To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
Using Rich Authorization Requests (RAR), clients can request and obtain data from , such as end users, during the Authorization Code Flow and Client-Initiated Backchannel Authentication Flow. In a Rich Authorization Request, the authorization_details parameter is a JSON array of objects. You can render the authorization_details, containing transaction details, in a consent prompt to the user in challenges. To configure Rich Authorization Requests for a , you must:
  1. Configure the consent policy for the resource server.
  2. Register authorization_details types for the resource server.
  3. Configure the resource server to accept Rich Authorization Requests.
The resource server’s consent policy determines when and how Auth0 renders the Rich Authorization Request and shows the consent prompt to the user. The table below summarizes Auth0’s standard consent policy behavior for a resource server that accepts Rich Authorization Requests:
Is it a Rich Authorization Request?MFA Required?Consent policy is standard or undefined
NoNoStandard consent is shown unless there is a grant that includes the requested access.
YesNoCustomized consent is shown.
YesYes, with an authentication factor that is not a push notificationCustomized consent is shown after the user fulfills the MFA challenge.
YesYes, with a push notification factorNo consent is shown. The consent is handled in the mobile application that receives the push notification challenge.
Set the consent policy in your API settings using the Auth0 Dashboard.
  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Select the Settings tab.
  3. Under Access Settings, choose the Standard consent policy.
  4. Save your changes.
Dashboard > Applications > APIs > Settings > Access Settings

Register authorization_details types

The type field determines the customizable object fields. An authorization_details array may contain multiple entries of the same type. You must register authorization_details types for a resource server, which is similar to registering allowed scopes. The authorization_details types must follow these requirements:
  • Maximum 5Kb
  • Must be valid JSON
  • Must be an array of objects
  • Maximum of 5 entries in the array
  • Every object must have a type property (that is pre-registered on the API)
  • Maximum of 10 properties per object
  • Maximum character length of property names is 255
  • Maximum character length of property value is 255
  • Maximum of 5 levels of nested objects
  • Property names can only contain the following characters: a-zA-Z0-9_.-
You can register authorization_details types with the Auth0 Dashboard or Management API.
You can add authorization_details in the Auth0 Dashboard.
  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Select the Permissions tab.
  3. Under Add an Authorization Details type, you can add multiple authorization_details types for your resource server. Enter an authorization_details type and then select the +Add option.
You can see the authorization_details types for your resource server under List of Authorization Details Types:

Create a new resource server with authorization_details types

The following POST request creates a new resource server with authorization_details type payment_initiation: 
curl --location --request POST 'https://$tenant/api/v2/resource-servers' \
  --header 'Authorization: Bearer $management_access_token' \
  --header 'Content-Type: application/json' \
  --data-raw '{
  "name": "Payments API",
  "identifier": "https://payments.api/",
  "consent_policy": "standard",
  "authorization_details": [{"type": "payment_initiation"}]
  }'