# MCP audience client. RFC 7591 dynamic-registration capable MCP clients (e.g.,
# Claude Desktop) discover this via /.well-known/oauth-protected-resource and
# request tokens with aud=https://mcp.drop-k8s.hackathon.forteapps.net/mcp.
apiVersion: v1
kind: Secret
metadata:
  name: keycloak-client-forte-drop-mcp
  namespace: forte-drop
  labels:
    keycloak.forteapps.net/client-config: "true"
stringData:
  client.json: |
    {
      "clientId": "forte-drop-mcp",
      "name": "Forte Drop (MCP)",
      "enabled": true,
      "protocol": "openid-connect",
      "clientAuthenticatorType": "client-secret",
      "standardFlowEnabled": false,
      "directAccessGrantsEnabled": false,
      "serviceAccountsEnabled": false,
      "publicClient": false,
      "defaultClientScopes": ["openid","profile","email"],
      "attributes": {
        "access.token.lifespan": "3600"
      }
    }