curl --request POST \
  --url https://api.hq.zone/v1/oauth/register \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_name": "<string>",
  "grant_types": [
    "<string>"
  ],
  "redirect_uris": [
    "<string>"
  ],
  "response_types": [
    "<string>"
  ],
  "scope": "<string>",
  "token_endpoint_auth_method": "<string>"
}
'

{
  "client_id": "<string>",
  "client_id_issued_at": 123,
  "client_name": "<string>",
  "grant_types": [
    "<string>"
  ],
  "redirect_uris": [
    "<string>"
  ],
  "registration_client_uri": "<string>",
  "response_types": [
    "<string>"
  ],
  "scope": "<string>",
  "token_endpoint_auth_method": "<string>",
  "client_secret": "<string>",
  "client_secret_expires_at": 123,
  "registration_access_token": "<string>"
}

Authentication

Register an OAuth client

OAuth 2.1 Dynamic Client Registration (RFC 7591). Registration is authenticated: the caller must present a valid HQ session or token, and the resulting client is owned by that user. Validates the submitted JSON metadata (redirect URIs must be https or http loopback with no fragment; scopes must be known capability scopes; token_endpoint_auth_method none yields a public client, client_secret_post/basic a confidential one). Returns 201 with the new client_id, a registration_access_token, and, for confidential clients, a client_secret (the secret and registration token are shown only once), plus a registration_client_uri for managing the client. Registered clients are always treated as third-party and shown the consent screen, and each account is capped on how many it may register.

POST

oauth

curl --request POST \
  --url https://api.hq.zone/v1/oauth/register \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "client_name": "<string>",
  "grant_types": [
    "<string>"
  ],
  "redirect_uris": [
    "<string>"
  ],
  "response_types": [
    "<string>"
  ],
  "scope": "<string>",
  "token_endpoint_auth_method": "<string>"
}
'

{
  "client_id": "<string>",
  "client_id_issued_at": 123,
  "client_name": "<string>",
  "grant_types": [
    "<string>"
  ],
  "redirect_uris": [
    "<string>"
  ],
  "registration_client_uri": "<string>",
  "response_types": [
    "<string>"
  ],
  "scope": "<string>",
  "token_endpoint_auth_method": "<string>",
  "client_secret": "<string>",
  "client_secret_expires_at": 123,
  "registration_access_token": "<string>"
}

Dynamic client registration (RFC 7591)

Registers a new OAuth client and returns its client_id and registration metadata. Public clients (e.g. browser apps) use PKCE and have no secret. Provide your redirect_uris and the scopes the client may request. Afterwards, manage the registration with Get / Update / Delete using the returned credentials.

Authorizations

Authorization

string

header

required

Personal Access Token. Send as Authorization: Bearer hq_pat_....

Body

application/json

client_name

string | null

grant_types

string[] | null

redirect_uris

string[]

response_types

string[] | null

scope

string | null

Space-delimited capability scopes the client may request.

token_endpoint_auth_method

string | null

Response

Registered client (client_id + one-time secret/registration token), RFC 7591

client_id

string

required

client_id_issued_at

integer<int64>

required

client_name

string

required

grant_types

string[]

required

redirect_uris

string[]

required

registration_client_uri

string

required

response_types

string[]

required

scope

string

required

token_endpoint_auth_method

string

required

client_secret

string | null

client_secret_expires_at

integer<int64> | null

registration_access_token

string | null

Revoke a token Get an OAuth client

⌘I

​Dynamic client registration (RFC 7591)

Authorizations

Body

Response

Dynamic client registration (RFC 7591)