Pushed Authorization Requests (PAR) — Primer
Pushed Authorization Requests (RFC 9126) move large/structured authorization requests to a back‑channel, returning a short‑lived request_uri.
Why it matters
Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.
Where it’s enforced
- Gateway: pre‑execution gating (plan/schema pins, params/egress)
- Shield: inline budgets/stream caps/content checks
- PDP: decisions with constraints/obligations/TTL
- IdP: passports, token exchange, consent/DPoP
How it works (high level)
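PAR (RFC 9126) moves large/structured authorization requests to the back‑channel: the client pushes the request parameters directly to the authorization server instead of carrying them through the browser. Client authentication is REQUIRED. The returned request_uri has a short TTL and is then used at /authorize in place of the pushed parameters.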
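The flow above, sketched from the authorization server's side as an added example (not code from this page or the product it describes). It assumes an in-memory store, constructed client credentials, a 60-second TTL, and hypothetical function names push and authorize.

```python
import hmac, secrets, time

URN = "urn:ietf:params:oauth:request_uri:"  # prefix used in the RFC 9126 examples
TTL = 60                                    # seconds; assumed value, keep it short
CLIENTS = {"client-a": "s3cret-a", "client-b": "s3cret-b"}  # constructed credentials
_pushed = {}                                # request_uri -> (client_id, params, expiry)

class ParError(Exception):
    """Carries an OAuth-style error code as its message."""

def push(client_id, client_secret, params, now=None):
    """PAR endpoint: authenticate the client, store the request, return a handle."""
    now = time.time() if now is None else now
    expected = CLIENTS.get(client_id, "")
    if not expected or not hmac.compare_digest(expected, client_secret):
        raise ParError("invalid_client")
    if "request_uri" in params:             # RFC 9126: not allowed in a pushed request
        raise ParError("invalid_request")
    uri = URN + secrets.token_urlsafe(32)   # unguessable reference, no request data in it
    _pushed[uri] = (client_id, dict(params), now + TTL)
    return {"request_uri": uri, "expires_in": TTL}  # body of the HTTP 201 response

def authorize(client_id, request_uri, now=None):
    """/authorize: resolve the handle, enforcing single use, client binding and TTL."""
    now = time.time() if now is None else now
    # pop() consumes the handle even when a later check fails (fail closed on replay)
    entry = _pushed.pop(request_uri, None)
    if entry is None:
        raise ParError("invalid_request_uri")
    owner, params, expiry = entry
    if owner != client_id or now >= expiry:
        raise ParError("invalid_request_uri")
    return params                           # the parameters the client pushed earlier
```

The browser only ever carries client_id and the opaque request_uri, so the pushed parameters cannot be altered in the front-channel.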