---
title: /oauth2/par
description: The /oauth2/par endpoint is the OAuth 2.0 pushed authorization request (PAR) endpoint defined in RFC 9126.
component: pingoneaic-api
page_id: pingoneaic-api:am-oauth2:oauth2-par-endpoint
canonical_url: https://developer.pingidentity.com/pingoneaic-api/am-oauth2/oauth2-par-endpoint.html
keywords: ["OAuth 2.0", "OpenID Connect (OIDC)", "PAR", "Authorization", "Endpoints"]
page_aliases: ["oauth2-guide:oauth2-par-endpoint.adoc"]
---

# /oauth2/par

The `/oauth2/par` endpoint is the OAuth 2.0 pushed authorization request (PAR) endpoint defined in [RFC 9126](https://www.rfc-editor.org/info/rfc9126).

Use this endpoint to push an authorization request payload directly to the authorization server for the following flows:

* Authorization code grant ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant.html))

* Authorization code grant with PKCE ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant-pkce.html))

* Implicit grant ([OAuth 2.0 and OIDC](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-implicit-grant.html))

Specify the realm in the request URL; for example:

```none
https://<tenant-env-fqdn>/am/oauth2/realms/root/realms/alpha/par
```

The PAR endpoint supports the following parameters:

| Parameter               | Description                                                                                                         | Required                                                                                                                                                                                      |
| ----------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `acr_values`            | The OpenID Connect authentication context class reference values.                                                   | Yes, if [required by the OpenID Connect provider](https://docs.pingidentity.com/pingoneaic/latest/am-oidc1/oidc-authentication-requirements.html)                                             |
| `claims`                | The user attributes to be returned in the ID token.                                                                 | No                                                                                                                                                                                            |
| `client_assertion`      | A signed JSON Web Token (JWT) to use as client credentials.                                                         | Yes, for [JWT profile](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-jwt.html) authentication                                                                         |
| `client_assertion_type` | The type of assertion, `client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer`.    | Yes, for [JWT profile](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-jwt.html) authentication                                                                         |
| `client_id`             | Uniquely identifies the application making the request.                                                             | Yes, even when it is also included in a `request` object                                                                                                                                      |
| `client_secret`         | The password for a confidential client.                                                                             | Yes, when authenticating with [Form parameters (HTTP POST)](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/client-auth-form.html)                                                  |
| `code_challenge`        | The code verifier generated for the PKCE flow.                                                                      | Yes, for confidential clients and for all clients using the [Authorization code grant with PKCE](https://docs.pingidentity.com/pingoneaic/latest/am-oauth2/oauth2-authz-grant-pkce.html) flow |
| `code_challenge_method` | The method to derive the code challenge.                                                                            | Yes, when the `code_challenge` is hashed (recommended)                                                                                                                                        |
| `csrf`                  | The SSO token string linking the request to the user session to protect against Cross-Site Request Forgery attacks. | Yes, when gathering consent without a remote consent service                                                                                                                                  |
| `decision`              | Specifies whether the resource owner consents to the requested access.                                              | Yes, when gathering consent unless consent is already saved for the scope                                                                                                                     |
| `id_token_hint`         | Previously issued ID token previously passed as a hint about the end user's session with the client.                | No                                                                                                                                                                                            |
| `login_hint`            | String value that can be set to the ID the user uses to log in.                                                     | No                                                                                                                                                                                            |
| `nonce`                 | String value that associates the client session with the ID token.                                                  | No                                                                                                                                                                                            |
| `prompt`                | Specifies whether to prompt the end user for authentication and consent.                                            | No                                                                                                                                                                                            |
| `redirect_uri`          | The URI to return the resource owner to after authorization is complete.                                            | No                                                                                                                                                                                            |
| `request`               | A base64url-encoded JWT with the claims required for PAR validation.(1)                                             | Yes                                                                                                                                                                                           |
| `response_mode`         | Specifies the mechanism for returning response parameters.                                                          | No                                                                                                                                                                                            |
| `response_type`         | The type of response expected from the authorization server.                                                        | Yes                                                                                                                                                                                           |
| `save_consent`          | Specifies whether to store a resource owner's consented scopes.                                                     | No                                                                                                                                                                                            |
| `scope`                 | The scopes linked to the permissions requested by the client from the resource owner.                               | No                                                                                                                                                                                            |
| `service`               | The authentication journey to use when authenticating the resource owner.                                           | No                                                                                                                                                                                            |
| `state`                 | The value to maintain state between the request and the callback.                                                   | No, but strongly recommended                                                                                                                                                                  |
| `ui_locales`            | The end user's preferred languages for the user interface.                                                          | No                                                                                                                                                                                            |

(1) When you use a `request` object, define all the request parameters as claims in the JWT. Use only the following client authentication parameters alongside the `request`:

`client_assertion`\
`client_assertion_type`\
`client_id`\
`client_secret`

Otherwise, the response is an `Invalid parameter scope` error.

The following is an example of a PAR `request` object:

```json
{
  "client_id": "myClient",
  "nbf": 1594140030,
  "redirect_uri": "https://www.example.com:8443",
  "scope": "write",
  "exp": 1594140390,
  "response_type": "code",
  "code_challenge": "QR1D-7w1-rOQvlFe1CeqZigqaIpmZXatDMVvZ50o",
  "code_challenge_method": "S256"
}
```
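
The following added example (not part of the Ping Identity documentation) prepares a PAR call the way the footnote above requires: it derives the S256 `code_challenge` from a PKCE code verifier, builds the `request` claims, and rejects any form parameter other than the four client authentication parameters allowed alongside `request`. The function names and placeholder values are assumptions, and signing the claims into a JWT is left to your JWT library.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Per the page: only these may accompany `request`; all else must be JWT claims.
ALLOWED_WITH_REQUEST = {"client_assertion", "client_assertion_type",
                        "client_id", "client_secret"}

def new_code_verifier() -> str:
    """43-character random PKCE code verifier (kept secret by the client)."""
    return secrets.token_urlsafe(32)

def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 (RFC 7636): BASE64URL(SHA-256(code_verifier)), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_request_claims(client_id, redirect_uri, scope, code_verifier,
                         now=None, lifetime=360):
    """Claims for the PAR `request` JWT, mirroring the page's example object."""
    now = int(time.time()) if now is None else now
    return {
        "client_id": client_id,
        "nbf": now,
        "exp": now + lifetime,  # short validity window, as in the page's example
        "redirect_uri": redirect_uri,
        "scope": scope,
        "response_type": "code",
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }

def build_par_form(signed_request_jwt, client_auth):
    """URL-encoded POST body: client authentication parameters plus `request`."""
    stray = sorted(set(client_auth) - ALLOWED_WITH_REQUEST)
    if stray:
        # The server would answer with an `Invalid parameter scope` error.
        raise ValueError(f"move into the request JWT as claims: {stray}")
    if "client_id" not in client_auth:
        raise ValueError("client_id is required even when it is in the JWT")
    return urlencode({**client_auth, "request": signed_request_jwt})

if __name__ == "__main__":
    claims = build_request_claims("myClient", "https://www.example.com:8443",
                                  "write", new_code_verifier())
    print(claims)  # sign these with your JWT library, then build the form body
    print(build_par_form("<signed-jwt>", {"client_id": "myClient"}))
```

Keep the code verifier on the client until the token request; only the derived challenge belongs in the `request` object.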
