Dynamic Client Registration: OAuth without hardcoded credentials
Skip the manual client setup. Use OAuth DCR so Cast registers itself automatically on the first connection.
What is Dynamic Client Registration?
Dynamic Client Registration (RFC 7591) lets an OAuth client register itself with an authorization server at runtime — no pre-configured client_id or client_secret needed. Cast supports two DCR modes:
- Cast DCR — Cast manages registration automatically. Select this and provide zero OAuth credentials.
- Your own DCR — Your auth server's DCR endpoint. Cast self-registers there and re-registers as needed.
This tutorial uses the test-server's oauth-dcr mode, which exposes a DCR endpoint at POST /auth/clients.
1. Start the test server in oauth-dcr mode
cd cast-mcp/test-server
npx ts-node src/index.ts --mode oauth-dcr --port 3456
✚ Dynamic Client Registration: POST http://localhost:3456/auth/clients
🌐 Token endpoint : http://localhost:3456/auth/token
🌐 Metadata : http://localhost:3456/.well-known/oauth-authorization-server
2. Create a workspace and upload the spec
New workspace → Upload → http://localhost:3456/openapi.json.
3. Configure auth — OAuth 2.0 → Your own DCR
Switch to Configure. Click OAuth 2.0, then choose Your own DCR in the provider selector. A third URL field appears: DCR Endpoint URL. Fill it with your server's registration endpoint.
Notice: no Client ID or Client Secret fields — Cast obtains those from your DCR endpoint on the first client connection.
API Base URL
- Bearer Token (Authorization: Bearer <token>)
- API Key Header (X-Api-Key: <key>)
- Custom Headers (any header name + value)
- OAuth 2.0 (PKCE · DCR support)
OAuth / DCR Provider
- Cast DCR: We handle Dynamic Client Registration automatically. Zero config.
- Your own DCR: Use your OAuth server's DCR endpoint.
- Custom OAuth: Provide client_id and client_secret directly.
Authorization URL
Token URL
DCR Endpoint URL
OAuth Scopes
With DCR, you never enter a client_id or client_secret. Cast generates credentials during registration and stores them encrypted. They are automatically rotated if the server indicates they've expired.
What Cast sends to the DCR endpoint
{
  "client_name": "Cast MCP — workspace-name",
  "redirect_uris": ["https://mcp.getcast.io/oauth/callback"],
  "grant_types": ["authorization_code", "refresh_token"],
  "response_types": ["code"],
  "token_endpoint_auth_method": "client_secret_basic",
  "scope": "read:items write:items read:users"
}
The server responds with a client_id and client_secret. Cast stores them encrypted and uses them for the subsequent token exchange — all invisible to your MCP clients.
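If you run your own DCR endpoint, the registration request above is unauthenticated input and should be validated before any credentials are issued. The following is an added example, not Cast's or the test-server's code: a validator using the RFC 7591 error codes and defaults, where the auth-method and scope allowlists and the loopback-only rule for plain http are assumed server policy.

```typescript
// Added example (not Cast or test-server code): RFC 7591 request validation.
type Registration = {
  redirect_uris?: unknown; grant_types?: unknown; response_types?: unknown;
  token_endpoint_auth_method?: unknown; scope?: unknown; client_name?: unknown;
};
type Result = { ok: boolean; error?: string; detail?: string };

// Assumed server policy, chosen for this example.
const AUTH_METHODS = ["client_secret_basic", "client_secret_post"];
const ALLOWED_SCOPES = ["read:items", "write:items", "read:users"];

const fail = (error: string, detail: string): Result => ({ ok: false, error, detail });
const isStrings = (v: unknown): v is string[] =>
  Array.isArray(v) && v.every((s) => typeof s === "string");

function redirectUriOk(raw: string): boolean {
  let u: URL;
  try { u = new URL(raw); } catch { return false; }
  if (raw.includes("#") || u.username || u.password) return false; // no fragment, no userinfo
  if (u.protocol === "https:") return true;
  // Plain http is accepted only for loopback development servers.
  return u.protocol === "http:" && ["localhost", "127.0.0.1"].includes(u.hostname);
}

function validateRegistration(req: Registration): Result {
  const uris = req.redirect_uris;
  if (!isStrings(uris) || uris.length === 0)
    return fail("invalid_redirect_uri", "redirect_uris must be a non-empty string array");
  const badUri = uris.find((u) => !redirectUriOk(u));
  if (badUri !== undefined) return fail("invalid_redirect_uri", `rejected: ${badUri}`);

  // RFC 7591 defaults apply when a field is omitted.
  const grants = req.grant_types ?? ["authorization_code"];
  const responses = req.response_types ?? ["code"];
  const method = req.token_endpoint_auth_method ?? "client_secret_basic";
  if (!isStrings(grants) || !isStrings(responses))
    return fail("invalid_client_metadata", "grant_types/response_types must be string arrays");
  if (grants.includes("implicit") || responses.includes("token"))
    return fail("invalid_client_metadata", "implicit flow is not registered here");
  if (grants.includes("authorization_code") !== responses.includes("code"))
    return fail("invalid_client_metadata", "grant_types and response_types disagree");
  if (typeof method !== "string" || !AUTH_METHODS.includes(method))
    return fail("invalid_client_metadata", "unsupported token_endpoint_auth_method");

  const scopes = typeof req.scope === "string" ? req.scope.split(" ").filter(Boolean) : [];
  const badScope = scopes.find((s) => !ALLOWED_SCOPES.includes(s));
  if (badScope !== undefined) return fail("invalid_client_metadata", `scope not allowed: ${badScope}`);
  return { ok: true };
}
```

A request that passes these checks would then receive a generated client_id and client_secret in the registration response; a failing one gets HTTP 400 with the error code shown.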
4. Enable tools
- listItems: /api/items
- createItem: /api/items
- listUsers: /api/users
- getItem: /api/items/{id}
5. Connect and test
Switch to the Connect tab. DCR fires on the first client connection — not at save time. Check the Logs tab to see the full trace: registration → token exchange → tool call.
{
  "mcpServers": {
    "test-oauth-dcr": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote@latest",
        "https://mcp.getcast.io/test-oauth-dcr-cmpqtghv8000a"
      ]
    }
  }
}
Cast DCR vs. your own DCR
- Cast DCR — your API supports OAuth but has no DCR endpoint. Select this and Cast acts as the authorization intermediary.
- Your own DCR — your auth server already implements RFC 7591 and you want Cast to self-register there directly.