Implement the PAR endpoint (POST /as/par or similar) that accepts the full authorization request parameters as an HTTP form POST with client authentication
Validate the request at PAR time: check redirect_uri, client_id, scope, code_challenge (required under FAPI 2.0 with S256 method), and any RAR authorization_details
Return a request_uri (urn:ietf:params:oauth:request_uri:<identifier>) and expires_in (should be short, e.g. 60–90 seconds) in the JSON response
Advertise pushed_authorization_request_endpoint (the RFC 9126 metadata parameter for the PAR endpoint URL) and require_pushed_authorization_requests: true in the AS metadata (.well-known/oauth-authorization-server) to signal that PAR is mandatory
At the authorization endpoint, accept only request_uri parameters — reject any direct parameter submission if require_pushed_authorization_requests is true
Bind the PAR request to the authenticated client; reject authorization requests where the client_id in the authorization endpoint call does not match the one used at the PAR endpoint
Known gotchas
FAPI 2.0 Security Profile (approved as Final Specification in February 2025) mandates PAR and PKCE together; implementing one without the other is not FAPI 2.0 conformant
The request_uri is single-use; once it has been used in an authorization request it must be invalidated — clients that retry the authorization with the same request_uri must get an error
PAR requests should be accepted only over mTLS or with private_key_jwt client authentication under FAPI 2.0 — client_secret_basic does not meet the security requirements
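The endpoint logic from the steps above together with the gotchas (single-use request_uri, client binding, rejecting client_secret_basic), as an added Python sketch that is not from the original page. The client registry, the /as/par and /authorize names, the in-memory store and the error codes are assumptions, and client authentication is assumed to have already happened before these functions are called.

```python
import secrets
import time

# Constructed sample client registry; FAPI 2.0 allows only mTLS or private_key_jwt client auth.
CLIENTS = {
    "client-A": {"redirect_uris": ["https://rp.example/cb"],
                 "auth_methods": {"private_key_jwt", "tls_client_auth"}},
}
REQUIRE_PAR = True    # mirrors require_pushed_authorization_requests: true in the AS metadata
PAR_LIFETIME = 60     # expires_in in seconds; kept short, as the checklist recommends
_par_store = {}       # request_uri -> (client_id, pushed parameters, expiry timestamp)


def push_authorization_request(authn_client_id, authn_method, form, now=None):
    """POST /as/par: authn_client_id and authn_method come from the client authentication layer."""
    now = time.time() if now is None else now
    client = CLIENTS.get(authn_client_id)
    if client is None or authn_method not in client["auth_methods"]:
        return {"error": "invalid_client"}        # e.g. client_secret_basic ends up here
    if form.get("client_id") != authn_client_id:
        return {"error": "invalid_request"}       # body must name the authenticated client
    if form.get("redirect_uri") not in client["redirect_uris"]:
        return {"error": "invalid_request"}       # exact match against registered URIs
    if form.get("code_challenge_method") != "S256" or not form.get("code_challenge"):
        return {"error": "invalid_request"}       # PKCE with S256 is mandatory under FAPI 2.0
    if "request_uri" in form:
        return {"error": "invalid_request"}       # RFC 9126: no request_uri inside a PAR body
    request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(32)
    _par_store[request_uri] = (authn_client_id, dict(form), now + PAR_LIFETIME)
    return {"request_uri": request_uri, "expires_in": PAR_LIFETIME}


def resolve_authorization_request(query, now=None):
    """GET /authorize: accept only client_id + request_uri, consume the URI once, check binding."""
    now = time.time() if now is None else now
    request_uri = query.get("request_uri")
    if REQUIRE_PAR and request_uri is None:
        return {"error": "invalid_request"}       # direct parameter submission is rejected
    if set(query) - {"client_id", "request_uri"}:
        return {"error": "invalid_request"}       # nothing may ride alongside the request_uri
    entry = _par_store.pop(request_uri, None)     # pop() makes the request_uri single-use
    if entry is None:
        return {"error": "invalid_request_uri"}   # unknown, or already consumed (replay)
    client_id, params, expiry = entry
    if now > expiry:
        return {"error": "invalid_request_uri"}   # expired; pop() already discarded it
    if query.get("client_id") != client_id:
        return {"error": "invalid_request_uri"}   # presented by a different client
    return {"params": params}
```

A production store would also purge expired entries on a timer rather than only on lookup.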