diff --git a/ra/proto/ra.pb.go b/ra/proto/ra.pb.go
index f7910695d85..25e9e56ad70 100644
--- a/ra/proto/ra.pb.go
+++ b/ra/proto/ra.pb.go
@@ -535,6 +535,53 @@ func (x *NewOrderRequest) GetIsRenewal() bool {
 	return false
 }
 
+type GetAuthorizationRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Id int64 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+}
+
+func (x *GetAuthorizationRequest) Reset() {
+	*x = GetAuthorizationRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_ra_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetAuthorizationRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetAuthorizationRequest) ProtoMessage() {}
+
+func (x *GetAuthorizationRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_ra_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetAuthorizationRequest.ProtoReflect.Descriptor instead.
+func (*GetAuthorizationRequest) Descriptor() ([]byte, []int) {
+	return file_ra_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *GetAuthorizationRequest) GetId() int64 {
+	if x != nil {
+		return x.Id
+	}
+	return 0
+}
+
 type FinalizeOrderRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -547,7 +594,7 @@ type FinalizeOrderRequest struct {
 func (x *FinalizeOrderRequest) Reset() {
 	*x = FinalizeOrderRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_ra_proto_msgTypes[8]
+		mi := &file_ra_proto_msgTypes[9]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -560,7 +607,7 @@ func (x *FinalizeOrderRequest) String() string {
 func (*FinalizeOrderRequest) ProtoMessage() {}
 
 func (x *FinalizeOrderRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_ra_proto_msgTypes[8]
+	mi := &file_ra_proto_msgTypes[9]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -573,7 +620,7 @@ func (x *FinalizeOrderRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use FinalizeOrderRequest.ProtoReflect.Descriptor instead.
 func (*FinalizeOrderRequest) Descriptor() ([]byte, []int) {
-	return file_ra_proto_rawDescGZIP(), []int{8}
+	return file_ra_proto_rawDescGZIP(), []int{9}
 }
 
 func (x *FinalizeOrderRequest) GetOrder() *proto.Order {
@@ -602,7 +649,7 @@ type UnpauseAccountRequest struct {
 func (x *UnpauseAccountRequest) Reset() {
 	*x = UnpauseAccountRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_ra_proto_msgTypes[9]
+		mi := &file_ra_proto_msgTypes[10]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -615,7 +662,7 @@ func (x *UnpauseAccountRequest) String() string {
 func (*UnpauseAccountRequest) ProtoMessage() {}
 
 func (x *UnpauseAccountRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_ra_proto_msgTypes[9]
+	mi := &file_ra_proto_msgTypes[10]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -628,7 +675,7 @@ func (x *UnpauseAccountRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use UnpauseAccountRequest.ProtoReflect.Descriptor instead.
 func (*UnpauseAccountRequest) Descriptor() ([]byte, []int) {
-	return file_ra_proto_rawDescGZIP(), []int{9}
+	return file_ra_proto_rawDescGZIP(), []int{10}
 }
 
 func (x *UnpauseAccountRequest) GetRegistrationID() int64 {
@@ -650,7 +697,7 @@ type UnpauseAccountResponse struct {
 func (x *UnpauseAccountResponse) Reset() {
 	*x = UnpauseAccountResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_ra_proto_msgTypes[10]
+		mi := &file_ra_proto_msgTypes[11]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -663,7 +710,7 @@ func (x *UnpauseAccountResponse) String() string {
 func (*UnpauseAccountResponse) ProtoMessage() {}
 
 func (x *UnpauseAccountResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_ra_proto_msgTypes[10]
+	mi := &file_ra_proto_msgTypes[11]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -676,7 +723,7 @@ func (x *UnpauseAccountResponse) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use UnpauseAccountResponse.ProtoReflect.Descriptor instead.
 func (*UnpauseAccountResponse) Descriptor() ([]byte, []int) {
-	return file_ra_proto_rawDescGZIP(), []int{10}
+	return file_ra_proto_rawDescGZIP(), []int{11}
 }
 
 func (x *UnpauseAccountResponse) GetCount() int64 {
@@ -758,78 +805,85 @@ var file_ra_proto_rawDesc = []byte{
 	0x52, 0x16, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f,
 	0x66, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x69, 0x73, 0x52, 0x65,
 	0x6e, 0x65, 0x77, 0x61, 0x6c, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x52,
-	0x65, 0x6e, 0x65, 0x77, 0x61, 0x6c, 0x22, 0x4b, 0x0a, 0x14, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69,
-	0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x21,
-	0x0a, 0x05, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0b, 0x2e,
-	0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x05, 0x6f, 0x72, 0x64, 0x65,
-	0x72, 0x12, 0x10, 0x0a, 0x03, 0x63, 0x73, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03,
-	0x63, 0x73, 0x72, 0x22, 0x3f, 0x0a, 0x15, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63,
-	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e,
-	0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x03, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x49, 0x44, 0x22, 0x2e, 0x0a, 0x16, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41,
-	0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14,
-	0x0a, 0x05, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x63,
-	0x6f, 0x75, 0x6e, 0x74, 0x32, 0xf8, 0x06, 0x0a, 0x15, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x3b,
-	0x0a, 0x0f, 0x4e, 0x65, 0x77, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
-	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67,
-	0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x49, 0x0a, 0x12, 0x55,
-	0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f,
-	0x6e, 0x12, 0x1d, 0x2e, 0x72, 0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67,
-	0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x65, 0x6e, 0x65, 0x77, 0x61, 0x6c, 0x22, 0x29, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74,
+	0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x02, 0x69,
+	0x64, 0x22, 0x4b, 0x0a, 0x14, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, 0x72, 0x64,
+	0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x21, 0x0a, 0x05, 0x6f, 0x72, 0x64,
+	0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e,
+	0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x05, 0x6f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x10, 0x0a, 0x03,
+	0x63, 0x73, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x03, 0x63, 0x73, 0x72, 0x22, 0x3f,
+	0x0a, 0x15, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x26, 0x0a, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73,
+	0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52,
+	0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x49, 0x44, 0x22,
+	0x2e, 0x0a, 0x16, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e,
+	0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6f, 0x75,
+	0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x05, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x32,
+	0xc0, 0x07, 0x0a, 0x15, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x12, 0x3b, 0x0a, 0x0f, 0x4e, 0x65, 0x77,
+	0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x63,
+	0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
 	0x1a, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x11, 0x50, 0x65, 0x72, 0x66, 0x6f, 0x72,
-	0x6d, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x2e, 0x72, 0x61,
-	0x2e, 0x50, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69,
+	0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x49, 0x0a, 0x12, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
+	0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1d, 0x2e, 0x72,
+	0x61, 0x2e, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x63, 0x6f,
+	0x72, 0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22,
+	0x00, 0x12, 0x48, 0x0a, 0x11, 0x50, 0x65, 0x72, 0x66, 0x6f, 0x72, 0x6d, 0x56, 0x61, 0x6c, 0x69,
+	0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x2e, 0x72, 0x61, 0x2e, 0x50, 0x65, 0x72, 0x66,
+	0x6f, 0x72, 0x6d, 0x56, 0x61, 0x6c, 0x69, 0x64, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, 0x68,
+	0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x16, 0x44,
+	0x65, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72,
+	0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x52, 0x65, 0x67,
+	0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
+	0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74,
+	0x79, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x17, 0x44, 0x65, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74,
+	0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x13,
+	0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x53, 0x0a,
+	0x15, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x42, 0x79, 0x41, 0x70, 0x70,
+	0x6c, 0x69, 0x63, 0x61, 0x6e, 0x74, 0x12, 0x20, 0x2e, 0x72, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f,
+	0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x42, 0x79, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x6e,
+	0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
+	0x22, 0x00, 0x12, 0x47, 0x0a, 0x0f, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74,
+	0x42, 0x79, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x2e, 0x72, 0x61, 0x2e, 0x52, 0x65, 0x76, 0x6f, 0x6b,
+	0x65, 0x43, 0x65, 0x72, 0x74, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x6b, 0x0a, 0x21, 0x41,
+	0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x76, 0x65, 0x6c, 0x79, 0x52,
+	0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
+	0x12, 0x2c, 0x2e, 0x72, 0x61, 0x2e, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61,
+	0x74, 0x69, 0x76, 0x65, 0x6c, 0x79, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16,
+	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
+	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x2e, 0x0a, 0x08, 0x4e, 0x65, 0x77, 0x4f,
+	0x72, 0x64, 0x65, 0x72, 0x12, 0x13, 0x2e, 0x72, 0x61, 0x2e, 0x4e, 0x65, 0x77, 0x4f, 0x72, 0x64,
+	0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65,
+	0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x41,
+	0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1b, 0x2e, 0x72,
+	0x61, 0x2e, 0x47, 0x65, 0x74, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69,
 	0x6f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x13, 0x2e, 0x63, 0x6f, 0x72, 0x65,
 	0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x00,
-	0x12, 0x46, 0x0a, 0x16, 0x44, 0x65, 0x61, 0x63, 0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x52, 0x65,
-	0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x2e, 0x63, 0x6f, 0x72,
-	0x65, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x16,
-	0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66,
-	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x48, 0x0a, 0x17, 0x44, 0x65, 0x61, 0x63,
-	0x74, 0x69, 0x76, 0x61, 0x74, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x12, 0x13, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f,
-	0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
-	0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x22, 0x00, 0x12, 0x53, 0x0a, 0x15, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74,
-	0x42, 0x79, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x6e, 0x74, 0x12, 0x20, 0x2e, 0x72, 0x61,
-	0x2e, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x42, 0x79, 0x41, 0x70, 0x70,
-	0x6c, 0x69, 0x63, 0x61, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e,
-	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e,
-	0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x47, 0x0a, 0x0f, 0x52, 0x65, 0x76, 0x6f, 0x6b,
-	0x65, 0x43, 0x65, 0x72, 0x74, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x2e, 0x72, 0x61, 0x2e,
-	0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x42, 0x79, 0x4b, 0x65, 0x79, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00,
-	0x12, 0x6b, 0x0a, 0x21, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69,
-	0x76, 0x65, 0x6c, 0x79, 0x52, 0x65, 0x76, 0x6f, 0x6b, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66,
-	0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x2c, 0x2e, 0x72, 0x61, 0x2e, 0x41, 0x64, 0x6d, 0x69, 0x6e,
-	0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x69, 0x76, 0x65, 0x6c, 0x79, 0x52, 0x65, 0x76, 0x6f, 0x6b,
-	0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x2e, 0x0a,
-	0x08, 0x4e, 0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x13, 0x2e, 0x72, 0x61, 0x2e, 0x4e,
-	0x65, 0x77, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b,
-	0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x38, 0x0a,
-	0x0d, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x12, 0x18,
-	0x2e, 0x72, 0x61, 0x2e, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65,
-	0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e,
-	0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0c, 0x47, 0x65, 0x6e, 0x65, 0x72,
-	0x61, 0x74, 0x65, 0x4f, 0x43, 0x53, 0x50, 0x12, 0x17, 0x2e, 0x72, 0x61, 0x2e, 0x47, 0x65, 0x6e,
-	0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x10, 0x2e, 0x63, 0x61, 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x00, 0x12, 0x49, 0x0a, 0x0e, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41,
-	0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x19, 0x2e, 0x72, 0x61, 0x2e, 0x55, 0x6e, 0x70, 0x61,
-	0x75, 0x73, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x1a, 0x1a, 0x2e, 0x72, 0x61, 0x2e, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63,
-	0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42,
-	0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6c, 0x65,
-	0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75, 0x6c, 0x64, 0x65,
-	0x72, 0x2f, 0x72, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
+	0x12, 0x38, 0x0a, 0x0d, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f, 0x72, 0x64, 0x65,
+	0x72, 0x12, 0x18, 0x2e, 0x72, 0x61, 0x2e, 0x46, 0x69, 0x6e, 0x61, 0x6c, 0x69, 0x7a, 0x65, 0x4f,
+	0x72, 0x64, 0x65, 0x72, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x0b, 0x2e, 0x63, 0x6f,
+	0x72, 0x65, 0x2e, 0x4f, 0x72, 0x64, 0x65, 0x72, 0x22, 0x00, 0x12, 0x3b, 0x0a, 0x0c, 0x47, 0x65,
+	0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53, 0x50, 0x12, 0x17, 0x2e, 0x72, 0x61, 0x2e,
+	0x47, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x1a, 0x10, 0x2e, 0x63, 0x61, 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x49, 0x0a, 0x0e, 0x55, 0x6e, 0x70, 0x61, 0x75,
+	0x73, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x19, 0x2e, 0x72, 0x61, 0x2e, 0x55,
+	0x6e, 0x70, 0x61, 0x75, 0x73, 0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x1a, 0x2e, 0x72, 0x61, 0x2e, 0x55, 0x6e, 0x70, 0x61, 0x75, 0x73,
+	0x65, 0x41, 0x63, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x00, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
+	0x2f, 0x6c, 0x65, 0x74, 0x73, 0x65, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x2f, 0x62, 0x6f, 0x75,
+	0x6c, 0x64, 0x65, 0x72, 0x2f, 0x72, 0x61, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -844,7 +898,7 @@ func file_ra_proto_rawDescGZIP() []byte {
 	return file_ra_proto_rawDescData
 }
 
-var file_ra_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
+var file_ra_proto_msgTypes = make([]protoimpl.MessageInfo, 12)
 var file_ra_proto_goTypes = []interface{}{
 	(*GenerateOCSPRequest)(nil),                      // 0: ra.GenerateOCSPRequest
 	(*UpdateRegistrationRequest)(nil),                // 1: ra.UpdateRegistrationRequest
@@ -854,49 +908,52 @@ var file_ra_proto_goTypes = []interface{}{
 	(*RevokeCertByKeyRequest)(nil),                   // 5: ra.RevokeCertByKeyRequest
 	(*AdministrativelyRevokeCertificateRequest)(nil), // 6: ra.AdministrativelyRevokeCertificateRequest
 	(*NewOrderRequest)(nil),                          // 7: ra.NewOrderRequest
-	(*FinalizeOrderRequest)(nil),                     // 8: ra.FinalizeOrderRequest
-	(*UnpauseAccountRequest)(nil),                    // 9: ra.UnpauseAccountRequest
-	(*UnpauseAccountResponse)(nil),                   // 10: ra.UnpauseAccountResponse
-	(*proto.Registration)(nil),                       // 11: core.Registration
-	(*proto.Authorization)(nil),                      // 12: core.Authorization
-	(*proto.Challenge)(nil),                          // 13: core.Challenge
-	(*proto.Order)(nil),                              // 14: core.Order
-	(*emptypb.Empty)(nil),                            // 15: google.protobuf.Empty
-	(*proto1.OCSPResponse)(nil),                      // 16: ca.OCSPResponse
+	(*GetAuthorizationRequest)(nil),                  // 8: ra.GetAuthorizationRequest
+	(*FinalizeOrderRequest)(nil),                     // 9: ra.FinalizeOrderRequest
+	(*UnpauseAccountRequest)(nil),                    // 10: ra.UnpauseAccountRequest
+	(*UnpauseAccountResponse)(nil),                   // 11: ra.UnpauseAccountResponse
+	(*proto.Registration)(nil),                       // 12: core.Registration
+	(*proto.Authorization)(nil),                      // 13: core.Authorization
+	(*proto.Challenge)(nil),                          // 14: core.Challenge
+	(*proto.Order)(nil),                              // 15: core.Order
+	(*emptypb.Empty)(nil),                            // 16: google.protobuf.Empty
+	(*proto1.OCSPResponse)(nil),                      // 17: ca.OCSPResponse
 }
 var file_ra_proto_depIdxs = []int32{
-	11, // 0: ra.UpdateRegistrationRequest.base:type_name -> core.Registration
-	11, // 1: ra.UpdateRegistrationRequest.update:type_name -> core.Registration
-	12, // 2: ra.UpdateAuthorizationRequest.authz:type_name -> core.Authorization
-	13, // 3: ra.UpdateAuthorizationRequest.response:type_name -> core.Challenge
-	12, // 4: ra.PerformValidationRequest.authz:type_name -> core.Authorization
-	14, // 5: ra.FinalizeOrderRequest.order:type_name -> core.Order
-	11, // 6: ra.RegistrationAuthority.NewRegistration:input_type -> core.Registration
+	12, // 0: ra.UpdateRegistrationRequest.base:type_name -> core.Registration
+	12, // 1: ra.UpdateRegistrationRequest.update:type_name -> core.Registration
+	13, // 2: ra.UpdateAuthorizationRequest.authz:type_name -> core.Authorization
+	14, // 3: ra.UpdateAuthorizationRequest.response:type_name -> core.Challenge
+	13, // 4: ra.PerformValidationRequest.authz:type_name -> core.Authorization
+	15, // 5: ra.FinalizeOrderRequest.order:type_name -> core.Order
+	12, // 6: ra.RegistrationAuthority.NewRegistration:input_type -> core.Registration
 	1,  // 7: ra.RegistrationAuthority.UpdateRegistration:input_type -> ra.UpdateRegistrationRequest
 	3,  // 8: ra.RegistrationAuthority.PerformValidation:input_type -> ra.PerformValidationRequest
-	11, // 9: ra.RegistrationAuthority.DeactivateRegistration:input_type -> core.Registration
-	12, // 10: ra.RegistrationAuthority.DeactivateAuthorization:input_type -> core.Authorization
+	12, // 9: ra.RegistrationAuthority.DeactivateRegistration:input_type -> core.Registration
+	13, // 10: ra.RegistrationAuthority.DeactivateAuthorization:input_type -> core.Authorization
 	4,  // 11: ra.RegistrationAuthority.RevokeCertByApplicant:input_type -> ra.RevokeCertByApplicantRequest
 	5,  // 12: ra.RegistrationAuthority.RevokeCertByKey:input_type -> ra.RevokeCertByKeyRequest
 	6,  // 13: ra.RegistrationAuthority.AdministrativelyRevokeCertificate:input_type -> ra.AdministrativelyRevokeCertificateRequest
 	7,  // 14: ra.RegistrationAuthority.NewOrder:input_type -> ra.NewOrderRequest
-	8,  // 15: ra.RegistrationAuthority.FinalizeOrder:input_type -> ra.FinalizeOrderRequest
-	0,  // 16: ra.RegistrationAuthority.GenerateOCSP:input_type -> ra.GenerateOCSPRequest
-	9,  // 17: ra.RegistrationAuthority.UnpauseAccount:input_type -> ra.UnpauseAccountRequest
-	11, // 18: ra.RegistrationAuthority.NewRegistration:output_type -> core.Registration
-	11, // 19: ra.RegistrationAuthority.UpdateRegistration:output_type -> core.Registration
-	12, // 20: ra.RegistrationAuthority.PerformValidation:output_type -> core.Authorization
-	15, // 21: ra.RegistrationAuthority.DeactivateRegistration:output_type -> google.protobuf.Empty
-	15, // 22: ra.RegistrationAuthority.DeactivateAuthorization:output_type -> google.protobuf.Empty
-	15, // 23: ra.RegistrationAuthority.RevokeCertByApplicant:output_type -> google.protobuf.Empty
-	15, // 24: ra.RegistrationAuthority.RevokeCertByKey:output_type -> google.protobuf.Empty
-	15, // 25: ra.RegistrationAuthority.AdministrativelyRevokeCertificate:output_type -> google.protobuf.Empty
-	14, // 26: ra.RegistrationAuthority.NewOrder:output_type -> core.Order
-	14, // 27: ra.RegistrationAuthority.FinalizeOrder:output_type -> core.Order
-	16, // 28: ra.RegistrationAuthority.GenerateOCSP:output_type -> ca.OCSPResponse
-	10, // 29: ra.RegistrationAuthority.UnpauseAccount:output_type -> ra.UnpauseAccountResponse
-	18, // [18:30] is the sub-list for method output_type
-	6,  // [6:18] is the sub-list for method input_type
+	8,  // 15: ra.RegistrationAuthority.GetAuthorization:input_type -> ra.GetAuthorizationRequest
+	9,  // 16: ra.RegistrationAuthority.FinalizeOrder:input_type -> ra.FinalizeOrderRequest
+	0,  // 17: ra.RegistrationAuthority.GenerateOCSP:input_type -> ra.GenerateOCSPRequest
+	10, // 18: ra.RegistrationAuthority.UnpauseAccount:input_type -> ra.UnpauseAccountRequest
+	12, // 19: ra.RegistrationAuthority.NewRegistration:output_type -> core.Registration
+	12, // 20: ra.RegistrationAuthority.UpdateRegistration:output_type -> core.Registration
+	13, // 21: ra.RegistrationAuthority.PerformValidation:output_type -> core.Authorization
+	16, // 22: ra.RegistrationAuthority.DeactivateRegistration:output_type -> google.protobuf.Empty
+	16, // 23: ra.RegistrationAuthority.DeactivateAuthorization:output_type -> google.protobuf.Empty
+	16, // 24: ra.RegistrationAuthority.RevokeCertByApplicant:output_type -> google.protobuf.Empty
+	16, // 25: ra.RegistrationAuthority.RevokeCertByKey:output_type -> google.protobuf.Empty
+	16, // 26: ra.RegistrationAuthority.AdministrativelyRevokeCertificate:output_type -> google.protobuf.Empty
+	15, // 27: ra.RegistrationAuthority.NewOrder:output_type -> core.Order
+	13, // 28: ra.RegistrationAuthority.GetAuthorization:output_type -> core.Authorization
+	15, // 29: ra.RegistrationAuthority.FinalizeOrder:output_type -> core.Order
+	17, // 30: ra.RegistrationAuthority.GenerateOCSP:output_type -> ca.OCSPResponse
+	11, // 31: ra.RegistrationAuthority.UnpauseAccount:output_type -> ra.UnpauseAccountResponse
+	19, // [19:32] is the sub-list for method output_type
+	6,  // [6:19] is the sub-list for method input_type
 	6,  // [6:6] is the sub-list for extension type_name
 	6,  // [6:6] is the sub-list for extension extendee
 	0,  // [0:6] is the sub-list for field type_name
@@ -1005,7 +1062,7 @@ func file_ra_proto_init() {
 			}
 		}
 		file_ra_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*FinalizeOrderRequest); i {
+			switch v := v.(*GetAuthorizationRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1017,7 +1074,7 @@ func file_ra_proto_init() {
 			}
 		}
 		file_ra_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*UnpauseAccountRequest); i {
+			switch v := v.(*FinalizeOrderRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1029,6 +1086,18 @@ func file_ra_proto_init() {
 			}
 		}
 		file_ra_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UnpauseAccountRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_ra_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*UnpauseAccountResponse); i {
 			case 0:
 				return &v.state
@@ -1047,7 +1116,7 @@ func file_ra_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_ra_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   11,
+			NumMessages:   12,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
diff --git a/ra/proto/ra.proto b/ra/proto/ra.proto
index b440b56fe61..b21dc6cd256 100644
--- a/ra/proto/ra.proto
+++ b/ra/proto/ra.proto
@@ -17,6 +17,7 @@ service RegistrationAuthority {
   rpc RevokeCertByKey(RevokeCertByKeyRequest) returns (google.protobuf.Empty) {}
   rpc AdministrativelyRevokeCertificate(AdministrativelyRevokeCertificateRequest) returns (google.protobuf.Empty) {}
   rpc NewOrder(NewOrderRequest) returns (core.Order) {}
+  rpc GetAuthorization(GetAuthorizationRequest) returns (core.Authorization) {}
   rpc FinalizeOrder(FinalizeOrderRequest) returns (core.Order) {}
   // Generate an OCSP response based on the DB's current status and reason code.
   rpc GenerateOCSP(GenerateOCSPRequest) returns (ca.OCSPResponse) {}
@@ -80,6 +81,10 @@ message NewOrderRequest {
   bool isRenewal = 6;
 }
 
+message GetAuthorizationRequest {
+  int64 id = 1;
+}
+
 message FinalizeOrderRequest {
   core.Order order = 1;
   bytes csr = 2;
diff --git a/ra/proto/ra_grpc.pb.go b/ra/proto/ra_grpc.pb.go
index 88a8ce823db..a5ce32e923a 100644
--- a/ra/proto/ra_grpc.pb.go
+++ b/ra/proto/ra_grpc.pb.go
@@ -31,6 +31,7 @@ const (
 	RegistrationAuthority_RevokeCertByKey_FullMethodName                   = "/ra.RegistrationAuthority/RevokeCertByKey"
 	RegistrationAuthority_AdministrativelyRevokeCertificate_FullMethodName = "/ra.RegistrationAuthority/AdministrativelyRevokeCertificate"
 	RegistrationAuthority_NewOrder_FullMethodName                          = "/ra.RegistrationAuthority/NewOrder"
+	RegistrationAuthority_GetAuthorization_FullMethodName                  = "/ra.RegistrationAuthority/GetAuthorization"
 	RegistrationAuthority_FinalizeOrder_FullMethodName                     = "/ra.RegistrationAuthority/FinalizeOrder"
 	RegistrationAuthority_GenerateOCSP_FullMethodName                      = "/ra.RegistrationAuthority/GenerateOCSP"
 	RegistrationAuthority_UnpauseAccount_FullMethodName                    = "/ra.RegistrationAuthority/UnpauseAccount"
@@ -49,6 +50,7 @@ type RegistrationAuthorityClient interface {
 	RevokeCertByKey(ctx context.Context, in *RevokeCertByKeyRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	AdministrativelyRevokeCertificate(ctx context.Context, in *AdministrativelyRevokeCertificateRequest, opts ...grpc.CallOption) (*emptypb.Empty, error)
 	NewOrder(ctx context.Context, in *NewOrderRequest, opts ...grpc.CallOption) (*proto.Order, error)
+	GetAuthorization(ctx context.Context, in *GetAuthorizationRequest, opts ...grpc.CallOption) (*proto.Authorization, error)
 	FinalizeOrder(ctx context.Context, in *FinalizeOrderRequest, opts ...grpc.CallOption) (*proto.Order, error)
 	// Generate an OCSP response based on the DB's current status and reason code.
 	GenerateOCSP(ctx context.Context, in *GenerateOCSPRequest, opts ...grpc.CallOption) (*proto1.OCSPResponse, error)
@@ -153,6 +155,16 @@ func (c *registrationAuthorityClient) NewOrder(ctx context.Context, in *NewOrder
 	return out, nil
 }
 
+func (c *registrationAuthorityClient) GetAuthorization(ctx context.Context, in *GetAuthorizationRequest, opts ...grpc.CallOption) (*proto.Authorization, error) {
+	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
+	out := new(proto.Authorization)
+	err := c.cc.Invoke(ctx, RegistrationAuthority_GetAuthorization_FullMethodName, in, out, cOpts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *registrationAuthorityClient) FinalizeOrder(ctx context.Context, in *FinalizeOrderRequest, opts ...grpc.CallOption) (*proto.Order, error) {
 	cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...)
 	out := new(proto.Order)
@@ -196,6 +208,7 @@ type RegistrationAuthorityServer interface {
 	RevokeCertByKey(context.Context, *RevokeCertByKeyRequest) (*emptypb.Empty, error)
 	AdministrativelyRevokeCertificate(context.Context, *AdministrativelyRevokeCertificateRequest) (*emptypb.Empty, error)
 	NewOrder(context.Context, *NewOrderRequest) (*proto.Order, error)
+	GetAuthorization(context.Context, *GetAuthorizationRequest) (*proto.Authorization, error)
 	FinalizeOrder(context.Context, *FinalizeOrderRequest) (*proto.Order, error)
 	// Generate an OCSP response based on the DB's current status and reason code.
 	GenerateOCSP(context.Context, *GenerateOCSPRequest) (*proto1.OCSPResponse, error)
@@ -234,6 +247,9 @@ func (UnimplementedRegistrationAuthorityServer) AdministrativelyRevokeCertificat
 func (UnimplementedRegistrationAuthorityServer) NewOrder(context.Context, *NewOrderRequest) (*proto.Order, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method NewOrder not implemented")
 }
+func (UnimplementedRegistrationAuthorityServer) GetAuthorization(context.Context, *GetAuthorizationRequest) (*proto.Authorization, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetAuthorization not implemented")
+}
 func (UnimplementedRegistrationAuthorityServer) FinalizeOrder(context.Context, *FinalizeOrderRequest) (*proto.Order, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method FinalizeOrder not implemented")
 }
@@ -418,6 +434,24 @@ func _RegistrationAuthority_NewOrder_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RegistrationAuthority_GetAuthorization_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetAuthorizationRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RegistrationAuthorityServer).GetAuthorization(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: RegistrationAuthority_GetAuthorization_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RegistrationAuthorityServer).GetAuthorization(ctx, req.(*GetAuthorizationRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RegistrationAuthority_FinalizeOrder_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(FinalizeOrderRequest)
 	if err := dec(in); err != nil {
@@ -515,6 +549,10 @@ var RegistrationAuthority_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "NewOrder",
 			Handler:    _RegistrationAuthority_NewOrder_Handler,
 		},
+		{
+			MethodName: "GetAuthorization",
+			Handler:    _RegistrationAuthority_GetAuthorization_Handler,
+		},
 		{
 			MethodName: "FinalizeOrder",
 			Handler:    _RegistrationAuthority_FinalizeOrder_Handler,
diff --git a/ra/ra.go b/ra/ra.go
index 534e5fdc993..0f1d8e84365 100644
--- a/ra/ra.go
+++ b/ra/ra.go
@@ -2815,6 +2815,29 @@ func (ra *RegistrationAuthorityImpl) UnpauseAccount(ctx context.Context, request
 	return &rapb.UnpauseAccountResponse{Count: count.Count}, nil
 }
 
+func (ra *RegistrationAuthorityImpl) GetAuthorization(ctx context.Context, req *rapb.GetAuthorizationRequest) (*corepb.Authorization, error) {
+	if core.IsAnyNilOrZero(req, req.Id) {
+		return nil, errIncompleteGRPCRequest
+	}
+
+	authz, err := ra.SA.GetAuthorization2(ctx, &sapb.AuthorizationID2{Id: req.Id})
+	if err != nil {
+		return nil, fmt.Errorf("getting authz from SA: %w", err)
+	}
+
+	// Filter out any challenges which are currently disabled, so that the client
+	// doesn't attempt them.
+	challs := []*corepb.Challenge{}
+	for _, chall := range authz.Challenges {
+		if ra.PA.ChallengeTypeEnabled(core.AcmeChallenge(chall.Type)) {
+			challs = append(challs, chall)
+		}
+	}
+
+	authz.Challenges = challs
+	return authz, nil
+}
+
 func (ra *RegistrationAuthorityImpl) DrainFinalize() {
 	ra.finalizeWG.Wait()
 }
diff --git a/ra/ra_test.go b/ra/ra_test.go
index f9d6782db92..e0f00283e71 100644
--- a/ra/ra_test.go
+++ b/ra/ra_test.go
@@ -2396,6 +2396,15 @@ func (msa *mockSAWithAuthzs) GetAuthorizations2(ctx context.Context, req *sapb.G
 	return resp, nil
 }
 
+func (msa *mockSAWithAuthzs) GetAuthorization2(ctx context.Context, req *sapb.AuthorizationID2, _ ...grpc.CallOption) (*corepb.Authorization, error) {
+	for _, authz := range msa.authzs {
+		if authz.ID == fmt.Sprintf("%d", req.Id) {
+			return bgrpc.AuthzToPB(*authz)
+		}
+	}
+	return nil, berrors.NotFoundError("no such authz")
+}
+
 // NewOrderAndAuthzs is a mock which just reflects the incoming request back,
 // pretending to have created new db rows for the requested newAuthzs.
 func (msa *mockSAWithAuthzs) NewOrderAndAuthzs(ctx context.Context, req *sapb.NewOrderAndAuthzsRequest, _ ...grpc.CallOption) (*corepb.Order, error) {
@@ -4585,3 +4594,46 @@ func TestUnpauseAccount(t *testing.T) {
 	test.AssertNotError(t, err, "Should have been able to unpause account")
 	test.AssertEquals(t, res.Count, int64(50001))
 }
+
+func TestGetAuthorization(t *testing.T) {
+	_, _, ra, _, cleanup := initAuthorities(t)
+	defer cleanup()
+
+	ra.SA = &mockSAWithAuthzs{
+		authzs: map[string]*core.Authorization{
+			"example.com": {
+				ID:         "1",
+				Identifier: identifier.DNSIdentifier("example.com"),
+				Status:     "valid",
+				Challenges: []core.Challenge{
+					{
+						Type:   core.ChallengeTypeHTTP01,
+						Status: core.StatusValid,
+					},
+				},
+			},
+		},
+	}
+
+	// With HTTP01 enabled, GetAuthorization should pass the mock challenge through.
+	pa, err := policy.New(map[core.AcmeChallenge]bool{
+		core.ChallengeTypeHTTP01: true,
+		core.ChallengeTypeDNS01:  true,
+	}, blog.NewMock())
+	test.AssertNotError(t, err, "Couldn't create PA")
+	ra.PA = pa
+	authz, err := ra.GetAuthorization(context.Background(), &rapb.GetAuthorizationRequest{Id: 1})
+	test.AssertNotError(t, err, "should not fail")
+	test.AssertEquals(t, len(authz.Challenges), 1)
+	test.AssertEquals(t, authz.Challenges[0].Type, string(core.ChallengeTypeHTTP01))
+
+	// With HTTP01 disabled, GetAuthorization should filter out the mock challenge.
+	pa, err = policy.New(map[core.AcmeChallenge]bool{
+		core.ChallengeTypeDNS01: true,
+	}, blog.NewMock())
+	test.AssertNotError(t, err, "Couldn't create PA")
+	ra.PA = pa
+	authz, err = ra.GetAuthorization(context.Background(), &rapb.GetAuthorizationRequest{Id: 1})
+	test.AssertNotError(t, err, "should not fail")
+	test.AssertEquals(t, len(authz.Challenges), 0)
+}