[BUG] Claude Code CIMD omits application_type, causing loopback redirect URI interoperability issues
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code appears to use a CIMD client metadata configuration that can cause interoperability problems when application_type is omitted.
Under RFC 7591, omitting application_type defaults the client to "web". At the same time, Claude Code uses loopback redirect URIs such as http://127.0.0.1 and http://localhost, which are described in RFC 8252 for native applications.
RFC 8252 also notes that the redirect URI alone is not enough to distinguish a public native app from a confidential web client, and that the client type needs to be recorded during client registration so the authorization server can determine how to treat the client.
As a result, omitting application_type and relying on the RFC 7591 default can leave Claude Code with client metadata that does not clearly record the intended client type. In practice, this appears to lead to interoperability problems across authorization servers.
Related standards discussion: oauth-wg/draft-ietf-oauth-client-id-metadata-document#75
What Should Happen?
Claude Code should record its intended client type explicitly when using loopback redirect URIs, rather than relying on an omitted application_type and the RFC 7591 default of "web".
This would make the client type unambiguous during registration and should reduce interoperability problems across authorization servers.
Error Messages/Logs
There is not necessarily a single Claude Code error message that captures the underlying issue.
The observable problem is that OAuth authorization or client registration can fail against some authorization servers when Claude Code uses loopback redirect URIs while omitting application_type.
Related reports that appear relevant:
Steps to Reproduce
- Configure Claude Code against an OAuth authorization server that records client type from registered metadata.
- Use a Claude Code client metadata configuration that omits
application_type. - Use loopback redirect URIs such as:
```text
http://127.0.0.1
http://localhost
4. Attempt OAuth authorization or client registration through Claude Code.
5. Observe that some authorization servers may reject the registration or subsequent authorization flow because the recorded client type is treated as `"web"` rather than native.
Relevant context:
* [RFC 7591](https://www.rfc-editor.org/rfc/rfc7591): omitted `application_type` defaults to `"web"`
* [RFC 8252](https://datatracker.ietf.org/doc/html/rfc8252) loopback redirect URIs are described for native applications, and client type should be recorded during registration
### Claude Model
Sonnet (default)
### Is this a regression?
No, this never worked
### Last Working Version
*No response*
### Claude Code Version
2.1.92 (Claude Code)
### Platform
Anthropic API
### Operating System
macOS
### Terminal/Shell
iTerm2
### Additional Information
*No response*This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗