Agentic Data Plane
beta

rpk ai oauth-client dcr

Manage the tenant’s Dynamic Client Registration policy.

When DCR is enabled, spec-conformant MCP clients (Claude, Cursor, …) self-register at the public /oauth/idp/register endpoint — no admin pre-provisioning. Admission is governed by the mode:

open                  anyone may register (rate limit + client cap still apply)
initial-access-token  callers must present an admin-minted one-shot bearer
software-statement    reserved; not yet supported

DCR is disabled per tenant by default; the gateway operator must also ship the binary with the global ingress.idp.dcr.global_enabled flag.

Usage

rpk ai oauth-client dcr [command]

Flags

Value Type Description

-h, --help

-

help for dcr.

-o, --format

string

output format: table|wide|json|yaml|markdown (env: RPAI_FORMAT) (default "table").

--no-color

-

disable colored output (env: NO_COLOR).

-c, --rpai-config

string

path to rpai config (env: RPAI_CONFIG) (default "/var/lib/redpanda/.rpai/config").

-s, --rpai-endpoint

string

override the selected environment’s AI Gateway URL for this invocation.

-p, --rpai-profile

string

rpai profile name (env: RPAI_PROFILE).

-v, --rpai-verbose

-

verbose debug logging to stderr (env: RPAI_VERBOSE).

--token

string

static bearer token override (ambient RPAI_TOKEN is ignored under rpk ai) Use "rpk ai oauth-client dcr [command] --help" for more information about a command.