stackgenhq · sks · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026
diff --git a/server/handlers.go b/server/handlers.go
@@ -79,6 +79,7 @@ type discoveryOIDC struct {
 	UserInfo          string   `json:"userinfo_endpoint"`
 	DeviceEndpoint    string   `json:"device_authorization_endpoint"`
 	Introspect        string   `json:"introspection_endpoint"`
+	Registration      string   `json:"registration_endpoint,omitempty"`
 	GrantTypes        []string `json:"grant_types_supported"`
 	ResponseTypes     []string `json:"response_types_supported"`
 	Subjects          []string `json:"subject_types_supported"`
@@ -96,6 +97,7 @@ type discoveryOAuth2 struct {
 	Keys              string   `json:"jwks_uri"`
 	DeviceEndpoint    string   `json:"device_authorization_endpoint,omitempty"`
 	Introspect        string   `json:"introspection_endpoint,omitempty"`
+	Registration      string   `json:"registration_endpoint,omitempty"`
 	GrantTypes        []string `json:"grant_types_supported"`
 	ResponseTypes     []string `json:"response_types_supported"`
 	CodeChallengeAlgs []string `json:"code_challenge_methods_supported,omitempty"`
@@ -116,7 +118,7 @@ func (s *Server) discoveryHandler(ctx context.Context, t DiscoveryType) (http.Ha
 	switch t {
 	case DiscoveryOAuth2:
 		d = s.constructDiscoveryOAuth2()
-	default:
+	case DiscoveryOIDC:
 		d = s.constructDiscoveryOIDC(ctx)
 	}
 
@@ -141,6 +143,7 @@ func (s *Server) constructDiscoveryOIDC(ctx context.Context) discoveryOIDC {
 		UserInfo:          s.absURL("/userinfo"),
 		DeviceEndpoint:    s.absURL("/device/code"),
 		Introspect:        s.absURL("/token/introspect"),
+		Registration:      s.absURL("/register"),
 		Subjects:          []string{"public"},
 		IDTokenAlgs:       []string{string(jose.RS256)},
 		CodeChallengeAlgs: []string{codeChallengeMethodS256, codeChallengeMethodPlain},
@@ -177,6 +180,7 @@ func (s *Server) constructDiscoveryOAuth2() discoveryOAuth2 {
 		Keys:              s.absURL("/keys"),
 		DeviceEndpoint:    s.absURL("/device/code"),
 		Introspect:        s.absURL("/token/introspect"),
+		Registration:      s.absURL("/register"),
 		CodeChallengeAlgs: []string{codeChallengeMethodS256, codeChallengeMethodPlain},
 		Scopes:            []string{"offline_access"},
 		AuthMethods:       []string{"client_secret_basic", "client_secret_post"},

diff --git a/server/handlers_test.go b/server/handlers_test.go
@@ -60,6 +60,7 @@ func TestHandleDiscoveryOIDC(t *testing.T) {
 		UserInfo:       fmt.Sprintf("%s/userinfo", httpServer.URL),
 		DeviceEndpoint: fmt.Sprintf("%s/device/code", httpServer.URL),
 		Introspect:     fmt.Sprintf("%s/token/introspect", httpServer.URL),
+		Registration:   fmt.Sprintf("%s/register", httpServer.URL),
 		GrantTypes: []string{
 			"authorization_code",
 			"refresh_token",
@@ -107,48 +108,49 @@ func TestHandleDiscoveryOIDC(t *testing.T) {
 }
 
 func TestHandleDiscoveryOAuth2(t *testing.T) {
-    httpServer, server := newTestServer(t, nil)
-    defer httpServer.Close()
-
-    rr := httptest.NewRecorder()
-    server.ServeHTTP(rr, httptest.NewRequest("GET", "/.well-known/oauth-authorization-server", nil))
-
-    if rr.Code != http.StatusOK {
-        t.Errorf("expected 200 got %d", rr.Code)
-    }
-
-    var res discoveryOAuth2
-    err := json.NewDecoder(rr.Result().Body).Decode(&res)
-    require.NoError(t, err)
-
-    require.Equal(t, discoveryOAuth2{
-        Issuer:         httpServer.URL,
-        Auth:           fmt.Sprintf("%s/auth", httpServer.URL),
-        Token:          fmt.Sprintf("%s/token", httpServer.URL),
-        Keys:           fmt.Sprintf("%s/keys", httpServer.URL),
-        DeviceEndpoint: fmt.Sprintf("%s/device/code", httpServer.URL),
-        Introspect:     fmt.Sprintf("%s/token/introspect", httpServer.URL),
-        GrantTypes: []string{
-            "authorization_code",
-            "refresh_token",
-            "urn:ietf:params:oauth:grant-type:device_code",
-            "urn:ietf:params:oauth:grant-type:token-exchange",
-        },
-        ResponseTypes: []string{
-            "code",
-        },
-        CodeChallengeAlgs: []string{
-            "S256",
-            "plain",
-        },
-        Scopes: []string{
-            "offline_access",
-        },
-        AuthMethods: []string{
-            "client_secret_basic",
-            "client_secret_post",
-        },
-    }, res)
+	httpServer, server := newTestServer(t, nil)
+	defer httpServer.Close()
+
+	rr := httptest.NewRecorder()
+	server.ServeHTTP(rr, httptest.NewRequest("GET", "/.well-known/oauth-authorization-server", nil))
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("expected 200 got %d", rr.Code)
+	}
+
+	var res discoveryOAuth2
+	err := json.NewDecoder(rr.Result().Body).Decode(&res)
+	require.NoError(t, err)
+
+	require.Equal(t, discoveryOAuth2{
+		Issuer:         httpServer.URL,
+		Auth:           fmt.Sprintf("%s/auth", httpServer.URL),
+		Token:          fmt.Sprintf("%s/token", httpServer.URL),
+		Keys:           fmt.Sprintf("%s/keys", httpServer.URL),
+		DeviceEndpoint: fmt.Sprintf("%s/device/code", httpServer.URL),
+		Introspect:     fmt.Sprintf("%s/token/introspect", httpServer.URL),
+		Registration:   fmt.Sprintf("%s/register", httpServer.URL),
+		GrantTypes: []string{
+			"authorization_code",
+			"refresh_token",
+			"urn:ietf:params:oauth:grant-type:device_code",
+			"urn:ietf:params:oauth:grant-type:token-exchange",
+		},
+		ResponseTypes: []string{
+			"code",
+		},
+		CodeChallengeAlgs: []string{
+			"S256",
+			"plain",
+		},
+		Scopes: []string{
+			"offline_access",
+		},
+		AuthMethods: []string{
+			"client_secret_basic",
+			"client_secret_post",
+		},
+	}, res)
 }
 
 func TestHandleHealthFailure(t *testing.T) {