching the specified `authorization_details` type. As a result, your mobile application should present all relevant `authorization_details` to the user for consent, regardless of their type, to ensure a complete understanding of the request

You can also query the `authorization_details` when the AI agent or application polls the `/oauth/token`endpoint for a response:

```bash lines theme={null}
POST https://$tenant/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:openid:params:grant-type:ciba&
client_id=$client_id&
client_secret=$client_secret&
auth_req_id=$auth_req_id
```

| Parameters      | Description                                                                                        |
| --------------- | -------------------------------------------------------------------------------------------------- |
| `grant_type`    | Set to the CIBA grant type: `urn:openid:params:grant-type:ciba`                                    |
| `client_id`     | Set to the application’s client ID.                                                                |
| `client_secret` | Set to the application’s client secret.                                                            |
| `auth_req_id`   | Returned from the Auth0 tenant when it acknowledges the CIBA request. References the CIBA request. |

When the authorizing user approves the request, Auth0 receives the user response, and the CIBA flow completes, returning an access token and `authorization_details` array:

```json lines theme={null}
{ 
  "access_token": "ey...ZQ", 
  "expires_in": 86400, 
  "authorization_details": [{ 
    "type": "money_transfer", 
    "instructedAmount": {
      "amount": 2500, 
      "currency": "USD"
    }, 
    "sourceAccount": "xxxxxxxxxxx1234", 
    "destinationAccount": "xxxxxxxxxxx9876", 
    "beneficiary": "Hanna Herwitz", 
    "subject": "A Lannister Always Pays His Debts" 
  }], 
  "token_type": "Bearer" 
}
```

## Limitations

Auth0 doesn’t support:

* Accessing or modifying RAR in Actions for CIBA flows.
* Advertising RAR types for clients to discover, which means you need to pre-register clients with the `authorization_details` types they can send.
* Validating RAR objects beyond checking that they have a `type` property that matches allowed types for the API. Your resource server is responsible for the granular validation of the content within `authorization_details`. For more information, see [Configure RAR](/docs/fr-ca/get-started/apis/configure-rich-authorization-requests).

## En savoir plus

* [Configurer les Demandes d’autorisation enrichies (RAR)](/docs/fr-ca/get-started/apis/configure-rich-authorization-requests)
* [Flux de code d’autorisation avec demandes d’autorisation poussées (RAR)](/docs/fr-ca/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-rar)
* [Configurer l’authentification par canal d’appui initiée par le client](/docs/fr-ca/get-started/applications/configure-client-initiated-backchannel-authentication)
