Configure Pushed Authorization Requests (PAR)
To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
The Auth0 Push Authorization Request (PAR) implementation is based on the OAuth RFC9126: Push Authorization Request specification. For more information, see Authorization Code Flow with Pushed Authorization Requests.
By default, PAR is not enabled by your tenant. You can enable it in the Auth0 Dashboard under your tenant settings. To learn more, read Enable PAR for a tenant.
After enabling PAR for your tenant, you can send authorization requests to both the /oauth/par and the /authorize endpoints. However, to fully secure your authorization flow, set PAR as required for an application via the Management API or Application Settings on the Auth0 Dashboard.
Enable PAR for a tenant
To enable PAR for a tenant, use the Auth0 Dashboard.
1. Navigate to Auth0 Dashboard > Settings > Advanced.
2. Scroll down to Settings and toggle on Allow Pushed Authorization Requests (PAR).
Require PAR for an application
Your tenant must have Allow Pushed Authorization Requests (PAR) enabled at the tenant-level before enabling PAR at the application-level.
Navigate to Auth0 Dashboard > Applications.
Select the application.
Select the Application Settings tab.
In the Authorization Requests section, enable the toggle Require Pushed Authorization Requests (PAR).
Your tenant must have Allow Pushed Authorization Requests (PAR) enabled at the tenant-level before enabling PAR at the application-level.
Use the following code sample to configure PAR for your application using the Management API:
curl -X PATCH --location 'https://TENANT.auth0.com/api/v2/clients/CLIENT_ID' \
--header 'Authorization: Bearer MANAGEMENT_ACCESS_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
"require_pushed_authorization_requests": true
}'feedbackSection.helpful