POST /api/{serviceId}/pushed_auth_req

TypeScript (SDK)
import { Authlete } from "@authlete/typescript-sdk";

const authlete = new Authlete({
  bearer: process.env["AUTHLETE_BEARER"] ?? "",
});

async function run() {
  const result = await authlete.pushedAuthorization.create({
    serviceId: "<id>",
    pushedAuthorizationRequest: {
      parameters: "response_type=code%20id_token&client_id=5921531358155430&redirect_uri=https%3A%2F%2Fserver.example.com%2Fcb&state=SOME_VALUE_ABLE_TO_PREVENT_CSRF&scope=openid&nonce=SOME_VALUE_ABLE_TO_PREVENT_REPLAY_ATTACK&code_challenge=5ZWDQJiryK3eaLtSeFV8y1XySMCWtyITxICLaTwvK8g&code_challenge_method=S256",
      clientId: "5921531358155430",
      clientSecret: "P_FouxWlI7zcOep_9vBwR9qMAVJQiCiUiK1HrAP4GziOyezHQpqY0f5dHXK4JT4tnvI51OkbWVoEM9GnOyJViA",
    },
  });

  console.log(result);
}

run();

Example response:

{
  "resultCode": "A245001",
  "resultMessage": "[A245001] Successfully registered a request object for client (5921531358155430), URI is urn:ietf:params:oauth:request_uri:CAK9YEtNorwXE3UwSyihsBOL0jFrqUup7yAACw5y5Zg.",
  "action": "CREATED",
  "requestUri": "urn:ietf:params:oauth:request_uri:CAK9YEtNorwXE3UwSyihsBOL0jFrqUup7yAACw5y5Zg",
  "responseContent": "{\"expires_in\":600,\"request_uri\":\"urn:ietf:params:oauth:request_uri:CAK9YEtNorwXE3UwSyihsBOL0jFrqUup7yAACw5y5Zg\"}"
}

Authorizations

Authorization
string
header
required

Authenticate every request with a Service Access Token or Organization Token. Set the token value in the Authorization: Bearer <token> header.

Service Access Token: Scoped to a single service. Use when automating service-level configuration or runtime flows.

Organization Token: Scoped to the organization; inherits permissions across services. Use for org-wide automation or when managing multiple services programmatically.

Both token types are issued by the Authlete console or provisioning APIs.

Path Parameters

serviceId
string
required

A service ID.

Body

parameters
string
required

The pushed authorization request body received from the client application.

The value of parameters is the entire entity body of the request from the client application, formatted as application/x-www-form-urlencoded. Pass it through exactly as received so that Authlete evaluates what the client actually sent.

clientId
string

The client ID extracted from the Authorization header of the pushed authorization request from the client application. Set this (together with clientSecret) only when the client authenticated with HTTP Basic authentication; for the other client authentication methods the credentials are carried in parameters, presented on the TLS connection (clientCertificate), or sent in the attestation headers.

clientSecret
string

The client secret extracted from the Authorization header of the pushed authorization request from the client application.

clientCertificate
string

The client certificate from the mTLS connection to the pushed authorization endpoint from the client application.

clientCertificatePath
string[]

The certificate path presented by the client during client authentication. These certificates are strings in PEM format.

dpop
string

The value of the DPoP HTTP header, i.e. the DPoP proof JWT presented by the client application.

htm
string

The HTTP method of the pushed authorization request, used to validate the htm claim of the DPoP proof JWT.

htu
string

The URL of the pushed authorization endpoint without query and fragment parts, used to validate the htu claim of the DPoP proof JWT.

oauthClientAttestation
string

The value of the OAuth-Client-Attestation HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

oauthClientAttestationPop
string

The value of the OAuth-Client-Attestation-PoP HTTP header, which is defined in the specification of OAuth 2.0 Attestation-Based Client Authentication.

dpopNonceRequired
boolean

The flag indicating whether to require the DPoP proof JWT to include the nonce claim. Even if the service's dpopNonceRequired property is false, setting this parameter to true in the /pushed_auth_req call forces the Authlete API to check that the DPoP proof JWT includes the expected nonce value.
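As an added example (not code from the Authlete SDK or from this reference), the following TypeScript shows how an authorization server implementation can assemble this request body from the raw HTTP request its pushed authorization endpoint received: the form body is forwarded verbatim as parameters, HTTP Basic credentials are base64- and percent-decoded into clientId and clientSecret, and the DPoP and client attestation headers are passed through with htm and htu derived from the request. The IncomingParRequest shape, the helper names and the sample request are assumptions constructed for this example.

```typescript
// Added example; IncomingParRequest, the helpers and the sample are assumptions.
// PushedAuthReqRequest field names follow the Body section of this page.

/** Assumed shape of the HTTP request as the server framework hands it over. */
interface IncomingParRequest {
  method: string;                   // as received, e.g. "POST"
  url: string;                      // full target URL as received
  headers: Record<string, string>;  // header names lower-cased by the framework
  body: string;                     // raw application/x-www-form-urlencoded body
  clientCertificatePem?: string;    // leaf certificate from the TLS layer, if mTLS
}

/** Subset of the /pushed_auth_req body documented above. */
interface PushedAuthReqRequest {
  parameters: string;
  clientId?: string;
  clientSecret?: string;
  clientCertificate?: string;
  dpop?: string;
  htm?: string;
  htu?: string;
  oauthClientAttestation?: string;
  oauthClientAttestationPop?: string;
}

const B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/** Standard base64 decode to a byte-per-character string (no Buffer dependency). */
function base64Decode(input: string): string {
  const s = input.replace(/=+$/, "");
  let acc = 0, bits = 0, out = "";
  for (let i = 0; i < s.length; i++) {
    const v = B64_ALPHABET.indexOf(s.charAt(i));
    if (v < 0) throw new Error("invalid base64 in Authorization header");
    acc = (acc << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1;
    }
  }
  return out;
}

/**
 * Extract HTTP Basic credentials. RFC 6749 section 2.3.1 has the client
 * form-urlencode client_id and client_secret before base64-encoding them, so
 * both halves are percent-decoded. Returns undefined when no Basic credentials
 * are present; client_secret_post, private_key_jwt and mTLS clients are then
 * authenticated by Authlete from `parameters` / clientCertificate instead.
 */
function parseBasicAuth(authorization: string | undefined): { clientId: string; clientSecret: string } | undefined {
  if (!authorization) return undefined;
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(authorization.trim());
  if (!m) return undefined;
  const decoded = base64Decode(m[1]);
  const sep = decoded.indexOf(":");
  if (sep < 0) throw new Error("malformed Basic credentials");
  return {
    clientId: decodeURIComponent(decoded.slice(0, sep)),
    clientSecret: decodeURIComponent(decoded.slice(sep + 1)),
  };
}

/** htu is the target URI without query and fragment (RFC 9449 section 4.2). */
function dpopHtu(url: string): string {
  return url.split("#")[0].split("?")[0];
}

function buildPushedAuthReqRequest(req: IncomingParRequest): PushedAuthReqRequest {
  // Forward the entity body verbatim; never parse and re-encode it.
  const out: PushedAuthReqRequest = { parameters: req.body };

  const basic = parseBasicAuth(req.headers["authorization"]);
  if (basic) {
    out.clientId = basic.clientId;
    out.clientSecret = basic.clientSecret;
  }
  if (req.clientCertificatePem) out.clientCertificate = req.clientCertificatePem;

  // Hand over DPoP inputs only when a proof was presented. htm is passed as
  // received (HTTP methods are case-sensitive); htu is stripped of query/fragment.
  const dpop = req.headers["dpop"];
  if (dpop) {
    out.dpop = dpop;
    out.htm = req.method;
    out.htu = dpopHtu(req.url);
  }

  const attestation = req.headers["oauth-client-attestation"];
  const attestationPop = req.headers["oauth-client-attestation-pop"];
  if (attestation && attestationPop) {
    out.oauthClientAttestation = attestation;
    out.oauthClientAttestationPop = attestationPop;
  }
  return out;
}

// Constructed sample: Basic credentials "abc" / "p%2Bw" (the secret is "p+w").
const sampleParRequest: IncomingParRequest = {
  method: "POST",
  url: "https://server.example.com/par?ignored=1#frag",
  headers: { authorization: "Basic YWJjOnAlMkJ3", dpop: "constructed.dpop.proof" },
  body: "response_type=code&client_id=abc&redirect_uri=https%3A%2F%2Fserver.example.com%2Fcb&scope=openid",
};

console.log(buildPushedAuthReqRequest(sampleParRequest));
```

The percent-decoding step matters in practice: a secret containing `+` or `%` arrives in the Basic header form-urlencoded, and forwarding it undecoded would make Authlete reject an otherwise valid client.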

Response

resultCode
string

The code which represents the result of the API call.

resultMessage
string

A short message which explains the result of the API call.

action
enum<string>

The next action that the authorization server implementation should take. Any value other than "CREATED" should be handled as an unsuccessful result.

Available options:
CREATED,
BAD_REQUEST,
UNAUTHORIZED,
FORBIDDEN,
PAYLOAD_TOO_LARGE,
INTERNAL_SERVER_ERROR
requestUri
string

The request_uri issued to the client, to be used as the value of the request_uri parameter in the subsequent authorization request.

responseContent
string

The content that the authorization server implementation is to return to the client application as the JSON body of its HTTP response.

clientAuthMethod
enum<string>

The client authentication method that the client application declares that it uses at the token endpoint. This property corresponds to token_endpoint_auth_method in OpenID Connect Dynamic Client Registration 1.0 (Section 2, Client Metadata).

Available options:
NONE,
CLIENT_SECRET_BASIC,
CLIENT_SECRET_POST,
CLIENT_SECRET_JWT,
PRIVATE_KEY_JWT,
TLS_CLIENT_AUTH,
SELF_SIGNED_TLS_CLIENT_AUTH,
ATTEST_JWT_CLIENT_AUTH
dpopNonce
string

The expected nonce value for the DPoP proof JWT, to be returned to the client application as the value of the DPoP-Nonce HTTP header.
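As an added example (not Authlete's own code), the following TypeScript maps the response fields above to the HTTP response the pushed authorization endpoint returns to the client: action selects the status code, responseContent becomes the JSON body, dpopNonce is echoed as the DPoP-Nonce header, and anything other than CREATED is treated as failure, including action values this code does not recognize. The HttpResponse shape and the WWW-Authenticate realm are assumptions; the sample response is the one shown at the top of this page.

```typescript
// Added example; HttpResponse and the WWW-Authenticate realm are assumptions.
// PushedAuthReqResponse field names follow the Response section of this page.

/** Fields of the /pushed_auth_req response used here. action is kept as a
 *  plain string because the wire format may carry values this code predates. */
interface PushedAuthReqResponse {
  resultCode: string;
  resultMessage: string;
  action: string;
  requestUri?: string;
  responseContent?: string;
  dpopNonce?: string;
}

/** Assumed framework-neutral HTTP response shape. */
interface HttpResponse {
  status: number;
  headers: Record<string, string>;
  body: string;
}

/** HTTP status for each documented action; anything else is a failure. */
const STATUS_BY_ACTION: Record<string, number> = {
  CREATED: 201,
  BAD_REQUEST: 400,
  UNAUTHORIZED: 401,
  FORBIDDEN: 403,
  PAYLOAD_TOO_LARGE: 413,
  INTERNAL_SERVER_ERROR: 500,
};

function isSuccess(res: PushedAuthReqResponse): boolean {
  return res.action === "CREATED";
}

function toHttpResponse(res: PushedAuthReqResponse): HttpResponse {
  const headers: Record<string, string> = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
  };
  // A nonce from Authlete must reach the client as DPoP-Nonce whatever the
  // action, so a client that was told to use a nonce can retry with it.
  if (res.dpopNonce) headers["DPoP-Nonce"] = res.dpopNonce;

  const status = STATUS_BY_ACTION[res.action];
  if (status === undefined) {
    // Unknown action: fail closed rather than guess at a success path.
    return { status: 500, headers, body: JSON.stringify({ error: "server_error" }) };
  }
  if (res.action === "UNAUTHORIZED") {
    // The realm is an assumption; it is not part of the documented response.
    headers["WWW-Authenticate"] = 'Basic realm="pushed_auth_req"';
  }
  return { status, headers, body: res.responseContent ?? "" };
}

/** For CREATED: read request_uri and expires_in from responseContent and
 *  cross-check request_uri against the top-level requestUri field. */
function parseCreated(res: PushedAuthReqResponse): { requestUri: string; expiresIn: number } {
  if (!isSuccess(res) || !res.responseContent) {
    throw new Error(`not a successful PAR result: ${res.resultCode}`);
  }
  const content = JSON.parse(res.responseContent) as { request_uri?: unknown; expires_in?: unknown };
  if (typeof content.request_uri !== "string" || typeof content.expires_in !== "number") {
    throw new Error("responseContent lacks request_uri/expires_in");
  }
  if (res.requestUri !== undefined && res.requestUri !== content.request_uri) {
    throw new Error("requestUri and responseContent.request_uri disagree");
  }
  return { requestUri: content.request_uri, expiresIn: content.expires_in };
}

// The successful response shown at the top of this page.
const sampleCreated: PushedAuthReqResponse = {
  resultCode: "A245001",
  resultMessage: "[A245001] Successfully registered a request object for client (5921531358155430), URI is urn:ietf:params:oauth:request_uri:CAK9YEtNorwXE3UwSyihsBOL0jFrqUup7yAACw5y5Zg.",
  action: "CREATED",
  requestUri: "urn:ietf:params:oauth:request_uri:CAK9YEtNorwXE3UwSyihsBOL0jFrqUup7yAACw5y5Zg",
  responseContent: "{\"expires_in\":600,\"request_uri\":\"urn:ietf:params:oauth:request_uri:CAK9YEtNorwXE3UwSyihsBOL0jFrqUup7yAACw5y5Zg\"}",
};

console.log(toHttpResponse(sampleCreated), parseCreated(sampleCreated));
```

Keeping action as a plain string with an explicit lookup is deliberate: a switch with a default that falls through to the CREATED branch, or a check of the form "status is not an error", would turn a new or unexpected action into a 201 that hands the client a request_uri Authlete never issued.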