Configure Pushed Authorization Requests (PAR)
The Auth0 Pushed Authorization Requests (PAR) implementation is based on the OAuth RFC 9126: Pushed Authorization Requests specification. For more information, see Authorization Code Flow with Pushed Authorization Requests.
By default, PAR is not required by the authorization server. As a result, you can send authorization requests to the PAR endpoint and the /authorize endpoint. However, to fully secure your authorization flow, set PAR as required for an application and/or a tenant via the Management API or Application Settings on the Auth0 Dashboard.
Set PAR for an application
1. Navigate to Auth0 Dashboard > Applications.
2. Select the application.
3. Select the Application Settings tab.
4. In the Authorization Requests section, enable the toggle Require Pushed Authorization Requests (PAR).
![Set application-level PAR with Auth0 Dashboard](http://images.ctfassets.net/cdy7uua7fh8z/2y2F8ydAHB1O8DbUMlu6vA/f1ed831a1f188bbd721ce4fc2a0207b5/Screenshot_2024-05-28_at_10.24.58_AM.png)
Use the following code sample to configure PAR for your application using the Management API:
```bash
curl -X PATCH --location 'https://TENANT.auth0.com/api/v2/clients/CLIENT_ID' \
  --header 'Authorization: Bearer MANAGEMENT_ACCESS_TOKEN' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "require_pushed_authorization_requests": true
  }'
```
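Because PAR is not required by default, it helps to check which applications still accept plain /authorize requests before and after changing the setting. The following dry-run audit is an added example, not Auth0's code: the client list is constructed, the function names are hypothetical, and it assumes that client objects returned by `GET /api/v2/clients` expose the same `require_pushed_authorization_requests` field that the PATCH call sets.

```python
import json
import urllib.parse
import urllib.request

FLAG = "require_pushed_authorization_requests"

# Constructed sample of a GET /api/v2/clients response (not real tenant data).
# Assumption: client objects expose the same flag that the PATCH call sets.
SAMPLE_CLIENTS = [
    {"client_id": "constructed-client-a", "name": "Payments SPA", FLAG: True},
    {"client_id": "constructed-client-b", "name": "Legacy Portal", FLAG: False},
    {"client_id": "constructed-client-c", "name": "Partner App"},  # flag absent
]


def clients_missing_par(clients):
    """Return clients that still accept plain /authorize requests.

    PAR is not required by default, so an absent flag counts as not enforced.
    """
    return [c for c in clients if c.get(FLAG) is not True]


def build_par_patch(tenant_domain, client_id, token):
    """Build (but do not send) the PATCH request that enforces PAR."""
    url = "https://%s/api/v2/clients/%s" % (
        tenant_domain, urllib.parse.quote(client_id, safe=""))
    return urllib.request.Request(
        url,
        data=json.dumps({FLAG: True}).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )


def plan_remediation(clients, tenant_domain, token):
    """One prepared PATCH request per client that does not require PAR."""
    return [build_par_patch(tenant_domain, c["client_id"], token)
            for c in clients_missing_par(clients)]


if __name__ == "__main__":
    # Dry run: print what would be changed; nothing is sent to the tenant.
    for req in plan_remediation(SAMPLE_CLIENTS, "TENANT.auth0.com",
                                "MANAGEMENT_ACCESS_TOKEN"):
        print(req.get_method(), req.full_url, req.data.decode())
```

Each prepared request can be sent with `urllib.request.urlopen(req)` once the plan has been reviewed.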
Set PAR for a tenant
To set PAR for a tenant, use the Auth0 Dashboard.
1. Navigate to Auth0 Dashboard > Settings > Advanced.
2. Scroll down to Settings and toggle on Allow Pushed Authorization Requests (PAR).
![Auth0 Dashboard > Settings > Advanced > Allow mTLS endpoint aliases](http://images.ctfassets.net/cdy7uua7fh8z/4FnQEF7eNEgDT5OLcH46c2/143ff959424a43ced788373ffc8d9ceb/Screenshot_2024-07-08_at_1.39.21_PM.png)