OAuth Client Register
RFC 7591 OAuth 2.0 Dynamic Client Registration. Allows clients such as MCP connectors to register themselves without prior administrator configuration. Dynamically registered clients are tenant-owned (they have no account owner), use the explicit scope policy, and are restricted to a conservative grant and scope allowlist. Authorization Code clients must use PKCE; Storyden enforces PKCE (S256) at the authorize and token endpoints for all clients. Public clients register with `token_endpoint_auth_method: none` and receive no client secret. Confidential clients register with `client_secret_basic` or `client_secret_post` and receive a one-time `client_secret` in the response. The registration endpoint is advertised as `registration_endpoint` by the authorization server metadata documents. This is an unauthenticated endpoint that creates server state, so it is heavily rate limited to prevent abuse.
/oauth/register
Request Body
application/json
Response Body
application/json
```
curl -X POST "https://example.com/oauth/register" \
  -H "Content-Type: application/json" \
  -d '{}'
```

```
{
  "client_id": "string",
  "client_secret": "string",
  "client_id_issued_at": 0,
  "client_secret_expires_at": 0,
  "client_name": "string",
  "redirect_uris": [
    "http://example.com"
  ],
  "grant_types": [
    "string"
  ],
  "response_types": [
    "string"
  ],
  "scope": "string",
  "token_endpoint_auth_method": "string",
  "application_type": "string",
  "logo_uri": "http://example.com",
  "client_uri": "http://example.com",
  "tos_uri": "http://example.com",
  "policy_uri": "http://example.com"
}
```

```
{
  "error": "string",
  "error_description": "string"
}
```

```
{
  "type": "string",
  "title": "string",
  "detail": "string",
  "trace_id": "string",
  "metadata": {}
}
```

OAuth Client List GET
List OAuth clients created by the authenticated account. This is the member-facing "apps I created" view. OAuth clients are application definitions: client ID, client type, redirect URIs, allowed scopes, and allowed grants. This does not list built-in first-party clients or third-party apps the member has merely authorised. Use `/auth/oauth/tokens` for the "apps I have authorised" view.
OAuth Client Update PATCH
Update an OAuth client created by the authenticated account. Allowed scopes must remain within the authenticated account's current permissions. If the account has `ADMINISTRATOR`, it may configure any Storyden permission scope because `ADMINISTRATOR` implicitly grants all permissions. Changing allowed scopes affects future grants and refreshes but does not immediately invalidate already-issued JWT access tokens.