PAR

The Pushed Authorization Requests (PAR) service implements RFC 9126, enabling OAuth 2.0 clients to pre-register their authorization request parameters with the authorization server over a secure back-channel before initiating the user agent redirect. This is particularly valuable for large or security-sensitive requests because the parameters are transmitted server-to-server via a direct POST rather than being exposed in browser redirect URIs. nevisAuth validates the request parameters and client credentials, stores the request in its out-of-context data store, and returns a short-lived request_uri reference bounded by a configurable lifetime between 5 and 600 seconds. The client then presents this request_uri at the authorization endpoint in place of the full parameter set, keeping the user-facing URL compact and tamper-resistant. PAR is required by high-security OAuth 2.0 profiles such as FAPI 2.0.
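The lifecycle described above, modelled in memory as an added example; this is not nevisAuth code or its API. The class and method names, the client table and the error codes chosen are assumptions; binding the `request_uri` to the pushing client and treating it as one-time use follow RFC 9126.

```python
import hmac
import secrets
import time

URN_PREFIX = "urn:ietf:params:oauth:request_uri:"  # form used in RFC 9126 examples
MIN_LIFETIME, MAX_LIFETIME = 5, 600                 # bounds stated on this page


class ParError(Exception):
    """Carries an OAuth error code such as invalid_client or invalid_request."""


class ParStore:
    """Hypothetical stand-in for the server-side store of pushed requests."""
    def __init__(self, clients, lifetime=60, clock=time.monotonic):
        if not MIN_LIFETIME <= lifetime <= MAX_LIFETIME:
            raise ValueError("lifetime must be between 5 and 600 seconds")
        self.clients = clients      # client_id -> secret (constructed sample data)
        self.lifetime = lifetime
        self.clock = clock
        self.pending = {}           # request_uri -> (client_id, params, expiry)

    def push(self, client_id, client_secret, params):
        """Back-channel POST: authenticate, validate, store, return a reference."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(
                expected.encode(), client_secret.encode()):
            raise ParError("invalid_client")
        if "request_uri" in params:  # RFC 9126: request_uri must not be pushed
            raise ParError("invalid_request")
        uri = URN_PREFIX + secrets.token_urlsafe(32)  # unguessable reference
        self.pending[uri] = (client_id, dict(params), self.clock() + self.lifetime)
        return {"request_uri": uri, "expires_in": self.lifetime}

    def resolve(self, client_id, request_uri):
        """Authorization endpoint: swap the reference for the stored parameters."""
        entry = self.pending.get(request_uri)
        if entry is None:            # unknown, already used, or expired and purged
            raise ParError("invalid_request_uri")
        owner, params, expiry = entry
        if owner != client_id:       # reference is bound to the pushing client
            raise ParError("invalid_request_uri")
        del self.pending[request_uri]  # one-time use: a replay finds nothing
        if self.clock() >= expiry:
            raise ParError("invalid_request_uri")
        return params
```

Passing a fake `clock` makes the expiry path testable without sleeping.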