Configuring OAuth dynamic client registration
OAuth Dynamic Client Registration (DCR) is a tenant-level OAuth capability that allows compatible OAuth client applications to register OAuth clients dynamically. In this context, a compatible OAuth client application is one that supports the OAuth 2.0 DCR protocol and meets your tenant policy requirements.
Use DCR when your tenant needs to onboard multiple OAuth clients with less manual setup while still applying tenant controls for authentication, user consent, and scope management. The primary use case for DCR is connecting Model Context Protocol (MCP) server clients, but you can also use it for other compatible third-party applications. If you prefer to create and maintain each client directly, use manual OAuth client setup instead. For details on manual setup, see Creating OAuth clients.
Publishing and consent are separate controls:
-
Publishing constrains whether an OAuth client can be used by other tenants in the same region.
-
Consent method (Required or Trusted) controls whether users are prompted during authorization.
For details on manual setup and consent behavior, including publication constraints, see Creating OAuth clients and Creating and managing OAuth clients.
Prerequisites and cautions
Prerequisites:
-
You are a tenant administrator in Qlik Cloud.
Cautions:
-
When DCR is enabled, compatible OAuth client applications can request OAuth client registration in your tenant according to your DCR policy. Review your allowed authentication methods and approval process before enabling DCR in production.
-
DCR-created clients are initially assigned the user_default, mcp:execute, and offline_access scopes. To learn more on these scopes, see a complete list of scopes on the Qlik Developer Portal Scopes.
-
Unapproved DCR clients are automatically deleted after one hour. If no tenant administrator approves the client in the third-party application within that period, the client is deleted and users must create the connection again.
Configuring DCR settings
Configure Dynamic Client Registration settings to control how OAuth client applications can register OAuth clients in your tenant.
Configuring DCR in Qlik Cloud
Do the following:
-
In the Administration activity center, click Settings.
-
Enable Dynamic client registration.
When DCR is disabled, no new clients can be registered dynamically. Existing dynamically registered clients remain functional until you manually remove them or revoke their approval.
-
Select the authentication methods that dynamically registered clients are allowed to use:
-
Client secret: For confidential clients (web applications with secure backends)
-
None: For public clients (single-page applications or native applications)
You can select multiple authentication methods. Applications attempting to register with a method not allowed by your policy are rejected.
For more information on these authentication methods, see the following section Authentication methods.
-
Configuring DCR in OAuth client app
After you configure DCR in Qlik Cloud, configure the DCR connection in your OAuth client application. The connection details differ by use case.
Do the following:
-
Use the connection URL for your use case when configuring the connection in the OAuth client application:
Use case Connection URL format MCP or GenAI clients https://<tenant-id>.<region>.qlikcloud.com/api/ai/mcp For more MCP configuration information, see Connecting to the Qlik MCP server.
Other OAuth client applications https://<tenant-id>.<region>.qlikcloud.com -
Review the approval and consent behavior for newly registered DCR clients:
-
Verify that new DCR clients require explicit tenant approval before they can be used. In the third-party application, grant approval when prompted.
-
The first approved connection uses Required consent.
-
After approval, edit the client in Qlik Cloud and change its consent method to Trusted if that matches your security policy.
Tenant approval establishes tenant-level trust between your Qlik Cloud tenant and the OAuth client application. After a tenant administrator connects, authenticates, and approves the consent request, other users can connect to Qlik Cloud through the same OAuth application without requiring their own consent approval.
The consent method is managed per client after approval. For more information, see Creating and managing OAuth clients.
-
Authentication methods
When configuring DCR settings, you can specify which authentication methods dynamically registered clients are allowed to use. The following authentication methods are available:
-
Client secret: Allows confidential clients that authenticate using a client secret. The client receives a client secret when registered. This includes both client_secret_basic and client_secret_post authentication methods.
-
None: Allows public clients that do not use a client secret. These clients use authorization code flow with PKCE (Proof Key for Code Exchange) for authentication.
By default, dynamically registered clients use the client_secret_basic authentication method unless specified otherwise during registration.
Managing DCR clients
Managing multiple registrations from vendors
Many OAuth client applications dynamically register a single OAuth client with Qlik Cloud. Users of the application share the same OAuth client.
Some OAuth client applications dynamically register multiple OAuth clients, one per user. This behavior has been observed with:
-
Anthropic Claude
-
Antigravity
If you see many DCR clients from the same vendor, review how that OAuth client application registers clients and whether a shared-connector option is available.
For Anthropic Claude, Qlik is exploring a dedicated Qlik Cloud MCP Connector for the Anthropic directory. If accepted by Anthropic, the connector can help address the multiple-registration issue. Until it becomes available, if multiple DCR registrations are a concern for you, follow the static Claude OAuth configuration in Connecting to Claude.
Deleting OAuth clients in bulk
If your tenant has many OAuth clients, do the following:
-
Use filtering in the OAuth clients list to find clients by vendor or naming pattern.
-
Select the matching clients.
-
Delete the selected clients in bulk.
Identifying dynamically registered clients
Dynamically registered clients can be distinguished from manually created clients in the following ways:
-
In the Administration, the OAuth clients list displays a Source column. DCR clients have a source value of DCR, and manually created clients have a source value of User.
-
API responses include a createdByType field set to dcr for dynamically registered clients and user for manually created clients.
MCP access example
One use case for DCR is onboarding OAuth clients for Qlik MCP server integrations. DCR is not limited to MCP and can be used by other compatible OAuth client applications. For MCP-based connections, the tenant administrator usually creates the first connection and approves the client before other users connect.
For MCP administration and connection guidance, see: