Client Initiated Backchannel Authentication
CIBA.
An OIDC extension where the client (not the user's browser) initiates authentication, and the user approves on a separate device, common in IVR, call-center, and decoupled flows.
CIBA support in 2026 clusters at the standards-purist enterprise tier: Curity, Auth0 (Enterprise), Ping Identity, and ForgeRock. For most B2C and B2B SaaS, Authorization Code with PKCE covers the same use cases more simply. Reach for CIBA when the architecture genuinely separates the client from the user's authentication device.
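The decoupled exchange defined above, in CIBA poll mode, as an added example that is not part of the original page: the client sends a backchannel authentication request, receives an `auth_req_id`, and polls the token endpoint until the user decides on their own device. `SimulatedOP`, `poll_for_tokens`, the `throttle_once` switch and all sample values are constructed for illustration; the parameter names, grant type and error codes follow the CIBA Core specification.

```python
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"

class SimulatedOP:
    """Constructed stand-in for an OpenID Provider; not a real library."""
    def __init__(self, decision="approve", polls_before_decision=2, throttle_once=False):
        self.decision = decision                  # what the user taps on their device
        self.polls_before_decision = polls_before_decision
        self.throttle_once = throttle_once        # answer the first poll with slow_down
        self.pending = {}                         # auth_req_id -> polls counted so far

    def backchannel_authenticate(self, scope, login_hint, binding_message):
        # A real OP also authenticates the client here; omitted in this sketch.
        if "openid" not in scope.split():
            return {"error": "invalid_scope"}
        auth_req_id = secrets.token_urlsafe(16)
        self.pending[auth_req_id] = 0
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 2}

    def token(self, grant_type, auth_req_id):
        if grant_type != CIBA_GRANT or auth_req_id not in self.pending:
            return {"error": "invalid_grant"}
        if self.throttle_once:
            self.throttle_once = False
            return {"error": "slow_down"}
        self.pending[auth_req_id] += 1
        if self.pending[auth_req_id] <= self.polls_before_decision:
            return {"error": "authorization_pending"}
        del self.pending[auth_req_id]             # auth_req_id is single use
        if self.decision == "deny":
            return {"error": "access_denied"}
        # A real token response also carries an id_token for the authenticated user.
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer"}

def poll_for_tokens(op, login_hint, binding_message, sleep=lambda seconds: None):
    """Client side, poll mode. Pass time.sleep as `sleep` against a real OP."""
    ack = op.backchannel_authenticate("openid", login_hint, binding_message)
    if "error" in ack:
        return ack, []
    interval, waited, waits = ack["interval"], 0, []
    while waited < ack["expires_in"]:             # local deadline from expires_in
        sleep(interval)
        waited += interval
        waits.append(interval)
        resp = op.token(CIBA_GRANT, ack["auth_req_id"])
        if resp.get("error") == "slow_down":
            interval += 5                         # back off by at least 5 seconds
        elif resp.get("error") != "authorization_pending":
            return resp, waits                    # tokens or a terminal error
    return {"error": "expired_token"}, waits
```

The `binding_message` is the short human-readable string shown on both the consumption device and the authentication device so the user can confirm that the prompt they are approving belongs to the session they started.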
Common questions
When does CIBA make sense over Authorization Code?
Which CIAM platforms support CIBA?
Is CIBA the same as device code flow?
In the guides
AI Agent Identity and MCP: Authenticating Non-Human Identities
How CIAM evolves for AI agents in 2026: MCP, OAuth 2.1 Dynamic Client Registration, scoped agent tokens, and patterns separating agent from human identity.
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.