To use Highly Regulated Identity features, you must have an Enterprise Plan with the Highly Regulated Identity add-on. Refer to Auth0 Pricing for details.
Using Rich Authorization Requests (RAR), clients can request and obtain data from resource owners, such as end users, during the Authorization Code Flow and the Client-Initiated Backchannel Authentication (CIBA) Flow. In a Rich Authorization Request, the authorization_details parameter is a JSON array of objects. You can render the authorization_details, which carry the transaction details, in the consent prompt that the user approves during a challenge. To configure Rich Authorization Requests for a resource server, you must:
  1. Configure the consent policy for the resource server.
  2. Register authorization_details types for the resource server.
  3. Set the customized consent prompt to render the authorization_details.
The resource server’s consent policy determines when and how Auth0 renders the Rich Authorization Request and shows the consent prompt to the user. The table below summarizes Auth0’s standard consent policy behavior for a resource server that accepts Rich Authorization Requests:
Rich Authorization Request? | MFA required?                                        | Behavior when the consent policy is standard or undefined
No                          | No                                                   | Standard consent is shown unless there is a grant that includes the requested access.
Yes                         | No                                                   | Customized consent is shown.
Yes                         | Yes, with an authentication factor that is not a push notification | Customized consent is shown after the user fulfills the MFA challenge.
Yes                         | Yes, with a push notification factor                 | No consent is shown. The consent is handled in the mobile application that receives the push notification challenge.
You can set the consent policy for a resource server with the Auth0 Dashboard or Management API.
Set the consent policy in your API settings using the Auth0 Dashboard.
  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Select the Settings tab.
  3. Under Access Settings, choose the Standard consent policy.
  4. Save your changes.

Register authorization_details types

The type field of each object determines which other fields the object can carry. An authorization_details array may contain multiple entries of the same type. You must register every authorization_details type that a resource server accepts, much as you register its allowed scopes; only pre-registered types are accepted in a request (see the requirements below).

Auth0 Guardian app

If you’re using the Auth0 Guardian app, the authorization_details types must use the Auth0 schema. The Auth0 schema has the following fields:

type
  Specifies the type of authorization request. The value is a URN made of three parts:
  • urn:auth0:schemas:authorization-details: The Auth0 URN, indicating that the request uses the Auth0 schema.
  • v1: The schema version.
  • user-profile: A customer-provided value indicating what the request is for, here user profile information.
  Example: urn:auth0:schemas:authorization-details:v1:user-profile

instruction
  A human-readable message shown to the user who is asked to approve the request.
  Example: Please approve the request

properties
  A JSON object containing the specific user attributes or claims being requested. Each key (for example email, full_name) represents a particular user profile field and holds an object with these fields:
  • display: A boolean that determines whether the property is shown to the user in the consent dialog. If true, it is displayed; if false, it is an internal-only property not meant for the user to see.
  • name: The human-readable name for the property (for example, “Email Address”).
  • display_order: An integer that dictates the order in which properties are shown in the consent dialog.
  • description: An optional, short explanation of the property’s purpose.
  • value: The actual data value for the property (for example, “user@example.com”, “John Doe”). The data type can vary (string, integer, boolean, etc.).
  Example:
  "properties": { "stringPropertyForDisplay": { "display": true, "name": "A String:", "display_order": 1, "value": "Value 1" } }
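The following is an added example, not Auth0 code: it checks an authorization_details entry against the Auth0 schema fields listed above and returns the properties in the order a consent dialog would show them (display true, sorted by display_order). The prefix check, the helper names and the constructed user-profile entry are this example's own assumptions; the field names come from the schema.

```javascript
// Added example (not Auth0's code): checks an entry against the Auth0 schema
// described above and lists the properties a user would actually see.
// The prefix constant and helper names are this example's own.

const AUTH0_TYPE_PREFIX = "urn:auth0:schemas:authorization-details:v1:";

// Returns a list of problems; an empty list means the entry matches the schema.
function checkAuth0SchemaEntry(entry) {
  const problems = [];
  if (typeof entry.type !== "string" || !entry.type.startsWith(AUTH0_TYPE_PREFIX)) {
    problems.push(`type must start with ${AUTH0_TYPE_PREFIX}`);
  } else if (entry.type.length === AUTH0_TYPE_PREFIX.length) {
    problems.push("type is missing the customer-provided suffix (for example user-profile)");
  }
  if (typeof entry.instruction !== "string" || entry.instruction.trim() === "") {
    problems.push("instruction must be a non-empty string");
  }
  if (entry.properties === null || typeof entry.properties !== "object" || Array.isArray(entry.properties)) {
    problems.push("properties must be a JSON object");
    return problems;
  }
  for (const [key, prop] of Object.entries(entry.properties)) {
    if (prop === null || typeof prop !== "object") {
      problems.push(`${key} must be an object`);
      continue;
    }
    if (typeof prop.display !== "boolean") problems.push(`${key}.display must be a boolean`);
    if (typeof prop.name !== "string") problems.push(`${key}.name must be a string`);
    if (!Number.isInteger(prop.display_order)) problems.push(`${key}.display_order must be an integer`);
    if (!("value" in prop)) problems.push(`${key}.value is required`);
  }
  return problems;
}

// Properties the user sees: display === true, ordered by display_order.
// Internal-only properties (display === false) are dropped here.
function displayedProperties(entry) {
  return Object.entries(entry.properties)
    .filter(([, p]) => p.display === true)
    .sort((a, b) => a[1].display_order - b[1].display_order)
    .map(([key, p]) => ({ key, name: p.name, value: p.value, description: p.description }));
}

// Constructed sample entry for a user-profile request (not from the page).
const sampleEntry = {
  type: "urn:auth0:schemas:authorization-details:v1:user-profile",
  instruction: "Please approve the request",
  properties: {
    email: { display: true, name: "Email Address", display_order: 2, value: "user@example.com" },
    full_name: { display: true, name: "Full Name", display_order: 1, value: "John Doe" },
    internal_ref: { display: false, name: "Internal reference", display_order: 3, value: "req-001" },
  },
};

console.log(checkAuth0SchemaEntry(sampleEntry));   // [] when the entry is well formed
console.log(displayedProperties(sampleEntry).map((p) => p.name));
```

Run the check before sending the request: a display_order given as a string, as in a hand-written example, sorts unpredictably, and a missing instruction leaves the user approving a request with no explanation.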

Other notification channels

If you’re not using the Auth0 Guardian app, the authorization_details types do not need to use the Auth0 schema. Instead, they must meet these requirements:
  • Maximum size of 5 KB
  • Must be valid JSON
  • Must be an array of objects
  • Maximum of 5 entries in the array
  • Every object must have a type property whose value is pre-registered on the API
  • Maximum of 10 properties per object
  • Maximum property name length of 255 characters
  • Maximum property value length of 255 characters
  • Maximum of 5 levels of nested objects
  • Property names can only contain the characters a-zA-Z0-9_.-
An example authorization_details of type money_transfer that does not use the Auth0 schema contains the following object fields:
  • instructedAmount: The amount of money to be transferred, as an object with amount and currency fields (for example USD); the consent template further below reads instructedAmount.amount and instructedAmount.currency.
  • sourceAccount: The source bank account from which the money will be transferred.
  • destinationAccount: The destination bank account to which the money will be transferred.
  • beneficiary: The recipient of the money transfer.
  • subject: The subject line of the money transfer.
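The following is an added example, not Auth0 code: a client-side validator that checks an authorization_details array against the limits listed above before it is placed in a Rich Authorization Request, applied to a constructed money_transfer entry with the fields just described. The field values, the set of registered types and the helper names are this example's own. Where the text is silent (whether nested objects count toward the 10-property limit, how non-string values are measured, whether the entry itself counts as a nesting level), the choice made here is marked as an assumption in the comments.

```javascript
// Added example (not Auth0's code): validates authorization_details against
// the limits in the text before sending a Rich Authorization Request.

const LIMITS = {
  maxBytes: 5 * 1024,      // "Maximum 5 KB", taken as 5120 bytes of UTF-8 JSON (assumption)
  maxEntries: 5,
  maxPropsPerObject: 10,   // applied to every object, nested ones included (assumption)
  maxNameLength: 255,
  maxValueLength: 255,     // measured on the string form of scalar values (assumption)
  maxDepth: 5,             // levels below the entry object itself (assumption)
};
const NAME_PATTERN = /^[a-zA-Z0-9_.-]+$/;

// Walks one object and its nested objects, appending problems to the list.
function checkObject(obj, path, depth, problems) {
  if (depth > LIMITS.maxDepth) {
    problems.push(`${path}: nesting deeper than ${LIMITS.maxDepth} levels`);
    return;
  }
  const keys = Object.keys(obj);
  if (keys.length > LIMITS.maxPropsPerObject) {
    problems.push(`${path}: ${keys.length} properties, maximum is ${LIMITS.maxPropsPerObject}`);
  }
  for (const key of keys) {
    const value = obj[key];
    const here = `${path}.${key}`;
    if (key.length > LIMITS.maxNameLength) problems.push(`${here}: name longer than ${LIMITS.maxNameLength}`);
    if (!NAME_PATTERN.test(key)) problems.push(`${here}: name contains characters outside a-zA-Z0-9_.-`);
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      checkObject(value, here, depth + 1, problems);
    } else if (String(value).length > LIMITS.maxValueLength) {
      problems.push(`${here}: value longer than ${LIMITS.maxValueLength}`);
    }
  }
}

// Returns a list of problems; an empty list means every limit is satisfied.
// registeredTypes is the set of types registered on the API (Set of strings).
function validateAuthorizationDetails(details, registeredTypes) {
  if (!Array.isArray(details)) return ["authorization_details must be a JSON array"];
  const problems = [];
  const bytes = new TextEncoder().encode(JSON.stringify(details)).length;
  if (bytes > LIMITS.maxBytes) problems.push(`serialized size ${bytes} bytes exceeds ${LIMITS.maxBytes}`);
  if (details.length > LIMITS.maxEntries) problems.push(`${details.length} entries, maximum is ${LIMITS.maxEntries}`);
  details.forEach((entry, i) => {
    const path = `[${i}]`;
    if (entry === null || typeof entry !== "object" || Array.isArray(entry)) {
      problems.push(`${path}: entry is not an object`);
      return;
    }
    if (typeof entry.type !== "string") problems.push(`${path}: missing type`);
    else if (!registeredTypes.has(entry.type)) problems.push(`${path}: type "${entry.type}" is not registered on the API`);
    checkObject(entry, path, 0, problems);
  });
  return problems;
}

// Constructed sample (not from the page): one money_transfer entry with the
// fields listed above. Account numbers and amounts are made up.
const moneyTransfer = [
  {
    type: "money_transfer",
    instructedAmount: { amount: "250.00", currency: "USD" },
    sourceAccount: "DE89370400440532013000",
    destinationAccount: "GB29NWBK60161331926819",
    beneficiary: "Jane Doe",
    subject: "Invoice 2024-118",
  },
];
const registeredTypes = new Set(["money_transfer"]);

console.log(validateAuthorizationDetails(moneyTransfer, registeredTypes)); // [] when valid
```

The same checks are worth enforcing on the resource server when it reads authorization_details out of the access token, since the limits describe what Auth0 accepts, not what a downstream service should trust without looking.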
You can register authorization_details types with the Auth0 Dashboard or Management API.
To add authorization_details in the Auth0 Dashboard:
  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Select the Permissions tab.
  3. Under Add an Authorization Details type, you can add multiple authorization_details types for your resource server. Enter an authorization_details type and then select the +Add option.
The registered authorization_details types for your resource server appear under List of Authorization Details Types.
You can render the authorization_details of a Rich Authorization Request in the consent prompt. To do so, configure the customized-consent prompt with the appropriate template partials. You can set the customized consent prompt using the Management API or Auth0 CLI.

Auth0 CLI

To configure the customized consent partials, run the auth0 ul customize command with the appropriate flags in your terminal:
auth0 ul customize
To learn more, read the auth0 universal-login customize documentation.

Management API

To configure the customized consent partials, make a PUT request to the /prompts/customized-consent/partials endpoint:
curl --location --request PUT "https://$tenant/api/v2/prompts/customized-consent/partials" \
  --header "Authorization: Bearer $management_access_token" \
  --header "Content-Type: application/json" \
  --data '{
    "customized-consent": {
      "form-content": "<div style=\"font-size: 1.3em; font-weight: bold;\">Operation Details</div><hr style=\"margin: 10px 0;\"><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Transaction Type</div><div>{{ transaction.params.authorization_details[0].type }}</div><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Amount</div><div>{{ transaction.params.authorization_details[0].instructedAmount.amount }} {{ transaction.params.authorization_details[0].instructedAmount.currency }}</div><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Recipient</div><div>{{ transaction.params.authorization_details[0].beneficiary }}</div><div style=\"margin-bottom: 20px;\"></div><div style=\"font-weight: bold;\">Destination Account</div><div>{{ transaction.params.authorization_details[0].destinationAccount }}</div><div style=\"margin-bottom: 20px;\"></div>"
    }
  }'
The customized consent template renders the authorization_details in the consent prompt that Auth0 shows to the end user. Note that this partial reads only the first entry, authorization_details[0]. Because the array can carry up to five entries, a partial used in production should render every entry the resource server accepts; otherwise the user approves transaction details that were never shown.
When the CIBA with RAR flow uses email notifications, you also need to customize the consent prompt to show the approval and rejection screens to the user.
User accepts the authentication request
To learn more about customizing the consent prompt, read the Auth0 Universal Login customization documentation.