> ## Documentation Index
> Fetch the complete documentation index at: https://agenticadvertisingorg-feature-feedback.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Save OAuth 2.0 client-credentials for an agent

> Store a machine-to-machine OAuth 2.0 client-credentials configuration (RFC 6749 §4.4) for this agent. The SDK exchanges at the token endpoint before every call and refreshes on 401. `client_secret` may be a `$ENV:VAR_NAME` reference — the SDK resolves at exchange time, the server stores it as written (encrypted uniformly). Requires authentication and ownership.



## OpenAPI

````yaml /static/openapi/registry.yaml put /api/registry/agents/{encodedUrl}/oauth-client-credentials
openapi: 3.1.0
info:
  title: AgenticAdvertising.org Registry API
  description: >-
    REST API for the AgenticAdvertising.org registry. Resolve brands,

    discover properties, look up agents, and validate authorization in the

    AdCP ecosystem.


    Most endpoints are public and require no authentication. Endpoints marked

    with a lock icon accept either an organization API key or a user JWT

    obtained via the OAuth 2.1 flow — see
    [Authentication](https://agenticadvertising.org/docs/registry/index#authentication).


    **Base URL:** `https://agenticadvertising.org`
  version: 1.0.0
  contact:
    name: AgenticAdvertising.org
    url: https://agenticadvertising.org
servers:
  - url: https://agenticadvertising.org
    description: Production
security: []
tags:
  - name: Onboarding
    description: >-
      Explicitly bootstrap a third-party integration into the AAO registry. Most
      callers don't need this tag — `POST /api/me/agents` auto-creates the org
      (for fresh users) and the member profile (for first-time agent
      registration) without a separate round trip. Use `POST /api/organizations`
      only when you need to override the auto-derived org name / company_type /
      revenue_tier. Tier transitions happen via the billing flow only; the
      Stripe webhook is the sole writer of `organizations.membership_tier`.
  - name: Member Agents
    description: >-
      Register, list, update, and remove agents on the caller's organization
      member profile. Authenticated programmatic surface for CI / scripts that
      don't want to round-trip the full member profile.
  - name: Brand Resolution
    description: Resolve advertiser domains to canonical brand identities.
  - name: Property Resolution
    description: >-
      Resolve publisher domains to their property configurations and authorized
      agents.
  - name: Agent Discovery
    description: >-
      Browse the federated agent network, search agent inventory profiles,
      publisher index, and registry statistics.
  - name: Change Feed
    description: Poll cursor-based registry change events for local sync.
  - name: Lookups & Authorization
    description: >-
      Look up agents by domain or property, and validate ad-serving
      authorization.
  - name: Validation Tools
    description: >-
      Validate publisher adagents.json files and generate compliant
      configurations.
  - name: Community Mirrors
    description: >-
      Publish, fetch, list, and retire catalog-only adagents.json mirrors for
      platforms that have not adopted AdCP.
  - name: Search
    description: Cross-entity search across brands, publishers, agents, and properties.
  - name: Agent Probing
    description: >-
      Connect to live agents and inspect their capabilities, formats, and
      inventory.
  - name: Brand Discovery
    description: Discover and crawl brand.json files across domains.
  - name: Agent Compliance
    description: Agent compliance status, storyboard test results, and compliance history.
  - name: Policy Registry
    description: >-
      Browse, resolve, and contribute governance policies for campaign
      compliance.
paths:
  /api/registry/agents/{encodedUrl}/oauth-client-credentials:
    put:
      tags:
        - Agent Compliance
      summary: Save OAuth 2.0 client-credentials for an agent
      description: >-
        Store a machine-to-machine OAuth 2.0 client-credentials configuration
        (RFC 6749 §4.4) for this agent. The SDK exchanges at the token endpoint
        before every call and refreshes on 401. `client_secret` may be a
        `$ENV:VAR_NAME` reference — the SDK resolves at exchange time, the
        server stores it as written (encrypted uniformly). Requires
        authentication and ownership.
      operationId: saveAgentOAuthClientCredentials
      parameters:
        - schema:
            type: string
            description: URL-encoded agent URL
          required: true
          description: URL-encoded agent URL
          name: encodedUrl
          in: path
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                token_endpoint:
                  type: string
                  maxLength: 2048
                  description: >-
                    Token endpoint URL (HTTPS required; localhost allowed in
                    dev).
                client_id:
                  type: string
                  maxLength: 2048
                  description: OAuth client ID. May be a `$ENV:VAR_NAME` reference.
                client_secret:
                  type: string
                  maxLength: 8192
                  description: >-
                    OAuth client secret. May be a `$ENV:VAR_NAME` reference.
                    Stored encrypted at rest.
                scope:
                  type: string
                  maxLength: 1024
                  description: Space-separated OAuth scope values.
                resource:
                  type: string
                  maxLength: 2048
                  description: RFC 8707 resource indicator.
                audience:
                  type: string
                  maxLength: 2048
                  description: >-
                    Audience parameter for audience-validating authorization
                    servers.
                auth_method:
                  type: string
                  enum:
                    - basic
                    - body
                  description: >-
                    Client-credentials placement: basic (HTTP Basic header, RFC
                    6749 §2.3.1 preferred) or body (form fields). SDK default is
                    basic.
              required:
                - token_endpoint
                - client_id
                - client_secret
      responses:
        '200':
          description: Credentials saved
          content:
            application/json:
              schema:
                type: object
                properties:
                  connected:
                    type: boolean
                    enum:
                      - true
                  has_auth:
                    type: boolean
                    enum:
                      - true
                  agent_context_id:
                    type: string
                  auth_type:
                    type: string
                    enum:
                      - oauth_client_credentials
                required:
                  - connected
                  - has_auth
                  - agent_context_id
                  - auth_type
        '400':
          description: >-
            Invalid parameters — response carries `code` and `field` pointing to
            the rejection cause.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CredentialSaveValidationError'
        '401':
          description: Authentication required
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '403':
          description: Not authorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
        '500':
          description: Server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
      security:
        - bearerAuth: []
        - oauth2: []
components:
  schemas:
    CredentialSaveValidationError:
      type: object
      properties:
        error:
          type: string
        code:
          type: string
          enum:
            - invalid_blob_shape
            - missing_field
            - invalid_field_type
            - field_too_long
            - invalid_url
            - invalid_env_reference
            - invalid_auth_method_value
          description: Stable rejection tag. UI maps this to operator-friendly prose.
        field:
          type: string
          enum:
            - oauth_client_credentials
            - token_endpoint
            - client_id
            - client_secret
            - scope
            - resource
            - audience
            - auth_method
          description: Field the UI should scroll to + highlight.
      required:
        - error
        - code
        - field
    Error:
      type: object
      properties:
        error:
          type: string
      required:
        - error
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >-
        Bearer token in the `Authorization` header. Two token types are
        accepted:


        - **Organization API key** (`sk_...`) issued via the dashboard.
        Org-scoped, long-lived, for server-to-server use.

        - **User JWT** obtained via the OAuth 2.1 authorization code flow with
        PKCE. User-scoped, short-lived. Discover the authorization server at
        `/.well-known/oauth-authorization-server` and the protected-resource
        metadata at `/.well-known/oauth-protected-resource/api`.
    oauth2:
      type: oauth2
      description: >-
        OAuth 2.1 authorization code flow with PKCE. Users authenticate via
        AuthKit and clients receive a Bearer JWT that authorizes both the MCP
        endpoint and this REST API. Dynamic client registration is supported at
        `/register`.
      flows:
        authorizationCode:
          authorizationUrl: https://agenticadvertising.org/authorize
          tokenUrl: https://agenticadvertising.org/token
          refreshUrl: https://agenticadvertising.org/token
          scopes:
            openid: User identifier
            profile: User profile information
            email: User email address

````