feat: implement dynamic client registration

[Zaimwa9]

Thanks for submitting a PR! Please check the boxes below:

• I have read the Contributing Guide.
• I have added information to docs/ if required so people know about the feature.
• I have filled in the "Changes" section below.
• I have filled in the "How did you test this code" section below.

Changes

Closes #7033

Implements POST /o/register/ for DCR OAuth Dynamic Client Registration to enable MCP clients to self-register their application.

• Added DCR endpoint that
  • accepts client_name and redirect_uris
  • creates a public DOT Application
  • returns a client_id
• Redirect URI validation: HTTPS required (localhost/127.0.0.1 exception), no wildcards, no fragments, max 5 URIs
• XSS on consent screen protection with client name sanitisation
• Dedicated DCR_THROTTLE_RATE throttle scope at 10/min per IP
• RFC 7591 compliant error responses (error + error_description format)
• Daily recurring task to clean up stale applications (registered > 14 days ago, never used)

How did you test this code?

https://www.loom.com/share/8f821fda00cd48cbbc4673a509047364

1. Start the dev server: make docker-up django-migrate && make serve
2. Register a client:

curl -s -X POST http://localhost:8000/o/register/ \
  -H 'Content-Type: application/json' \
  -d '{"client_name": "OAuth Test Server", "redirect_uris": ["http://localhost:3000/oauth/callback"]}' \
  | python3 -m json.tool

3. Update CLIENT_ID in api/oauth2_test_server.mjs with the returned client_id
4. Run node api/oauth2_test_server.mjs and open http://localhost:3000
5. Log in via the Django admin page, then authorise the application on the consent screen
6. Verify the token response is returned (access_token, refresh_token, scope: mcp)

[claude]

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, reopen this pull request to trigger a review.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs	Ignored	Preview	Apr 2, 2026 9:15am
flagsmith-frontend-preview	Ignored	Preview	Apr 2, 2026 9:15am
flagsmith-frontend-staging	Ignored	Preview	Apr 2, 2026 9:15am

[github-actions]

Docker builds report

Image	Build Status	Security report
ghcr.io/flagsmith/flagsmith-e2e:pr-7096	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-api-test:pr-7096	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-frontend:pr-7096	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-api:pr-7096	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith:pr-7096	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-private-cloud:pr-7096	Finished ✅	Results ✅

[github-actions]

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 43.8 seconds
 38ed2b9
 🔄 Run: #15615 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 51.5 seconds
 2783d3e
 🔄 Run: #15614 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 26.8 seconds
 2783d3e
 🔄 Run: #15614 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 11.8 seconds
 38ed2b9
 🔄 Run: #15615 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 1 passed

Details

 1 test across 1 suite
 1 minute, 10 seconds
 2783d3e
 🔄 Run: #15614 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 53.9 seconds
 2783d3e
 🔄 Run: #15614 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 10.5 seconds
 610acbd
 🔄 Run: #15617 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 54.8 seconds
 610acbd
 🔄 Run: #15617 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 55.5 seconds
 610acbd
 🔄 Run: #15617 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 1 minute, 2 seconds
 610acbd
 🔄 Run: #15617 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 40.8 seconds
 6806acb
 🔄 Run: #15618 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 41.6 seconds
 6a98fa6
 🔄 Run: #15619 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 9.6 seconds
 6806acb
 🔄 Run: #15618 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 49.1 seconds
 6a98fa6
 🔄 Run: #15619 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 16 passed

Details

 16 tests across 13 suites
 1 minute, 2 seconds
 6806acb
 🔄 Run: #15618 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 53.1 seconds
 6806acb
 🔄 Run: #15618 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 41 seconds
 910765b
 🔄 Run: #15620 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 48.2 seconds
 910765b
 🔄 Run: #15620 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 16 passed

Details

 16 tests across 13 suites
 57.3 seconds
 910765b
 🔄 Run: #15620 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 1 passed

Details

 1 test across 1 suite
 52.1 seconds
 910765b
 🔄 Run: #15620 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 25.4 seconds
 a1fea8e
 🔄 Run: #15621 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 47.7 seconds
 779b0eb
 🔄 Run: #15622 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 40.9 seconds
 779b0eb
 🔄 Run: #15622 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 11.9 seconds
 a1fea8e
 🔄 Run: #15621 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 16 passed

Details

 16 tests across 13 suites
 1 minute, 14 seconds
 a1fea8e
 🔄 Run: #15621 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 45.8 seconds
 a1fea8e
 🔄 Run: #15621 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 25.2 seconds
 0dcd6b7
 🔄 Run: #15634 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 11 seconds
 0dcd6b7
 🔄 Run: #15634 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 1 passed

Details

 1 test across 1 suite
 43.8 seconds
 0dcd6b7
 🔄 Run: #15634 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 1 passed

Details

 1 test across 1 suite
 1 minute, 7 seconds
 0dcd6b7
 🔄 Run: #15634 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 9.3 seconds
 a10dfd8
 🔄 Run: #15635 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 52.3 seconds
 a10dfd8
 🔄 Run: #15635 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 1 passed

Details

 1 test across 1 suite
 44 seconds
 a10dfd8
 🔄 Run: #15635 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 1 minute, 12 seconds
 a10dfd8
 🔄 Run: #15635 (attempt 1)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.27%. Comparing base (ec0b067) to head (a10dfd8).

Additional details and impacted files

@@                       Coverage Diff                        @@
##           feat/setup-dot-and-as-metadata    #7096    +/-   ##
================================================================
  Coverage                           98.27%   98.27%            
================================================================
  Files                                1344     1347     +3     
  Lines                               50126    50349   +223     
================================================================
+ Hits                                49259    49482   +223     
  Misses                                867      867            

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[gagantrivedi]

I think the window of this shoulld be much bigger? something like 500/month?

[gagantrivedi]

Should this live in a different test file? oauth2_metadata/test_service.py?