@lti-tool/core 0.11.1 → 0.12.0

package/src/interfaces/index.ts

@@ -1,6 +1,7 @@
 export type { LTIClient } from './ltiClient.js';
 export type { LTIConfig } from './ltiConfig.js';
 export type { LTIDeployment } from './ltiDeployment.js';
+export type { LTIDynamicRegistrationSession } from './ltiDynamicRegistrationSession.js';
 export type { LTILaunchConfig } from './ltiLaunchConfig.js';
 export type { LTISession } from './ltiSession.js';
 export type { LTIStorage } from './ltiStorage.js';

package/src/interfaces/ltiConfig.ts

@@ -2,6 +2,28 @@ import type { Logger } from 'pino';
 
 import type { LTIStorage } from './ltiStorage.js';
 
+/** Dynamic registration configuration for LTI 1.3 tool registration */
+export interface DynamicRegistrationConfig {
+  /** Base URL of the LTI tool (e.g., 'https://my-tool.com') */
+  url: string;
+  /** Display name shown to users in the LMS (e.g., 'My Learning Tool') */
+  name: string;
+  /** Optional description of the tool's functionality */
+  description?: string;
+  /** Optional URL to tool logo image for LMS display */
+  logo?: string;
+  /** Additional redirect URIs beyond the default /lti/launch endpoint */
+  redirectUris?: string[];
+  /** Optional custom deep linking content selection endpoint (defaults to {url}/lti/deep-linking) */
+  deepLinkingUri?: string;
+  /** Optional custom login endpoint (defaults to {url}/lti/login) */
+  loginUri?: string;
+  /** Optional custom launch endpoint (defaults to {url}/lti/launch) */
+  launchUri?: string;
+  /** Optional custom JWKS endpoint (defaults to {url}/lti/jwks) */
+  jwksUri?: string;
+}
+
 /**
  * Configuration object for initializing an LTI Tool instance.
  * Contains cryptographic keys, secrets, and storage adapter.
@@ -28,4 +50,7 @@ export interface LTIConfig {
     /** Nonce expiration time in seconds (defaults to 600 = 10 minutes) */
     nonceExpirationSeconds?: number;
   };
+
+  /** Dynamic registration configuration for LTI 1.3 tool registration */
+  dynamicRegistration?: DynamicRegistrationConfig;
 }

package/src/interfaces/ltiDynamicRegistrationSession.ts

@@ -0,0 +1,14 @@
+import type { OpenIDConfiguration } from '../schemas/lti13/dynamicRegistration/openIDConfiguration.schema';
+
+/**
+ * Temporary session data stored during LTI 1.3 dynamic registration flow.
+ * Used to maintain state between the registration initiation and completion steps.
+ */
+export interface LTIDynamicRegistrationSession {
+  /** Platform's OpenID Connect configuration retrieved during registration initiation */
+  openIdConfiguration: OpenIDConfiguration;
+  /** Registration token provided by the platform for this registration attempt */
+  registrationToken?: string;
+  /** Unix timestamp (milliseconds) when this session expires and should be cleaned up */
+  expiresAt: number;
+}

package/src/interfaces/ltiStorage.ts

@@ -1,5 +1,6 @@
 import type { LTIClient } from './ltiClient.js';
 import type { LTIDeployment } from './ltiDeployment.js';
+import type { LTIDynamicRegistrationSession } from './ltiDynamicRegistrationSession.js';
 import type { LTILaunchConfig } from './ltiLaunchConfig.js';
 import type { LTISession } from './ltiSession.js';
 
@@ -158,4 +159,35 @@ export interface LTIStorage {
    * @param launchConfig - Complete launch configuration with auth URLs and keys
    */
   saveLaunchConfig(launchConfig: LTILaunchConfig): Promise<void>;
+
+  // Dynamic Registration
+
+  /**
+   * Stores a temporary registration session during LTI 1.3 dynamic registration flow.
+   * Sessions have a TTL and are automatically cleaned up when expired.
+   *
+   * @param sessionId - Unique session identifier (typically a UUID)
+   * @param session - Registration session data including platform config and tokens
+   */
+  setRegistrationSession(
+    sessionId: string,
+    session: LTIDynamicRegistrationSession,
+  ): Promise<void>;
+
+  /**
+   * Retrieves a registration session by its ID for validation during completion.
+   *
+   * @param sessionId - Unique session identifier
+   * @returns Registration session if found and not expired, undefined otherwise
+   */
+  getRegistrationSession(
+    sessionId: string,
+  ): Promise<LTIDynamicRegistrationSession | undefined>;
+
+  /**
+   * Removes a registration session from storage (cleanup after completion or expiration).
+   *
+   * @param sessionId - Unique session identifier to delete
+   */
+  deleteRegistrationSession(sessionId: string): Promise<void>;
 }

package/src/ltiTool.ts

@@ -5,12 +5,15 @@ import type { JWKS } from './interfaces/jwks.js';
 import type { LTIClient } from './interfaces/ltiClient.js';
 import type { LTIConfig } from './interfaces/ltiConfig.js';
 import type { LTIDeployment } from './interfaces/ltiDeployment.js';
+import type { LTIDynamicRegistrationSession } from './interfaces/ltiDynamicRegistrationSession.js';
 import type { LTISession } from './interfaces/ltiSession.js';
 import { AddClientSchema, UpdateClientSchema } from './schemas/client.schema.js';
 import {
+  type DynamicRegistrationForm,
   HandleLoginParamsSchema,
   type LTI13JwtPayload,
   LTI13JwtPayloadSchema,
+  type RegistrationRequest,
   SessionIdSchema,
   VerifyLaunchParamsSchema,
 } from './schemas/index.js';
@@ -24,11 +27,13 @@ import {
 } from './schemas/lti13/ags/lineItem.schema.js';
 import { type Results, ResultsSchema } from './schemas/lti13/ags/result.schema.js';
 import { type ScoreSubmission } from './schemas/lti13/ags/scoreSubmission.schema.js';
+import { type OpenIDConfiguration } from './schemas/lti13/dynamicRegistration/openIDConfiguration.schema.js';
 import {
   type Member,
   NRPSContextMembershipResponseSchema,
 } from './schemas/lti13/nrps/contextMembership.schema.js';
 import { AGSService } from './services/ags.service.js';
+import { DynamicRegistrationService } from './services/dynamicRegistration.service.js';
 import { NRPSService } from './services/nrps.service.js';
 import { createSession } from './services/session.service.js';
 import { TokenService } from './services/token.service.js';
@@ -64,6 +69,7 @@ export class LTITool {
   private tokenService: TokenService;
   private agsService: AGSService;
   private nrpsService: NRPSService;
+  private dynamicRegistrationService?: DynamicRegistrationService;
 
   /**
    * Creates a new LTI Tool instance.
@@ -90,6 +96,13 @@ export class LTITool {
       this.config.storage,
       this.logger,
     );
+    if (this.config.dynamicRegistration) {
+      this.dynamicRegistrationService = new DynamicRegistrationService(
+        this.config.storage,
+        this.config.dynamicRegistration,
+        this.logger,
+      );
+    }
   }
 
   /**
@@ -444,7 +457,6 @@ export class LTITool {
 
     const response = await this.nrpsService.getMembers(session);
     const data = await response.json();
-    console.log(data);
     const validated = NRPSContextMembershipResponseSchema.parse(data);
 
     // Transform to clean camelCase format
@@ -462,6 +474,76 @@ export class LTITool {
     }));
   }
 
+  /**
+   * Fetches and validates the OpenID Connect configuration from an LTI platform during dynamic registration.
+   * Validates that the OIDC endpoint and issuer have matching hostnames for security.
+   *
+   * @param registrationRequest - Registration request containing openid_configuration URL and optional registration_token
+   * @returns Validated OpenID configuration with platform endpoints and supported features
+   * @throws {Error} When the configuration fetch fails, validation fails, or hostname mismatch detected
+   *
+   * @example
+   * ```typescript
+   * const config = await ltiTool.fetchPlatformConfiguration({
+   *   openid_configuration: 'https://platform.edu/.well-known/openid_configuration',
+   *   registration_token: 'optional-bearer-token'
+   * });
+   * console.log('Platform issuer:', config.issuer);
+   * ```
+   */
+  async fetchPlatformConfiguration(
+    registrationRequest: RegistrationRequest,
+  ): Promise<OpenIDConfiguration> {
+    if (!this.dynamicRegistrationService) {
+      throw new Error('Dynamic registration service is not configured');
+    }
+    return await this.dynamicRegistrationService.fetchPlatformConfiguration(
+      registrationRequest,
+    );
+  }
+
+  /**
+   * Initiates LTI 1.3 dynamic registration by fetching platform configuration and generating registration form.
+   * Creates a temporary session and returns vendor-specific HTML form for service selection.
+   *
+   * @param registrationRequest - Registration request containing openid_configuration URL and optional registration_token
+   * @param requestPath - Current request path used to build form action URLs
+   * @returns HTML form for service selection and registration completion
+   * @throws {Error} When dynamic registration service is not configured or platform configuration fails
+   */
+  async initiateDynamicRegistration(
+    registrationRequest: RegistrationRequest,
+    requestPath: string,
+  ): Promise<string> {
+    if (!this.dynamicRegistrationService) {
+      throw new Error('Dynamic registration service is not configured');
+    }
+    return await this.dynamicRegistrationService.initiateDynamicRegistration(
+      registrationRequest,
+      requestPath,
+    );
+  }
+
+  /**
+   * Completes LTI 1.3 dynamic registration by processing form submission and storing client configuration.
+   * Validates session, registers with platform, stores client/deployment data, and returns success page.
+   *
+   * @param dynamicRegistrationForm - Validated form data containing selected services and session token
+   * @returns HTML success page with registration details and close button
+   * @throws {Error} When dynamic registration service is not configured or registration process fails
+   */
+  async completeDynamicRegistration(
+    dynamicRegistrationForm: DynamicRegistrationForm,
+  ): Promise<string> {
+    if (!this.dynamicRegistrationService) {
+      throw new Error('Dynmaic registration service is not configured');
+    }
+
+    return await this.dynamicRegistrationService.completeDynamicRegistration(
+      dynamicRegistrationForm,
+    );
+  }
+
   // Client management
 
   /**
@@ -581,4 +663,43 @@ export class LTITool {
   async deleteDeployment(clientId: string, deploymentId: string): Promise<void> {
     return await this.config.storage.deleteDeployment(clientId, deploymentId);
   }
+
+  // Dynamic Registration Session Management
+
+  /**
+   * Stores a temporary registration session during LTI 1.3 dynamic registration flow.
+   * Sessions automatically expire after the configured TTL period.
+   *
+   * @param sessionId - Unique session identifier (typically a UUID)
+   * @param session - Registration session data including platform config and tokens
+   */
+  async setRegistrationSession(
+    sessionId: string,
+    session: LTIDynamicRegistrationSession,
+  ): Promise<void> {
+    return await this.config.storage.setRegistrationSession(sessionId, session);
+  }
+
+  /**
+   * Retrieves a registration session by its ID for validation during completion.
+   * Returns undefined if the session is not found or has expired.
+   *
+   * @param sessionId - Unique session identifier
+   * @returns Registration session if found and not expired, undefined otherwise
+   */
+  async getRegistrationSession(
+    sessionId: string,
+  ): Promise<LTIDynamicRegistrationSession | undefined> {
+    return await this.config.storage.getRegistrationSession(sessionId);
+  }
+
+  /**
+   * Removes a registration session from storage after completion or expiration.
+   * Used for cleanup to prevent session accumulation.
+   *
+   * @param sessionId - Unique session identifier to delete
+   */
+  async deleteRegistrationSession(sessionId: string): Promise<void> {
+    return await this.config.storage.deleteRegistrationSession(sessionId);
+  }
 }

package/src/schemas/index.ts

@@ -1,4 +1,21 @@
 export { SessionIdSchema } from './common.schema.js';
+export {
+  DynamicRegistrationFormSchema,
+  type DynamicRegistrationForm,
+} from './lti13/dynamicRegistration/ltiDynamicRegistration.schema.js';
+export {
+  LTIMessagesArraySchema,
+  type LTIMessage,
+} from './lti13/dynamicRegistration/ltiMessages.schema.js';
+export { type OpenIDConfiguration } from './lti13/dynamicRegistration/openIDConfiguration.schema.js';
+export {
+  RegistrationRequestSchema,
+  type RegistrationRequest,
+} from './lti13/dynamicRegistration/registrationRequest.schema.js';
+export {
+  RegistrationResponseSchema,
+  type RegistrationResponse,
+} from './lti13/dynamicRegistration/registrationResponse.schema.js';
 export {
   LTI13JwtPayloadSchema,
   type LTI13JwtPayload,

package/src/schemas/lti13/dynamicRegistration/ltiDynamicRegistration.schema.ts

@@ -0,0 +1,31 @@
+import * as z from 'zod';
+
+/**
+ * Zod schema for validating LTI 1.3 dynamic registration form submissions.
+ * Represents the service selections and session data submitted by an administrator during tool registration.
+ *
+ * @property services - Optional array of LTI Advantage services the admin chooses to enable:
+ *   - 'ags': Assignment and Grade Services for grade passback
+ *   - 'nrps': Names and Role Provisioning Services for roster access
+ *   - 'deep_linking': Deep Linking for content selection
+ *   - 'tool_settings': Tool Settings service for configuration storage
+ *   - 'basic_outcome': Basic Outcome service for simple grade reporting
+ * @property sessionToken - Security token to validate the registration session and prevent CSRF attacks
+ *
+ * @example
+ * ```typescript
+ * const formData = {
+ *   services: ['ags', 'nrps', 'deep_linking'],
+ *   sessionToken: 'uuid-session-token'
+ * };
+ * const validated = DynamicRegistrationFormSchema.parse(formData);
+ * ```
+ */
+export const DynamicRegistrationFormSchema = z.object({
+  services: z
+    .array(z.enum(['ags', 'nrps', 'deep_linking', 'tool_settings', 'basic_outcome']))
+    .optional(),
+  sessionToken: z.string(),
+});
+
+export type DynamicRegistrationForm = z.infer<typeof DynamicRegistrationFormSchema>;

package/src/schemas/lti13/dynamicRegistration/ltiMessages.schema.ts

@@ -0,0 +1,59 @@
+import * as z from 'zod';
+
+/**
+ * Zod schema for LTI 1.3 Resource Link Request message configuration.
+ * Represents the standard tool launch message type for accessing tool content.
+ * This is the most common LTI message type for regular tool launches.
+ */
+const LTIResourceLinkMessageSchema = z.object({
+  type: z.literal('LtiResourceLinkRequest'),
+});
+
+/**
+ * Zod schema for LTI 1.3 Deep Linking Request message configuration.
+ * Represents the message type used when the tool supports content selection/authoring.
+ * Allows instructors to select or create content that will be linked back to the LMS.
+ *
+ * @property type - Always 'LtiDeepLinkingRequest' for deep linking messages
+ * @property target_link_uri - Optional URL where deep linking requests should be sent
+ * @property label - Optional human-readable label for the deep linking option
+ * @property placements - Optional array of where the tool can be placed in the LMS UI
+ * @property supported_types - Optional array of content types the tool can create/select
+ * @property supported_media_types - Optional array of MIME types the tool supports
+ * @property roles - Optional array of LIS role URIs that can access deep linking
+ * @property custom_parameters - Optional custom parameters for deep linking configuration
+ */
+const LTIDeepLinkingMessageSchema = z.object({
+  type: z.literal('LtiDeepLinkingRequest'),
+  target_link_uri: z.url().optional(),
+  label: z.string().optional(),
+  placements: z
+    .array(z.enum(['ContentArea', 'RichTextEditor', 'CourseNavigation']))
+    .optional(),
+  supported_types: z
+    .array(z.enum(['ltiResourceLink', 'file', 'html', 'link', 'image']))
+    .optional(),
+  supported_media_types: z.array(z.string()).optional(), // e.g., ['image/*', 'video/*']
+  roles: z.array(z.string()).optional(), // LIS role URIs
+  custom_parameters: z.record(z.string(), z.string()).optional(),
+});
+
+/**
+ * Discriminated union schema for all supported LTI 1.3 message types.
+ * Used during dynamic registration to declare which message types the tool supports.
+ * The platform uses this to determine what launch options to provide to users.
+ */
+export const LTIMessageSchema = z.discriminatedUnion('type', [
+  LTIResourceLinkMessageSchema,
+  LTIDeepLinkingMessageSchema,
+]);
+
+/**
+ * Schema for validating arrays of LTI message configurations.
+ * Used in tool registration payloads to declare multiple supported message types.
+ */
+export const LTIMessagesArraySchema = z.array(LTIMessageSchema);
+
+export type LTIMessage = z.infer<typeof LTIMessageSchema>;
+export type LTIResourceLinkMessage = z.infer<typeof LTIResourceLinkMessageSchema>;
+export type LTIDeepLinkingMessage = z.infer<typeof LTIDeepLinkingMessageSchema>;

package/src/schemas/lti13/dynamicRegistration/openIDConfiguration.schema.ts

@@ -0,0 +1,60 @@
+import * as z from 'zod';
+
+/**
+ * Zod schema for LTI platform-specific configuration within OpenID Connect Discovery.
+ * Contains LTI-specific metadata about the platform's capabilities and supported features.
+ *
+ * @property product_family_code - Platform identifier (e.g., 'moodle', 'canvas', 'sakai')
+ * @property version - Platform version string
+ * @property messages_supported - Array of LTI message types the platform supports
+ * @property variables - Optional array of custom variable names the platform supports
+ */
+export const ltiPlatformConfigurationSchema = z.object({
+  product_family_code: z.string(),
+  version: z.string(),
+  messages_supported: z.array(
+    z
+      .object({
+        type: z.string(),
+        placements: z.array(z.string()).optional(),
+      })
+      .loose(),
+  ),
+  variables: z.array(z.string()).optional(),
+});
+
+/**
+ * Zod schema for validating OpenID Connect Discovery configuration from LTI 1.3 platforms.
+ * This configuration is fetched during dynamic registration to discover platform endpoints,
+ * supported features, and security requirements. Used to validate the response from the
+ * platform's /.well-known/openid_configuration endpoint.
+ *
+ * @property issuer - Platform's issuer URL (must match hostname of configuration endpoint)
+ * @property authorization_endpoint - OAuth 2.0 authorization endpoint for LTI launches
+ * @property registration_endpoint - Dynamic registration endpoint for tool registration
+ * @property jwks_uri - JSON Web Key Set endpoint for signature verification
+ * @property token_endpoint - OAuth 2.0 token endpoint for service access tokens
+ * @property scopes_supported - Array of OAuth scopes the platform supports (AGS, NRPS, etc.)
+ * @property https://purl.imsglobal.org/spec/lti-platform-configuration - LTI-specific platform metadata
+ */
+export const openIDConfigurationSchema = z
+  .object({
+    issuer: z.url(),
+    authorization_endpoint: z.url(),
+    registration_endpoint: z.url(),
+    jwks_uri: z.url(),
+    token_endpoint: z.url(),
+    token_endpoint_auth_methods_supported: z.array(z.string()),
+    token_endpoint_auth_signing_alg_values_supported: z.array(z.string()),
+    scopes_supported: z.array(z.string()),
+    response_types_supported: z.array(z.string()),
+    id_token_signing_alg_values_supported: z.array(z.string()),
+    claims_supported: z.array(z.string()),
+    subject_types_supported: z.array(z.string()),
+    authorization_server: z.string().optional(),
+    'https://purl.imsglobal.org/spec/lti-platform-configuration':
+      ltiPlatformConfigurationSchema,
+  })
+  .loose();
+
+export type OpenIDConfiguration = z.infer<typeof openIDConfigurationSchema>;

package/src/schemas/lti13/dynamicRegistration/registrationRequest.schema.ts

@@ -0,0 +1,8 @@
+import * as z from 'zod';
+
+export const RegistrationRequestSchema = z.object({
+  openid_configuration: z.url(),
+  registration_token: z.string().optional(),
+});
+
+export type RegistrationRequest = z.infer<typeof RegistrationRequestSchema>;

package/src/schemas/lti13/dynamicRegistration/registrationResponse.schema.ts

@@ -0,0 +1,67 @@
+import * as z from 'zod';
+
+import { LTIMessagesArraySchema } from './ltiMessages.schema';
+
+/**
+ * Zod schema for LTI tool configuration within dynamic registration response.
+ * Contains tool-specific metadata returned by the platform after successful registration.
+ *
+ * @property domain - Tool's domain name for security validation
+ * @property target_link_uri - Optional default launch URL for the tool
+ * @property custom_parameters - Optional custom parameters passed to the tool
+ * @property claims - Array of JWT claims the tool requires (e.g., 'iss', 'sub', 'name', 'email')
+ * @property messages - Array of LTI message types the tool supports
+ * @property version - Optional tool version string
+ * @property deployment_id - Optional deployment identifier assigned by the platform
+ */
+const LTIToolConfigurationResponseSchema = z.object({
+  domain: z.string(),
+  target_link_uri: z.url().optional(),
+  custom_parameters: z.record(z.string(), z.string()).optional(),
+  claims: z.array(z.string()),
+  messages: LTIMessagesArraySchema,
+  version: z.string().optional(),
+  deployment_id: z.string().optional(),
+});
+
+/**
+ * Zod schema for validating LTI 1.3 dynamic registration response from platforms.
+ * This response is returned after successfully registering a tool with an LTI platform.
+ * Contains the registered client credentials and configuration that the tool needs to store.
+ *
+ * @property client_id - Unique client identifier assigned by the platform
+ * @property registration_client_uri - Optional URI for managing this registration
+ * @property registration_access_token - Optional token for registration management
+ * @property application_type - Always 'web' for LTI tools
+ * @property response_types - OAuth response types, always ['id_token'] for LTI
+ * @property grant_types - OAuth grant types supported ('implicit', 'client_credentials')
+ * @property initiate_login_uri - Tool's login initiation endpoint
+ * @property redirect_uris - Array of valid redirect URIs for the tool
+ * @property client_name - Human-readable name of the registered tool
+ * @property jwks_uri - Tool's JSON Web Key Set endpoint for signature verification
+ * @property logo_uri - Optional URL to the tool's logo image
+ * @property token_endpoint_auth_method - Always 'private_key_jwt' for LTI 1.3
+ * @property contacts - Optional array of contact email addresses
+ * @property scope - Optional OAuth scopes granted to the tool
+ * @property https://purl.imsglobal.org/spec/lti-tool-configuration - LTI-specific tool configuration
+ */
+export const RegistrationResponseSchema = z.object({
+  client_id: z.string(),
+  registration_client_uri: z.url().optional(),
+  registration_access_token: z.string().optional(),
+  application_type: z.literal('web'),
+  response_types: z.array(z.literal('id_token')),
+  grant_types: z.array(z.enum(['implicit', 'client_credentials'])), // Note: "implicit" not "implict"
+  initiate_login_uri: z.url(),
+  redirect_uris: z.array(z.url()),
+  client_name: z.string(),
+  jwks_uri: z.url(),
+  logo_uri: z.url().optional().or(z.literal('')),
+  token_endpoint_auth_method: z.literal('private_key_jwt'),
+  contacts: z.array(z.email()).optional(),
+  scope: z.string().optional().or(z.literal('')),
+  'https://purl.imsglobal.org/spec/lti-tool-configuration':
+    LTIToolConfigurationResponseSchema,
+});
+
+export type RegistrationResponse = z.infer<typeof RegistrationResponseSchema>;

package/src/schemas/lti13/dynamicRegistration/toolRegistrationPayload.schema.ts

@@ -0,0 +1,55 @@
+import * as z from 'zod';
+
+import { LTIMessagesArraySchema } from './ltiMessages.schema';
+
+/**
+ * Zod schema for LTI tool configuration section within tool registration payload.
+ * Contains LTI-specific metadata about the tool being registered with the platform.
+ *
+ * @property domain - Tool's domain name for security validation and CORS policies
+ * @property description - Optional human-readable description of the tool's purpose
+ * @property target_link_uri - Default launch URL where the platform should send LTI requests
+ * @property claims - Array of JWT claims the tool requires from launch requests (e.g., 'iss', 'sub', 'name', 'email')
+ * @property messages - Array of LTI message types the tool supports (ResourceLink, DeepLinking, etc.)
+ */
+const LTIToolConfigurationSchema = z.object({
+  domain: z.string(),
+  description: z.string().optional(),
+  target_link_uri: z.url(),
+  claims: z.array(z.string()),
+  messages: LTIMessagesArraySchema,
+});
+
+/**
+ * Zod schema for validating LTI 1.3 dynamic registration payload sent to platforms.
+ * This payload is constructed by the tool and sent to the platform's registration endpoint
+ * to register the tool and request specific OAuth scopes and LTI services.
+ *
+ * @property application_type - Always 'web' for LTI tools
+ * @property response_types - OAuth response types, always ['id_token'] for LTI 1.3
+ * @property grant_types - OAuth grant types requested ('implicit' for launches, 'client_credentials' for services)
+ * @property initiate_login_uri - Tool's login initiation endpoint for OIDC flow
+ * @property redirect_uris - Array of valid redirect URIs where the platform can send responses
+ * @property client_name - Human-readable name of the tool being registered
+ * @property jwks_uri - Tool's JSON Web Key Set endpoint for signature verification
+ * @property logo_uri - Optional URL to the tool's logo image
+ * @property scope - Optional OAuth scopes being requested (AGS, NRPS, etc.)
+ * @property token_endpoint_auth_method - Always 'private_key_jwt' for LTI 1.3 security
+ * @property https://purl.imsglobal.org/spec/lti-tool-configuration - LTI-specific tool configuration
+ */
+export const ToolRegistrationPayloadSchema = z.object({
+  application_type: z.literal('web'),
+  response_types: z.array(z.literal('id_token')),
+  grant_types: z.array(z.enum(['implicit', 'client_credentials'])),
+  initiate_login_uri: z.url(),
+  redirect_uris: z.array(z.url()),
+  client_name: z.string(),
+  jwks_uri: z.url(),
+  logo_uri: z.url().optional(),
+  scope: z.string().optional(),
+  token_endpoint_auth_method: z.literal('private_key_jwt'),
+  'https://purl.imsglobal.org/spec/lti-tool-configuration': LTIToolConfigurationSchema,
+});
+
+export type ToolRegistrationPayload = z.infer<typeof ToolRegistrationPayloadSchema>;
+export type LTIToolConfiguration = z.infer<typeof LTIToolConfigurationSchema>;