OAuth Client ID Metadata Document

This specification defines a mechanism through which an OAuth client can identify itself to authorization servers without prior dynamic client registration or any other existing registration. The client uses a URL as its client_id in an OAuth flow. The URL refers to a document containing the necessary client metadata, which the authorization server fetches as needed.

An OAuth client identifying itself to authorization servers.

In order for an OAuth 2.0 [RFC6749] client to utilize an OAuth 2.0 authorization server, the client needs to establish a unique identifier and needs to provide the server with metadata about the application, such as the application name, icon and redirect URIs. In cases where a client is interacting with authorization servers that it has no relationship with, manual registration is impossible.

While Dynamic Client Registration [RFC7591] can provide a method for a previously unknown client to establish itself at an authorization server and obtain a client identifier, this is not practical in some deployments and can create additional challenges around managing the registration data and cleaning up inactive clients.

This specification describes how an OAuth 2.0 client can publish its own registration information and avoid the need for pre-registering at each authorization server.

License: BSD License

Tags: Authentication, OAuth, Security

Properties: client_id, client_name, client_uri, logo_uri, redirect_uris, token_endpoint_auth_method, grant_types, response_types, scope, jwks_uri, jwks, contacts, software_id, software_version, client_id_metadata_document_supported

Website: https://www.ietf.org/archive/id/draft-parecki-oauth-client-id-metadata-document-00.html

Standards: OAuth


Last modified January 2, 2026: update (871c07bef)