# OAuth 2.1 + Dynamic Client Registration

Niyra implements the OAuth 2.1 authorization-server role for third-party clients — Claude Desktop, Cursor, ChatGPT, anything that wants to call `/mcp` or `/v1/public/` on behalf of a Niyra user. If you don't need OAuth (you only need your own scripts to call Niyra), use Personal Access Tokens instead.

## Discovery

Returns the standard RFC 8414 metadata document, including:

- `authorization_endpoint` — `/oauth/authorize`
- `token_endpoint` — `/oauth/token`
- `registration_endpoint` — `/oauth/register`
- `revocation_endpoint` — `/oauth/revoke`
- `introspection_endpoint` — `/oauth/introspect`
- `jwks_uri` — `/.well-known/jwks.json`
- `scopes_supported` — full catalog
- `code_challenge_methods_supported` — `["S256"]`

## Step 1 — Register your client (DCR, RFC 7591)

Response:

Public clients (CLIs, desktop apps, mobile) MUST use `token_endpoint_auth_method: none` and PKCE.

## Step 2 — Authorization code with PKCE

Generate a code verifier + challenge:

Send the user to:

The `resource` parameter is RFC 8707 — it binds the resulting access token to a specific audience, so a token issued for one resource server cannot be replayed against another.

After consent, Niyra redirects to:

## Step 3 — Exchange code for tokens

Response:

## Step 4 — Use the token

## Refresh rotation

Refresh tokens rotate on every use — the response includes a new refresh token and the old one is marked rotated. Replaying a rotated refresh token triggers OAuth 2.1 §6.1 cascade revocation: the entire token chain is invalidated, so a stolen refresh token can be used at most once before the legitimate client discovers the theft (its own next refresh fails and it must re-run the authorization flow).

## Revoking tokens

Per RFC 7009, the endpoint always returns 200, regardless of whether the token existed.

## Related

- Scope catalog
- Rate limits
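As an added illustration of the rotate-on-use and cascade-revocation behaviour described under "Refresh rotation" above (example code written for this page, not Niyra's implementation), the following in-memory model walks through a legitimate rotation, a replay of the spent token, and the legitimate client's next refresh. The store, the `chain_id` grouping and the status names are assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass
class RefreshToken:
    value: str
    chain_id: str           # tokens descended from one grant share a chain (assumption)
    status: str = "active"  # active | rotated | revoked

class RefreshStore:
    """Constructed in-memory model of rotate-on-use refresh tokens with cascade
    revocation. Illustrative only, not Niyra's implementation."""

    def __init__(self):
        self.tokens = {}

    def issue(self, chain_id=None):
        tok = RefreshToken(secrets.token_urlsafe(32), chain_id or secrets.token_urlsafe(8))
        self.tokens[tok.value] = tok
        return tok

    def refresh(self, presented):
        """Return (new_token, error). Both failures would be 'invalid_grant' on the wire."""
        tok = self.tokens.get(presented)
        if tok is None or tok.status == "revoked":
            return None, "invalid_grant"
        if tok.status == "rotated":
            # A spent token was presented again: two parties hold the same secret,
            # so nothing in this chain can be trusted. Revoke all of it.
            self._revoke_chain(tok.chain_id)
            return None, "replay_detected"
        tok.status = "rotated"  # the presented token is single-use and now spent
        return self.issue(tok.chain_id), None

    def _revoke_chain(self, chain_id):
        for t in self.tokens.values():
            if t.chain_id == chain_id:
                t.status = "revoked"

def replay_scenario():
    """Legitimate rotation, replay of the spent token, then the legitimate client's next refresh."""
    store = RefreshStore()
    rt1 = store.issue()
    rt2, err1 = store.refresh(rt1.value)  # legitimate client rotates: ok
    _, err2 = store.refresh(rt1.value)    # spent copy replayed: cascade revocation
    _, err3 = store.refresh(rt2.value)    # legitimate client is now locked out too
    return err1, err2, err3
```

The third result is the signal the text describes: the legitimate client's refresh fails after the replay, which is how it learns the token was stolen.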