Key Standards

Consent 3.0 introduces a modernized consent architecture built on well-established OAuth and FAPI 2.0 standards. These standards replace legacy elements of Consent 2.0 and Consent 2.0 with CaaS, such as PermissionIds and username validation, with secure, interoperable mechanisms. Together they form the technical foundation of the new consent model.

PAR (Pushed Authorization Requests)

PAR is mandatory in Consent 3.0.

PAR (RFC 9126) moves the authorization request parameters off the front channel: the client sends them directly to the authorization server's PAR endpoint in an authenticated back-channel request and receives a short-lived request_uri in return. The browser then carries only the client_id and that request_uri to the authorization endpoint; the authorization server resolves the request_uri to the parameters it already holds and checks that it was pushed by the same client.

Why PAR?

  • Removes the browser from the path of the authorization parameters, so neither the user nor anything in the redirect chain can alter scope, redirect_uri or the PKCE challenge
  • Keeps request details out of browser redirects, referrer headers, proxy logs and history; only the opaque request_uri is visible there
  • Lets the authorization server authenticate the client and validate the request before the user is redirected, rather than only at the token endpoint, which is what the FAPI-aligned flow requires

PKCE (Proof Key for Code Exchange)

PKCE is mandatory for all authorization code flows in Consent 3.0.

PKCE (RFC 7636) protects the authorization code flow against authorization code interception and replay. The client generates a random code_verifier, sends its hash as the code_challenge (with code_challenge_method S256, the only method FAPI 2.0 allows) in the authorization request, and must present the code_verifier itself in the token request. An attacker who captures the authorization code cannot redeem it without the verifier, because the authorization server recomputes the hash and rejects a mismatch.

Why PKCE?

  • Mitigates authorization code interception attacks
  • Removes the need for proprietary security workarounds such as username validation
  • Aligns the authorization code flow with modern OAuth and FAPI security practices

PKCE is a foundational upgrade that strengthens the ecosystem and supports flows built on PAR and Grant Management.
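The two sections above describe one flow: the client pushes its authorization parameters, including the PKCE challenge, over the back channel, sends only a request_uri through the browser, and later proves possession of the code_verifier. The following is an added example, written for this page and not code from the Consent 3.0 documentation or from any authorization server. It simulates both sides in-process so it runs offline: the endpoint URL, client_id, redirect_uri, scope and the request_uri format are assumptions, and the single-use handling of request_uri and authorization code plus the client_id binding check are the checks this simulation chooses to perform, shown here because they are what makes PAR and PKCE effective.

```python
"""Added example (not from the Consent 3.0 documentation): a client building a
PAR request with PKCE (S256) and the checks a simulated authorization server
applies on the way back. Endpoint URL, client_id, scope, redirect_uri and the
request_uri format are assumed for illustration; no network is used."""
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization endpoint, assumed for the example.
AUTHZ_ENDPOINT = "https://as.example/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without padding (RFC 7636 Appendix A)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char
    verifier, within RFC 7636's 43..128 character range."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256(verifier)


def build_par_body(client_id: str, redirect_uri: str, scope: str,
                   code_challenge: str) -> dict:
    """Parameters the client pushes to the PAR endpoint over the back channel
    (RFC 9126). None of these values ever appears in the browser."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "state": b64url(secrets.token_bytes(16)),
        "nonce": b64url(secrets.token_bytes(16)),
    }


def build_front_channel_url(client_id: str, request_uri: str) -> str:
    """What the browser is redirected to: only client_id and request_uri."""
    query = urlencode({"client_id": client_id, "request_uri": request_uri})
    return f"{AUTHZ_ENDPOINT}?{query}"


# ---- simulated authorization server ----------------------------------------

def new_store() -> dict:
    """In-memory state: pushed requests keyed by request_uri, issued codes."""
    return {"par": {}, "codes": {}}


def as_accept_par(store: dict, body: dict) -> str:
    """PAR endpoint: require S256 PKCE, park the parameters under a fresh
    request_uri (the urn:ietf:params:oauth:request_uri: prefix follows the
    RFC 9126 examples) and return it to the client."""
    if body.get("code_challenge_method") != "S256" or not body.get("code_challenge"):
        raise ValueError("PKCE with S256 is mandatory")
    request_uri = "urn:ietf:params:oauth:request_uri:" + b64url(secrets.token_bytes(16))
    store["par"][request_uri] = dict(body)
    return request_uri


def as_authorize(store: dict, url: str) -> str:
    """Authorization endpoint: resolve and consume the request_uri (single use,
    so a replayed redirect fails), check that the browser-supplied client_id
    matches the client that pushed the request, and issue a code bound to it."""
    q = parse_qs(urlparse(url).query)
    params = store["par"].pop(q["request_uri"][0])  # KeyError on unknown/reused URI
    if params["client_id"] != q["client_id"][0]:
        raise ValueError("client_id does not match the pushed request")
    code = b64url(secrets.token_bytes(16))
    store["codes"][code] = params
    return code


def as_token(store: dict, code: str, code_verifier: str) -> bool:
    """Token endpoint: the code is single use and is honoured only if
    S256(code_verifier) equals the pushed code_challenge (constant-time compare)."""
    params = store["codes"].pop(code, None)
    if params is None:
        return False
    return secrets.compare_digest(s256(code_verifier), params["code_challenge"])


def run_flow(verifier_override: Optional[str] = None) -> bool:
    """End to end: the honest client succeeds; an interceptor who holds the
    code but not the verifier (pass verifier_override) is refused."""
    store = new_store()
    verifier, challenge = make_pkce_pair()
    body = build_par_body("tpp-client-123", "https://tpp.example/cb",
                          "openid consents", challenge)
    request_uri = as_accept_par(store, body)
    code = as_authorize(store, build_front_channel_url("tpp-client-123", request_uri))
    return as_token(store, code, verifier_override or verifier)


if __name__ == "__main__":
    print("honest client:", run_flow())          # True
    print("code thief   :", run_flow("x" * 43))  # False
```

The front-channel URL produced by build_front_channel_url is the whole of what ends up in browser history and proxy logs; everything sensitive stays in the PAR body. The two places where the simulated server pops state (request_uri and code) are what turn a captured redirect or code into a dead end, and the client_id comparison is the binding RFC 9126 requires between the pushed request and the client that later presents it.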