Pushed Authorization Requests

PAR.

An OAuth 2.0 extension (RFC 9126) that moves the authorization request from URL parameters to a backend POST, returning a one-time request_uri for the redirect.

PAR is recommended but not required by OAuth 2.1. FAPI 2.0 makes it mandatory for financial-grade flows. Curity and Ory ship PAR with strong defaults; Auth0 ships it on enterprise tiers; smaller CIAM vendors increasingly add it as fintech customers ask. For non-FAPI consumer apps, PAR is a worthwhile defense against URL tampering at modest implementation cost.
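The exchange defined above, modeled from the authorization server's side as an added example (not code from this page or from any vendor it names). The names `ParStore` and `handle_authorize`, the 60-second lifetime, and the choice to ignore extra URL parameters are assumptions of this sketch; client authentication at the push step is assumed to have already succeeded.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

URN_PREFIX = "urn:ietf:params:oauth:request_uri:"  # form used in RFC 9126 examples


class ParStore:
    """In-memory model of the authorization server side of PAR (hypothetical)."""

    def __init__(self, ttl=60, clock=time.monotonic):
        self.ttl = ttl        # assumed lifetime of a request_uri, in seconds
        self.clock = clock
        self._pending = {}    # request_uri -> (client_id, params, expires_at)

    def push(self, client_id, params):
        """Back-channel POST: store the request and return the PAR response."""
        if "request_uri" in params:  # RFC 9126: must not appear in a pushed request
            raise ValueError("request_uri is not allowed in a pushed request")
        uri = URN_PREFIX + secrets.token_urlsafe(32)
        self._pending[uri] = (client_id, dict(params), self.clock() + self.ttl)
        return {"request_uri": uri, "expires_in": self.ttl}

    def redeem(self, client_id, request_uri):
        """Front-channel redirect: resolve the reference exactly once."""
        entry = self._pending.pop(request_uri, None)  # pop enforces one-time use
        if entry is None:
            raise ValueError("request_uri unknown or already used")
        owner, params, expires_at = entry
        if owner != client_id:
            raise ValueError("request_uri was issued to another client")
        if self.clock() >= expires_at:
            raise ValueError("request_uri expired")
        return params


def authorization_url(endpoint, client_id, par_response):
    """Build the redirect: only client_id and request_uri cross the browser."""
    query = {"client_id": client_id, "request_uri": par_response["request_uri"]}
    return endpoint + "?" + urlencode(query)


def handle_authorize(store, url):
    """Server side of the redirect. Assumption of this sketch: any other URL
    parameter is ignored, so editing the URL cannot change the stored request."""
    q = parse_qs(urlparse(url).query)
    return store.redeem(q["client_id"][0], q["request_uri"][0])
```

Injecting a fake clock through the `clock` argument lets the expiry path be exercised without sleeping.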

Common questions

Is PAR mandatory in OAuth 2.1?

What does FAPI require?

Which CIAM vendors ship PAR?

Last updated 2026-05-07.