OAuth2 & OpenID Connect Deep Dive · Lesson

Pushed Authorization Requests (PAR)

Learn how Pushed Authorization Requests (RFC 9126) move authorization parameters to a secure back-channel call, improving integrity and confidentiality for advanced OAuth2 deployments.

The Front-Channel Problem

Normally, authorization parameters travel to /authorize in the browser URL. There they are visible, can be tampered with, and grow long when requests are rich (claims, multiple resources). PAR moves them to a trusted back-channel.

What PAR Does

With Pushed Authorization Requests (RFC 9126), the client first POSTs all authorization parameters directly to a new pushed_authorization_request endpoint. The server stores them and returns a request_uri handle.
