Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Also on a side node from Security point of view I am seeking advice if I can make `<http://localhost:4445/admin/clients>` URL public or not.
MCP Specification dictates that:
```MCP auth implementations SHOULD support the OAuth 2.0 Dynamic Client Registration Protocol (RFC7591).```
<https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization#2-1-overview>

Do not expose the admin API publicly.
If you must expose specific endpoints for dynamic client registration, use an API Gateway or similar mechanism to restrict and secure access.

<@U011D3UQKNY> is it safe to expose only `admin/clients` endpoint with basic IP based rate limit? 

If you need to expose the `/admin/clients` endpoint to support OAuth 2.0 Dynamic Client Registration, you must secure it properly—rate limiting alone is not sufficient. Use an API Gateway or similar solution to enforce authentication and authorization.