strapi-mcp-server 0.1.1

package/admin/src/translations/en.json

@@ -0,0 +1,8 @@
+{
+  "plugin.name": "MCP Server",
+  "page.dashboard": "Dashboard",
+  "page.clients": "OAuth Clients",
+  "page.tools": "Tools",
+  "page.audit": "Audit Log",
+  "page.settings": "Settings"
+}

package/package.json

@@ -0,0 +1,105 @@
+{
+  "name": "strapi-mcp-server",
+  "version": "0.1.1",
+  "description": "Expose Strapi v5 as a Model Context Protocol server with OAuth 2.1 + PKCE.",
+  "keywords": [
+    "strapi",
+    "strapi-plugin",
+    "mcp",
+    "model-context-protocol",
+    "oauth",
+    "ai",
+    "llm"
+  ],
+  "license": "MIT",
+  "author": "Temitayo Salaudeen",
+  "type": "commonjs",
+  "exports": {
+    "./strapi-admin": {
+      "source": "./admin/src/index.tsx",
+      "import": "./dist/admin/index.mjs",
+      "require": "./dist/admin/index.js",
+      "default": "./dist/admin/index.js"
+    },
+    "./strapi-server": {
+      "source": "./server/src/index.ts",
+      "import": "./dist/server/index.mjs",
+      "require": "./dist/server/index.js",
+      "default": "./dist/server/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist",
+    "admin",
+    "server"
+  ],
+  "workspaces": [
+    "__tests__/fixtures/test-app"
+  ],
+  "scripts": {
+    "build": "strapi-plugin build",
+    "format": "prettier --write \"**/*.{ts,tsx,js,jsx,json,md}\"",
+    "test": "jest --selectProjects unit",
+    "test:unit": "jest --selectProjects unit",
+    "test:integration": "jest --selectProjects integration",
+    "test:all": "jest",
+    "test-app": "npm --workspace=strapi-mcp-server-test-app run develop",
+    "test-app:build": "npm --workspace=strapi-mcp-server-test-app run build",
+    "test-app:reset": "rm -f __tests__/fixtures/test-app/database.sqlite",
+    "dev": "concurrently -n plugin,test-app -c blue,green \"npm run watch\" \"npm run test-app\"",
+    "inspect": "npx @modelcontextprotocol/inspector",
+    "verify": "strapi-plugin verify",
+    "watch": "strapi-plugin watch",
+    "watch:link": "strapi-plugin watch:link",
+    "prepare": "husky"
+  },
+  "lint-staged": {
+    "*.{ts,tsx,js,jsx,json,md}": "prettier --write"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "@strapi/design-system": "^2.0.0",
+    "@strapi/icons": "^2.0.0",
+    "ioredis": "^5.4.1",
+    "jose": "^5.9.6",
+    "react-intl": "^6.6.2",
+    "zod": "^3.23.8"
+  },
+  "devDependencies": {
+    "@strapi/sdk-plugin": "^5.3.2",
+    "@strapi/strapi": "^5.0.0",
+    "@strapi/typescript-utils": "^5.0.0",
+    "@types/jest": "^29.5.13",
+    "@types/koa": "^2.15.0",
+    "@types/node": "^20.16.10",
+    "@types/react": "^18.3.11",
+    "@types/react-dom": "^18.3.0",
+    "concurrently": "^9.2.1",
+    "husky": "^9.1.7",
+    "jest": "^30.3.0",
+    "lint-staged": "^16.4.0",
+    "prettier": "^3.8.2",
+    "react": "^18.0.0",
+    "react-dom": "^18.0.0",
+    "react-router-dom": "^6.30.0",
+    "styled-components": "^6.0.0",
+    "supertest": "^7.0.0",
+    "ts-jest": "^29.4.11",
+    "typescript": "^5.6.2"
+  },
+  "peerDependencies": {
+    "@strapi/strapi": "^5.0.0",
+    "@strapi/utils": "^5.0.0",
+    "react": "^17.0.0 || ^18.0.0",
+    "react-dom": "^17.0.0 || ^18.0.0",
+    "react-router-dom": "^6.30.0",
+    "styled-components": "^6.0.0"
+  },
+  "strapi": {
+    "kind": "plugin",
+    "name": "mcp-server",
+    "displayName": "MCP Server",
+    "description": "Expose Strapi as a Model Context Protocol server with OAuth 2.1 + PKCE."
+  }
+}

package/server/src/bootstrap.ts

@@ -0,0 +1,118 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+import { getConfig } from './config';
+
+interface PluginRuntime {
+  sweepTimer?: NodeJS.Timeout;
+  auditTimer?: NodeJS.Timeout;
+}
+
+/**
+ * Stash runtime handles on the strapi instance so destroy() can clear them.
+ * Strapi's strapi.plugin('mcp-server') namespace would also work but is harder
+ * to type cleanly.
+ */
+function runtime(strapi: Core.Strapi): PluginRuntime {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const anyStrapi = strapi as any;
+  if (!anyStrapi.__mcpServerRuntime) anyStrapi.__mcpServerRuntime = {};
+  return anyStrapi.__mcpServerRuntime as PluginRuntime;
+}
+
+export async function bootstrap({ strapi }: { strapi: Core.Strapi }): Promise<void> {
+  const cfg = getConfig(strapi);
+  if (!cfg.enabled) return;
+
+  const rt = runtime(strapi);
+
+  // OAuth signing keys must exist before any token is issued.
+  await strapi.plugin('mcp-server').service('signing-keys').ensureActiveKey();
+
+  // Eagerly connect to Redis (if enabled) so configuration errors surface at
+  // boot instead of on the first request that triggers a rate-limit check.
+  if (cfg.redis?.enabled) {
+    const r = await strapi.plugin('mcp-server').service('redis').get();
+    if (!r) {
+      strapi.log.warn('[mcp-server] redis enabled but client unavailable — falling back to in-memory rate limiting');
+    } else if (cfg.redis.internalAddress) {
+      const id = strapi.plugin('mcp-server').service('instance-id').get();
+      strapi.log.info(
+        `[mcp-server] cluster instance id=${id} internal=${cfg.redis.internalAddress}`
+      );
+
+      // Start the heartbeat ticker so peers know we're alive.
+      await strapi.plugin('mcp-server').service('heartbeat').start();
+
+      // Subscribe to cluster-wide revocation events. Single channel keyed
+      // `mcp:revoke`; payload is the adminUserId whose sessions should die.
+      const sub = await strapi.plugin('mcp-server').service('redis').getSubscriber();
+      if (sub) {
+        const channel = strapi.plugin('mcp-server').service('redis').key('revoke');
+        try {
+          await sub.subscribe(channel);
+          sub.on('message', (...args: unknown[]) => {
+            const ch = args[0] as string;
+            const msg = args[1] as string;
+            if (ch !== channel || !msg) return;
+            void strapi
+              .plugin('mcp-server')
+              .service('session-store')
+              .closeForPrincipalLocal(msg)
+              .catch((err: Error) =>
+                strapi.log.warn(
+                  `[mcp-server] revocation handler failed for user=${msg}: ${err.message}`
+                )
+              );
+          });
+          strapi.log.info(`[mcp-server] subscribed to revocation channel ${channel}`);
+        } catch (err) {
+          strapi.log.warn(
+            `[mcp-server] failed to subscribe revocation channel: ${(err as Error).message}`
+          );
+        }
+      }
+    }
+  }
+
+  // Periodic session eviction (idle/hard TTLs).
+  const sessionStore = strapi.plugin('mcp-server').service('session-store');
+  rt.sweepTimer = setInterval(() => {
+    try {
+      sessionStore.sweep();
+    } catch (err) {
+      strapi.log.error('[mcp-server] session sweep failed', err as Error);
+    }
+  }, cfg.session.sweepIntervalMs);
+
+  // Audit log drainer (buffered async writes).
+  const audit = strapi.plugin('mcp-server').service('audit');
+  rt.auditTimer = setInterval(() => {
+    audit.drain().catch((err: Error) => strapi.log.error('[mcp-server] audit drain', err));
+  }, cfg.audit.drainIntervalMs);
+
+  // Daily cron: purge expired OAuth artifacts and old audit-log entries.
+  // Strapi v5 cron format expects a record keyed by cron expression or task name.
+  strapi.cron.add({
+    mcpServerNightlyCleanup: {
+      task: async ({ strapi: s }: { strapi: Core.Strapi }) => {
+        try {
+          await s.plugin('mcp-server').service('audit').purgeOlderThan(cfg.audit.retentionDays);
+          await s.plugin('mcp-server').service('tokens').purgeExpired();
+          // Drop DCR clients that never reached consent (no owner, no related
+          // codes/tokens/consents) and are older than 1h — a backstop for the
+          // immediate sweep at consent-grant time, in case a connect attempt
+          // is abandoned before consent.
+          await s.plugin('mcp-server').service('clients').purgeOrphans(60 * 60 * 1000);
+        } catch (err) {
+          s.log.error('[mcp-server] nightly cleanup failed', err as Error);
+        }
+      },
+      options: { rule: '0 3 * * *' },
+    },
+  });
+
+  strapi.log.info(
+    `[mcp-server] bootstrap complete (resource=${cfg.resourceUrl}, origins=${cfg.allowedOrigins.length})`
+  );
+}

package/server/src/config/index.ts

@@ -0,0 +1,290 @@
+'use strict';
+
+import type { Core } from '@strapi/strapi';
+
+export interface RateBucketConfig {
+  capacity: number;
+  refillPerSec: number;
+}
+
+export interface McpConfig {
+  enabled: boolean;
+  resourceUrl: string;
+  allowedOrigins: string[];
+  oauth: {
+    mode: 'embedded' | 'external';
+    accessTokenTtlSec: number;
+    refreshTokenTtlSec: number;
+    authCodeTtlSec: number;
+    ssoCookieTtlSec: number;
+    dcr: {
+      enabled: boolean;
+      ratelimitPerHour: number;
+    };
+    consent: { rememberDays: number };
+    introspection: { allowedIps: string[] };
+    external?: {
+      issuer: string;
+      jwksUri: string;
+      /** JWT claim used to look up the matching Strapi admin user. Default: 'email'. */
+      adminLookupClaim?: string;
+      /**
+       * When `false` (default), external mode treats a verified JWT as fully
+       * authorized — the IdP gates auth, and granular permissions come from
+       * Strapi RBAC + per-tool toggles. `strapi:*` scopes are NOT advertised
+       * to clients and NOT required on the JWT.
+       *
+       * Set `true` to require the JWT's `scope` claim to contain `strapi:*`
+       * scopes (you must define them as Client Scopes in your IdP).
+       */
+      enforceScopes?: boolean;
+    };
+  };
+  session: {
+    idleTtlMs: number;
+    hardTtlMs: number;
+    maxPerPrincipal: number;
+    maxTotal: number;
+    sweepIntervalMs: number;
+  };
+  rateLimit: {
+    perPrincipal: RateBucketConfig;
+    perIp: RateBucketConfig;
+  };
+  upload: {
+    maxBytes: number;
+    mimeAllowlist: string[];
+    allowSvg: boolean;
+  };
+  audit: {
+    retentionDays: number;
+    redactKeyPatterns: string[];
+    drainIntervalMs: number;
+    drainBatchSize: number;
+  };
+  tools: { enabled: Record<string, boolean> };
+  /**
+   * Optional Redis backend for horizontal scale. When `enabled: false`
+   * (default), the plugin uses process-local state and is single-instance.
+   *
+   * Two opt-in tiers:
+   *  - `enabled: true` alone shares only the rate limiter buckets across
+   *    instances. Sessions stay process-local — sticky LB is still required.
+   *  - `enabled: true` + `internalAddress` + `internalSecret` adds session
+   *    routing: any instance can serve any session by proxying to the owner.
+   */
+  redis?: {
+    enabled: boolean;
+    url: string;
+    keyPrefix?: string;
+    /** Override the auto-generated instance id (default: `${host}-${pid}-${rand}`). */
+    instanceId?: string;
+    /**
+     * Internal-facing URL of this instance (e.g. `http://10.0.0.5:1337`).
+     * Peers use this address to proxy requests for sessions this instance owns.
+     * When unset, session routing is disabled and Redis is only used for rate
+     * limiting.
+     */
+    internalAddress?: string;
+    /**
+     * Shared secret used to sign cross-instance proxy requests. Required when
+     * `internalAddress` is set. Must be at least 32 characters of high-entropy
+     * randomness — peers that don't share this secret cannot reach any
+     * session on this instance.
+     */
+    internalSecret?: string;
+    /** How often each instance refreshes its heartbeat key. Default 10s. */
+    heartbeatIntervalMs?: number;
+    /** TTL of the heartbeat key. Must be > intervalMs. Default 30s. */
+    heartbeatTtlMs?: number;
+  };
+}
+
+const defaultConfig: McpConfig = {
+  enabled: false,
+  resourceUrl: '',
+  allowedOrigins: [],
+  oauth: {
+    mode: 'embedded',
+    accessTokenTtlSec: 600,
+    refreshTokenTtlSec: 86400,
+    authCodeTtlSec: 60,
+    ssoCookieTtlSec: 900,
+    // DCR off by default — admins create clients via the Clients page in the
+    // admin UI and inject `client_id` + `client_secret` into the AI client's
+    // config. All major MCP clients (Claude Code, Claude web, Codex via
+    // mcp-remote, opencode, Cursor) support pre-registered credentials, so DCR
+    // is an opt-in convenience for self-registration rather than the default.
+    // Set `enabled: true` to allow self-registration via `/oauth/register`
+    // (still rate-limited per IP and audited; the admin consent screen is the
+    // real security gate either way).
+    dcr: { enabled: false, ratelimitPerHour: 60 },
+    consent: { rememberDays: 0 },
+    introspection: { allowedIps: ['127.0.0.1', '::1'] },
+  },
+  session: {
+    idleTtlMs: 30 * 60 * 1000,
+    hardTtlMs: 24 * 60 * 60 * 1000,
+    maxPerPrincipal: 10,
+    maxTotal: 1000,
+    sweepIntervalMs: 60 * 1000,
+  },
+  rateLimit: {
+    perPrincipal: { capacity: 60, refillPerSec: 1 },
+    perIp: { capacity: 120, refillPerSec: 2 },
+  },
+  upload: {
+    maxBytes: 10 * 1024 * 1024,
+    mimeAllowlist: ['image/png', 'image/jpeg', 'image/webp', 'image/gif', 'application/pdf'],
+    allowSvg: false,
+  },
+  audit: {
+    retentionDays: 90,
+    redactKeyPatterns: ['password', 'token', 'secret', 'authorization', 'cookie', 'apikey'],
+    drainIntervalMs: 2000,
+    drainBatchSize: 50,
+  },
+  tools: { enabled: {} },
+};
+
+/**
+ * Validate the merged plugin configuration. Throws on hard misconfiguration —
+ * Strapi will refuse to boot the plugin.
+ *
+ * Why: every check here is load-bearing for security. Don't soften without
+ * thinking through the threat model.
+ */
+function validator(config: McpConfig): void {
+  if (!config) throw new Error('[mcp-server] config is missing');
+  if (typeof config.enabled !== 'boolean') {
+    throw new Error('[mcp-server] config.enabled must be a boolean');
+  }
+  if (!config.enabled) return;
+
+  if (!config.resourceUrl || typeof config.resourceUrl !== 'string') {
+    throw new Error('[mcp-server] config.resourceUrl is required when enabled');
+  }
+  try {
+    // throws on invalid URL
+    // eslint-disable-next-line no-new
+    new URL(config.resourceUrl);
+  } catch {
+    throw new Error('[mcp-server] config.resourceUrl is not a valid URL');
+  }
+
+  if (!Array.isArray(config.allowedOrigins) || config.allowedOrigins.length === 0) {
+    throw new Error('[mcp-server] config.allowedOrigins must be a non-empty array');
+  }
+  const env = process.env.NODE_ENV;
+  const hasWildcard = config.allowedOrigins.includes('*');
+  if (env === 'production' && hasWildcard) {
+    throw new Error('[mcp-server] allowedOrigins cannot include "*" in production');
+  }
+
+  const resourceIsHttp = config.resourceUrl.startsWith('http://');
+  if (resourceIsHttp) {
+    const nonLoopback = config.allowedOrigins.some((o) => {
+      if (o === '*') return true;
+      try {
+        const u = new URL(o);
+        const h = u.hostname.toLowerCase();
+        return h !== 'localhost' && h !== '127.0.0.1' && h !== '::1';
+      } catch {
+        return false;
+      }
+    });
+    if (nonLoopback) {
+      throw new Error(
+        '[mcp-server] resourceUrl uses http:// but allowedOrigins contains non-loopback hosts — refuse to start'
+      );
+    }
+  }
+
+  if (config.oauth.accessTokenTtlSec < 60 || config.oauth.accessTokenTtlSec > 3600) {
+    throw new Error('[mcp-server] oauth.accessTokenTtlSec must be between 60 and 3600');
+  }
+  if (config.oauth.refreshTokenTtlSec < 300) {
+    throw new Error('[mcp-server] oauth.refreshTokenTtlSec must be >= 300');
+  }
+  if (config.oauth.authCodeTtlSec < 10 || config.oauth.authCodeTtlSec > 600) {
+    throw new Error('[mcp-server] oauth.authCodeTtlSec must be between 10 and 600');
+  }
+
+  if (config.redis?.enabled) {
+    if (!config.redis.url || typeof config.redis.url !== 'string') {
+      throw new Error('[mcp-server] redis.url is required when redis.enabled is true');
+    }
+    try {
+      // eslint-disable-next-line no-new
+      new URL(config.redis.url);
+    } catch {
+      throw new Error('[mcp-server] redis.url is not a valid URL (expected redis:// or rediss://)');
+    }
+    if (
+      !config.redis.url.startsWith('redis://') &&
+      !config.redis.url.startsWith('rediss://')
+    ) {
+      throw new Error('[mcp-server] redis.url must start with redis:// or rediss://');
+    }
+
+    if (config.redis.internalAddress || config.redis.internalSecret) {
+      if (!config.redis.internalAddress) {
+        throw new Error(
+          '[mcp-server] redis.internalAddress is required when redis.internalSecret is set'
+        );
+      }
+      if (!config.redis.internalSecret) {
+        throw new Error(
+          '[mcp-server] redis.internalSecret is required when redis.internalAddress is set'
+        );
+      }
+      try {
+        const u = new URL(config.redis.internalAddress);
+        if (u.protocol !== 'http:' && u.protocol !== 'https:') {
+          throw new Error('protocol');
+        }
+      } catch {
+        throw new Error('[mcp-server] redis.internalAddress must be a valid http(s) URL');
+      }
+      if (config.redis.internalSecret.length < 32) {
+        throw new Error(
+          '[mcp-server] redis.internalSecret must be at least 32 characters of random data'
+        );
+      }
+    }
+  }
+
+  if (config.oauth.mode === 'external') {
+    if (!config.oauth.external) {
+      throw new Error('[mcp-server] oauth.mode is "external" but oauth.external is missing');
+    }
+    if (!config.oauth.external.issuer || !config.oauth.external.jwksUri) {
+      throw new Error(
+        '[mcp-server] oauth.external.issuer and oauth.external.jwksUri are required when oauth.mode is "external"'
+      );
+    }
+    try {
+      // eslint-disable-next-line no-new
+      new URL(config.oauth.external.issuer);
+      // eslint-disable-next-line no-new
+      new URL(config.oauth.external.jwksUri);
+    } catch {
+      throw new Error('[mcp-server] oauth.external.issuer / jwksUri must be valid URLs');
+    }
+  }
+}
+
+/**
+ * Strapi reads `default` and `validator` from this module. The merged
+ * runtime config is then accessible via `strapi.config.get('plugin::mcp-server')`.
+ */
+export default {
+  default: defaultConfig,
+  validator(config: McpConfig) {
+    validator(config);
+  },
+};
+
+export function getConfig(strapi: Core.Strapi): McpConfig {
+  return strapi.config.get('plugin::mcp-server') as McpConfig;
+}

package/server/src/content-types/audit-log/index.ts

@@ -0,0 +1,3 @@
+'use strict';
+import schema from './schema.json';
+export default { schema };

package/server/src/content-types/audit-log/schema.json

@@ -0,0 +1,32 @@
+{
+  "kind": "collectionType",
+  "collectionName": "mcp_audit_log",
+  "info": {
+    "singularName": "audit-log",
+    "pluralName": "audit-logs",
+    "displayName": "MCP Audit Log",
+    "description": "Append-only log of every MCP tool call."
+  },
+  "options": {
+    "draftAndPublish": false,
+    "comment": ""
+  },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "ts": { "type": "datetime", "required": true },
+    "principalType": { "type": "string", "required": true, "maxLength": 32 },
+    "principalId": { "type": "string", "required": true, "maxLength": 128 },
+    "sessionId": { "type": "string", "maxLength": 128 },
+    "clientId": { "type": "string", "maxLength": 128 },
+    "tool": { "type": "string", "required": true, "maxLength": 128 },
+    "params": { "type": "json" },
+    "resultStatus": { "type": "enumeration", "enum": ["ok", "error"], "required": true },
+    "errorCode": { "type": "string", "maxLength": 64 },
+    "ip": { "type": "string", "maxLength": 64 },
+    "userAgent": { "type": "string", "maxLength": 512 },
+    "durationMs": { "type": "integer" }
+  }
+}

package/server/src/content-types/index.ts

@@ -0,0 +1,19 @@
+'use strict';
+
+import auditLog from './audit-log';
+import oauthClient from './oauth-client';
+import oauthAuthCode from './oauth-auth-code';
+import oauthRefreshToken from './oauth-refresh-token';
+import oauthRevocation from './oauth-revocation';
+import oauthConsent from './oauth-consent';
+import oauthSigningKey from './oauth-signing-key';
+
+export default {
+  'audit-log': auditLog,
+  'oauth-client': oauthClient,
+  'oauth-auth-code': oauthAuthCode,
+  'oauth-refresh-token': oauthRefreshToken,
+  'oauth-revocation': oauthRevocation,
+  'oauth-consent': oauthConsent,
+  'oauth-signing-key': oauthSigningKey,
+};

package/server/src/content-types/oauth-auth-code/index.ts

@@ -0,0 +1,3 @@
+'use strict';
+import schema from './schema.json';
+export default { schema };

package/server/src/content-types/oauth-auth-code/schema.json

@@ -0,0 +1,31 @@
+{
+  "kind": "collectionType",
+  "collectionName": "mcp_oauth_auth_codes",
+  "info": {
+    "singularName": "oauth-auth-code",
+    "pluralName": "oauth-auth-codes",
+    "displayName": "MCP OAuth Auth Code"
+  },
+  "options": { "draftAndPublish": false },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "codeHash": { "type": "string", "required": true, "maxLength": 128, "private": true },
+    "clientId": { "type": "string", "required": true, "maxLength": 128 },
+    "adminUserId": { "type": "string", "required": true, "maxLength": 64 },
+    "scope": { "type": "string", "required": true, "maxLength": 512 },
+    "redirectUri": { "type": "string", "required": true, "maxLength": 2048 },
+    "codeChallenge": { "type": "string", "required": true, "maxLength": 256 },
+    "codeChallengeMethod": {
+      "type": "enumeration",
+      "enum": ["S256"],
+      "required": true,
+      "default": "S256"
+    },
+    "resource": { "type": "string", "required": true, "maxLength": 2048 },
+    "used": { "type": "boolean", "default": false, "required": true },
+    "expiresAt": { "type": "datetime", "required": true }
+  }
+}

package/server/src/content-types/oauth-client/index.ts

@@ -0,0 +1,3 @@
+'use strict';
+import schema from './schema.json';
+export default { schema };

package/server/src/content-types/oauth-client/schema.json

@@ -0,0 +1,33 @@
+{
+  "kind": "collectionType",
+  "collectionName": "mcp_oauth_clients",
+  "info": {
+    "singularName": "oauth-client",
+    "pluralName": "oauth-clients",
+    "displayName": "MCP OAuth Client"
+  },
+  "options": { "draftAndPublish": false },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "clientId": { "type": "uid", "required": true, "targetField": "clientName" },
+    "clientName": { "type": "string", "required": true, "maxLength": 200 },
+    "clientSecretHash": { "type": "string", "private": true, "maxLength": 128 },
+    "isConfidential": { "type": "boolean", "default": false, "required": true },
+    "redirectUris": { "type": "json", "required": true },
+    "grantTypes": { "type": "json", "required": true },
+    "scopes": { "type": "json", "required": true },
+    "tokenEndpointAuthMethod": {
+      "type": "enumeration",
+      "enum": ["none", "client_secret_basic", "client_secret_post"],
+      "required": true,
+      "default": "none"
+    },
+    "ownerAdminId": { "type": "string", "maxLength": 64 },
+    "createdByAdminId": { "type": "string", "maxLength": 64 },
+    "lastUsedAt": { "type": "datetime" },
+    "disabled": { "type": "boolean", "default": false, "required": true }
+  }
+}

package/server/src/content-types/oauth-consent/index.ts

@@ -0,0 +1,3 @@
+'use strict';
+import schema from './schema.json';
+export default { schema };