McpOAuthClient
McpOAuthClient stores OAuth 2.0 clients dynamically registered via RFC 7591 Dynamic Client Registration (DCR). Each record represents one MCP client application (e.g. mcp-remote, Claude Code) that has registered to use Well's OAuth proxy for a specific MCP provider slug. It is written exclusively by the POST /v1/mcps/:slug/oauth/register DCR endpoint and subsequently looked up at authorize time. The entity has no workspace association, no soft-delete, and no relationships declared โ it is a global, append-only registry of DCR client identities scoped to a provider slug.
| Naming | Value |
|---|---|
| Object | McpOAuthClient |
Resource type (JSON:API type) | mcp_oauth_client |
| Collection / records root | โ (not a records root) |
| REST base | /v1/mcp-oauth-clients |
| Entity class | McpOAuthClient |
Internal object. Not currently exposed on the public REST API. The operations below describe the intended contract.
API operations
| Operation | Method & path | Status |
|---|---|---|
| List | GET /v1/mcp-oauth-clients | ๐ก Planned |
| Retrieve | GET /v1/mcp-oauth-clients/{id} | ๐ก Planned |
| Create | POST /v1/mcp-oauth-clients | ๐ก Planned |
| Update | PATCH /v1/mcp-oauth-clients/{id} | ๐ก Planned |
| Delete | DELETE /v1/mcp-oauth-clients/{id} | ๐ก Planned |
Data model
Attributes
| Field | Type | Required | Constraints | Allowed values | Description |
|---|---|---|---|---|---|
| client_id | ๐ system โ UUID | โ Yes | UNIQUE (mcp_oauth_clients_client_id_unique); default gen_random_uuid() | Any valid UUID | Public identifier for the registered OAuth client. Generated by the database on insert. This is the value returned to the MCP client at DCR time and presented on subsequent authorize requests. |
| client_name | string | โ Yes | varchar(255); NOT NULL | Any non-empty string โค 255 chars | Human-readable name of the registering MCP client as supplied in the RFC 7591 registration request body (e.g. 'mcp-remote', 'Claude Code'). |
| redirect_uris | jsonb (string[]) | โ Yes | jsonb NOT NULL | JSON array of URI strings | Array of allowed redirect URIs registered by the client. Used during the authorization code flow to validate the redirect_uri parameter. |
| grant_types | jsonb (string[]) | โ Yes | jsonb NOT NULL | JSON array โ e.g. ["authorization_code"] | OAuth 2.0 grant types supported by this client, as declared at registration time (RFC 7591 ยง2). |
| response_types | jsonb (string[]) | โ Yes | jsonb NOT NULL | JSON array โ e.g. ["code"] | OAuth 2.0 response types supported by this client (RFC 7591 ยง2). Typically ["code"] for authorization code flow. |
| token_endpoint_auth_method | string | โ Yes | varchar(255); NOT NULL | Standard OAuth 2.0 auth method strings โ e.g. 'none', 'client_secret_basic', 'client_secret_post' | Authentication method the client uses at the token endpoint (RFC 7591 ยง2). Public clients (e.g. mcp-remote) use 'none'. |
| slug | string | โ Yes | varchar(255); NOT NULL | Any registered MCP provider slug present in the registry (e.g. 'pennylane', 'wise', 'spiko') | The MCP provider slug this client was registered against. Scopes the DCR entry to a specific external service OAuth proxy. Set from the :slug route parameter at registration time. |
| created_at | ๐ system โ timestamptz | โ Yes | NOT NULL; default now(); set via @Property({ onCreate: () => new Date() }) | ISO 8601 timestamp | Timestamp when the DCR registration occurred. Set by the entity's onCreate hook and by the database default. Also exposed as client_id_issued_at (Unix epoch) in the RFC 7591 response. |
System-computed
- client_id โ generated by gen_random_uuid() at INSERT time; unique across the table
- created_at โ set by the database default (now()) and the MikroORM onCreate hook; never updated after creation
- No updated_at column โ the entity is immutable after creation; there is no soft-delete (no deleted_at column)
- No workspace association โ global registry shared across all tenants, scoped only by slug
- slug โ derived from the :slug URL route parameter at DCR time; not user-supplied in the request body
Example
{
"data": {
"type": "mcp_oauth_client",
"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"attributes": {
"client_name": "mcp-remote",
"redirect_uris": ["http://localhost:3334/oauth/callback"],
"grant_types": ["authorization_code"],
"response_types": ["code"],
"token_endpoint_auth_method": "none",
"slug": "pennylane",
"created_at": "2026-03-23T14:55:00.000Z"
}
}
}apps/api/src/database/entities/McpOAuthClient.ts ยท domain: platform ยท tier: Platform