> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-docs-event-stream-action-templates.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to use JWT-Secured Authorization Requests (JAR) with the Authorization Code Flow.

# Authorization Code Flow with JWT-Secured Authorization Requests (JAR)

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to [Auth0 Pricing](https://auth0.com/pricing/) for details.
</Callout>

[JWT-Secured Authorization Request (JAR)](https://datatracker.ietf.org/doc/html/rfc9101) is an extension of the OAuth 2.0 protocol that protects the integrity and authenticity of authorization request parameters. By wrapping parameters in a signed [JSON Web Token (JWT)](/docs/secure/tokens/json-web-tokens), you prevent intermediaries from tampering with or viewing sensitive request data.

## Prerequisites

Before using JAR, you must:

1. [Generate a RSA key pair](/docs/secure/application-credentials/generate-rsa-key-pair)
2. Register the public key by uploading it to the Auth0 Dashboard as described in [Configure JWT-Secured Authorization Requests](/docs/get-started/applications/configure-jar)

## How it works

Instead of passing parameters like `scope` or `redirect_uri` as plain text in a URL, the client application wraps them into a signed [JSON Web Token (JWT)](/docs/secure/tokens/json-web-tokens) as the request object:

* Signing: The client application signs the JWT using its private key.
* Verification: The Auth0 Authorization Server receives the JWT and verifies the signature using the public key you registered.
* Processing: If valid, the Auth0 Authorization Server extracts the parameters. If a parameter exists in both the JAR and the query string, the value inside the JAR takes precedence.

## Generate the JAR request

Use the [Auth0 JWT library](https://jwt.io/libraries) to generate a <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JWT">JWT</Tooltip> in your preferred language.

### Header

The JWT header tells Auth0 which key and algorithm to use for verification. It must have the following parameters:

* `alg`: The algorithm used to sign the JWT. Must be either RS256, RS384, or PS256.
* `typ`: The type of JWT. Must be either `jwt` or `oauth-authz-req+jwt`.

The header may also contain a `kid` field that identifies the key used to sign the JWT. If a `kid` is present, Auth0 will look for a public key registered during [JAR configuration](/docs/get-started/applications/configure-jar) that has a matching key ID and use that key to verify the JWT’s signature.

### Payload

The payload contains the authorization parameters. It must contain the following claims:

* `iss`: This must contain your app’s `client_id`
* `aud`: This must be your tenant’s domain, with the protocol and a trailing forward slash. For example, `https://{YOUR_DOMAIN}.auth0.com/`

The JWT must also contain any mandatory parameters for the call to `/authorize`. For example:

* `client_id`: This must also contain your app’s `client_id`
* `response_type`: Indicates to Auth0 which <Tooltip tip="OAuth 2.0: Authorization framework that defines authorization protocols and workflows." cta="View Glossary" href="/docs/glossary?term=OAuth+2.0">OAuth 2.0</Tooltip> flow you want to perform. Use `code` for Authorization Code Grant Flow.

The JWT may contain any of the optional parameters for the <Tooltip tip="Authorization Flow: Authorization grant (or workflow) specified in the OAuth 2.0 framework." cta="View Glossary" href="/docs/glossary?term=authorization+flow">authorization flow</Tooltip> that is being requested, such as `audience`, `scope`, `state`, `redirect_uri`, among others.

In addition, the JWT may contain the following optional claims:

* `iat`: Must be a numeric date.
* `nbf`: Must be a numeric date, representing a time in the past.
* `exp`: Must be a numeric date, representing a time in the future.
* `jti`: Must be a string no longer than 64 bytes.

## Code sample: Generate and sign JAR

The following Node.js example uses the [jsonwebtoken library](https://www.npmjs.com/package/jsonwebtoken?activeTab=readme) to generate and sign a JAR:

```javascript lines expandable theme={null}
const jwt = require('jsonwebtoken');
const crypto = require("crypto");
const fs = require('fs');

const privateKey = fs.readFileSync('{PATH_TO_YOUR_PEM_FILE}');
const client_id = '{YOUR_CLIENT_ID}';
const nonce = crypto.randomBytes(16).toString('hex');

const requestObject = jwt.sign(
{
  iss: client_id,    
  aud: 'https://your_tenant.auth0.com/', // your tenant's domain
  client_id,
  response_type: "code",
  scope: "openid profile",
  redirect_uri : "https://myapp.com/callback", // your app's callback URL
  nonce
},
privateKey,
{
  keyid: '{YOUR_KID}', // optional key id (kid) value from your public key
  algorithm: 'RS256',
  header: {
    typ: 'oauth-authz-req+jwt',
  },
});

console.log(requestObject);
```

## Call the authorization endpoint

You can send the JAR to the Auth0 Authorization Server in the following ways:

1. [Standard JAR request](#standard-jar-request): Pass the signed JWT as a URL-encoded string in the request parameter.
2. [Pushed Authorization Request](#pushed-authorization-request): For enhanced security and to avoid URL length constraints, use PAR.

### Standard JAR request

To call the `/authorize` endpoint using a standard JAR request:

1. Open a new browser window.
2. Pass your <Tooltip tip="Client ID: Identification value given to your registered resource from Auth0." cta="View Glossary" href="/docs/glossary?term=Client+ID">client ID</Tooltip> as the `client_id` parameter and the signed and URL-encoded JWT as the `request` parameter.

```bash lines theme={null}
# MacOS
open "https://{YOUR_DOMAIN}.auth0.com/authorize?client_id={YOUR_CLIENT_ID}&request={URL_ENCODED_JWT}"

# Windows
explorer "https://{YOUR_DOMAIN}.auth0.com/authorize?client_id={YOUR_CLIENT_ID}&request={URL_ENCODED_JWT}"
```

### Pushed Authorization Request

To call the `/authorize` endpoint with a pushed authorization request:

1. Send the JAR to the `/oauth/par` endpoint via a back-channel `POST` request.
2. Auth0 will return a `request_uri`, which you can then use to call the `/authorize` endpoint as in a [regular PAR flow](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow/authorization-code-flow-with-par).

The following cURL request uses PAR and JAR together:

```bash lines theme={null}
curl --location 'https://{YOUR_DOMAIN}.auth0.com/oauth/par' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={YOUR_CLIENT_ID}' \
--data-urlencode 'client_secret={YOUR_CLIENT_SECRET}' \
--data-urlencode 'request={JWT}'
```

## Learn more

* [Configure JWT-secured Authorization Requests (JAR)](/docs/get-started/applications/configure-jar)