Skip to main content
Using Rich Authorization Requests (RAR), clients can request and obtain data from , such as end users, during the Authorization Code Flow with Pushed Authorization Requests (PAR) and Client-Initiated Backchannel Authentication Flow. Rich Authorization Requests use the authorization_details parameter. This parameter accepts a JSON array of objects which may include detailed information about the authorization being requested, such as the specific resources or actions the client wants to access on behalf of the user. You can render the requested authorization_details to the user using either: To configure Rich Authorization Requests for a , you must:
  1. Register authorization_details types for the resource server.
  2. Configure the API Access policies to allow your app to request those types.
  3. Set the customized consent prompt to render the authorization_details.
  4. Optional: Configure the consent policy for the resource server.

Register authorization_details types

Each object in the JSON array must have a type field, which describes the shape of the object. An authorization_details array may contain multiple entries of the same type.

Auth0 Guardian app

If you’re using the Auth0 Guardian app, then the authorization_details parameter value must have only one object in the array, and that object must conform to the following Auth0 schema: The following is an example authorization_details type with the Auth0 schema:

Other notification channels

The authorization_details type does not need to use the Auth0 schema if you aren’t using the Auth0 Guardian app. If you are displaying the authorization_details using a customized consent prompt or your own custom mobile app with the Auth0 Guardian SDK, then the following requirements apply:
  • Maximum 5Kb
  • Must be valid JSON
  • Must be an array of objects
  • Maximum of 5 entries in the array
  • Every object must have a type property (that is pre-registered on the API)
  • Maximum of 10 properties per object
  • Maximum character length of property names is 255
  • Maximum character length of property value is 255
  • Maximum of 5 levels of nested objects
  • Property names can only contain the following characters: a-zA-Z0-9_.-
The following is an example authorization_details of type money_transfer that does not use the Auth0 schema. It contains the following object fields:
  • instructedAmount: The amount of money in USD to be transferred.
  • sourceAccount: The source bank account from which the money will be transferred.
  • destinationAccount: The destination bank account to which the money will be transferred.
  • beneficiary: The recipient of the money transfer.
  • subject: The subject line of the money transfer.
You must register authorization_details types for a resource server, which is similar to registering allowed scopes. You can register authorization_details types with the Auth0 Dashboard or Management API.
To add authorization_details in the Auth0 Dashboard:
  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Select the Permissions tab.
  3. Under Add an Authorization Details type, you can add multiple authorization_details types for your resource server. Enter an authorization_details type
  4. Select the +Add option.
You can see the authorization_details types for your resource server under List of Authorization Details Types:

Configure the API Access policies

API Access Policies for Applications control what applications can access your APIs and what scopes or authorization_details types they are allowed to access. You can check your API’s current policy using the Management API. Make a GET request to the Get a resource server endpoint and check the subject_type_authorization property in the response:
The subject_type_authorization property has values for client.policy and user.policy:
  • If the policy value is allow_all, then applications or users can request all authorization_details types registered for the API.
  • If the policy value is require_client_grant, then each type of authorization_details must be explicitly allowed by the client grant for that application.
  • If the policy value is deny_all, then no application or user can request any of the authorization_details types registered for the API.
To learn more on how to manage client grants for applications, read Application Access to APIs: Client Grants . You can render the authorization_details of a Rich Authorization Request in the consent prompt. To do so, configure the customized-consent prompt with the appropriate template partials. You can set the customized consent prompt using the Auth0 CLI or Management API.

Auth0 CLI

To configure the customized consent partials, run the auth0 ul customize command with the appropriate flags in your terminal:
To learn more, read the auth0 universal-login customize documentation.

Management API

To configure the customized consent partials, make a PUT request to the /prompts/customized-consent/partials endpoint:
The customized consent template renders the authorization_details in the following consent prompt that Auth0 shows to the end user:
In the email notifications with CIBA and RAR flow, you need to customize the consent prompt to show the approval or rejection screens to the user:
User accepts the authentication request
User accepts the authentication request
To learn more about how to customize the consent prompt, read: The resource server’s consent policy determines whether Auth0 stores the authorization_details values and makes them available to mobile applications when a push notification is sent. Review Auth0’s standard consent policy behavior for a request containing authorization_details: Customers can also set the consent_policy to transactional-authorization-with-mfa, which has the following behavior: You can set the consent policy for a resource server with the Auth0 Dashboard or Management API.
Set the consent policy in your API settings using the Auth0 Dashboard.
  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Select the Settings tab.
  3. Under Access Settings, choose the Standard consent policy.
  4. Save your changes.
Dashboard > Applications > APIs > Settings > Access Settings