# `AshAuthentication.Oauth2Server.Register`
[🔗](https://github.com/team-alembic/ash_authentication_oauth2_server/blob/v0.1.0/lib/ash_authentication/oauth2_server/register.ex#L5)

Protocol-pure logic for `/oauth/register` (RFC 7591 Dynamic Client
Registration).

v1 supports public clients only (PKCE, `token_endpoint_auth_method: "none"`).
Confidential clients (`client_secret_basic`) are deferred.

Registration is open by default — the standard RFC 7591 mode. To gate
it, set `:initial_access_token` on your `Oauth2Server` module and pass
the request's bearer token via `opts[:initial_access_token]` when
calling `register/3` (RFC 7591 §3).

# `register`

```elixir
@spec register(server :: module(), params :: map(), opts :: keyword()) ::
  {:ok, Ash.Resource.record(), map()}
  | {:error, :dcr_disabled}
  | {:error, :invalid_initial_access_token}
  | {:error, String.t(), String.t()}
```

Register a new OAuth client from RFC 7591-shaped parameters.

`opts` may include:

  * `:initial_access_token` — the bearer token the request presented
    (or `nil`). When the server has `:initial_access_token` configured,
    this MUST match (constant-time) or registration is rejected.

Returns:

  * `{:ok, client_record, response_body}` on success.
  * `{:error, :dcr_disabled}` when the server has `dcr_enabled?: false`
    (the library default). Controllers should treat this as a 404 —
    the endpoint is not exposed.
  * `{:error, :invalid_initial_access_token}` when the bearer was
    missing or didn't match. Per RFC 7591 §3.2.2 this is a Bearer-auth
    failure — controllers should emit `401` with
    `WWW-Authenticate: Bearer error="invalid_token"`, not 400.
  * `{:error, code, description}` for any other validation failure —
    a 400 DCR error response per RFC 7591 §3.2.2.

---

*Consult [api-reference.md](api-reference.md) for complete listing*