Pushed Authorization Requests (PAR)
PAR is defined by RFC 9126 — Pushed Authorization Requests: the client POSTs the authorization parameters to a back-channel endpoint first, receiving a request_uri that it then uses in the front-channel redirect. This avoids URL-length limits, keeps sensitive parameters off the front channel, and prevents tampering.
POST /orgs/{orgId}/api/v1/oauth/par
PAR is required for FAPI 2.0 clients. Use it for any flow involving sensitive parameters (e.g., claims, acr_values, or large scope strings).
PAR Request
Submit all authorization parameters to the PAR endpoint using client authentication. The request body is application/x-www-form-urlencoded.
| Parameter | Required | Description |
|---|---|---|
response_type | ✅ | e.g., code |
client_id | ✅ | Your client ID |
redirect_uri | ✅ | Pre-registered redirect URI |
scope | ✅ | Requested scopes |
state | recommended | CSRF protection value |
code_challenge | PKCE | S256 code challenge |
code_challenge_method | PKCE | S256 |
| Any other authorization parameter | nonce, prompt, max_age, claims, etc. |
PKCE (RFC 7636 — Proof Key for Code Exchange) requires the client to generate a random code verifier and send a hash of it when starting the flow, then the verifier itself when exchanging the code. See PKCE.
curl -X POST https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/par \
-u "your_client_id:your_client_secret" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "response_type=code" \
-d "client_id=your_client_id" \
-d "redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback" \
-d "scope=openid+profile+email" \
-d "state=abc123" \
-d "code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM" \
-d "code_challenge_method=S256"
PAR Response
{
"request_uri": "urn:ietf:params:oauth:request_uri:6esc_11ACC5bwc014ltc14eY22c",
"expires_in": 60
}
| Field | Description |
|---|---|
request_uri | Opaque URI referencing the pushed request. Single-use and short-lived. |
expires_in | Seconds until request_uri expires (typically 60) |
Using the request_uri
Pass the request_uri to the Authorization Endpoint instead of inline parameters:
GET https://app.lumoauth.dev/orgs/acme-corp/api/v1/oauth/authorize?
client_id=your_client_id&
request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3A6esc_11ACC5bwc014ltc14eY22c
Do not include other authorization parameters alongside request_uri — they will be ignored (or rejected for FAPI 2.0 clients).
Related
- FAPI 2.0 — profile where PAR is mandatory
- Authorization endpoint
- PKCE