Dynamic Client Registration

Dynamic Client Registration (DCR)

DCR allows Gemini Enterprise to programmatically register as an OAuth 2.0 client. This eliminates the need for manual credential exchange.

URL: https://agent.stactize.com/dcr

Method: POST

Authentication: None (public endpoint; security is via JWT validation)

Gemini Enterprise sends a POST request containing a software_statement JWT signed by Google
The agent validates the JWT:
- Verifies the RS256 signature using Google's public keys
- Confirms the issuer is Google's Marketplace service account
- Checks the JWT hasn't expired
- Validates the audience matches the agent's provider URL
- Extracts the Marketplace Order ID and Procurement Account ID
On successful validation, the agent returns pre-configured OAuth 2.0 credentials

{
  "software_statement": "<google_signed_jwt>"
}

Claim	Description
`iss`	Google's service account URL for key verification
`iat`	Token issue timestamp
`exp`	Token expiration timestamp
`aud`	Agent provider URL (`https://agent.stactize.com`)
`sub`	Marketplace Procurement Account ID
`auth_app_redirect_uris`	OAuth redirect URIs for the flow
`google.order`	Marketplace Order ID

{
  "client_id": "<oauth_client_id>",
  "client_secret": "<oauth_client_secret>",
  "client_secret_expires_at": 0
}

Status	Error	Description
400	`invalid_request`	Missing or malformed software_statement
401	`invalid_request`	JWT validation failed (expired, bad signature, wrong audience)
500	`server_error`	OAuth credentials not configured on server

Getting Started

Integration Methods

Prerequisites & Security

Authentication & Authorization

OAuth 2.0 Authentication