When a server uses ezforge_managed auth, client applications must register as OAuth clients before they can request tokens. This follows RFC 7591 (Dynamic Client Registration). Required scope: Session authentication only.

List OAuth clients

GET /v1/servers/:serverId/clients
Returns all registered OAuth clients for the server. Response 200:
{
  "data": [
    {
      "id": "oac_abc123",
      "clientId": "client_xyz...",
      "name": "My MCP Client",
      "redirectUris": ["https://myapp.example.com/callback"],
      "scopes": ["mcp:read"],
      "isDynamic": false,
      "createdAt": "2026-01-15T10:00:00Z"
    }
  ]
}

Register OAuth client

POST /v1/servers/:serverId/clients
Registers a new OAuth client for the server. Request body:
{
  "name": "My MCP Client",
  "redirectUris": ["https://myapp.example.com/callback"],
  "scopes": ["mcp:read"]
}
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | | Human-readable client name (max 255 chars) |
| redirectUris | string[] | | One or more redirect URIs. Must use https except for loopback addresses (localhost, 127.0.0.1, [::1]). No fragment component (RFC 6749 §3.1.2). Max 20 entries. |
| scopes | string[] | | Requested scopes. Defaults to ["mcp:read"] if omitted. |
Response 201:
{
  "data": {
    "id": "oac_abc123",
    "clientId": "client_xyz...",
    "clientSecret": "secret_...",
    "name": "My MCP Client",
    "redirectUris": ["https://myapp.example.com/callback"],
    "scopes": ["mcp:read"],
    "isDynamic": false,
    "createdAt": "2026-01-15T10:00:00Z"
  }
}
The clientSecret is only returned once at registration time. Store it securely — it cannot be retrieved again.
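
The redirectUris rules in the field table above can be checked client-side before the registration request is sent. This is an added example, not code from the API or its project; the function names and sample URIs are hypothetical, and the server's own validation remains authoritative.

```javascript
// Added example (not the API's own code): pre-flight check of redirectUris
// against the rules documented above. All names here are hypothetical.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const MAX_REDIRECT_URIS = 20;

// Returns null when the URI satisfies the documented rules, else a reason.
function checkRedirectUri(uri) {
  if (typeof uri !== "string") return "not a string";
  // No fragment component (RFC 6749 §3.1.2). URL.hash is "" for a bare
  // trailing "#", so inspect the raw string rather than the parsed value.
  if (uri.includes("#")) return "contains a fragment";
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return "not an absolute URI";
  }
  if (parsed.protocol === "https:") return null;
  // Exact hostname match: "localhost.example.com" is not a loopback host.
  // WHATWG URL keeps the brackets on IPv6 literals, hence "[::1]".
  if (parsed.protocol === "http:" && LOOPBACK_HOSTS.has(parsed.hostname)) {
    return null;
  }
  return "must use https unless the host is a loopback address";
}

// Returns a list of error strings; an empty list means the array passes.
function validateRedirectUris(uris) {
  if (!Array.isArray(uris) || uris.length === 0) {
    return ["redirectUris: one or more entries required"];
  }
  const errors = [];
  if (uris.length > MAX_REDIRECT_URIS) {
    errors.push(`redirectUris: ${uris.length} entries exceeds max of ${MAX_REDIRECT_URIS}`);
  }
  uris.forEach((uri, i) => {
    const reason = checkRedirectUri(uri);
    if (reason) errors.push(`redirectUris[${i}]: ${reason}`);
  });
  return errors;
}

// Constructed sample input: the third entry carries a fragment.
const sample = [
  "https://myapp.example.com/callback",
  "http://localhost:3000/callback",
  "https://myapp.example.com/callback#state",
];
console.log(validateRedirectUris(sample));
```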

Delete OAuth client

DELETE /v1/servers/:serverId/clients/:clientId
Revokes the client registration. Any tokens previously issued to this client remain valid until they expire. Response 204: No content.