/register

Create an OAuth client through the protected M7 dynamic registration endpoint.

Endpoint

  • Method: POST
  • URL: https://sso.user.m7.org/register
  • Content type: application/json
  • Response: JSON

Authentication

Required:

  • Authorization: Bearer <ACCESS_TOKEN>

Optional:

  • DPoP: <PROOF>

When to use it

Use this endpoint when you want to create a client registration from an authenticated user session or service token.

Current public model:

  • protected registration
  • owner is derived from the bearer token
  • create-only public surface

Supported metadata

The current public endpoint is designed around standard registration fields such as:

  • client_name
  • redirect_uris
  • post_logout_redirect_uris
  • grant_types
  • token_endpoint_auth_method
  • application_type
  • initiate_login_uri
  • scope

Example request

curl -sS https://sso.user.m7.org/register \
  -H 'Authorization: Bearer ACCESS_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "client_name": "Example App",
    "redirect_uris": ["https://app.example.com/callback"],
    "post_logout_redirect_uris": ["https://app.example.com/logout/callback"],
    "grant_types": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_method": "client_secret_basic",
    "application_type": "web",
    "scope": "openid profile offline_access"
  }'

Example response

{
  "client_id": "CLIENT_ID",
  "client_secret": "CLIENT_SECRET",
  "client_id_issued_at": 1780000000,
  "client_secret_expires_at": 0,
  "client_name": "Example App",
  "redirect_uris": [
    "https://app.example.com/callback"
  ],
  "post_logout_redirect_uris": [
    "https://app.example.com/logout/callback"
  ],
  "grant_types": [
    "authorization_code",
    "refresh_token"
  ],
  "token_endpoint_auth_method": "client_secret_basic"
}

The actual response contains the effective metadata for the created client.

Common errors

  • invalid_client_metadata
  • invalid_redirect_uri
  • invalid_token
  • server_error

Current limitations

  • no registration_access_token
  • no registration_client_uri
  • no public registration-management read, update, or delete protocol

Notes

  • Content-Type: application/json is required.
  • The request body must be a JSON object.
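
The following is an added example, not part of the M7 documentation or code. It compares the effective metadata in a /register response with what was requested, and flags that the client_secret has to be stored at creation time because the surface is create-only. check_registration and its result keys are hypothetical names, the sample data is constructed from the example request and response above, and the error-body shape is assumed to follow RFC 7591.

```python
import json

# Field names from the page's "Supported metadata" list.
SUPPORTED = {"client_name", "redirect_uris", "post_logout_redirect_uris",
             "grant_types", "token_endpoint_auth_method", "application_type",
             "initiate_login_uri", "scope"}

# Constructed sample data: the request and response bodies shown on this page.
SAMPLE_REQUEST = {
    "client_name": "Example App",
    "redirect_uris": ["https://app.example.com/callback"],
    "post_logout_redirect_uris": ["https://app.example.com/logout/callback"],
    "grant_types": ["authorization_code", "refresh_token"],
    "token_endpoint_auth_method": "client_secret_basic",
    "application_type": "web",
    "scope": "openid profile offline_access",
}
SAMPLE_RESPONSE = json.dumps({
    **{k: v for k, v in SAMPLE_REQUEST.items() if k not in ("application_type", "scope")},
    "client_id": "CLIENT_ID", "client_secret": "CLIENT_SECRET",
    "client_id_issued_at": 1780000000, "client_secret_expires_at": 0,
})

def _norm(field, value):
    """Normalise values whose order carries no meaning before comparing."""
    if field == "scope" and isinstance(value, str):
        return sorted(value.split())
    return sorted(value, key=str) if isinstance(value, list) else value

def check_registration(requested, status, body):
    """Compare a /register response with the request that produced it."""
    # Assumption (RFC 7591 shape): an error body is a JSON object with "error".
    resp = json.loads(body)
    if not isinstance(resp, dict):
        raise ValueError("response is not a JSON object")
    if status >= 400 or "error" in resp:
        return {"ok": False, "error": resp.get("error", "unknown")}
    if not resp.get("client_id"):
        raise ValueError("success response without client_id")
    return {
        "ok": True, "client_id": resp["client_id"],
        # Create-only surface: the secret cannot be read back later.
        "must_store_secret": "client_secret" in resp,
        # RFC 7591: client_secret_expires_at == 0 means the secret does not expire.
        "secret_expires": resp.get("client_secret_expires_at", 0) != 0,
        "unsupported_sent": sorted(set(requested) - SUPPORTED),
        "changed": {f: (v, resp[f]) for f, v in requested.items()
                    if f in resp and _norm(f, v) != _norm(f, resp[f])},
        "not_echoed": sorted(f for f in requested if f not in resp),
    }
```

Run against the sample pair, the check reports no changed fields, but application_type and scope appear under not_echoed, because the example response does not return them.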