
Version: latest

Configure Dynamic Client Registration (DCR)

Dynamic Client Registration (DCR) allows developers to register OAuth 2.0 clients programmatically through the Developer Portal, without manually creating clients in the identity provider. When a developer creates an OAuth credential, the portal automatically registers a client with the configured DCR provider and returns the client ID and secret.

DCR Provider Types

API7 supports two types of DCR providers:

OIDC

The OIDC provider type uses the standard protocols RFC 7591 (client registration) and RFC 7592 (client configuration management). The portal fetches the identity provider's .well-known/openid-configuration document and reads the registration endpoint from its registration_endpoint field; a provider whose discovery document omits that field cannot be used with this type.

Supported operations:

Operation        Protocol        Description
Register client  RFC 7591        POST the client metadata to the registration endpoint, authenticated with the configured headers (for example an initial access token).
Update client    RFC 7592        PUT to the client's registration_client_uri, authenticated with the registration_access_token the provider returned at registration time.
Delete client    RFC 7592        DELETE to the client's registration_client_uri, authenticated with the same registration_access_token.
Rotate secret    Not supported   Secret rotation is not available for OIDC providers.
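The exchange described in the table, written out as an added example (this is not API7's own implementation). The portal-side client takes an injectable transport so the whole RFC 7591/7592 lifecycle can be run offline against the constructed FakeProvider below; the Keycloak-style registration path, the token values and the set of fields the fake provider refuses to overwrite on PUT are assumptions for illustration. The point to notice is the two different credentials in play: the provider-level initial access token only gates registration, while each registered client gets its own registration_access_token, which is the only thing accepted for updating or deleting that client.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple

# transport(method, url, headers, json_body) -> (status, json_body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]

DISCOVERY_PATH = "/.well-known/openid-configuration"
# Fields a client may never overwrite through an RFC 7592 PUT (assumed policy of the fake provider).
PROTECTED = {"client_id", "client_secret", "registration_access_token", "registration_client_uri"}


def discovery_url(issuer: str) -> str:
    # Strip one trailing slash before appending; an issuer given as ".../my-realm/"
    # would otherwise produce a double slash that some providers reject.
    return issuer.rstrip("/") + DISCOVERY_PATH


class DcrClient:
    """The portal-side half: discover, then register/update/delete one client."""

    def __init__(self, issuer: str, transport: Transport, headers: Optional[Dict[str, str]] = None):
        self.issuer = issuer
        self.transport = transport
        self.headers = dict(headers or {})  # provider-level headers, e.g. the initial access token

    def registration_endpoint(self) -> str:
        status, doc = self.transport("GET", discovery_url(self.issuer), {}, None)
        if status != 200 or "registration_endpoint" not in doc:
            raise RuntimeError("provider does not advertise a registration_endpoint")
        return doc["registration_endpoint"]

    def register(self, metadata: dict) -> dict:
        # RFC 7591: POST the client metadata, authenticated with the provider-level headers.
        status, body = self.transport("POST", self.registration_endpoint(), dict(self.headers), metadata)
        if status != 201:
            raise RuntimeError(f"registration failed: {status} {body}")
        return body

    @staticmethod
    def _rat_headers(client: dict) -> Dict[str, str]:
        # RFC 7592: management calls use the per-client registration_access_token, not the
        # initial access token, so one registration cannot modify another client.
        return {"Authorization": "Bearer " + client["registration_access_token"]}

    def update(self, client: dict, metadata: dict) -> dict:
        status, body = self.transport("PUT", client["registration_client_uri"],
                                      self._rat_headers(client), metadata)
        if status != 200:
            raise RuntimeError(f"update failed: {status} {body}")
        return body

    def delete(self, client: dict) -> None:
        status, _ = self.transport("DELETE", client["registration_client_uri"],
                                   self._rat_headers(client), None)
        if status != 204:
            raise RuntimeError(f"delete failed: {status}")


class FakeProvider:
    """Constructed in-memory identity provider: just enough RFC 7591/7592 to run the exchange offline."""

    def __init__(self, issuer: str, initial_access_token: str):
        self.issuer = issuer.rstrip("/")
        self.reg_endpoint = self.issuer + "/clients-registrations/openid-connect"  # Keycloak-style path, assumed
        self.iat = initial_access_token
        self.clients: Dict[str, dict] = {}

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
        auth = headers.get("Authorization", "")
        if method == "GET" and url == self.issuer + DISCOVERY_PATH:
            return 200, {"issuer": self.issuer, "registration_endpoint": self.reg_endpoint}
        if method == "POST" and url == self.reg_endpoint:
            if auth != "Bearer " + self.iat:  # the initial access token gates registration only
                return 401, {"error": "invalid_token"}
            cid = secrets.token_hex(8)
            rec = {k: v for k, v in (body or {}).items() if k not in PROTECTED}
            rec.update(client_id=cid, client_secret=secrets.token_urlsafe(32),
                       registration_access_token=secrets.token_urlsafe(32),
                       registration_client_uri=f"{self.reg_endpoint}/{cid}")
            self.clients[cid] = rec
            return 201, dict(rec)
        cid = url.rsplit("/", 1)[-1]
        rec = self.clients.get(cid)
        if rec is None or auth != "Bearer " + rec["registration_access_token"]:
            return 401, {"error": "invalid_token"}  # wrong or missing per-client token
        if method == "PUT":
            rec.update({k: v for k, v in (body or {}).items() if k not in PROTECTED})
            return 200, dict(rec)
        if method == "DELETE":
            del self.clients[cid]
            return 204, {}
        return 405, {"error": "method_not_allowed"}


if __name__ == "__main__":
    idp = FakeProvider("https://keycloak.example.com/realms/my-realm", "iat-123")
    portal = DcrClient("https://keycloak.example.com/realms/my-realm", idp, {"Authorization": "Bearer iat-123"})
    client = portal.register({"client_name": "demo", "redirect_uris": ["https://app.example.com/cb"]})
    print(client["client_id"], portal.update(client, {"client_name": "demo-v2"})["client_name"])
    portal.delete(client)
```

Because the registration_access_token and registration_client_uri come back in the registration response, the portal has to persist them with the credential; without them a later update or delete of that client is impossible, which is also why a DCR provider with associated credentials cannot simply be deleted.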

HTTP Bridge

The HTTP Bridge provider type uses a custom API to communicate with identity providers that do not support standard DCR protocols. You deploy an HTTP bridge service that translates between the portal's API and your identity provider.

Supported operations:

Operation        Method   Endpoint
Register client  POST     {base_url}/clients
Update client    PUT      {base_url}/clients/{client_id}
Delete client    DELETE   {base_url}/clients/{client_id}
Rotate secret    POST     {base_url}/clients/{client_id}/rotate-secret
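A minimal bridge that serves the four routes in the table, as an added example (not API7's bridge, and not a published contract). The page specifies only the methods and paths, so the JSON request and response fields, the X-API-Key check and the in-memory STORE that stands in for the real identity provider's client registry are all assumptions for illustration; a production bridge would replace STORE with calls to the identity provider's own API and would never hold plaintext secrets.

```python
import hmac
import json
import re
import secrets
from http import HTTPStatus
from typing import Dict, Optional, Tuple

BRIDGE_API_KEY = "change-me"   # assumed: must equal the X-API-Key value configured in `headers`
STORE: Dict[str, dict] = {}    # assumed stand-in for the identity provider's own client registry
MUTABLE = ("client_name", "redirect_uris")

# The page's routes: /clients, /clients/{client_id}, /clients/{client_id}/rotate-secret
ROUTE = re.compile(r"^/clients(?:/(?P<cid>[A-Za-z0-9_-]+)(?P<rotate>/rotate-secret)?)?$")


def handle(method: str, path: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
    """Dispatch one request from the portal; returns (status, json_body)."""
    # Constant-time compare of the shared key the portal sends with every request.
    if not hmac.compare_digest(headers.get("X-API-Key", ""), BRIDGE_API_KEY):
        return 401, {"error": "unauthorized"}
    m = ROUTE.match(path)
    if not m:
        return 404, {"error": "not_found"}
    cid, rotate = m.group("cid"), m.group("rotate") is not None
    body = body or {}

    if cid is None:                                   # POST /clients
        if method != "POST":
            return 405, {"error": "method_not_allowed"}
        cid = "c_" + secrets.token_hex(8)
        STORE[cid] = {"client_id": cid, "client_secret": secrets.token_urlsafe(32),
                      "client_name": body.get("client_name", ""),
                      "redirect_uris": list(body.get("redirect_uris", []))}
        return 201, dict(STORE[cid])                  # the only response that carries the secret

    rec = STORE.get(cid)
    if rec is None:
        return 404, {"error": "unknown_client"}
    if rotate:                                        # POST /clients/{id}/rotate-secret
        if method != "POST":
            return 405, {"error": "method_not_allowed"}
        rec["client_secret"] = secrets.token_urlsafe(32)  # the old secret is invalid from here on
        return 200, {"client_id": cid, "client_secret": rec["client_secret"]}
    if method == "PUT":                               # PUT /clients/{id}: only whitelisted fields change
        rec.update({k: body[k] for k in MUTABLE if k in body})
        return 200, {k: v for k, v in rec.items() if k != "client_secret"}
    if method == "DELETE":                            # DELETE /clients/{id}
        del STORE[cid]
        return 204, {}
    return 405, {"error": "method_not_allowed"}


def wsgi_app(environ, start_response):
    """Thin WSGI adapter so the same handler can be served by wsgiref or any WSGI server."""
    try:
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length) if length else b""
        body = json.loads(raw) if raw else None
    except (ValueError, TypeError):
        status, out = 400, {"error": "invalid_json"}
    else:
        headers = {"X-API-Key": environ.get("HTTP_X_API_KEY", "")}
        status, out = handle(environ["REQUEST_METHOD"], environ["PATH_INFO"], headers, body)
    payload = b"" if status == 204 else json.dumps(out).encode()
    start_response(f"{status} {HTTPStatus(status).phrase}", [("Content-Type", "application/json")])
    return [payload]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, wsgi_app).serve_forever()
```

Two choices worth copying into a real bridge: the update route accepts only a whitelist of mutable fields, so a PUT cannot smuggle in a new client_secret or client_id, and the secret appears in exactly two responses (registration and rotation), never in an update response.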

Create a DCR Provider

OIDC Provider

curl "https://{ADMIN_API_URL}/api/dcr_providers" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Keycloak Production",
    "provider_type": "oidc",
    "issuer": "https://keycloak.example.com/realms/my-realm",
    "headers": {
      "Authorization": "Bearer <initial-access-token>"
    },
    "desc": "Production Keycloak instance for OAuth client registration"
  }'

Parameter      Required         Description
name           Yes              Unique display name for the provider.
provider_type  Yes              oidc or http_bridge.
issuer         Yes (for OIDC)   The OIDC issuer URL. The portal appends /.well-known/openid-configuration to it to discover the registration endpoint.
headers        No               Custom HTTP headers sent with every DCR request. Use this for authentication, for example an initial access token for Keycloak. The values are stored in the provider configuration, so treat them as secrets; note that a Keycloak initial access token has an expiration and a maximum client count, and once it expires or is used up, credential creation fails until you update the provider with a new token.
desc           No               Description of the provider.

HTTP Bridge Provider

curl "https://{ADMIN_API_URL}/api/dcr_providers" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Custom OAuth Bridge",
    "provider_type": "http_bridge",
    "provider_config": {
      "base_url": "https://oauth-bridge.internal.example.com"
    },
    "headers": {
      "X-API-Key": "<bridge-api-key>"
    }
  }'

Parameter                 Required                Description
provider_config.base_url  Yes (for HTTP Bridge)   The base URL of your HTTP bridge service. The four bridge endpoints are resolved relative to it.

The name, provider_type, headers and desc parameters have the same meaning as for an OIDC provider. Because the bridge receives registration requests on behalf of the portal, it should authenticate them; the headers you configure here (such as the X-API-Key above) are how the portal presents that credential on every call.

Configure an API Product with DCR

After creating a DCR provider, reference it in an API product's authentication configuration:

curl -X PUT "https://{ADMIN_API_URL}/api/portals/{portal_id}/api_products/{product_id}" \
  -H "Authorization: Bearer $API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "auth": {
      "dcr": {
        "dcr_provider_id": "<dcr-provider-id>"
      }
    }
  }'

You can enable DCR alongside other authentication types (key auth, basic auth).

Example: Keycloak Integration

The following steps demonstrate integrating Keycloak as a DCR provider:

  1. Create an initial access token in Keycloak:

    • Log in to the Keycloak Admin Console.
    • Navigate to your realm's Clients > Initial Access Tokens.
    • Create a token with the desired expiration and maximum client count.

  2. Create the DCR provider in API7:

    curl "https://{ADMIN_API_URL}/api/dcr_providers" \
      -H "Authorization: Bearer $API_TOKEN" \
      -H "Content-Type: application/json" \
      -d '{
        "name": "Keycloak",
        "provider_type": "oidc",
        "issuer": "https://keycloak.example.com/realms/my-realm",
        "headers": {
          "Authorization": "Bearer <keycloak-initial-access-token>"
        }
      }'

  3. Create an API product with DCR authentication and publish it.

  4. Developers create OAuth credentials in the Developer Portal. Each credential creation registers a new client in Keycloak.

  5. Developers request access tokens from Keycloak using the client ID and secret, then use the tokens to call APIs through the gateway.
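Step 5 as a developer would script it, added here as an example (it is not code from the page or from API7). It performs the client_credentials grant with the client ID and secret returned by the portal and then calls the published API through the gateway. The token endpoint path {issuer}/protocol/openid-connect/token is Keycloak's; the gateway URL, API path and credential values are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple


def basic_credentials(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 2.3.1: form-urlencode the id and secret *before* Base64, so a
    # secret containing ':' or '%' survives the round trip unambiguously.
    return urllib.parse.quote(client_id, safe="") + ":" + urllib.parse.quote(client_secret, safe="")


def token_request(issuer: str, client_id: str, client_secret: str,
                  scope: Optional[str] = None) -> Tuple[str, Dict[str, str], bytes]:
    """Build the client_credentials request (RFC 6749 section 4.4) with HTTP Basic client auth."""
    url = issuer.rstrip("/") + "/protocol/openid-connect/token"   # Keycloak's token endpoint path
    headers = {
        "Authorization": "Basic " + base64.b64encode(basic_credentials(client_id, client_secret).encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    return url, headers, urllib.parse.urlencode(form).encode()


def fetch_access_token(issuer: str, client_id: str, client_secret: str) -> str:
    """Network call to Keycloak; returns the bearer access token."""
    url, headers, body = token_request(issuer, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        tok = json.load(resp)
    if tok.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type: {tok.get('token_type')}")
    return tok["access_token"]


def call_api(gateway_url: str, path: str, access_token: str) -> Tuple[int, bytes]:
    """Call the published API through the gateway, presenting the token as a Bearer credential."""
    req = urllib.request.Request(gateway_url.rstrip("/") + path,
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Placeholder values; the real ones come from the credential the portal created.
    token = fetch_access_token("https://keycloak.example.com/realms/my-realm", "my-client-id", "my-client-secret")
    print(call_api("https://gateway.example.com", "/v1/ping", token))
```

Sending the client secret in the Authorization header rather than as client_secret form fields keeps it out of request bodies that proxies and access logs are more likely to capture, and is the client authentication method RFC 6749 requires servers to support.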

Deletion Protection

A DCR provider cannot be deleted if:

  • Any API product references it in its authentication configuration.
  • Any developer credential is associated with it.

Remove all references before deleting the provider.

OIDC Discovery Caching

For OIDC providers, the portal caches the OpenID Connect discovery document (which contains the registration endpoint URL). The cache uses an LRU policy with a 24-hour TTL and up to 128 entries, which minimizes the number of discovery requests sent to the identity provider. A consequence is that a change to a provider's discovery document, such as a new registration endpoint, is not seen until the cached entry expires.
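An LRU cache with a per-entry TTL that reproduces the policy stated above (128 entries, 24 hours), added as an example; it is not API7's implementation. The fetch function and the clock are injected so eviction and expiry can be exercised offline with a constructed fake, and failed fetches are deliberately never cached, so a transient outage at the identity provider does not poison the entry for a day.

```python
import time
from collections import OrderedDict
from typing import Callable, Tuple


class DiscoveryCache:
    """LRU cache of OIDC discovery documents with a per-entry TTL.

    `fetch(url) -> dict` performs the real HTTP GET; `clock` is injectable so expiry can be
    tested without waiting 24 hours. Keys are issuers, normalised by dropping a trailing slash.
    """

    def __init__(self, fetch: Callable[[str], dict], max_entries: int = 128,
                 ttl_seconds: float = 24 * 3600, clock: Callable[[], float] = time.monotonic):
        self.fetch = fetch
        self.max_entries = max_entries
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: "OrderedDict[str, Tuple[float, dict]]" = OrderedDict()
        self.fetches = 0  # how many times the provider was actually contacted

    def get(self, issuer: str) -> dict:
        key = issuer.rstrip("/")
        now = self.clock()
        hit = self._entries.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            self._entries.move_to_end(key)        # touched: becomes the most recently used entry
            return hit[1]
        # Miss or expired: fetch again. An exception here propagates and nothing is cached.
        doc = self.fetch(key + "/.well-known/openid-configuration")
        self.fetches += 1
        if "registration_endpoint" not in doc:
            raise RuntimeError(f"{key}: discovery document has no registration_endpoint")
        self._entries[key] = (now, doc)
        self._entries.move_to_end(key)
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)      # evict the least recently used issuer
        return doc

    def registration_endpoint(self, issuer: str) -> str:
        return self.get(issuer)["registration_endpoint"]

    def invalidate(self, issuer: str) -> None:
        # Call after a provider's discovery document is known to have changed.
        self._entries.pop(issuer.rstrip("/"), None)
```

The TTL is checked on read, not enforced by a background sweeper, so an issuer that is never queried again simply lingers until LRU eviction pushes it out; with 128 slots that is harmless for a portal with a handful of providers.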

Copyright © APISEVEN PTE. LTD 2019 – 2026. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the Apache Software Foundation