Dynamic Client Registration

This endpoint lets clients register themselves at LumoAuth programmatically instead of being created manually in the admin UI. It implements RFC 7591 — OAuth 2.0 Dynamic Client Registration: clients register themselves programmatically instead of being created manually in an admin UI.

POST /orgs/{orgId}/api/v1/connect/register

Configuration Required

Dynamic Client Registration must be enabled in your organization settings before clients can self-register. Contact your organization administrator.

When to Use This

Dynamic registration is useful for:

Marketplaces — third-party apps can register themselves.
CI/CD — automatically provision clients during deployment.
Mobile apps — register a unique client per device.
Multi-organization platforms — create clients programmatically.

Request

Parameter	Required	Description
`client_name`	No	Human-readable name for the application
`redirect_uris`	Yes	Array of allowed redirect URIs
`grant_types`	No	Array of grant types (default: `["authorization_code"]`)
`response_types`	No	Array of response types (default: `["code"]`)
`scope`	No	Space-separated list of requested scopes
`token_endpoint_auth_method`	No	`client_secret_basic`, `client_secret_post`, or `none`

Example Request

curl -X POST https://app.lumoauth.dev/orgs/acme-corp/api/v1/connect/register \
  -H "Content-Type: application/json" \
  -d '{
    "client_name": "My Mobile App",
    "redirect_uris": [
      "myapp://callback",
      "https://myapp.com/oauth/callback"
    ],
    "grant_types": ["authorization_code", "refresh_token"],
    "scope": "openid profile email"
  }'

Response

{
  "client_id": "dyn_abc123def456",
  "client_secret": "cs_live_xxxxxxxxxxxxxxxxxxxxxxxx",
  "client_id_issued_at": 1704063600,
  "client_secret_expires_at": 0,
  "client_name": "My Mobile App",
  "redirect_uris": [
    "myapp://callback",
    "https://myapp.com/oauth/callback"
  ],
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "scope": "openid profile email",
  "token_endpoint_auth_method": "client_secret_basic"
}

Store Your Secret

The client_secret is only returned once during registration. Store it securely — it cannot be retrieved later.

Response Fields

Field	Description
`client_id`	The unique identifier for the new client
`client_secret`	The secret for confidential clients (null for public clients)
`client_id_issued_at`	Unix timestamp when the client was created
`client_secret_expires_at`	When the secret expires (0 = never)

Managing a Registered Client

Once registered, a client can manage its own registration via RFC 7592 — Dynamic Client Registration Management Protocol: APIs for a registered client to read, update, or delete its own registration. See OAuth Clients for the admin-side management APIs.

OAuth Clients — admin API for clients
Scopes

When to Use This​

Request​

Example Request​

Response​

Response Fields​

Managing a Registered Client​

Related​