Client ID Metadata Documents (CIMD) simplify OAuth client registration for decentralized systems by replacing insecure open systems with client-hosted URLs.

DeScope's resource offers insights, tutorials, and resources for software developers and IT professionals. Readers can learn about software architecture, cloud computing, and cybersecurity. With articles, tutorials, and best practices, DeScope provides  guidance and expertise for building and securing digital infrastructure.

Descope

Client ID Metadata Documents (CIMD) are a new OAuth mechanism where clients host their metadata as a JSON document at a stable HTTPS URL, using that URL as their client_id. This eliminates the need for pre-registration with every authorization server. CIMD addresses key flaws in Dynamic Client Registration (DCR): it prevents client impersonation via domain ownership verification, removes server-side registration database bloat, enables natural client expiry, and simplifies operational overhead. The Model Context Protocol (MCP) is adopting CIMD as the preferred default for client registration through SEP-991. Security risks like localhost impersonation and SSRF remain, but CIMD is positioned as a practical solution for decentralized, many-to-many client-server scenarios.

What is a Client ID Metadata Document (CIMD)?

What are Client ID Metadata Documents (CIMD)?

How MCP uses Client ID Metadata Documents (CIMD)

The path forward for client registration and MCP