Optional ReadonlyallowedAudience values this client may receive tokens for. Grants that issue
tokens directly from the client record select the first entry as the
default aud; absence falls back to the issuer.
Optional ReadonlyallowedPer-client grant-type gate. Currently consumed only by
client_credentials (deny-by-absence semantics on the absent / empty
field). authorization_code / refresh_token continue to ignore this
field for backward compatibility with clients registered before the
field existed.
Optional ReadonlyallowedPer-client allowed scope ceiling. Grant handlers that issue tokens
directly from the client record (e.g., client_credentials, which has
no upstream RT/code carrying a scope claim) compare requested scopes
against this list and emit invalid_scope on disjoint sets.
ReadonlyclientOptional ReadonlysenderPer-client sender-constraint requirement. The /token route
propagates this from req.oauthClient; the shared grant-dispatch
path enforces the binding-method rules in spec §4.8 step 2 before
invoking the concrete grant handler.
Readonlytoken
The client identity established by RFC 6749 §2.3 token-endpoint authentication middleware (
clientAuthMw) before a grant handler is invoked.Every grant handler that gates on client identity (refresh, authorization code, token-exchange) MUST consult this slot rather than the raw request body — body parameters are attacker-controlled and may differ from the authenticated identity.
nullindicates the request did not pass throughclientAuthMw(e.g., a custom route, or a unit test invoking the handler directly with a hand-builtGrantContext).