RFC 7592 — OAuth 2.0 Dynamic Client Registration Management

Spec: datatracker.ietf.org/doc/html/rfc7592
Status: Full

RFC 7592 extends RFC 7591 with endpoints for a client to read, update, and delete its own registration using a Registration Access Token (RAT).

Implemented

  • Read — GET /oidc/register/{client_id} returns the current client metadata.
  • Update — PUT /oidc/register/{client_id} replaces the client metadata document, subject to any constraints carried over from the original Initial Access Token.
  • Delete — DELETE /oidc/register/{client_id} soft-deletes the client.
  • RAT authentication — every management request must present the Registration Access Token returned at registration time as Authorization: Bearer <rat>.
  • IAT constraint immutability — fields that were constrained by the original IAT (allowed grant types, redirect URI patterns, scopes) cannot be widened on update.
  • Error responses — missing or invalid RATs yield 401 / 403 with the standard RFC 7592 error bodies.
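The following is an added example, not the project's own code, that models the behaviour listed above in pure Python so it can be run offline: an in-memory registry, the bearer RAT check (constant-time compare, 401 for a missing or unknown token, 403 for a RAT that belongs to a different client), read/update/delete, and the IAT constraint immutability check that rejects any update widening grant types, scopes, or redirect URIs beyond what the original Initial Access Token allowed. The store, the constraint field names (allowed_grant_types, redirect_uri_patterns, allowed_scopes), the base URL, and the choice of 400 with RFC 7591 error codes for a widening attempt are all assumptions of this example; the 401/403 bodies reuse RFC 6750 bearer error codes.

```python
import hmac
import re
import secrets
from dataclasses import dataclass

REGISTRATION_BASE = "https://as.example/oidc/register"  # constructed base URL


@dataclass
class IATConstraints:
    """Assumed representation of the constraints an Initial Access Token carried."""
    allowed_grant_types: frozenset
    redirect_uri_patterns: tuple  # regex strings, matched with fullmatch
    allowed_scopes: frozenset


@dataclass
class ClientRecord:
    metadata: dict
    rat: str  # Registration Access Token issued at registration time
    constraints: IATConstraints
    deleted: bool = False  # soft delete: row kept, no longer served


class RegistrationStore:
    """In-memory stand-in for the server's client registry (example only)."""

    def __init__(self):
        self.clients = {}

    def register(self, metadata, constraints):
        """Minimal RFC 7591 registration; returns (client_id, rat)."""
        client_id, rat = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = ClientRecord(dict(metadata), rat, constraints)
        return client_id, rat

    def _authenticate(self, client_id, authorization):
        """Return (status, body) on failure, or None when the RAT matches client_id."""
        if not authorization or not authorization.startswith("Bearer "):
            return 401, {"error": "invalid_token"}
        presented = authorization[len("Bearer "):].strip()
        record = self.clients.get(client_id)
        if record is None or record.deleted:
            return 401, {"error": "invalid_token"}  # RFC 7592: unknown client -> 401
        if hmac.compare_digest(record.rat, presented):
            return None
        # A valid RAT for some other client: authenticated, but not for this record.
        if any(not r.deleted and hmac.compare_digest(r.rat, presented)
               for r in self.clients.values()):
            return 403, {"error": "insufficient_scope"}
        return 401, {"error": "invalid_token"}

    @staticmethod
    def _widening(constraints, metadata):
        """RFC 7591 error body if metadata exceeds the IAT constraints, else None."""
        grants = set(metadata.get("grant_types", ["authorization_code"]))
        if not grants <= constraints.allowed_grant_types:
            return {"error": "invalid_client_metadata",
                    "error_description": "grant_types exceed the initial access token"}
        if not set(metadata.get("scope", "").split()) <= constraints.allowed_scopes:
            return {"error": "invalid_client_metadata",
                    "error_description": "scope exceeds the initial access token"}
        for uri in metadata.get("redirect_uris", []):
            if not any(re.fullmatch(p, uri) for p in constraints.redirect_uri_patterns):
                return {"error": "invalid_redirect_uri",
                        "error_description": f"{uri} matches no allowed pattern"}
        return None

    def read(self, client_id, authorization):
        failure = self._authenticate(client_id, authorization)
        if failure:
            return failure
        return 200, {"client_id": client_id,
                     "registration_client_uri": f"{REGISTRATION_BASE}/{client_id}",
                     **self.clients[client_id].metadata}

    def update(self, client_id, authorization, body):
        failure = self._authenticate(client_id, authorization)
        if failure:
            return failure
        # RFC 7592 2.2: client_id must match, and server-issued fields must not be sent.
        if body.get("client_id") != client_id:
            return 400, {"error": "invalid_client_metadata",
                         "error_description": "client_id mismatch"}
        for issued in ("registration_access_token", "registration_client_uri",
                       "client_secret_expires_at", "client_id_issued_at"):
            if issued in body:
                return 400, {"error": "invalid_client_metadata",
                             "error_description": f"{issued} is server-issued"}
        new_metadata = {k: v for k, v in body.items() if k != "client_id"}
        error = self._widening(self.clients[client_id].constraints, new_metadata)
        if error:
            return 400, error
        self.clients[client_id].metadata = new_metadata  # PUT replaces the document
        return self.read(client_id, authorization)

    def delete(self, client_id, authorization):
        failure = self._authenticate(client_id, authorization)
        if failure:
            return failure
        self.clients[client_id].deleted = True
        return 204, None


def demo():
    """Walk one client through read, a rejected widening, a valid update, and delete."""
    store = RegistrationStore()
    constraints = IATConstraints(frozenset({"authorization_code", "refresh_token"}),
                                 (r"https://app\.example/callback(/.*)?",),
                                 frozenset({"openid", "profile"}))
    initial = {"client_name": "Demo", "redirect_uris": ["https://app.example/callback"],
               "grant_types": ["authorization_code"], "scope": "openid"}  # constructed
    client_id, rat = store.register(initial, constraints)
    _, other_rat = store.register(initial, constraints)
    auth, results = f"Bearer {rat}", {}
    results["read"] = store.read(client_id, auth)[0]
    results["no_token"] = store.read(client_id, None)[0]
    results["wrong_client"] = store.read(client_id, f"Bearer {other_rat}")[0]
    widened = dict(initial, client_id=client_id,
                   grant_types=["authorization_code", "client_credentials"])
    results["widen"] = store.update(client_id, auth, widened)
    results["ok_update"] = store.update(client_id, auth,
                                        dict(initial, client_id=client_id,
                                             scope="openid profile"))[0]
    results["delete"] = store.delete(client_id, auth)[0]
    results["after_delete"] = store.read(client_id, auth)[0]
    return results
```

Calling `demo()` returns the status codes of each step; the widening attempt is rejected with 400 `invalid_client_metadata` before anything is written, the read after the soft delete fails with 401 exactly as for an unknown client, and a RAT issued to another client is distinguished from a garbage token so that a 403 is logged rather than a 401.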

Released under the MIT License.