settings / oauth-server

OAuth 2.1 authorization server settings (key paths, token lifetimes, rate limits, dynamic registration)

Signing key paths — Override in config/tcms.php.

Private key
/www/htdocs/v075328/sandbox.brockert.de/sandbox/public/tcms-data/.system/oauth-keys/private.key missing
Public key
/www/htdocs/v075328/sandbox.brockert.de/sandbox/public/tcms-data/.system/oauth-keys/public.key missing

Run tcms oauth:setup to generate the key pair.

Enable RFC 7591 self-registration at POST /oauth/register. Off by default — it is an unauthenticated endpoint that writes server state. MCP clients (Claude Desktop, Cursor) need this on to connect without manual setup. With it left off, create a static client in the admin for each integration instead. Self-registration alone never grants data access (a registered client still needs admin consent), but an open endpoint invites client-record flooding and consent-phishing.

How long an access token is valid. PHP DateInterval spec — e.g. PT1H (1 hour), PT15M (15 minutes), P1D (1 day). Shorter lifetimes limit the window in which a leaked token can be used and make revocation take effect sooner, at the cost of more refresh round-trips. The default of 1 hour is the common OAuth middle ground.

How long a refresh token can be used to obtain new access tokens. After this, the user must re-authorize via the consent screen. Common values: P30D (30 days), P90D (90 days), P1Y (1 year). Default 30 days.

How long an authorization code is valid before it must be exchanged for tokens. Short by design — the user is mid-flow. RFC 6749 §4.1.2 recommends a maximum of 10 minutes. Default PT10M.

Maximum requests to /oauth/token per minute from a single IP. Protects against brute-force code exchange and runaway refresh loops. Applies to all callers (admin requests are NOT exempt). Set to 0 to disable. Default 60.
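As an added example (not tcms's own code), a PHP check that validates the lifetime and rate-limit values described above before they go into config/tcms.php; the setting keys it uses are assumed names, since the page does not give the real ones.

```php
<?php
// Added example, not tcms project code: sanity-check the OAuth lifetime and
// rate-limit settings before writing them to config/tcms.php. The array keys
// below are assumed names, not the project's real config keys.

// Convert a PHP DateInterval spec (PT15M, P30D, P1Y ...) to seconds.
// Month/year parts are measured from 1970-01-01, so P1Y counts as 365 days.
function intervalSeconds(string $spec): int
{
    $interval = new DateInterval($spec);   // throws Exception on a malformed spec
    $epoch = new DateTimeImmutable('@0');
    return $epoch->add($interval)->getTimestamp();
}

// Return the policy violations found in $settings; an empty array means OK.
// The checks mirror the constraints described on the settings page.
function validateOauthSettings(array $settings): array
{
    $issues = [];
    $seconds = [];
    foreach (['access_token_ttl', 'refresh_token_ttl', 'auth_code_ttl'] as $key) {
        try {
            $seconds[$key] = intervalSeconds((string) ($settings[$key] ?? ''));
        } catch (Exception $e) {
            $issues[] = "$key: not a valid DateInterval spec";
        }
    }
    // RFC 6749 §4.1.2: authorization codes should live at most 10 minutes.
    if (isset($seconds['auth_code_ttl']) && $seconds['auth_code_ttl'] > 600) {
        $issues[] = 'auth_code_ttl exceeds the 10-minute maximum recommended by RFC 6749';
    }
    // An access token that outlives its refresh token is never refreshed.
    if (isset($seconds['access_token_ttl'], $seconds['refresh_token_ttl'])
        && $seconds['access_token_ttl'] >= $seconds['refresh_token_ttl']) {
        $issues[] = 'access_token_ttl must be shorter than refresh_token_ttl';
    }
    // /oauth/token limit: non-negative integer; 0 disables brute-force protection.
    $rate = $settings['token_rate_limit'] ?? null;
    if (!is_int($rate) || $rate < 0) {
        $issues[] = 'token_rate_limit must be a non-negative integer';
    } elseif ($rate === 0) {
        $issues[] = 'token_rate_limit is 0: brute-force protection on /oauth/token is off';
    }
    return $issues;
}

// Constructed sample that trips all three policy checks.
print_r(validateOauthSettings([
    'access_token_ttl'  => 'P2D',
    'refresh_token_ttl' => 'P1D',
    'auth_code_ttl'     => 'PT30M',
    'token_rate_limit'  => 0,
]));
```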