Problem
OAuth and MCP access can outlive the initial consent event. Admins and users need visibility into which clients have access, what scopes were granted, and when access was last used.
Proposed solution
Add a connected-apps page for OAuth/MCP clients. Include client name, client ID, redirect URIs, granted scopes, offline access status, created date, last used date, consenting user, and revoke controls.
Acceptance criteria
- Users can view and revoke their own OAuth/MCP grants.
- Admins can view all registered clients and active grants.
- Admins can disable dynamic client registration.
- Admins can revoke a client globally.
- Offline access is labeled clearly as persistent access.
- Revocation invalidates refresh tokens and active access where supported.
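A sketch of the visibility and revocation rules in the criteria above, added as an illustration and not taken from the project's code. `Grant`, `GrantRegistry`, the sample clients and the use of the `offline_access` scope name to mark persistent access are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Grant:
    grant_id: str
    client_id: str
    user_id: str                       # consenting user
    scopes: frozenset
    refresh_tokens: set = field(default_factory=set)
    revoked: bool = False

class GrantRegistry:
    """Hypothetical in-memory store; a real one would sit on the token database."""
    def __init__(self, grants=()):
        self.grants = {g.grant_id: g for g in grants}
        self.disabled_clients, self.dead_tokens = set(), set()

    def listing(self, viewer, is_admin=False):
        # Users see only their own active grants; admins see every active grant.
        return [{"grant": g.grant_id, "client": g.client_id, "user": g.user_id,
                 "access": "persistent" if "offline_access" in g.scopes else "session"}
                for g in self.grants.values()
                if not g.revoked and (is_admin or g.user_id == viewer)]

    def revoke_grant(self, grant_id, actor, is_admin=False):
        g = self.grants[grant_id]
        if not is_admin and g.user_id != actor:
            raise PermissionError("users may revoke only their own grants")
        g.revoked = True
        self.dead_tokens |= g.refresh_tokens   # refresh tokens die with the grant

    def revoke_client(self, client_id, is_admin):
        if not is_admin:
            raise PermissionError("global revocation is admin-only")
        self.disabled_clients.add(client_id)   # also blocks grants created later
        for g in [g for g in self.grants.values() if g.client_id == client_id]:
            self.revoke_grant(g.grant_id, actor=None, is_admin=True)

    def refresh_allowed(self, client_id, token):
        # Revocation check only; token existence and expiry checks are omitted.
        return client_id not in self.disabled_clients and token not in self.dead_tokens

def sample_registry():
    # Constructed sample data, not from any real deployment.
    return GrantRegistry([
        Grant("g1", "mcp-notes", "alice", frozenset({"read", "offline_access"}), {"rt-a"}),
        Grant("g2", "mcp-notes", "bob", frozenset({"read"}), {"rt-b"}),
        Grant("g3", "ci-bot", "alice", frozenset({"write"}), {"rt-c"}),
    ])
```

Running `refresh_allowed` on every refresh request is what makes a revocation take effect without waiting for the refresh token to expire.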