auth.isdocs
Concepts

Clients

A client is an OAuth/OIDC registration under an issuer — the client_id, credentials, redirect URIs, and grant types your application uses to send users to the issuer and get tokens back. You register clients with create_client and manage them with the client tools; all mutations are owner only.

Confidential vs. public

The single most important choice is how the client authenticates at the token endpoint, set by token_endpoint_auth_method:

ConfidentialPublic / PKCE
token_endpoint_auth_methodclient_secret_basic or client_secret_postnone
SecretGenerated once by create_client, returned onceNone
ForServers that can keep a secret (web backends, M2M)SPAs and native/mobile apps
Proof at token exchangeThe client secret (plus PKCE)PKCE only

PKCE is required for every client, confidential or public — the issuer enforces it globally. A confidential client sends both its secret and the PKCE verifier; a public client sends only the verifier.

Redirect URIs

For the authorization-code flow, redirect_uris lists the exact callback URLs the issuer will return codes to. update_client_redirect_uris replaces the whole set — it is not additive, so any URI you omit is removed and stops being accepted immediately.

Grant types

Choose the grant_types your client needs:

  • authorization_code — the interactive login flow (needs redirect_uris).
  • refresh_token — long-lived sessions via refresh. Also requires the offline_access scope, and per OIDC Core that scope only yields a refresh token when the authorization request carries prompt=consent.
  • client_credentials — machine-to-machine, no user, no browser.

End-user self-signup

By default a client's login page only lets existing users sign in. To offer a "Create account" option, two flags must both be on:

  1. The client's registration_enabled set to true (via create_client or update_client).
  2. The issuer's registrationMode set to open (not invite_only) — see Issuers.

Focused mutations

Beyond create_client/update_client/delete_client, each sensitive area has its own tool so a change is deliberate:

ToolChanges
update_client_redirect_urisThe redirect-URI set (full replace)
rotate_client_secretIssues a new confidential secret (old one dies)
toggle_client_passkeysThe passkey second-factor offer
set_client_providersWhich federation providers this client shows
update_client_token_ttlsid_token (60–14,400 s) and refresh_token (60–4,838,400 s) lifetimes
apply_client_themeA per-client theme override

Token-TTL bounds mirror the issuer exactly — a value outside the range is rejected, not silently clamped.

Dynamic client registration

The OIDC dynamic-client-registration endpoint (RFC 7591 / 7592) exists only on the root issuer (login.auth.is), where MCP hosts self-register to connect. It is deliberately limited:

  • Rate-limited to 5 registrations per hour per IP.
  • Privileged properties (first_party, passkeys_enabled, enabled_providers, resource_scopes, registration_enabled) are stripped, not honored — a DCR client can never self-elevate.
  • In production, http/loopback redirect URIs are rejected.

Your own tenant issuers do not expose DCR at all. Register your applications with the owner-only create_client tool, which has none of these restrictions.

Next steps