Storyden
Auth

O Auth Client Update

Update an OAuth client created by the authenticated account. Allowed scopes must remain within the authenticated account's current permissions. If the account has `ADMINISTRATOR`, it may configure any Storyden permission scope because `ADMINISTRATOR` implicitly grants all permissions. Changing allowed scopes affects future grants and refreshes but does not immediately invalidate already-issued JWT access tokens.

PATCH/auth/oauth/clients/{oauth_client_id}

Update an OAuth client created by the authenticated account.

Allowed scopes must remain within the authenticated account's current permissions. If the account has ADMINISTRATOR, it may configure any Storyden permission scope because ADMINISTRATOR implicitly grants all permissions.

Changing allowed scopes affects future grants and refreshes but does not immediately invalidate already-issued JWT access tokens.

storyden-session<token>

In: cookie

Path Parameters

oauth_client_id*string

OAuth client ID.

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

Response Body

application/json

application/json

curl -X PATCH "https://example.com/auth/oauth/clients/cc5lnd2s1s4652adtu50" \  -H "Content-Type: application/json" \  -d '{}'
{
  "id": "cc5lnd2s1s4652adtu50",
  "createdAt": "2019-08-24T14:15:22Z",
  "updatedAt": "2019-08-24T14:15:22Z",
  "account_id": "cc5lnd2s1s4652adtu50",
  "client_id": "string",
  "name": "string",
  "type": "public",
  "scope_policy": "explicit",
  "redirect_uris": [
    "http://example.com"
  ],
  "allowed_scopes": [
    "string"
  ],
  "allowed_grants": [
    "string"
  ]
}
Empty
Empty
Empty
{
  "type": "string",
  "title": "string",
  "detail": "string",
  "trace_id": "string",
  "metadata": {}
}

O Auth Client Register POST

RFC 7591 OAuth 2.0 Dynamic Client Registration. Allows clients such as MCP connectors to register themselves without prior administrator configuration. Dynamically registered clients are tenant-owned (they have no account owner), use the explicit scope policy, and are restricted to a conservative grant and scope allowlist. Authorization Code clients must use PKCE; Storyden enforces PKCE (S256) at the authorize and token endpoints for all clients. Public clients register with `token_endpoint_auth_method: none` and receive no client secret. Confidential clients register with `client_secret_basic` or `client_secret_post` and receive a one-time `client_secret` in the response. The registration endpoint is advertised as `registration_endpoint` by the authorization server metadata documents. This is an unauthenticated endpoint that creates server state, so it is heavily rate limited to prevent abuse.

O Auth Device Authorisation POST

Start the OAuth 2.0 Device Authorization Grant for clients that cannot receive a browser redirect directly, such as CLIs, terminals, and desktop tools. The `scope` parameter follows OAuth 2.0 and is optional. Storyden applies additional client policy after parsing the request: - Built-in first-party device clients, such as the default Storyden CLI client, must request exactly `openid profile offline_access`. On approval Storyden expands the issued scope to the approving account's current permissions. - Third-party explicit-scope clients may omit `scope`; omitted scope means no requested scopes. `verification_uri` and `verification_uri_complete` point at the configured frontend consent page, not at an API-rendered HTML page. Custom frontends can change this URL with `OAUTH_DEVICE_AUTHORISATION_CONSENT_URL`.