# OAuth

HQ can act as an OAuth 2.0 Authorization Server (AS).

It is embedded, so no external AS is required. The implementation lives in `internal/oauth2/` and follows the Authorization Code grant flow (RFC 6749 Section 4.1), with optional PKCE (RFC 7636) and support towards OAuth 2.1.

## Discovery & Registration

1. Server Metadata (RFC 8414): Clients discover HQ's OAuth endpoints via `GET /.well-known/oauth-authorization-server`, which returns the issuer URL, endpoint URLs, supported grant types, scopes, token endpoint auth methods, and PKCE support.
2. Dynamic Client Registration (RFC 7591): When the `dcr` config flag is enabled, clients can self-register via `POST /oauth2/register`. DCR-created apps are placed into a configured default org. Each registered app receives a `client_id` and `client_secret` (bcrypt-hashed at rest).
3. Manual Registration: Apps can also be created via the HQ API (provenance "api" vs "dcr").
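
A client or operator can check the discovery document before relying on it. The Go code below is an added example, not HQ's own code: `CheckMetadata` and the sample JSON are constructed here, the JSON field names are those defined by RFC 8414, and the `/oauth2/authorize` and `/oauth2/token` paths are assumptions (only `/oauth2/register` is documented above).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed sample response; the authorize and token paths are assumptions.
const sample = `{"issuer": "https://hq.example.com", "code_challenge_methods_supported": ["S256"],
 "authorization_endpoint": "https://hq.example.com/oauth2/authorize",
 "token_endpoint": "https://hq.example.com/oauth2/token",
 "registration_endpoint": "https://hq.example.com/oauth2/register"}`

// CheckMetadata returns findings for a metadata document served for issuerURL.
func CheckMetadata(issuerURL string, doc []byte) (out []string) {
	var m struct {
		Issuer   string   `json:"issuer"`
		Authz    string   `json:"authorization_endpoint"`
		Token    string   `json:"token_endpoint"`
		Register string   `json:"registration_endpoint"`
		PKCE     []string `json:"code_challenge_methods_supported"`
	}
	if err := json.Unmarshal(doc, &m); err != nil {
		return []string{"metadata is not valid JSON: " + err.Error()}
	}
	if m.Issuer != issuerURL { // RFC 8414 section 3.3: must match exactly
		out = append(out, fmt.Sprintf("issuer %q does not match configured %q", m.Issuer, issuerURL))
	}
	for _, e := range [][2]string{{"issuer", m.Issuer}, {"authorization_endpoint", m.Authz}, {"token_endpoint", m.Token}} {
		if u, err := url.Parse(e[1]); err != nil || u.Scheme != "https" || u.Host == "" || u.Fragment != "" {
			out = append(out, e[0]+" is not an https URL without fragment")
		}
	}
	s256 := false
	for _, method := range m.PKCE {
		s256 = s256 || method == "S256"
	}
	if !s256 { // PKCE is optional in HQ, so a client should confirm it is advertised
		out = append(out, "S256 missing from code_challenge_methods_supported")
	}
	if m.Register != "" { // informational: the dcr flag is on
		out = append(out, "registration_endpoint advertised: clients can self-register")
	}
	return out
}

func main() {
	fmt.Println(CheckMetadata("https://hq.example.com", []byte(sample)))
}
```

For the constructed sample the only finding is the registration notice, which tells an operator that dynamic client registration is reachable.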

## Configuration

Add to the [HQ config](/latest/deployment/configuration/hq.md#authconfig).

{% code overflow="wrap" %}

```
auth:
  oauth2:
    authorizationServer:
      enabled: true
      issuerURL: "https://hq.example.com"
```

{% endcode %}

{% hint style="info" %}

`issuerURL` is the only field that is conditionally required (when `enabled` is `true`).

{% endhint %}

