Client ID Metadata Documents (CIMD) are a new OAuth mechanism where clients host their metadata as a JSON document at a stable HTTPS URL, using that URL as their client_id. This eliminates the need for pre-registration with every authorization server. CIMD addresses key flaws in Dynamic Client Registration (DCR): it prevents client impersonation via domain ownership verification, removes server-side registration database bloat, enables natural client expiry, and simplifies operational overhead. The Model Context Protocol (MCP) is adopting CIMD as the preferred default for client registration through SEP-991. Security risks like localhost impersonation and SSRF remain, but CIMD is positioned as a practical solution for decentralized, many-to-many client-server scenarios.
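As an added example (not code from the Descope post, nor from the CIMD draft or MCP), here is the defender-side check an authorization server can run when it receives a URL-shaped client_id: screen the URL before fetching it, then bind the fetched document to that exact URL. The field names `client_id` and `redirect_uris` are assumed from the CIMD draft, and the sample document is constructed.

```python
import ipaddress
import json
from urllib.parse import urlparse

# Assumed field names, per the CIMD draft: "client_id" (must equal the URL the
# document was fetched from) and "redirect_uris". No network I/O is done here;
# the caller fetches the body (with redirects disabled) and passes it in.

def validate_client_id_url(client_id: str) -> list[str]:
    """Reasons to reject a client_id URL before fetching it (SSRF/localhost screen)."""
    u = urlparse(client_id)
    host = (u.hostname or "").lower()
    checks = [
        (u.scheme != "https", "client_id must use https"),
        (not host, "client_id must have a host"),
        (bool(u.username or u.password), "client_id must not carry userinfo"),
        (host == "localhost" or host.endswith(".localhost"),
         "localhost is not an acceptable client_id host"),
    ]
    problems = [msg for bad, msg in checks if bad]
    try:  # IP literal? refuse loopback, private, link-local, etc.
        if not ipaddress.ip_address(host).is_global:
            problems.append("client_id host is a non-public IP literal")
    except ValueError:
        pass  # DNS name: also check the resolved address before connecting
    return problems

def validate_metadata(client_id: str, body: str) -> list[str]:
    """Check a fetched CIMD body against the URL it was served from."""
    problems = validate_client_id_url(client_id)
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return problems + ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    if doc.get("client_id") != client_id:  # document must claim its own URL
        problems.append("document client_id does not match its URL")
    uris = doc.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        problems.append("redirect_uris missing or empty")
    elif not all(isinstance(r, str) and urlparse(r).scheme for r in uris):
        problems.append("every redirect_uri must be an absolute URI")
    return problems

# Constructed sample: a well-formed document hosted at its own client_id URL.
GOOD_ID = "https://app.example.com/oauth/client.json"
GOOD_DOC = json.dumps({"client_id": GOOD_ID, "client_name": "Example MCP client",
                       "redirect_uris": ["https://app.example.com/callback"]})
```

A resolver-side check (rejecting DNS names that resolve to non-public addresses) belongs in the fetch step, which this block deliberately leaves to the caller.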

12 min read. From descope.com