O Auth Client List
List OAuth clients created by the authenticated account. This is the member-facing "apps I created" view. OAuth clients are application definitions: client ID, client type, redirect URIs, allowed scopes, and allowed grants. This does not list built-in first-party clients or third-party apps the member has merely authorised. Use `/auth/oauth/tokens` for the "apps I have authorised" view.
/auth/oauth/clientsList OAuth clients created by the authenticated account.
This is the member-facing "apps I created" view. OAuth clients are application definitions: client ID, client type, redirect URIs, allowed scopes, and allowed grants.
This does not list built-in first-party clients or third-party apps the
member has merely authorised. Use /auth/oauth/tokens for the
"apps I have authorised" view.
Authorization
browser In: cookie
Response Body
application/json
application/json
curl -X GET "https://example.com/auth/oauth/clients"{
"clients": [
{
"id": "cc5lnd2s1s4652adtu50",
"createdAt": "2019-08-24T14:15:22Z",
"updatedAt": "2019-08-24T14:15:22Z",
"account_id": "cc5lnd2s1s4652adtu50",
"client_id": "string",
"name": "string",
"type": "public",
"scope_policy": "explicit",
"redirect_uris": [
"http://example.com"
],
"allowed_scopes": [
"string"
],
"allowed_grants": [
"string"
]
}
]
}{
"type": "string",
"title": "string",
"detail": "string",
"trace_id": "string",
"metadata": {}
}O Auth Client Get GET
Read an OAuth client created by the authenticated account. Member-created clients are third-party application identities. They may be public or confidential but are never first-party inherited-permission clients.
O Auth Client Register POST
RFC 7591 OAuth 2.0 Dynamic Client Registration. Allows clients such as MCP connectors to register themselves without prior administrator configuration. Dynamically registered clients are tenant-owned (they have no account owner), use the explicit scope policy, and are restricted to a conservative grant and scope allowlist. Authorization Code clients must use PKCE; Storyden enforces PKCE (S256) at the authorize and token endpoints for all clients. Public clients register with `token_endpoint_auth_method: none` and receive no client secret. Confidential clients register with `client_secret_basic` or `client_secret_post` and receive a one-time `client_secret` in the response. The registration endpoint is advertised as `registration_endpoint` by the authorization server metadata documents. This is an unauthenticated endpoint that creates server state, so it is heavily rate limited to prevent abuse.