auth.provider API
    interface Client {
        allowedAudiences?: readonly string[];
        allowedAzpForFederationToken?: boolean;
        allowedGrantTypes?: readonly string[];
        allowedRedirectUris: readonly string[];
        allowedScopes: readonly string[];
        backchannelLogoutSessionRequired?: boolean;
        backchannelLogoutUri?: string;
        clientId: string;
        clientSecret?: string;
        frontchannelLogoutSessionRequired?: boolean;
        frontchannelLogoutUri?: string;
        postLogoutRedirectUris?: readonly string[];
        tokenEndpointAuthMethod: TokenEndpointAuthMethod;
    }

    Properties

    allowedAudiences?: readonly string[]

    Audience URIs this client may receive tokens for.

    Consumers:

    • Token Exchange (RFC 8693) audience parameter selection — when this list is empty or undefined, only the client's own clientId is accepted as an audience target.
    • client_credentials grant default aud claim — selects the first entry (allowedAudiences[0]); when absent, falls back to the issuer (and ultimately omits aud when no issuer is configured).
    allowedAzpForFederationToken?: boolean

    When true, this client MAY call POST /oauth/federation/:name/token to retrieve the user's upstream federation access_token. Deny-by-default (deny-by-absence); must be explicitly opted in per client.

    Why default false: federation access_tokens grant access to the user's external resources (Google Calendar, GitHub API, etc.) — high blast radius. Opt-in prevents accidentally granting this power to a generic OAuth client registration that only needs auth.

    allowedGrantTypes?: readonly string[]

    Grant types this client is explicitly permitted to use.

    Consumed only by grant handlers that opt in to this gate. As of Wave 1, only client_credentials consults the field:

    • undefined (absent) → the grant is denied. Existing clients that omit this field cannot redeem client_credentials, preventing accidental machine-to-machine access on legacy registrations.
    • [] (empty) → the grant is also denied (no grant_type can match an empty allowlist).
    • non-empty array → the grant is allowed iff its grant_type string appears in the list.

    Other grants (authorization_code, refresh_token) ignore this field; they continue to work for clients with or without it.

    allowedRedirectUris: readonly string[]
    allowedScopes: readonly string[]
    backchannelLogoutSessionRequired?: boolean
    backchannelLogoutUri?: string
    clientId: string
    clientSecret?: string

    Required when tokenEndpointAuthMethod is "client_secret_basic" or "client_secret_post". MUST be absent (undefined) when the method is "none". The ClientEntrySchema superRefine enforces both directions.

    frontchannelLogoutSessionRequired?: boolean
    frontchannelLogoutUri?: string
    postLogoutRedirectUris?: readonly string[]
    tokenEndpointAuthMethod: TokenEndpointAuthMethod

    Token-endpoint authentication method. REQUIRED — the schema rejects client entries that omit it; deployments upgrading from v0.5.0 must add the field explicitly per the v0.5.1 migration guide.

    Public clients ("none") MUST present PKCE/S256 at /authorize; confidential clients ("client_secret_basic" / "client_secret_post") MUST present a clientSecret and use the matching transport at /token.
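As an added example (not auth.provider's own code), the following TypeScript models the rules described above for allowedGrantTypes, the client_credentials default aud, and the clientSecret / tokenEndpointAuthMethod pairing, so each can be checked against a constructed registration. It assumes TokenEndpointAuthMethod is the three-value union named above and omits the Client fields those rules do not use.

```typescript
// Added example, not auth.provider's own code: a stand-alone model of the Client
// entry rules on this page, keeping only the fields those rules use. Assumption:
// TokenEndpointAuthMethod is the three-value union named under that property.
type TokenEndpointAuthMethod = "none" | "client_secret_basic" | "client_secret_post";
interface Client {
  allowedAudiences?: readonly string[];
  allowedGrantTypes?: readonly string[];
  clientId: string;
  clientSecret?: string;
  tokenEndpointAuthMethod: TokenEndpointAuthMethod;
}

// allowedGrantTypes gate for opted-in grants (client_credentials):
// undefined and [] both deny; otherwise the grant_type must be listed.
function isGrantAllowed(client: Client, grantType: string): boolean {
  const list = client.allowedGrantTypes;
  if (list === undefined || list.length === 0) return false; // deny-by-absence
  return list.indexOf(grantType) !== -1;
}

// Default aud for a client_credentials token: allowedAudiences[0], else the
// issuer, else undefined (aud omitted when no issuer is configured).
function defaultAudience(client: Client, issuer?: string): string | undefined {
  return client.allowedAudiences?.[0] ?? issuer;
}

// Mirrors the ClientEntrySchema superRefine: the method is required, a secret is
// required for the two client_secret_* methods and must be absent for "none".
function clientEntryErrors(client: Client): string[] {
  const method = (client as Partial<Client>).tokenEndpointAuthMethod;
  if (method === undefined) return ["tokenEndpointAuthMethod is required"];
  const errors: string[] = [];
  if (method !== "none" && client.clientSecret === undefined) {
    errors.push(`clientSecret is required for ${method}`);
  }
  if (method === "none" && client.clientSecret !== undefined) {
    errors.push('clientSecret must be absent when tokenEndpointAuthMethod is "none"');
  }
  return errors;
}

// Constructed sample registrations (placeholder values, not real clients).
const legacy: Client = { clientId: "legacy-web",
  tokenEndpointAuthMethod: "client_secret_basic", clientSecret: "PLACEHOLDER_SECRET" };
const m2m: Client = { ...legacy, clientId: "batch-job",
  allowedGrantTypes: ["client_credentials"], allowedAudiences: ["https://api.example"] };
const spa: Client = { clientId: "spa", tokenEndpointAuthMethod: "none" };
```

Running clientEntryErrors over every entry at startup surfaces a legacy registration that silently lost client_credentials or a public client that still carries a secret before any token request reaches it.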