
Pushed Authorization Requests (PAR) — Primer

Pushed Authorization Requests (RFC 9126) move large/structured authorization requests to a back‑channel, returning a short‑lived request_uri.


Why it matters

Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.

Where it’s enforced

  • Gateway: pre‑execution gating (plan/schema pins, params/egress)
  • Shield: inline budgets/stream caps/content checks
  • PDP: decisions with constraints/obligations/TTL
  • IdP: passports, token exchange, consent/DPoP

How it works (high level)

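PAR (RFC 9126) moves large/structured authorization requests to the back‑channel: the client POSTs the request parameters directly to the authorization server (AS) instead of sending them through the browser. Client authentication is REQUIRED. The AS returns a request_uri with a short TTL (expires_in), and the client then presents that request_uri at /authorize.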

```mermaid
sequenceDiagram
  autonumber
  participant Client
  participant AS
  Client->>AS: POST /par (client auth)
  AS-->>Client: {request_uri, expires_in}
  Client->>AS: /authorize?request_uri=...&response_mode=jwt
  AS-->>Client: JARM JWT
```
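
The AS side of the exchange above in Python, as an added example (not code from this page or from the product it describes). It shows the checks that make request_uri safe to pass through the browser: client authentication at push time, an unguessable reference, binding to the pushing client, a short TTL, and one-time use. The client registry, the 60-second TTL, the function names, the error strings and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

PREFIX = "urn:ietf:params:oauth:request_uri:"  # URN form used in RFC 9126's examples
TTL = 60                                       # assumed lifetime, in seconds
CLIENTS = {"client-a": "constructed-secret"}   # constructed client registry
_pushed = {}                                   # reference -> (client_id, params, expiry)


class ParError(Exception):
    """Carries an OAuth-style error code."""


def push(client_id, client_secret, params, now=None):
    """PAR endpoint: authenticate the client, store the request, return a reference."""
    now = time.time() if now is None else now
    expected = CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(
            expected.encode(), client_secret.encode()):
        raise ParError("invalid_client")
    if "request_uri" in params:  # a pushed request must not itself carry a request_uri
        raise ParError("invalid_request")
    ref = secrets.token_urlsafe(32)  # unguessable reference
    _pushed[ref] = (client_id, dict(params), now + TTL)
    return {"request_uri": PREFIX + ref, "expires_in": TTL}


def authorize(client_id, request_uri, now=None):
    """Authorization endpoint: resolve request_uri back to the pushed parameters."""
    now = time.time() if now is None else now
    ref = request_uri[len(PREFIX):] if request_uri.startswith(PREFIX) else None
    entry = _pushed.get(ref)
    # Reject unknown references and ones pushed by a different client,
    # without consuming the rightful client's entry.
    if entry is None or entry[0] != client_id:
        raise ParError("invalid_request_uri")
    del _pushed[ref]  # one-time use: a replayed request_uri no longer resolves
    if now >= entry[2]:
        raise ParError("invalid_request_uri")
    return entry[1]
```

The `now` parameter exists only so expiry can be exercised deterministically; a deployment would also need a shared store and periodic cleanup of unredeemed entries.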
