Client ID Metadata Documents (CIMD) let OAuth clients identify themselves using a URL. No preregistration necessary.
CIMD reduces friction, supports dynamic ecosystems like MCP, and eliminates interoperability headaches.
How CIMD Works
Client hosts metadata at URL
The client creates a JSON document with its metadata and hosts it at an HTTPS URL.
Client uses URL as client_id
Instead of a pre-registered client ID, the client passes the metadata URL directly.
Server fetches and validates metadata
The authorization server fetches the JSON from the client_id URL and validates it.
• Ensures client_id matches the source URL
• Checks redirect URIs and other parameters
Server shows client info in consent screen
The server displays the client_name and client_uri to help users make informed consent decisions.
CIMD provides built-in protection against client impersonation because the authorization server can verify that the client_uri has the same origin as the CIMD URL.
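The server-side checks described above (client_id matches the source URL, redirect URI is listed, client_uri shares the CIMD URL's origin), as an added example that is not taken from the specification or from any vendor's implementation. The function name, messages and sample document are assumptions made for illustration; the document is passed in as text so the example runs offline.

```python
import json
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) with default ports filled in, or None."""
    try:
        p = urlsplit(url)
        port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    except ValueError:  # malformed host or port
        return None
    return (p.scheme, p.hostname, port)

def validate_cimd(client_id, body, redirect_uri):
    """Check a fetched metadata document; return (errors, warnings).

    client_id    -- URL the client sent as client_id (where body came from)
    body         -- raw JSON text returned from that URL
    redirect_uri -- redirect_uri from the authorization request
    """
    errors, warnings = [], []
    if urlsplit(client_id).scheme != "https":
        errors.append("client_id URL is not HTTPS")
    try:
        doc = json.loads(body)
    except ValueError:
        return ["metadata is not valid JSON"], warnings
    if not isinstance(doc, dict):
        return ["metadata is not a JSON object"], warnings
    # The document must name the exact URL it was fetched from.
    if doc.get("client_id") != client_id:
        errors.append("client_id in document does not match source URL")
    # Exact string match against the listed URIs, no prefix matching.
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or redirect_uri not in uris:
        errors.append("redirect_uri not listed in redirect_uris")
    # client_uri is shown on the consent screen, so flag a foreign origin.
    client_uri = doc.get("client_uri")
    if isinstance(client_uri, str) and origin(client_uri) != origin(client_id):
        warnings.append("client_uri origin differs from CIMD URL origin")
    return errors, warnings

# Constructed sample reproducing the mismatch case from the text.
CIMD_URL = "https://dmic.dev/oauth/metadata.json"
SAMPLE = json.dumps({"client_id": CIMD_URL, "client_name": "Example Client",
                     "client_uri": "https://client.dev",
                     "redirect_uris": ["https://dmic.dev/oauth/callback"]})

if __name__ == "__main__":
    print(validate_cimd(CIMD_URL, SAMPLE, "https://dmic.dev/oauth/callback"))
```

Errors should stop the authorization request; warnings are meant to be surfaced on the consent screen alongside client_name and client_uri.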
If a client hosts its metadata at https://dmic.dev/oauth/metadata.json but claims client_uri: "https://client.dev", the server can detect this mismatch and show appropriate warnings.
Use Cases
Model Context Protocol
Connect AI tools and servers without the registration bottleneck. Every MCP client can authenticate dynamically.
Developer Tools
CLI tools, desktop apps, and developer utilities that need OAuth without complex setup flows.
Enterprise Platforms
SaaS platforms with hundreds of integrations that don't want to manage thousands of client registrations.
Learn More
Read the full technical specification and implementation details.
Learn about how Stytch implements CIMD in its product suite.
Discover the motivation behind CIMD from the Model Context Protocol team's perspective.