OAuth Clients
View and manage OAuth clients that connect AI assistants to oCore through the MCP authorization flow.
OAuth clients are registered when AI assistants (Claude Desktop, ChatGPT, custom tools) connect to oCore's MCP server through the OAuth 2.1 authorization flow. Each client gets a unique client_id and is tracked in the client registry.
Client Types
OAuth clients are registered through three mechanisms:
| Type | Registration Method | Example |
|---|---|---|
| Dynamic | POST /oauth/register (RFC 7591) | Claude Desktop, ChatGPT, custom MCP tools |
| CIMD | Auto-registered when client_id is an HTTPS URL | Clients using Client ID Metadata Documents |
| Preregistered | Manually created in the database | First-party integrations, trusted partners |
Most clients will be Dynamic -- registered automatically when an AI tool first connects.
Viewing Registered Clients
Navigate to Admin > OAuth Clients to see all registered clients. Each entry shows:
- Client name and client ID
- Registration type (Dynamic, CIMD, Preregistered)
- Confidentiality (public or confidential)
- Redirect URIs registered for the client
- Active token count -- how many unexpired OAuth tokens this client has
- Created date
```bash
# List all OAuth clients via API
curl https://ocore.example.com/api/admin/oauth-clients \
  -H "Authorization: Bearer $TOKEN"
```

Client Details
Public vs Confidential Clients
| Property | Public Client | Confidential Client |
|---|---|---|
| Auth method | none | client_secret_post |
| Has client secret | No | Yes (SHA-256 hashed in DB) |
| Introspection access | Blocked | Allowed |
| Use case | Desktop apps, CLI tools | Server-side integrations |
Public clients are the default for MCP use cases. Desktop applications and CLI tools cannot securely store a client secret, so they use PKCE (S256) as the sole proof of authorization.
Grant Types
Clients specify which grant types they support during registration:
| Grant Type | Use Case |
|---|---|
| authorization_code | Browser-based OAuth flow (default) |
| refresh_token | Token renewal without re-authorization |
| urn:ietf:params:oauth:grant-type:device_code | CLI tools and headless environments |
Deleting a Client
Deleting an OAuth client cascades to all associated tokens and authorization codes:
1. Navigate to Admin > OAuth Clients and find the client to delete.
2. Click Delete, then confirm the action in the dialog.
All OAuth tokens issued to this client are revoked immediately. Any auto-created API keys with no remaining active tokens are cleaned up.
```bash
# Delete a client via API
curl -X DELETE https://ocore.example.com/api/admin/oauth-clients/{clientId} \
  -H "Authorization: Bearer $TOKEN"
```

Deletion Is Immediate
Deleting a client immediately disconnects all AI assistants using it. The assistants will need to re-register and re-authorize to reconnect.
Monitoring Active Tokens
The Active Tokens count on each client shows how many unexpired, non-revoked OAuth tokens exist. A high count may indicate:
- Many users have connected the same AI tool (expected for popular clients like Claude Desktop)
- Token rotation is working correctly (each refresh creates a new token)
- Old tokens are not being cleaned up (check if users are revoking authorizations)
Use this count to identify stale clients that no longer have active connections and can be safely deleted.
Security Considerations
- Dynamic registration is rate-limited to 10 registrations per IP per minute to prevent abuse.
- CIMD clients are validated with SSRF protections -- oCore will not fetch metadata from internal/private IP addresses.
- Client secrets are stored as SHA-256 hashes and compared using constant-time comparison.
- Redirect URIs must use HTTPS (except localhost and 127.0.0.1 for development). No wildcards or fragments are allowed.
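The following is an added illustration of two of the rules listed above, written for this page and not taken from oCore's code base: a redirect URI check that enforces HTTPS (with the localhost and 127.0.0.1 development exception) and rejects wildcards and fragments, plus SHA-256 secret storage verified with a constant-time comparison. Function names and the sample URIs are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hosts allowed to use plain http:// for local development (the page's stated
# exception); every other redirect URI must be https://.
DEV_HOSTS = {"localhost", "127.0.0.1"}


def validate_redirect_uri(uri: str) -> tuple[bool, str]:
    """Return (ok, reason) for one redirect URI under the rules described above:
    HTTPS required except for the loopback dev hosts, no wildcards, no fragment."""
    try:
        parts = urlsplit(uri)
    except ValueError as exc:
        return False, f"unparseable URI: {exc}"
    if "*" in uri:
        return False, "wildcards are not allowed"
    # urlsplit reports an empty fragment for a trailing '#', so check both.
    if parts.fragment or uri.endswith("#"):
        return False, "fragments are not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.scheme == "https":
        return True, "ok"
    if parts.scheme == "http" and parts.hostname in DEV_HOSTS:
        return True, "ok (loopback development host)"
    return False, f"scheme {parts.scheme!r} is not allowed for host {parts.hostname!r}"


def hash_client_secret(secret: str) -> str:
    """Store only the SHA-256 digest of a confidential client's secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def verify_client_secret(presented: str, stored_hash: str) -> bool:
    """Compare digests in constant time so response timing reveals nothing
    about how many leading characters of the digest matched."""
    return hmac.compare_digest(hash_client_secret(presented), stored_hash)


if __name__ == "__main__":
    # Constructed sample URIs: one valid production URI, one valid dev URI,
    # and three that the registration rules reject.
    for sample in ("https://app.example.com/oauth/callback",
                   "http://localhost:8080/callback",
                   "http://app.example.com/callback",
                   "https://*.example.com/callback",
                   "https://app.example.com/cb#token"):
        print(sample, "->", validate_redirect_uri(sample))
```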
Required Permissions
| Action | Permission |
|---|---|
| View OAuth clients | manage:org_settings |
| Delete OAuth clients | manage:org_settings |