RFC 7591 Dynamic Client Registration
const url = 'https://example.com/api/oauth/register';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"redirect_uris":["https://example.com"],"client_name":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/api/oauth/register \ --header 'Content-Type: application/json' \ --data '{ "redirect_uris": [ "https://example.com" ], "client_name": "example" }'Idempotent proxy for Supabase Management API client registration.
Strict input (per RFC 7591 §2 + §3.2.2): redirect_uris is REQUIRED and must
be a non-empty array. The endpoint refuses registration with
invalid_redirect_uri instead of silently substituting a default.
Each redirect_uris entry must be one of:
https://…http://localhost,http://127.0.0.1, orhttp://[::1](loopback only)- any other RFC 3986 custom scheme (e.g.
cursor://,claude://), EXCEPTjavascript:,data:,file:,vbscript:(denylisted).
Request Body required
Section titled “Request Body required ”object
Non-empty array of valid redirect URIs.
Optional human-readable client name. Control characters are stripped.
Responses
Section titled “ Responses ”Client registered (or existing client returned for idempotent re-registration)
object
RFC 7591 error envelope ({ error, error_description }). Error codes:
invalid_client_metadata— body is not valid JSONinvalid_redirect_uri—redirect_urismissing/empty/contains invalid entry
object
Server error
object
Human-readable error message
Stable machine-readable error code for client branching
First validation message per field path
object
Structured validation issues (Zod)
object
Seconds until rate limit resets (429 responses)