CreateOAuth2PublicClient
Dynamically registers an OAuth 2.0 public client for use with AWS Sign-In.
Implements RFC 7591 (OAuth 2.0 Dynamic Client Registration) for MCP-compatible agents. Only redirect URIs matching the allowlisted patterns are accepted during registration.
Registered clients receive an ARN in the format
arn:aws:signin:{region}::external-client/dcr/{uuid}.
Client registrations have a 90-day lifetime.
Request Syntax
POST /v1/register HTTP/1.1
Content-type: application/json
{
"grant_types": [ "string" ],
"redirect_uris": [ "string" ],
"response_types": [ "string" ],
"token_endpoint_auth_method": "string"
}URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- grant_types
The grant types that this client will use. Supported values:
authorization_code,refresh_token. Defaults to both if omitted. Theclient_credentialsgrant type is not supported. Therefresh_tokengrant type cannot be specified alone withoutauthorization_code.Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 5 items.
Required: No
- redirect_uris
The redirect URIs that this client will use for OAuth callbacks. Only redirect URIs matching the allowlisted patterns are accepted. Maximum of 10 URIs.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 10 items.
Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: Yes
- response_types
The response types that this client will use. Only
codeis supported. Defaults to["code"]if omitted.Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 5 items.
Required: No
- token_endpoint_auth_method
The client authentication method for the token endpoint. Only
noneis supported (public clients). Defaults tononeif omitted.Type: String
Pattern:
noneRequired: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"client_id": "string",
"client_id_issued_at": number,
"grant_types": [ "string" ],
"redirect_uris": [ "string" ],
"response_types": [ "string" ],
"token_endpoint_auth_method": "string"
}Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- client_id
The unique client identifier (ARN) assigned to this client. Format:
arn:aws:signin:{region}::external-client/dcr/{uuid}.Type: String
- client_id_issued_at
The time at which the client identifier was issued, as a NumericDate (Unix epoch seconds).
Type: Long
- grant_types
The grant types registered for this client.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 5 items.
- redirect_uris
The redirect URIs registered for this client.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 10 items.
Length Constraints: Minimum length of 1. Maximum length of 2048.
- response_types
The response types registered for this client.
Type: Array of strings
Array Members: Minimum number of 1 item. Maximum number of 5 items.
- token_endpoint_auth_method
The client authentication method. Always
nonefor public clients.Type: String
Pattern:
none
Errors
For information about the errors that are common to all actions, see Common Error Types.
- AccessDeniedException
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- InternalServerException
The request processing has failed because of an unknown error, exception or failure with an internal server.
HTTP Status Code: 500
- TooManyRequestsError
Indicates that the principal has exceeded the limit of requests to this API operation.
HTTP Status Code: 429
- ValidationException
The request failed because it contains a syntax error.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: