rpk ai oauth-client dcr
Manage the tenant’s Dynamic Client Registration policy.
When DCR is enabled, spec-conformant MCP clients (Claude, Cursor, …) self-register at the public /oauth/idp/register endpoint — no admin pre-provisioning. Admission is governed by the mode:
open anyone may register (rate limit + client cap still apply) initial-access-token callers must present an admin-minted one-shot bearer software-statement reserved; not yet supported
DCR is disabled per tenant by default; the gateway operator must also ship the binary with the global ingress.idp.dcr.global_enabled flag.
Flags
| Value | Type | Description |
|---|---|---|
|
- |
help for dcr. |
|
string |
output format: table|wide|json|yaml|markdown (env: RPAI_FORMAT) (default "table"). |
|
- |
disable colored output (env: NO_COLOR). |
|
string |
path to rpai config (env: RPAI_CONFIG) (default "/var/lib/redpanda/.rpai/config"). |
|
string |
override the selected environment’s AI Gateway URL for this invocation. |
|
string |
rpai profile name (env: RPAI_PROFILE). |
|
- |
verbose debug logging to stderr (env: RPAI_VERBOSE). |
|
string |
static bearer token override (ambient RPAI_TOKEN is ignored under rpk ai) Use "rpk ai oauth-client dcr [command] --help" for more information about a command. |