Skip to main content
Version: v2.0 (latest)

Pushed Authorization Requests (PAR) — Recommended

PAR (RFC 9126) keeps the request parameters out of the browser URL entirely. You push them to OIDC Web over an authenticated back channel. OIDC Web returns a short-lived, single-use request_uri to put in the redirect.

Step 1 — Push the Request

Authenticate as your client. For the strongest guarantee, combine PAR with a signed request object from JAR:

curl -s -X POST "$BASE/oidc/v1/par" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d client_id=$CLIENT_ID \
-d request=<signed_request_jwt> # or the individual parameters

Response (HTTP 201):

{
"request_uri": "urn:ietf:params:oauth:request_uri:5f3c…",
"expires_in": 600
}

Step 2 — Redirect the Browser

Use only the opaque reference:

$BASE/oidc/v1/authorize?client_id=$CLIENT_ID&request_uri=urn:ietf:params:oauth:request_uri:5f3c…

The request_uri is single-use, short-lived, and bound to your client. Another party cannot reuse or replay it. A PAR request may not contain a request_uri of its own. For signed-request (FAPI) clients, PAR enforces response_type=code, a registered redirect_uri, and PKCE S256.