Optional Readonly allowed…
Audience values this client may receive tokens for. Grants that issue tokens directly from the client record select the first entry as the default aud; if the list is absent, the default aud falls back to the issuer.
Optional Readonly allowed…
Per-client grant-type gate. Currently consumed only by client_credentials, with deny-by-absence semantics: an absent or empty field denies the grant. authorization_code and refresh_token continue to ignore this field for backward compatibility with clients registered before the field existed.
Optional Readonly allowed…
Per-client allowed scope ceiling. Grant handlers that issue tokens directly from the client record (e.g., client_credentials, which has no upstream refresh token or authorization code carrying a scope claim) compare the requested scopes against this list and emit invalid_scope when the two sets are disjoint.
Readonly client
Readonly token
The client identity established by the RFC 6749 §2.3 token-endpoint authentication middleware (clientAuthMw) before a grant handler is invoked. Every grant handler that gates on client identity (refresh, authorization code, token-exchange) MUST consult this slot rather than the raw request body: body parameters are attacker-controlled and may differ from the authenticated identity.
null indicates the request did not pass through clientAuthMw (e.g., a custom route, or a unit test invoking the handler directly with a hand-built GrantContext).
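The following is an added example, not code from the project this page documents. It shows how a client_credentials grant handler would apply the four rules described on this page together: take identity only from the middleware-populated slot (rejecting a null slot instead of falling back to body.client_id), apply the deny-by-absence grant-type gate, enforce the scope ceiling with invalid_scope on disjoint sets, and pick the default aud as the first allowed audience or else the issuer. The field names allowedAudiences, allowedGrantTypes, allowedScopes and authenticatedClient, the issuer field on the context, and the choice to narrow a partially overlapping scope request to the intersection (and to grant the full ceiling when no scope is requested) are assumptions for this example; the page truncates the real names.

```typescript
// Added example (not the project's own code). Field names below are assumed;
// the documented property names are truncated on this page.

type ClientRecord = {
  readonly clientId: string;
  readonly allowedAudiences?: readonly string[]; // assumed name
  readonly allowedGrantTypes?: readonly string[]; // assumed name
  readonly allowedScopes?: readonly string[];     // assumed name
};

type GrantContext = {
  readonly issuer: string;
  // Populated by the token-endpoint auth middleware; null means the request
  // did not pass through it (custom route, or a hand-built test context).
  readonly authenticatedClient: ClientRecord | null; // assumed name
  // Raw body parameters: attacker-controlled, never a source of identity.
  readonly body: Readonly<Record<string, string | undefined>>;
};

type GrantResult =
  | { ok: true; sub: string; aud: string; scope: string[] }
  | { ok: false; error: "invalid_client" | "unauthorized_client" | "invalid_scope" };

// Default aud: first allowed audience, else the issuer. An empty list also
// yields undefined from [0] and therefore falls back to the issuer.
function defaultAudience(client: ClientRecord, issuer: string): string {
  return client.allowedAudiences?.[0] ?? issuer;
}

function clientCredentialsGrant(ctx: GrantContext): GrantResult {
  // 1. Identity comes from the middleware slot only. body.client_id may be
  //    absent, spoofed, or differ from the authenticated client.
  const client = ctx.authenticatedClient;
  if (client === null) return { ok: false, error: "invalid_client" };

  // 2. Deny-by-absence grant-type gate: missing or empty list denies.
  const grantTypes = client.allowedGrantTypes ?? [];
  if (!grantTypes.includes("client_credentials")) {
    return { ok: false, error: "unauthorized_client" };
  }

  // 3. Scope ceiling. There is no upstream code or refresh token carrying a
  //    scope claim, so the client record is the only reference.
  const requested = (ctx.body.scope ?? "").split(" ").filter((s) => s.length > 0);
  const ceiling = new Set(client.allowedScopes ?? []);
  let granted: string[];
  if (requested.length === 0) {
    granted = [...ceiling]; // assumption: no scope requested -> full ceiling
  } else {
    granted = requested.filter((s) => ceiling.has(s));
    if (granted.length === 0) return { ok: false, error: "invalid_scope" }; // disjoint
  }

  // 4. Audience selection as documented.
  return { ok: true, sub: client.clientId, aud: defaultAudience(client, ctx.issuer), scope: granted };
}

// Constructed sample data for a stand-alone run.
const sampleClient: ClientRecord = {
  clientId: "svc-reports",
  allowedGrantTypes: ["client_credentials"],
  allowedScopes: ["reports:read", "reports:write"],
  allowedAudiences: ["https://api.example.test", "https://batch.example.test"],
};

function makeContext(
  client: ClientRecord | null,
  body: Record<string, string | undefined>,
): GrantContext {
  return { issuer: "https://issuer.example.test", authenticatedClient: client, body };
}

// A spoofed client_id in the body does not change the subject; "admin" is
// outside the ceiling and is dropped, "reports:read" survives.
const sampleResult = clientCredentialsGrant(
  makeContext(sampleClient, { client_id: "svc-admin", scope: "reports:read admin" }),
);
```

Note that the handler never reads body.client_id for anything; the spoofed value in the sample is simply ignored, which is the property the page's MUST clause is after. A handler for authorization_code or refresh_token would skip step 2 and take its scope from the upstream artifact instead of step 3, but it would apply step 1 unchanged.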