Persist dynamically registered OAuth clients across sessions

[eleftherias]

Formalising this future enhancement into an issue

toolhive/docs/remote-mcp-authentication.md

Line 434 in 1f6ecc0

3. **Client Credential Caching**: Persist dynamically registered clients across sessions

Problem

When using Dynamic Client Registration (RFC 7591) for remote MCP servers, client credentials are not persisted across restarts. This causes:

1. New OAuth client registered on every thv run execution
2. Orphaned client registrations accumulate in OAuth providers
3. Risk of rate limiting from excessive registration requests

Acceptance Criteria

• DCR credentials (client_id, client_secret) persisted after registration
• DCR metadata (client_secret_expires_at, registration_access_token) stored
• Credentials reused across thv run restarts
• Expired credentials trigger automatic re-registration
• thv secret list shows persisted DCR secrets
• thv secret rm can remove persisted credentials
• Backward compatibility maintained for existing configs
• Documentation updated

References

• https://datatracker.ietf.org/doc/html/rfc7591

[carlos-gn]

@eleftherias actually this happened to me with the atlassian mcp. Assign it to me :)

[eleftherias]

Hey @carlos-gn, another contributor has created a PR for this issue. They already had a partial solution based on a previous issue they had worked on.
Sorry about the coordination issues here, I hope you didn't spend too much time implementing this already.

If you're still up for contributing, #995 and #883 have been bugging us for a while and could use some eyes.