Merge pull request #42 from versia-pub/refactor/openid

Rewrite old authentication code and go OpenID-only
2025-12-06 00:18:19 +01:00 · 2025-11-21 07:21:01 +01:00 · 2025-11-21 07:21:01 +01:00 · f2e9c862a6
parent c93071666a 82bb92768c
commit f2e9c862a6
56 changed files with 5726 additions and 2793 deletions
--- a/.deepsource.toml
+++ b/.deepsource.toml
@ -1,16 +1,18 @@
 version = 1
 test_patterns = ["**/*.test.ts"]
 [[analyzers]]
 name = "shell"
 [[analyzers]]
 name = "javascript"
-  [analyzers.meta]
+[analyzers.meta]
-  environment = ["nodejs"]
+environment = ["nodejs"]
 [[analyzers]]
 name = "docker"
-  [analyzers.meta]
+[analyzers.meta]
-  dockerfile_paths = ["Dockerfile"]
+dockerfile_paths = ["Dockerfile"]
--- a/.github/config.workflow.toml
+++ b/.github/config.workflow.toml
@ -453,17 +453,8 @@ log_level = "info" # For console output
 # log_level = "info"
 [authentication]
-# If enabled, Versia will require users to log in with an OpenID provider
+# Run Versia Server with this value missing to generate a new key
-forced_openid = false
+key = "ZWcwanRaQAqY3ChUro/Jey9XGQjzsxEed5iqTp4yFr8W6vEnXdz91F/Pu/uf7HBMbNeIK7V6aHsM0lq9onrO8Q=="
 # Allow registration with OpenID providers
 # If signups.registration is false, it will only be possible to register with OpenID
 openid_registration = true
 [authentication.keys]
 # Run Versia Server with those values missing to generate a new key
 public = "MCowBQYDK2VwAyEAfyZx8r98gVHtdH5EF1NYrBeChOXkt50mqiwKO2TX0f8="
 private = "MC4CAQAwBQYDK2VwBCIEILDi1g7+bwNjBBvL4CRWHZpCFBR2m2OPCot62Wr+TCbq"
 # The provider MUST support OpenID Connect with .well-known discovery
 # Most notably, GitHub does not support this
--- a/bun.lock
+++ b/bun.lock
@ -39,7 +39,6 @@
        "ioredis": "catalog:",
        "ip-matching": "catalog:",
        "iso-639-1": "catalog:",
        "jose": "catalog:",
        "linkify-html": "catalog:",
        "linkify-string": "catalog:",
        "linkifyjs": "catalog:",
@ -51,7 +50,6 @@
        "markdown-it-toc-done-right": "catalog:",
        "mime-types": "catalog:",
        "mitata": "catalog:",
        "oauth4webapi": "catalog:",
        "ora": "catalog:",
        "qs": "catalog:",
        "sharp": "catalog:",
@ -108,8 +106,7 @@
        "hono-rate-limiter": "catalog:",
        "ip-matching": "catalog:",
        "iso-639-1": "catalog:",
-        "jose": "catalog:",
+        "openid-client": "catalog:",
        "oauth4webapi": "catalog:",
        "qs": "catalog:",
        "sharp": "catalog:",
        "string-comparison": "catalog:",
@ -270,7 +267,6 @@
    "ioredis": "^5.6.1",
    "ip-matching": "^2.1.2",
    "iso-639-1": "^3.1.5",
    "jose": "^6.0.11",
    "linkify-html": "^4.3.1",
    "linkify-string": "^4.3.1",
    "linkifyjs": "^4.3.1",
@ -284,7 +280,7 @@
    "mime-types": "^3.0.1",
    "mitata": "^1.0.34",
    "mitt": "^3.0.1",
-    "oauth4webapi": "^3.5.5",
+    "openid-client": "^6.6.3",
    "ora": "^8.2.0",
    "qs": "^6.14.0",
    "sharp": "^0.34.2",
@ -1133,7 +1129,7 @@
    "jake": ["jake@10.9.2", "", { "dependencies": { "async": "^3.2.3", "chalk": "^4.0.2", "filelist": "^1.0.4", "minimatch": "^3.1.2" }, "bin": { "jake": "bin/cli.js" } }, "sha512-2P4SQ0HrLQ+fw6llpLnOaGAvN2Zu6778SJMrCUwns4fOoG9ayrTiZk3VV8sCPkVZF8ab0zksVpS8FDY5pRCNBA=="],
-    "jose": ["jose@6.0.11", "", {}, "sha512-QxG7EaliDARm1O1S8BGakqncGT9s25bKL1WSf6/oa17Tkqwi8D2ZNglqCF+DsYF88/rV66Q/Q2mFAy697E1DUg=="],
+    "jose": ["jose@6.0.12", "", {}, "sha512-T8xypXs8CpmiIi78k0E+Lk7T2zlK4zDyg+o1CZ4AkOHgDg98ogdP2BeZ61lTFKFyoEwJ9RgAgN+SdM3iPgNonQ=="],
    "js-tokens": ["js-tokens@4.0.0", "", {}, "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ=="],
@ -1277,7 +1273,7 @@
    "nth-check": ["nth-check@2.1.1", "", { "dependencies": { "boolbase": "^1.0.0" } }, "sha512-lqjrjmaOoAnWfMmBPL+XNnynZh2+swxiX3WUE0s4yEHI6m+AwrK2UZOimIRl3X/4QctVqS8AiZjFqyOGrMXb/w=="],
-    "oauth4webapi": ["oauth4webapi@3.5.5", "", {}, "sha512-1K88D2GiAydGblHo39NBro5TebGXa+7tYoyIbxvqv3+haDDry7CBE1eSYuNbOSsYCCU6y0gdynVZAkm4YPw4hg=="],
+    "oauth4webapi": ["oauth4webapi@3.6.2", "", {}, "sha512-hwWLiyBYuqhVdcIUJMJVKdEvz+DCweOcbSfqDyIv9PuUwrNfqrzfHP2bypZgZdbYOS67QYqnAnvZa2BJwBBrHw=="],
    "object-inspect": ["object-inspect@1.13.4", "", {}, "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew=="],
@ -1287,6 +1283,8 @@
    "openapi-types": ["openapi-types@12.1.3", "", {}, "sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw=="],
    "openid-client": ["openid-client@6.6.3", "", { "dependencies": { "jose": "^6.0.12", "oauth4webapi": "^3.6.1" } }, "sha512-sYYFJsyN21bjf/QepIU/t6w22tEUT+rYVPf1VZOSQwC+s1hAkyZpvAbFNLMrnrYMS/H74MctEHna2jPLvWbkCA=="],
    "ora": ["ora@8.2.0", "", { "dependencies": { "chalk": "^5.3.0", "cli-cursor": "^5.0.0", "cli-spinners": "^2.9.2", "is-interactive": "^2.0.0", "is-unicode-supported": "^2.0.0", "log-symbols": "^6.0.0", "stdin-discarder": "^0.2.2", "string-width": "^7.2.0", "strip-ansi": "^7.1.0" } }, "sha512-weP+BZ8MVNnlCm8c0Qdc1WSWq4Qn7I+9CJGm7Qali6g44e/PUzbjNqJX5NJ9ljlNMosfJvg1fKEGILklK9cwnw=="],
    "package-json-from-dist": ["package-json-from-dist@1.0.1", "", {}, "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw=="],
--- a/cli/user/token.ts
+++ b/cli/user/token.ts
@ -1,4 +1,4 @@
-import { Token } from "@versia-server/kit/db";
+import { Client, Token } from "@versia-server/kit/db";
 import { randomUUIDv7 } from "bun";
 import chalk from "chalk";
 // @ts-expect-error - Root import is required or the Clec type definitions won't work
@ -22,13 +22,24 @@ export const generateTokenCommand = defineCommand(
            throw new Error(`User ${chalk.gray(username)} not found.`);
        }
        const application = await Client.insert({
            id:
                user.id +
                Buffer.from(
                    crypto.getRandomValues(new Uint8Array(32)),
                ).toString("base64"),
            name: "Versia",
            redirectUris: [],
            scopes: ["openid", "profile", "email"],
            secret: "",
        });
        const token = await Token.insert({
            id: randomUUIDv7(),
            accessToken: randomString(64, "base64url"),
-            code: null,
+            scopes: ["read", "write", "follow"],
            scope: "read write follow",
            tokenType: "Bearer",
            userId: user.id,
            clientId: application.id,
        });
        console.info(
--- a/config/config.example.toml
+++ b/config/config.example.toml
@ -459,17 +459,8 @@ log_level = "info" # For console output
 # log_level = "info"
 [authentication]
-# If enabled, Versia will require users to log in with an OpenID provider
+# Run Versia Server with this value missing to generate a new key
-forced_openid = false
+# key = ""
 # Allow registration with OpenID providers
 # If signups.registration is false, it will only be possible to register with OpenID
 openid_registration = true
 # [authentication.keys]
 # Run Versia Server with those values missing to generate a new key
 # public = ""
 # private = ""
 # The provider MUST support OpenID Connect with .well-known discovery
 # Most notably, GitHub does not support this
--- a/docs/frontend/auth.md
+++ b/docs/frontend/auth.md
@ -3,7 +3,7 @@
 Multiple API routes are exposed for authentication, to be used by frontend developers.
 > [!INFO]
-> 
+>
 > These are different from the Client API routes, which are used by clients to interact with the Mastodon API.
 A frontend is a web application that is designed to be the primary user interface for an instance. It is used also used by clients to perform authentication.
@ -48,58 +48,6 @@ Frontend configuration.
 }
 ```
 ## Sign In
 ```http
 POST /api/auth/login
 ```
 Allows users to sign in to the instance. This is the first step in the authentication process.
 - **Returns**: `302 Found` with a `Location` header to redirect the user to the next step, as well as a `Set-Cookie` header with the session JWT.
 - **Authentication**: Not required
 - **Permissions**: None
 - **Version History**:
  - `0.7.0`: First documented.
 ### Request
 - `identifier` (string, required): The username or email of the user. Case-insensitive.
 - `password` (string, required): The password of the user.
 #### Query Parameters
 - `client_id` (string, required): Client ID of the [application](https://docs.joinmastodon.org/entities/Application/) that is making the request.
 - `redirect_uri` (string, required): Redirect URI of the [application](https://docs.joinmastodon.org/entities/Application/) that is making the request. Must match the saved value.
 - `response_type` (string, required): Must be `code`.
 - `scope` (string, required): OAuth2 scopes. Must match the value indicated in the [application](https://docs.joinmastodon.org/entities/Application/).
 #### Example
 ```http
 POST /api/auth/login?client_id=123&redirect_uri=https%3A%2F%2Fexample.com%2Fauth&response_type=code&scope=read%20write
 Content-Type: application/json
 {
    "identifier": "bobjones@gmail.com",
    "password": "hunter2"
 }
 ```
 ### Response
 #### `302 Found`
 Redirects the user to the consent page with some query parameters. The frontend should redirect the user to this URL.
 This response also has a `Set-Cookie` header with a [JSON Web Token](https://jwt.io/) that contains the user's session information. This JWT is signed with the instance's secret key, and must be included in all subsequent authentication requests.
 ```http
 HTTP/2.0 302 Found
 Location: /oauth/consent?client_id=123&redirect_uri=https%3A%2F%2Fexample.com%2Fauth&response_type=code&scope=read%20write
 Set-Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=3600
 ```
 ## SSO Sign In
 ```http
@ -136,4 +84,4 @@ Redirects the user to the OpenID Connect provider's login page.
 ```http
 HTTP/2.0 302 Found
 Location: https://accounts.google.com/o/oauth2/auth?client_id=123&redirect_uri=https%3A%2F%2Fexample.com%2Fauth&response_type=code&scope=openid%20email&state=123
-```
+```
--- a/docs/frontend/routes.md
+++ b/docs/frontend/routes.md
@ -12,7 +12,7 @@ GET /oauth/authorize
 This route should display a login form for the user to enter their username and password, as well as a list of OpenID providers to use if available.
-The form should submit to [`POST /api/auth/login`](./auth.md#sign-in), or to the OpenID Connect flow.
+The form should submit to the OpenID Connect flow.
 Configurable in the Versia Server configuration at `frontend.routes.login`.
--- a/drizzle.config.ts
+++ b/drizzle.config.ts
@ -7,8 +7,8 @@ import type { Config } from "drizzle-kit";
 */
 export default {
    dialect: "postgresql",
-    out: "./drizzle/migrations",
+    out: "./packages/kit/tables/migrations",
-    schema: "./drizzle/schema.ts",
+    schema: "./packages/kit/tables/schema.ts",
    dbCredentials: {
        /* host: "localhost",
        port: 40000,
--- a/nix/package.nix
+++ b/nix/package.nix
@ -54,7 +54,7 @@ in
      # Required else we get errors that our fixed-output derivation references store paths
      dontFixup = true;
-      outputHash = "sha256-aG54v3luuJTmb/eonoILv3KBKW6mulk3xOpxLA6V5L8=";
+      outputHash = "sha256-geahFpkyWgHXKMxLp46AJW3TVWFm6jM4QZO0Z10mBWY=";
      outputHashAlgo = "sha256";
      outputHashMode = "recursive";
    };
--- a/package.json
+++ b/package.json
@ -58,6 +58,7 @@
            "@logtape/otel": "^1.0.0",
            "@scalar/hono-api-reference": "^0.9.7",
            "@sentry/bun": "^9.35.0",
            "openid-client": "^6.6.3",
            "altcha-lib": "^1.3.0",
            "blurhash": "^2.0.5",
            "bullmq": "^5.56.1",
@ -73,7 +74,6 @@
            "ioredis": "^5.6.1",
            "ip-matching": "^2.1.2",
            "iso-639-1": "^3.1.5",
            "jose": "^6.0.11",
            "linkify-html": "^4.3.1",
            "linkify-string": "^4.3.1",
            "linkifyjs": "^4.3.1",
@ -85,7 +85,6 @@
            "markdown-it-toc-done-right": "^4.2.0",
            "mime-types": "^3.0.1",
            "mitata": "^1.0.34",
            "oauth4webapi": "^3.5.5",
            "ora": "^8.2.0",
            "qs": "^6.14.0",
            "sharp": "^0.34.2",
@ -191,7 +190,6 @@
        "ioredis": "catalog:",
        "ip-matching": "catalog:",
        "iso-639-1": "catalog:",
        "jose": "catalog:",
        "linkify-html": "catalog:",
        "linkify-string": "catalog:",
        "linkifyjs": "catalog:",
@ -203,7 +201,6 @@
        "markdown-it-toc-done-right": "catalog:",
        "mime-types": "catalog:",
        "mitata": "catalog:",
        "oauth4webapi": "catalog:",
        "ora": "catalog:",
        "qs": "catalog:",
        "sharp": "catalog:",
--- a/packages/api/package.json
+++ b/packages/api/package.json
@ -55,6 +55,7 @@
        "@versia-server/logging": "workspace:*",
        "@versia/client": "workspace:*",
        "@versia/sdk": "workspace:*",
        "openid-client": "catalog:",
        "youch": "catalog:",
        "hono": "catalog:",
        "hono-openapi": "catalog:",
@ -66,7 +67,6 @@
        "unicode-emoji-json": "catalog:",
        "sharp": "catalog:",
        "iso-639-1": "catalog:",
        "jose": "catalog:",
        "zod-openapi": "catalog:",
        "@scalar/hono-api-reference": "catalog:",
        "hono-rate-limiter": "catalog:",
@ -75,7 +75,6 @@
        "altcha-lib": "catalog:",
        "@hono/standard-validator": "catalog:",
        "zod-validation-error": "catalog:",
-        "confbox": "catalog:",
+        "confbox": "catalog:"
        "oauth4webapi": "catalog:"
    }
 }
--- a/packages/api/plugins/openid/errors.ts
+++ b/packages/api/plugins/openid/errors.ts
@ -1,45 +0,0 @@
 import type { Context, TypedResponse } from "hono";
 export const errors = {
    InvalidJWT: ["invalid_request", "Invalid JWT: could not verify"],
    MissingJWTFields: [
        "invalid_request",
        "Invalid JWT: missing required fields (aud, sub, exp, iss)",
    ],
    InvalidSub: ["invalid_request", "Invalid JWT: sub is not a valid user ID"],
    UserNotFound: [
        "invalid_request",
        "Invalid JWT, could not find associated user",
    ],
    MissingOauthPermission: [
        "unauthorized",
        "User missing required 'oauth' permission",
    ],
    MissingApplication: [
        "invalid_request",
        "Invalid client_id: no associated API application found",
    ],
    InvalidRedirectUri: [
        "invalid_request",
        "Invalid redirect_uri: does not match API application's redirect_uri",
    ],
    InvalidScope: [
        "invalid_request",
        "Invalid scope: not a subset of the application's scopes",
    ],
 };
 export const errorRedirect = (
    context: Context,
    error: (typeof errors)[keyof typeof errors],
    extraParams?: URLSearchParams,
 ): Response & TypedResponse<undefined, 302, "redirect"> => {
    const errorSearchParams = new URLSearchParams(extraParams);
    errorSearchParams.append("error", error[0]);
    errorSearchParams.append("error_description", error[1]);
    return context.redirect(
        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
    );
 };
--- a/packages/api/plugins/openid/utils.ts
+++ b/packages/api/plugins/openid/utils.ts
@ -1,217 +0,0 @@
 import { type Application, db } from "@versia-server/kit/db";
 import type { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { eq, type InferSelectModel, type SQL } from "drizzle-orm";
 import {
    type AuthorizationResponseError,
    type AuthorizationServer,
    authorizationCodeGrantRequest,
    ClientSecretPost,
    discoveryRequest,
    expectNoState,
    getValidatedIdTokenClaims,
    processAuthorizationCodeResponse,
    processDiscoveryResponse,
    processUserInfoResponse,
    type ResponseBodyError,
    type TokenEndpointResponse,
    type UserInfoResponse,
    userInfoRequest,
    validateAuthResponse,
 } from "oauth4webapi";
 export const oauthDiscoveryRequest = (
    issuerUrl: URL,
 ): Promise<AuthorizationServer> => {
    return discoveryRequest(issuerUrl, {
        algorithm: "oidc",
    }).then((res) => processDiscoveryResponse(issuerUrl, res));
 };
 export const oauthRedirectUri = (baseUrl: URL, issuer: string): URL =>
    new URL(`/oauth/sso/${issuer}/callback`, baseUrl);
 const getFlow = (
    flowId: string,
 ): Promise<
    | (InferSelectModel<typeof OpenIdLoginFlows> & {
          application?: typeof Application.$type | null;
      })
    | undefined
 > => {
    return db.query.OpenIdLoginFlows.findFirst({
        where: (flow): SQL | undefined => eq(flow.id, flowId),
        with: {
            application: true,
        },
    });
 };
 const getAuthServer = (issuerUrl: URL): Promise<AuthorizationServer> => {
    return discoveryRequest(issuerUrl, {
        algorithm: "oidc",
    }).then((res) => processDiscoveryResponse(issuerUrl, res));
 };
 const getParameters = (
    authServer: AuthorizationServer,
    clientId: string,
    currentUrl: URL,
 ): URLSearchParams => {
    return validateAuthResponse(
        authServer,
        {
            client_id: clientId,
        },
        currentUrl,
        expectNoState,
    );
 };
 const getOIDCResponse = (
    authServer: AuthorizationServer,
    clientId: string,
    clientSecret: string,
    redirectUri: URL,
    codeVerifier: string,
    parameters: URLSearchParams,
 ): Promise<Response> => {
    return authorizationCodeGrantRequest(
        authServer,
        {
            client_id: clientId,
        },
        ClientSecretPost(clientSecret),
        parameters,
        redirectUri.toString(),
        codeVerifier,
    );
 };
 const processOIDCResponse = (
    authServer: AuthorizationServer,
    clientId: string,
    oidcResponse: Response,
 ): Promise<TokenEndpointResponse> => {
    return processAuthorizationCodeResponse(
        authServer,
        {
            client_id: clientId,
        },
        oidcResponse,
    );
 };
 const getUserInfo = (
    authServer: AuthorizationServer,
    clientId: string,
    accessToken: string,
    sub: string,
 ): Promise<UserInfoResponse> => {
    return userInfoRequest(
        authServer,
        {
            client_id: clientId,
        },
        accessToken,
    ).then(
        async (res) =>
            await processUserInfoResponse(
                authServer,
                {
                    client_id: clientId,
                },
                sub,
                res,
            ),
    );
 };
 export const automaticOidcFlow = async (
    issuer: {
        url: string;
        client_id: string;
        client_secret: string;
    },
    flowId: string,
    currentUrl: URL,
    redirectUrl: URL,
    errorFn: (
        error: string,
        message: string,
        flow:
            | (InferSelectModel<typeof OpenIdLoginFlows> & {
                  application?: typeof Application.$type | null;
              })
            | null,
    ) => Response,
 ): Promise<
    | Response
    | {
          userInfo: UserInfoResponse;
          flow: InferSelectModel<typeof OpenIdLoginFlows> & {
              application?: typeof Application.$type | null;
          };
          claims: Record<string, unknown>;
      }
 > => {
    const flow = await getFlow(flowId);
    if (!flow) {
        return errorFn("invalid_request", "Invalid flow", null);
    }
    try {
        const issuerUrl = new URL(issuer.url);
        const authServer = await getAuthServer(issuerUrl);
        const parameters = getParameters(
            authServer,
            issuer.client_id,
            currentUrl,
        );
        const oidcResponse = await getOIDCResponse(
            authServer,
            issuer.client_id,
            issuer.client_secret,
            redirectUrl,
            flow.codeVerifier,
            parameters,
        );
        const result = await processOIDCResponse(
            authServer,
            issuer.client_id,
            oidcResponse,
        );
        const { access_token } = result;
        const claims = getValidatedIdTokenClaims(result);
        if (!claims) {
            return errorFn("invalid_request", "Invalid claims", flow);
        }
        const { sub } = claims;
        // Validate `sub`
        // Later, we'll use this to automatically set the user's data
        const userInfo = await getUserInfo(
            authServer,
            issuer.client_id,
            access_token,
            sub,
        );
        return {
            userInfo,
            flow,
            claims,
        };
    } catch (e) {
        const error = e as ResponseBodyError | AuthorizationResponseError;
        return errorFn(error.error, error.error_description || "", flow);
    }
 };
--- a/packages/api/routes/api/auth/login/index.test.ts
+++ b/packages/api/routes/api/auth/login/index.test.ts
@ -1,229 +0,0 @@
 import { afterAll, describe, expect, test } from "bun:test";
 import { config } from "@versia-server/config";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 import { randomString } from "@/math";
 const { users, deleteUsers, passwords } = await getTestUsers(1);
 // Create application
 const application = await Application.insert({
    id: randomUUIDv7(),
    name: "Test Application",
    clientId: randomString(32, "hex"),
    secret: "test",
    redirectUri: "https://example.com",
    scopes: "read write",
 });
 afterAll(async () => {
    await deleteUsers();
    await application.delete();
 });
 // /api/auth/login
 describe("/api/auth/login", () => {
    test("should get a JWT with email", async () => {
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.email ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
            application.data.clientId,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
        );
        expect(locationHeader.searchParams.get("response_type")).toBe("code");
        expect(locationHeader.searchParams.get("scope")).toBe("read write");
        expect(response.headers.get("Set-Cookie")).toMatch(/jwt=[^;]+;/);
    });
    test("should get a JWT with username", async () => {
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.username ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
            application.data.clientId,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
        );
        expect(locationHeader.searchParams.get("response_type")).toBe("code");
        expect(locationHeader.searchParams.get("scope")).toBe("read write");
        expect(response.headers.get("Set-Cookie")).toMatch(/jwt=[^;]+;/);
    });
    test("should have state in the URL", async () => {
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.email ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write&state=abc`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
            application.data.clientId,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
        );
        expect(locationHeader.searchParams.get("response_type")).toBe("code");
        expect(locationHeader.searchParams.get("scope")).toBe("read write");
        expect(locationHeader.searchParams.get("state")).toBe("abc");
        expect(response.headers.get("Set-Cookie")).toMatch(/jwt=[^;]+;/);
    });
    describe("should reject invalid credentials", () => {
        // Redirects to /oauth/authorize on invalid
        test("invalid email", async () => {
            const formData = new FormData();
            formData.append("identifier", "ababa@gmail.com");
            formData.append("password", "password");
            const response = await fakeRequest(
                `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
                {
                    method: "POST",
                    body: formData,
                },
            );
            expect(response.status).toBe(302);
            expect(response.headers.get("location")).toBeDefined();
            const locationHeader = new URL(
                response.headers.get("Location") ?? "",
                "",
            );
            expect(locationHeader.pathname).toBe("/oauth/authorize");
            expect(locationHeader.searchParams.get("error")).toBe(
                "invalid_grant",
            );
            expect(locationHeader.searchParams.get("error_description")).toBe(
                "Invalid identifier or password",
            );
            expect(response.headers.get("Set-Cookie")).toBeNull();
        });
        test("invalid username", async () => {
            const formData = new FormData();
            formData.append("identifier", "ababa");
            formData.append("password", "password");
            const response = await fakeRequest(
                `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
                {
                    method: "POST",
                    body: formData,
                },
            );
            expect(response.status).toBe(302);
            expect(response.headers.get("location")).toBeDefined();
            const locationHeader = new URL(
                response.headers.get("Location") ?? "",
                "",
            );
            expect(locationHeader.pathname).toBe("/oauth/authorize");
            expect(locationHeader.searchParams.get("error")).toBe(
                "invalid_grant",
            );
            expect(locationHeader.searchParams.get("error_description")).toBe(
                "Invalid identifier or password",
            );
            expect(response.headers.get("Set-Cookie")).toBeNull();
        });
        test("invalid password", async () => {
            const formData = new FormData();
            formData.append("identifier", users[0]?.data.email ?? "");
            formData.append("password", "password");
            const response = await fakeRequest(
                `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
                {
                    method: "POST",
                    body: formData,
                },
            );
            expect(response.status).toBe(302);
            expect(response.headers.get("location")).toBeDefined();
            const locationHeader = new URL(
                response.headers.get("Location") ?? "",
                "",
            );
            expect(locationHeader.pathname).toBe("/oauth/authorize");
            expect(locationHeader.searchParams.get("error")).toBe(
                "invalid_grant",
            );
            expect(locationHeader.searchParams.get("error_description")).toBe(
                "Invalid identifier or password",
            );
            expect(response.headers.get("Set-Cookie")).toBeNull();
        });
    });
 });
--- a/packages/api/routes/api/auth/login/index.ts
+++ b/packages/api/routes/api/auth/login/index.ts
@ -1,197 +0,0 @@
 import { config } from "@versia-server/config";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { Application, User } from "@versia-server/kit/db";
 import { Users } from "@versia-server/kit/tables";
 import { password as bunPassword } from "bun";
 import { eq, or } from "drizzle-orm";
 import type { Context } from "hono";
 import { setCookie } from "hono/cookie";
 import { describeRoute, validator } from "hono-openapi";
 import { SignJWT } from "jose";
 import { z } from "zod/v4";
 const returnError = (
    context: Context,
    error: string,
    description: string,
 ): Response => {
    const searchParams = new URLSearchParams();
    // Add all data that is not undefined except email and password
    for (const [key, value] of Object.entries(context.req.query())) {
        if (key !== "email" && key !== "password" && value !== undefined) {
            searchParams.append(key, value);
        }
    }
    searchParams.append("error", error);
    searchParams.append("error_description", description);
    return context.redirect(
        new URL(
            `${config.frontend.routes.login}?${searchParams.toString()}`,
            config.http.base_url,
        ).toString(),
    );
 };
 export default apiRoute((app) =>
    app.post(
        "/api/auth/login",
        describeRoute({
            summary: "Login",
            description: "Login to the application",
            responses: {
                302: {
                    description: "Redirect to OAuth authorize, or error",
                    headers: {
                        "Set-Cookie": {
                            description: "JWT cookie",
                            required: false,
                        },
                    },
                },
            },
        }),
        validator(
            "query",
            z.object({
                scope: z.string().optional(),
                redirect_uri: z.url().optional(),
                response_type: z.enum([
                    "code",
                    "token",
                    "none",
                    "id_token",
                    "code id_token",
                    "code token",
                    "token id_token",
                    "code token id_token",
                ]),
                client_id: z.string(),
                state: z.string().optional(),
                code_challenge: z.string().optional(),
                code_challenge_method: z.enum(["plain", "S256"]).optional(),
                prompt: z
                    .enum(["none", "login", "consent", "select_account"])
                    .optional()
                    .default("none"),
                max_age: z
                    .number()
                    .int()
                    .optional()
                    .default(60 * 60 * 24 * 7),
            }),
            handleZodError,
        ),
        validator(
            "form",
            z.object({
                identifier: z
                    .email()
                    .toLowerCase()
                    .or(z.string().toLowerCase()),
                password: z.string().min(2).max(100),
            }),
            handleZodError,
        ),
        async (context) => {
            if (config.authentication.forced_openid) {
                return returnError(
                    context,
                    "invalid_request",
                    "Logging in with a password is disabled by the administrator. Please use a valid OpenID Connect provider.",
                );
            }
            const { identifier, password } = context.req.valid("form");
            const { client_id } = context.req.valid("query");
            // Find user
            const user = await User.fromSql(
                or(
                    eq(Users.email, identifier.toLowerCase()),
                    eq(Users.username, identifier.toLowerCase()),
                ),
            );
            if (
                !(
                    user &&
                    (await bunPassword.verify(
                        password,
                        user.data.password || "",
                    ))
                )
            ) {
                return returnError(
                    context,
                    "invalid_grant",
                    "Invalid identifier or password",
                );
            }
            if (user.data.passwordResetToken) {
                return context.redirect(
                    `${config.frontend.routes.password_reset}?${new URLSearchParams(
                        {
                            token: user.data.passwordResetToken ?? "",
                            login_reset: "true",
                        },
                    ).toString()}`,
                );
            }
            // Generate JWT
            const jwt = await new SignJWT({
                sub: user.id,
                iss: config.http.base_url.origin,
                aud: client_id,
                exp: Math.floor(Date.now() / 1000) + 60 * 60,
                iat: Math.floor(Date.now() / 1000),
                nbf: Math.floor(Date.now() / 1000),
            })
                .setProtectedHeader({ alg: "EdDSA" })
                .sign(config.authentication.keys.private);
            const application = await Application.fromClientId(client_id);
            if (!application) {
                throw new ApiError(400, "Invalid application");
            }
            const searchParams = new URLSearchParams({
                application: application.data.name,
            });
            if (application.data.website) {
                searchParams.append("website", application.data.website);
            }
            // Add all data that is not undefined except email and password
            for (const [key, value] of Object.entries(context.req.query())) {
                if (
                    key !== "email" &&
                    key !== "password" &&
                    value !== undefined
                ) {
                    searchParams.append(key, String(value));
                }
            }
            // Redirect to OAuth authorize with JWT
            setCookie(context, "jwt", jwt, {
                httpOnly: true,
                secure: true,
                sameSite: "Strict",
                path: "/",
                // 2 weeks
                maxAge: 60 * 60 * 24 * 14,
            });
            return context.redirect(
                `${config.frontend.routes.consent}?${searchParams.toString()}`,
            );
        },
    ),
 );
--- a/packages/api/routes/api/auth/redirect/index.ts
+++ b/packages/api/routes/api/auth/redirect/index.ts
@ -1,75 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { db } from "@versia-server/kit/db";
 import { Applications, Tokens } from "@versia-server/kit/tables";
 import { and, eq } from "drizzle-orm";
 import { describeRoute, validator } from "hono-openapi";
 import { z } from "zod/v4";
 /**
 * OAuth Code flow
 */
 export default apiRoute((app) =>
    app.get(
        "/api/auth/redirect",
        describeRoute({
            summary: "OAuth Code flow",
            description:
                "Redirects to the application, or back to login if the code is invalid",
            tags: ["OpenID"],
            responses: {
                302: {
                    description:
                        "Redirects to the application, or back to login if the code is invalid",
                },
            },
        }),
        validator(
            "query",
            z.object({
                redirect_uri: z.url(),
                client_id: z.string(),
                code: z.string(),
            }),
            handleZodError,
        ),
        async (context) => {
            const { redirect_uri, client_id, code } =
                context.req.valid("query");
            const redirectToLogin = (error: string): Response =>
                context.redirect(
                    `${config.frontend.routes.login}?${new URLSearchParams({
                        ...context.req.query,
                        error: encodeURIComponent(error),
                    }).toString()}`,
                );
            const foundToken = await db
                .select()
                .from(Tokens)
                .leftJoin(
                    Applications,
                    eq(Tokens.applicationId, Applications.id),
                )
                .where(
                    and(
                        eq(Tokens.code, code),
                        eq(Applications.clientId, client_id),
                    ),
                )
                .limit(1);
            if (!foundToken || foundToken.length <= 0) {
                return redirectToLogin("Invalid code");
            }
            // Redirect back to application
            return context.redirect(
                `${redirect_uri}?${new URLSearchParams({
                    code,
                }).toString()}`,
            );
        },
    ),
 );
--- a/packages/api/routes/api/auth/reset/index.test.ts
+++ b/packages/api/routes/api/auth/reset/index.test.ts
@ -1,124 +0,0 @@
 import { afterAll, describe, expect, test } from "bun:test";
 import { config } from "@versia-server/config";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 import { randomString } from "@/math";
 const { users, deleteUsers, passwords } = await getTestUsers(1);
 const token = randomString(32, "hex");
 const newPassword = randomString(16, "hex");
 // Create application
 const application = await Application.insert({
    id: randomUUIDv7(),
    name: "Test Application",
    clientId: randomString(32, "hex"),
    secret: "test",
    redirectUri: "https://example.com",
    scopes: "read write",
 });
 afterAll(async () => {
    await deleteUsers();
    await application.delete();
 });
 // /api/auth/reset
 describe("/api/auth/reset", () => {
    test("should login with normal password", async () => {
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.username ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
    });
    test("should reset password and refuse login with old password", async () => {
        await users[0]?.update({
            passwordResetToken: token,
        });
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.username ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        expect(locationHeader.pathname).toBe("/oauth/reset");
        expect(locationHeader.searchParams.get("token")).toBe(token);
    });
    test("should reset password and login with new password", async () => {
        const formData = new FormData();
        formData.append("token", token);
        formData.append("password", newPassword);
        formData.append("password2", newPassword);
        const response = await fakeRequest("/api/auth/reset", {
            method: "POST",
            body: formData,
        });
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const loginFormData = new FormData();
        loginFormData.append("identifier", users[0]?.data.username ?? "");
        loginFormData.append("password", newPassword);
        const loginResponse = await fakeRequest(
            `/api/auth/login?client_id=${application.data.clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: loginFormData,
            },
        );
        expect(loginResponse.status).toBe(302);
        expect(loginResponse.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            loginResponse.headers.get("Location") ?? "",
            config.http.base_url,
        );
        expect(locationHeader.pathname).toBe("/oauth/consent");
        expect(locationHeader.searchParams.get("client_id")).toBe(
            application.data.clientId,
        );
        expect(locationHeader.searchParams.get("redirect_uri")).toBe(
            "https://example.com",
        );
        expect(locationHeader.searchParams.get("response_type")).toBe("code");
        expect(locationHeader.searchParams.get("scope")).toBe("read write");
        expect(loginResponse.headers.get("Set-Cookie")).toMatch(/jwt=[^;]+;/);
    });
 });
--- a/packages/api/routes/api/auth/reset/index.ts
+++ b/packages/api/routes/api/auth/reset/index.ts
@ -1,80 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { User } from "@versia-server/kit/db";
 import { Users } from "@versia-server/kit/tables";
 import { password as bunPassword } from "bun";
 import { eq } from "drizzle-orm";
 import type { Context } from "hono";
 import { describeRoute, validator } from "hono-openapi";
 import { z } from "zod/v4";
 const returnError = (
    context: Context,
    token: string,
    error: string,
    description: string,
 ): Response => {
    const searchParams = new URLSearchParams();
    searchParams.append("error", error);
    searchParams.append("error_description", description);
    searchParams.append("token", token);
    return context.redirect(
        new URL(
            `${
                config.frontend.routes.password_reset
            }?${searchParams.toString()}`,
            config.http.base_url,
        ).toString(),
    );
 };
 export default apiRoute((app) =>
    app.post(
        "/api/auth/reset",
        describeRoute({
            summary: "Reset password",
            description: "Reset password",
            responses: {
                302: {
                    description:
                        "Redirect to the password reset page with a message",
                },
            },
        }),
        validator(
            "form",
            z.object({
                token: z.string().min(1),
                password: z.string().min(3).max(100),
            }),
            handleZodError,
        ),
        async (context) => {
            const { token, password } = context.req.valid("form");
            const user = await User.fromSql(
                eq(Users.passwordResetToken, token),
            );
            if (!user) {
                return returnError(
                    context,
                    token,
                    "invalid_token",
                    "Invalid token",
                );
            }
            await user.update({
                password: await bunPassword.hash(password),
                passwordResetToken: null,
            });
            return context.redirect(
                `${config.frontend.routes.password_reset}?success=true`,
            );
        },
    ),
 );
--- a/packages/api/routes/api/oauth/authorize.test.ts
+++ b/packages/api/routes/api/oauth/authorize.test.ts
@ -1,394 +0,0 @@
 import { afterAll, describe, expect, test } from "bun:test";
 import { RolePermission } from "@versia/client/schemas";
 import { config } from "@versia-server/config";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 import { SignJWT } from "jose";
 import { randomString } from "@/math";
 const { deleteUsers, tokens, users } = await getTestUsers(1);
 const application = await Application.insert({
    id: randomUUIDv7(),
    clientId: "test-client-id",
    redirectUri: "https://example.com/callback",
    scopes: "openid profile email",
    name: "Test Application",
    secret: "test-secret",
 });
 afterAll(async () => {
    await deleteUsers();
    await application.delete();
 });
 describe("/oauth/authorize", () => {
    test("should authorize and redirect with valid inputs", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(location.origin + location.pathname).toBe(
            application.data.redirectUri,
        );
        expect(params.get("code")).toBeTruthy();
        expect(params.get("state")).toBe("test-state");
    });
    test("should return error for invalid JWT", async () => {
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: "jwt=invalid-jwt",
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT: could not verify",
        );
    });
    test("should return error for missing required fields in JWT", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT: missing required fields (aud, sub, exp, iss)",
        );
    });
    test("should return error for user not found", async () => {
        const jwt = await new SignJWT({
            sub: "non-existent-user",
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iss: config.http.base_url.origin,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid JWT: sub is not a valid user ID",
        );
        const jwt2 = await new SignJWT({
            sub: "23e42862-d5df-49a8-95b5-52d8c6a11aea",
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iss: config.http.base_url.origin,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response2 = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt2}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response2.status).toBe(302);
        const location2 = new URL(
            response2.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params2 = new URLSearchParams(location2.search);
        expect(params2.get("error")).toBe("invalid_request");
        expect(params2.get("error_description")).toBe(
            "Invalid JWT, could not find associated user",
        );
    });
    test("should return error for user missing required permissions", async () => {
        const oldPermissions = config.permissions.default;
        config.permissions.default = [];
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("unauthorized");
        expect(params.get("error_description")).toBe(
            `User missing required '${RolePermission.OAuth}' permission`,
        );
        config.permissions.default = oldPermissions;
    });
    test("should return error for invalid client_id", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            aud: "invalid-client-id",
            iss: config.http.base_url.origin,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: "invalid-client-id",
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid client_id: no associated API application found",
        );
    });
    test("should return error for invalid redirect_uri", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: "https://invalid.com/callback",
                response_type: "code",
                scope: application.data.scopes,
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid redirect_uri: does not match API application's redirect_uri",
        );
    });
    test("should return error for invalid scope", async () => {
        const jwt = await new SignJWT({
            sub: users[0].id,
            iss: config.http.base_url.origin,
            aud: application.data.clientId,
            exp: Math.floor(Date.now() / 1000) + 60 * 60,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000),
        })
            .setProtectedHeader({ alg: "EdDSA" })
            .sign(config.authentication.keys.private);
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${tokens[0].data.accessToken}`,
                "Content-Type": "application/json",
                Cookie: `jwt=${jwt}`,
            },
            body: JSON.stringify({
                client_id: application.data.clientId,
                redirect_uri: application.data.redirectUri,
                response_type: "code",
                scope: "invalid-scope",
                state: "test-state",
                code_challenge: randomString(43),
                code_challenge_method: "S256",
            }),
        });
        expect(response.status).toBe(302);
        const location = new URL(
            response.headers.get("Location") ?? "",
            config.http.base_url,
        );
        const params = new URLSearchParams(location.search);
        expect(params.get("error")).toBe("invalid_request");
        expect(params.get("error_description")).toBe(
            "Invalid scope: not a subset of the application's scopes",
        );
    });
 });
--- a/packages/api/routes/api/oauth/authorize.ts
+++ b/packages/api/routes/api/oauth/authorize.ts
@ -1,277 +0,0 @@
 import { RolePermission } from "@versia/client/schemas";
 import { config } from "@versia-server/config";
 import {
    apiRoute,
    auth,
    handleZodError,
    jsonOrForm,
 } from "@versia-server/kit/api";
 import { Application, Token, User } from "@versia-server/kit/db";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, validator } from "hono-openapi";
 import { type JWTPayload, jwtVerify, SignJWT } from "jose";
 import { JOSEError } from "jose/errors";
 import { z } from "zod/v4";
 import { randomString } from "@/math";
 import { errorRedirect, errors } from "../../../plugins/openid/errors.ts";
 export default apiRoute((app) =>
    app.post(
        "/oauth/authorize",
        describeRoute({
            summary: "Main OpenID authorization endpoint",
            tags: ["OpenID"],
            responses: {
                302: {
                    description: "Redirect to the application",
                },
            },
        }),
        auth({
            auth: false,
        }),
        jsonOrForm(),
        validator(
            "query",
            z.object({
                prompt: z
                    .enum(["none", "login", "consent", "select_account"])
                    .optional()
                    .default("none"),
                max_age: z.coerce
                    .number()
                    .int()
                    .optional()
                    .default(60 * 60 * 24 * 7),
            }),
            handleZodError,
        ),
        validator(
            "json",
            z
                .object({
                    scope: z.string().optional(),
                    redirect_uri: z
                        .url()
                        .optional()
                        .or(z.literal("urn:ietf:wg:oauth:2.0:oob")),
                    response_type: z.enum([
                        "code",
                        "token",
                        "none",
                        "id_token",
                        "code id_token",
                        "code token",
                        "token id_token",
                        "code token id_token",
                    ]),
                    client_id: z.string(),
                    state: z.string().optional(),
                    code_challenge: z.string().optional(),
                    code_challenge_method: z.enum(["plain", "S256"]).optional(),
                })
                .refine(
                    // Check if redirect_uri is valid for code flow
                    (data) =>
                        data.response_type.includes("code")
                            ? data.redirect_uri
                            : true,
                    "redirect_uri is required for code flow",
                ),
            // Disable for Mastodon API compatibility
            /* .refine(
                    // Check if code_challenge is valid for code flow
                    (data) =>
                        data.response_type.includes("code")
                            ? data.code_challenge
                            : true,
                    "code_challenge is required for code flow",
                ), */
            handleZodError,
        ),
        validator(
            "cookie",
            z.object({
                jwt: z.string(),
            }),
            handleZodError,
        ),
        async (context) => {
            const { scope, redirect_uri, client_id, state } =
                context.req.valid("json");
            const { jwt } = context.req.valid("cookie");
            const errorSearchParams = new URLSearchParams(
                context.req.valid("json"),
            );
            const result = await jwtVerify(
                jwt,
                config.authentication.keys.public,
                {
                    algorithms: ["EdDSA"],
                    audience: client_id,
                    issuer: new URL(context.get("config").http.base_url).origin,
                },
            ).catch((error) => {
                if (error instanceof JOSEError) {
                    return null;
                }
                throw error;
            });
            if (!result) {
                return errorRedirect(
                    context,
                    errors.InvalidJWT,
                    errorSearchParams,
                );
            }
            const {
                payload: { aud, sub, exp },
            } = result;
            if (!(aud && sub && exp)) {
                return errorRedirect(
                    context,
                    errors.MissingJWTFields,
                    errorSearchParams,
                );
            }
            if (!z.uuid().safeParse(sub).success) {
                return errorRedirect(
                    context,
                    errors.InvalidSub,
                    errorSearchParams,
                );
            }
            const user = await User.fromId(sub);
            if (!user) {
                return errorRedirect(
                    context,
                    errors.UserNotFound,
                    errorSearchParams,
                );
            }
            if (!user.hasPermission(RolePermission.OAuth)) {
                return errorRedirect(
                    context,
                    errors.MissingOauthPermission,
                    errorSearchParams,
                );
            }
            const application = await Application.fromClientId(client_id);
            if (!application) {
                return errorRedirect(
                    context,
                    errors.MissingApplication,
                    errorSearchParams,
                );
            }
            if (application.data.redirectUri !== redirect_uri) {
                return errorRedirect(
                    context,
                    errors.InvalidRedirectUri,
                    errorSearchParams,
                );
            }
            // Check that scopes are a subset of the application's scopes
            if (
                scope &&
                !scope
                    .split(" ")
                    .every((s) => application.data.scopes.includes(s))
            ) {
                return errorRedirect(
                    context,
                    errors.InvalidScope,
                    errorSearchParams,
                );
            }
            const code = randomString(256, "base64url");
            let payload: JWTPayload = {};
            if (scope) {
                if (scope.split(" ").includes("openid")) {
                    payload = {
                        ...payload,
                        sub: user.id,
                        iss: new URL(context.get("config").http.base_url)
                            .origin,
                        aud: client_id,
                        exp: Math.floor(Date.now() / 1000) + 60 * 60,
                        iat: Math.floor(Date.now() / 1000),
                        nbf: Math.floor(Date.now() / 1000),
                    };
                }
                if (scope.split(" ").includes("profile")) {
                    payload = {
                        ...payload,
                        name: user.data.displayName,
                        preferred_username: user.data.username,
                        picture: user.getAvatarUrl().href,
                        updated_at: new Date(user.data.updatedAt).toISOString(),
                    };
                }
                if (scope.split(" ").includes("email")) {
                    payload = {
                        ...payload,
                        email: user.data.email,
                        // TODO: Add verification system
                        email_verified: true,
                    };
                }
            }
            const idToken = await new SignJWT(payload)
                .setProtectedHeader({ alg: "EdDSA" })
                .sign(config.authentication.keys.private);
            await Token.insert({
                id: randomUUIDv7(),
                accessToken: randomString(64, "base64url"),
                code,
                scope: scope ?? application.data.scopes,
                tokenType: "Bearer",
                applicationId: application.id,
                redirectUri: redirect_uri ?? application.data.redirectUri,
                expiresAt: new Date(
                    Date.now() + 60 * 60 * 24 * 14,
                ).toISOString(),
                idToken: ["profile", "email", "openid"].some((s) =>
                    scope?.split(" ").includes(s),
                )
                    ? idToken
                    : null,
                clientId: client_id,
                userId: user.id,
            });
            const redirectUri =
                redirect_uri === "urn:ietf:wg:oauth:2.0:oob"
                    ? new URL(
                          "/oauth/code",
                          context.get("config").http.base_url,
                      )
                    : new URL(redirect_uri ?? application.data.redirectUri);
            redirectUri.searchParams.append("code", code);
            state && redirectUri.searchParams.append("state", state);
            return context.redirect(redirectUri.toString());
        },
    ),
 );
--- a/packages/api/routes/api/oauth/sso.ts
+++ b/packages/api/routes/api/oauth/sso.ts
@ -1,130 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { Application, db } from "@versia-server/kit/db";
 import { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, validator } from "hono-openapi";
 import {
    calculatePKCECodeChallenge,
    discoveryRequest,
    generateRandomCodeVerifier,
    processDiscoveryResponse,
 } from "oauth4webapi";
 import { z } from "zod/v4";
 import { oauthRedirectUri } from "../../../plugins/openid/utils.ts";
 export default apiRoute((app) => {
    app.get(
        "/oauth/sso",
        describeRoute({
            summary: "Initiate SSO login flow",
            tags: ["OpenID"],
            responses: {
                302: {
                    description:
                        "Redirect to SSO login, or redirect to login page with error",
                },
            },
        }),
        validator(
            "query",
            z.object({
                issuer: z.string(),
                client_id: z.string().optional(),
                redirect_uri: z.url().optional(),
                scope: z.string().optional(),
                response_type: z.enum(["code"]).optional(),
            }),
            handleZodError,
        ),
        async (context) => {
            // This is the Versia client's client_id, not the external OAuth provider's client_id
            const { issuer: issuerId, client_id } = context.req.valid("query");
            const errorSearchParams = new URLSearchParams(
                context.req.valid("query"),
            );
            if (!client_id || client_id === "undefined") {
                errorSearchParams.append("error", "invalid_request");
                errorSearchParams.append(
                    "error_description",
                    "client_id is required",
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            const issuer = config.authentication.openid_providers.find(
                (provider) => provider.id === issuerId,
            );
            if (!issuer) {
                errorSearchParams.append("error", "invalid_request");
                errorSearchParams.append(
                    "error_description",
                    "issuer is invalid",
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            const issuerUrl = new URL(issuer.url);
            const authServer = await discoveryRequest(issuerUrl, {
                algorithm: "oidc",
            }).then((res) => processDiscoveryResponse(issuerUrl, res));
            const codeVerifier = generateRandomCodeVerifier();
            const application = await Application.fromClientId(client_id);
            if (!application) {
                errorSearchParams.append("error", "invalid_request");
                errorSearchParams.append(
                    "error_description",
                    "client_id is invalid",
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            // Store into database
            const newFlow = (
                await db
                    .insert(OpenIdLoginFlows)
                    .values({
                        id: randomUUIDv7(),
                        codeVerifier,
                        applicationId: application.id,
                        issuerId,
                    })
                    .returning()
            )[0];
            const codeChallenge =
                await calculatePKCECodeChallenge(codeVerifier);
            return context.redirect(
                `${authServer.authorization_endpoint}?${new URLSearchParams({
                    client_id: issuer.client_id,
                    redirect_uri: `${oauthRedirectUri(
                        context.get("config").http.base_url,
                        issuerId,
                    )}?flow=${newFlow.id}`,
                    response_type: "code",
                    scope: "openid profile email",
                    // PKCE
                    code_challenge_method: "S256",
                    code_challenge: codeChallenge,
                }).toString()}`,
            );
        },
    );
 });
--- a/packages/api/routes/api/oauth/token.ts
+++ b/packages/api/routes/api/oauth/token.ts
@ -1,190 +0,0 @@
 import { apiRoute, handleZodError, jsonOrForm } from "@versia-server/kit/api";
 import { Application, Token } from "@versia-server/kit/db";
 import { Tokens } from "@versia-server/kit/tables";
 import { and, eq } from "drizzle-orm";
 import { describeRoute, resolver, validator } from "hono-openapi";
 import { z } from "zod/v4";
 export default apiRoute((app) => {
    app.post(
        "/oauth/token",
        describeRoute({
            summary: "Get token",
            tags: ["OpenID"],
            responses: {
                200: {
                    description: "Token",
                    content: {
                        "application/json": {
                            schema: resolver(
                                z.object({
                                    access_token: z.string(),
                                    token_type: z.string(),
                                    expires_in: z
                                        .number()
                                        .optional()
                                        .nullable(),
                                    id_token: z.string().optional().nullable(),
                                    refresh_token: z
                                        .string()
                                        .optional()
                                        .nullable(),
                                    scope: z.string().optional(),
                                    created_at: z.number(),
                                }),
                            ),
                        },
                    },
                },
                401: {
                    description: "Authorization error",
                    content: {
                        "application/json": {
                            schema: resolver(
                                z.object({
                                    error: z.string(),
                                    error_description: z.string(),
                                }),
                            ),
                        },
                    },
                },
            },
        }),
        jsonOrForm(),
        validator(
            "json",
            z.object({
                code: z.string().optional(),
                code_verifier: z.string().optional(),
                grant_type: z
                    .enum([
                        "authorization_code",
                        "refresh_token",
                        "client_credentials",
                        "password",
                        "urn:ietf:params:oauth:grant-type:device_code",
                        "urn:ietf:params:oauth:grant-type:token-exchange",
                        "urn:ietf:params:oauth:grant-type:saml2-bearer",
                        "urn:openid:params:grant-type:ciba",
                    ])
                    .default("authorization_code"),
                client_id: z.string().optional(),
                client_secret: z.string().optional(),
                username: z.string().trim().optional(),
                password: z.string().trim().optional(),
                redirect_uri: z.url().optional(),
                refresh_token: z.string().optional(),
                scope: z.string().optional(),
                assertion: z.string().optional(),
                audience: z.string().optional(),
                subject_token_type: z.string().optional(),
                subject_token: z.string().optional(),
                actor_token_type: z.string().optional(),
                actor_token: z.string().optional(),
                auth_req_id: z.string().optional(),
            }),
            handleZodError,
        ),
        async (context) => {
            const { grant_type, code, redirect_uri, client_id, client_secret } =
                context.req.valid("json");
            switch (grant_type) {
                case "authorization_code": {
                    if (!code) {
                        return context.json(
                            {
                                error: "invalid_request",
                                error_description: "Code is required",
                            },
                            401,
                        );
                    }
                    if (!redirect_uri) {
                        return context.json(
                            {
                                error: "invalid_request",
                                error_description: "Redirect URI is required",
                            },
                            401,
                        );
                    }
                    if (!client_id) {
                        return context.json(
                            {
                                error: "invalid_request",
                                error_description: "Client ID is required",
                            },
                            401,
                        );
                    }
                    // Verify the client_secret
                    const client = await Application.fromClientId(client_id);
                    if (!client || client.data.secret !== client_secret) {
                        return context.json(
                            {
                                error: "invalid_client",
                                error_description: "Invalid client credentials",
                            },
                            401,
                        );
                    }
                    const token = await Token.fromSql(
                        and(
                            eq(Tokens.code, code),
                            eq(Tokens.redirectUri, decodeURI(redirect_uri)),
                            eq(Tokens.clientId, client_id),
                        ),
                    );
                    if (!token) {
                        return context.json(
                            {
                                error: "invalid_grant",
                                error_description: "Code not found",
                            },
                            401,
                        );
                    }
                    // Invalidate the code
                    await token.update({ code: null });
                    return context.json(
                        {
                            ...token.toApi(),
                            expires_in: token.data.expiresAt
                                ? Math.floor(
                                      (new Date(
                                          token.data.expiresAt,
                                      ).getTime() -
                                          Date.now()) /
                                          1000,
                                  )
                                : null,
                            id_token: token.data.idToken,
                            refresh_token: null,
                        },
                        200,
                    );
                }
                default:
            }
            return context.json(
                {
                    error: "unsupported_grant_type",
                    error_description: "Unsupported grant type",
                },
                401,
            );
        },
    );
 });
--- a/packages/api/routes/api/v1/apps/index.ts
+++ b/packages/api/routes/api/v1/apps/index.ts
@ -4,8 +4,7 @@ import {
 } from "@versia/client/schemas";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, handleZodError, jsonOrForm } from "@versia-server/kit/api";
-import { Application } from "@versia-server/kit/db";
+import { Client } from "@versia-server/kit/db";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, resolver, validator } from "hono-openapi";
 import { z } from "zod/v4";
 import { randomString } from "@/math";
@ -63,15 +62,14 @@ export default apiRoute((app) =>
            const { client_name, redirect_uris, scopes, website } =
                context.req.valid("json");
-            const app = await Application.insert({
+            const app = await Client.insert({
-                id: randomUUIDv7(),
+                id: randomString(32, "base64url"),
                name: client_name,
-                redirectUri: Array.isArray(redirect_uris)
+                redirectUris: Array.isArray(redirect_uris)
-                    ? redirect_uris.join("\n")
+                    ? redirect_uris
-                    : redirect_uris,
+                    : [redirect_uris],
-                scopes,
+                scopes: scopes.split(" "),
                website: website || undefined,
                clientId: randomString(32, "base64url"),
                secret: randomString(64, "base64url"),
            });
--- a/packages/api/routes/api/v1/apps/verify_credentials/index.ts
+++ b/packages/api/routes/api/v1/apps/verify_credentials/index.ts
@ -4,7 +4,7 @@ import {
 } from "@versia/client/schemas";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, auth } from "@versia-server/kit/api";
-import { Application } from "@versia-server/kit/db";
+import { Client } from "@versia-server/kit/db";
 import { describeRoute, resolver } from "hono-openapi";
 export default apiRoute((app) =>
@ -38,7 +38,7 @@ export default apiRoute((app) =>
        async (context) => {
            const { token } = context.get("auth");
-            const application = await Application.getFromToken(
+            const application = await Client.getFromToken(
                token.data.accessToken,
            );
--- a/packages/api/routes/api/v1/instance/index.ts
+++ b/packages/api/routes/api/v1/instance/index.ts
@ -111,7 +111,6 @@ export default apiRoute((app) =>
                version: "4.3.0-alpha.3+glitch",
                versia_version: version,
                sso: {
                    forced: config.authentication.forced_openid,
                    providers: config.authentication.openid_providers.map(
                        (p) => ({
                            name: p.name,
--- a/packages/api/routes/api/v1/sso/index.ts
+++ b/packages/api/routes/api/v1/sso/index.ts
@ -2,19 +2,13 @@ import { RolePermission } from "@versia/client/schemas";
 import { config } from "@versia-server/config";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, auth, handleZodError } from "@versia-server/kit/api";
-import { Application, db } from "@versia-server/kit/db";
+import { Client, db } from "@versia-server/kit/db";
 import { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, resolver, validator } from "hono-openapi";
-import {
+import * as client from "openid-client";
    calculatePKCECodeChallenge,
    generateRandomCodeVerifier,
 } from "oauth4webapi";
 import { z } from "zod/v4";
-import {
+import { oauthRedirectUri } from "@/lib";
    oauthDiscoveryRequest,
    oauthRedirectUri,
 } from "../../../../plugins/openid/utils.ts";
 export default apiRoute((app) => {
    app.get(
@ -105,25 +99,39 @@ export default apiRoute((app) => {
                );
            }
-            const authServer = await oauthDiscoveryRequest(new URL(issuer.url));
+            const oidcConfig = await client.discovery(
                issuer.url,
                issuer.client_id,
                issuer.client_secret,
            );
            const codeVerifier = client.randomPKCECodeVerifier();
            const codeChallenge =
                await client.calculatePKCECodeChallenge(codeVerifier);
-            const codeVerifier = generateRandomCodeVerifier();
+            const parameters: Record<string, string> = {
                scope: "openid profile email",
                code_challenge: codeChallenge,
                code_challenge_method: "S256",
            };
            if (!oidcConfig.serverMetadata().supportsPKCE()) {
                parameters.state = client.randomState();
            }
            const redirectUri = oauthRedirectUri(
                context.get("config").http.base_url,
                issuerId,
            );
-            const application = await Application.insert({
+            const application = await Client.insert({
-                id: randomUUIDv7(),
+                id:
                clientId:
                    user.id +
                    Buffer.from(
                        crypto.getRandomValues(new Uint8Array(32)),
                    ).toString("base64"),
                name: "Versia",
-                redirectUri: redirectUri.toString(),
+                redirectUris: [redirectUri.href],
-                scopes: "openid profile email",
+                scopes: ["openid", "profile", "email"],
                secret: "",
            });
@ -134,30 +142,28 @@ export default apiRoute((app) => {
                    .values({
                        id: randomUUIDv7(),
                        codeVerifier,
                        state: parameters.state,
                        issuerId,
-                        applicationId: application.id,
+                        clientId: application.id,
                    })
                    .returning()
            )[0];
-            const codeChallenge =
+            parameters.redirect_uri = `${oauthRedirectUri(
-                await calculatePKCECodeChallenge(codeVerifier);
+                config.http.base_url,
                issuerId,
            )}?${new URLSearchParams({
                flow: newFlow.id,
                link: "true",
                user_id: user.id,
            })}`;
-            return context.redirect(
+            const redirectTo = client.buildAuthorizationUrl(
-                `${authServer.authorization_endpoint}?${new URLSearchParams({
+                oidcConfig,
-                    client_id: issuer.client_id,
+                parameters,
                    redirect_uri: `${redirectUri}?${new URLSearchParams({
                        flow: newFlow.id,
                        link: "true",
                        user_id: user.id,
                    })}`,
                    response_type: "code",
                    scope: "openid profile email",
                    // PKCE
                    code_challenge_method: "S256",
                    code_challenge: codeChallenge,
                }).toString()}`,
            );
            return context.redirect(redirectTo);
        },
    );
 });
--- a/packages/api/routes/api/v1/statuses/index.ts
+++ b/packages/api/routes/api/v1/statuses/index.ts
@ -249,7 +249,7 @@ export default apiRoute((app) =>
                spoilerText: sanitizedSpoilerText,
                replyId: in_reply_to_id ?? undefined,
                quotingId: quote_id ?? undefined,
-                applicationId: application?.id,
+                clientId: application?.id,
                contentSource: status,
                contentType: content_type,
            });
--- a/packages/api/routes/api/v2/instance/index.ts
+++ b/packages/api/routes/api/v2/instance/index.ts
@ -151,7 +151,6 @@ export default apiRoute((app) =>
                    hint: r.hint,
                })),
                sso: {
                    forced: config.authentication.forced_openid,
                    providers: config.authentication.openid_providers.map(
                        (p) => ({
                            name: p.name,
--- a/packages/api/routes/oauth.test.ts
+++ b/packages/api/routes/oauth.test.ts
@ -1,28 +1,17 @@
 import { afterAll, describe, expect, test } from "bun:test";
-import type { Token } from "@versia/client/schemas";
+import { generateClient, getTestUsers } from "@versia-server/tests";
 import {
    fakeRequest,
    generateClient,
    getTestUsers,
 } from "@versia-server/tests";
 import type { z } from "zod/v4";
-let clientId: string;
+const { users, deleteUsers } = await getTestUsers(1);
 let clientSecret: string;
 let code: string;
 let jwt: string;
 let token: z.infer<typeof Token>;
 const { users, passwords, deleteUsers } = await getTestUsers(1);
 afterAll(async () => {
    await deleteUsers();
 });
 describe("Login flow", () => {
-    test("should create an application", async () => {
+    test("should create a client", async () => {
        const client = await generateClient(users[0]);
-        const { ok, data } = await client.createApp("Test Application", {
+        const { ok, data } = await client.createApp("Test Client", {
            redirect_uris: "https://example.com",
            website: "https://example.com",
            scopes: ["read", "write"],
@ -30,7 +19,7 @@ describe("Login flow", () => {
        expect(ok).toBe(true);
        expect(data).toEqual({
-            name: "Test Application",
+            name: "Test Client",
            website: "https://example.com",
            client_id: expect.any(String),
            client_secret: expect.any(String),
@ -39,110 +28,7 @@ describe("Login flow", () => {
            redirect_uris: ["https://example.com"],
            scopes: ["read", "write"],
        });
        clientId = data.client_id;
        clientSecret = data.client_secret;
    });
-    test("should get a JWT", async () => {
+    // TODO: Test full flow including OpenID part
        const formData = new FormData();
        formData.append("identifier", users[0]?.data.email ?? "");
        formData.append("password", passwords[0]);
        const response = await fakeRequest(
            `/api/auth/login?client_id=${clientId}&redirect_uri=https://example.com&response_type=code&scope=read+write`,
            {
                method: "POST",
                body: formData,
            },
        );
        expect(response.status).toBe(302);
        jwt =
            response.headers.get("Set-Cookie")?.match(/jwt=([^;]+);/)?.[1] ??
            "";
    });
    test("should get a code", async () => {
        const response = await fakeRequest("/oauth/authorize", {
            method: "POST",
            headers: {
                Cookie: `jwt=${jwt}`,
            },
            body: new URLSearchParams({
                client_id: clientId,
                client_secret: clientSecret,
                redirect_uri: "https://example.com",
                response_type: "code",
                scope: "read write",
                max_age: "604800",
            }),
        });
        expect(response.status).toBe(302);
        expect(response.headers.get("location")).toBeDefined();
        const locationHeader = new URL(
            response.headers.get("Location") ?? "",
            "",
        );
        expect(locationHeader.origin).toBe("https://example.com");
        code = locationHeader.searchParams.get("code") ?? "";
    });
    test("should get an access token", async () => {
        const response = await fakeRequest("/oauth/token", {
            method: "POST",
            headers: {
                Authorization: `Bearer ${jwt}`,
                "Content-Type": "application/x-www-form-urlencoded",
            },
            body: new URLSearchParams({
                grant_type: "authorization_code",
                code,
                redirect_uri: "https://example.com",
                client_id: clientId,
                client_secret: clientSecret,
                scope: "read write",
            }),
        });
        const json = await response.json();
        expect(response.status).toBe(200);
        expect(response.headers.get("content-type")).toContain(
            "application/json",
        );
        expect(json).toEqual({
            access_token: expect.any(String),
            token_type: "Bearer",
            scope: "read write",
            created_at: expect.any(Number),
            expires_in: expect.any(Number),
            id_token: null,
            refresh_token: null,
        });
        token = json;
    });
    test("should return the authenticated application's credentials", async () => {
        const client = await generateClient(users[0]);
        const { ok, data } = await client.verifyAppCredentials({
            headers: {
                Authorization: `Bearer ${token.access_token}`,
            },
        });
        expect(ok).toBe(true);
        const credentials = data;
        expect(credentials.name).toBe("Test Application");
        expect(credentials.website).toBe("https://example.com");
    });
 });
--- a/packages/api/routes/api/oauth/revoke.test.ts
+++ b/packages/api/routes/api/oauth/revoke.test.ts
@ -1,31 +1,26 @@
 import { afterAll, describe, expect, test } from "bun:test";
-import { Application, Token } from "@versia-server/kit/db";
+import { Client, Token } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 const { deleteUsers, users } = await getTestUsers(1);
-const application = await Application.insert({
+const application = await Client.insert({
    id: randomUUIDv7(),
-    clientId: "test-client-id",
+    redirectUris: ["https://example.com/callback"],
-    redirectUri: "https://example.com/callback",
+    scopes: ["openid", "profile", "email"],
    scopes: "openid profile email",
    secret: "test-secret",
    name: "Test Application",
 });
 const token = await Token.insert({
    id: randomUUIDv7(),
-    code: "test-code",
+    clientId: application.id,
    redirectUri: application.data.redirectUri,
    clientId: application.data.clientId,
    accessToken: "test-access-token",
    expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
    createdAt: new Date().toISOString(),
-    tokenType: "Bearer",
+    scopes: application.data.scopes,
    scope: application.data.scopes,
    userId: users[0].id,
    applicationId: application.id,
 });
 afterAll(async () => {
@ -42,7 +37,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
                token: "test-access-token",
            }),
@ -60,7 +55,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
@ -80,7 +75,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: "invalid-secret",
                token: "test-access-token",
            }),
@ -101,7 +96,7 @@ describe("/oauth/revoke", () => {
                "Content-Type": "application/json",
            },
            body: JSON.stringify({
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
                token: "invalid-token",
            }),
--- a/packages/api/routes/api/oauth/revoke.ts
+++ b/packages/api/routes/api/oauth/revoke.ts
@ -68,7 +68,7 @@ export default apiRoute((app) => {
            }
            // Check if the client secret is correct
-            if (foundToken.data.application?.secret !== client_secret) {
+            if (foundToken.data.client?.secret !== client_secret) {
                return context.json(
                    {
                        error: "unauthorized_client",
--- a/packages/api/routes/api/oauth/sso/[issuer]/callback.ts
+++ b/packages/api/routes/api/oauth/sso/[issuer]/callback.ts
@ -6,17 +6,21 @@ import {
 import { config } from "@versia-server/config";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
-import { db, Media, Token, User } from "@versia-server/kit/db";
+import { db, Media, User } from "@versia-server/kit/db";
 import { searchManager } from "@versia-server/kit/search";
-import { OpenIdAccounts, Users } from "@versia-server/kit/tables";
+import {
    AuthorizationCodes,
    OpenIdAccounts,
    Users,
 } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { and, eq, isNull, type SQL } from "drizzle-orm";
 import { setCookie } from "hono/cookie";
 import { sign } from "hono/jwt";
 import { describeRoute, validator } from "hono-openapi";
-import { SignJWT } from "jose";
+import * as client from "openid-client";
 import { z } from "zod/v4";
 import { randomString } from "@/math.ts";
 import { automaticOidcFlow } from "../../../../../plugins/openid/utils.ts";
 export default apiRoute((app) => {
    app.get(
@ -31,6 +35,7 @@ export default apiRoute((app) => {
                    description:
                        "Redirect to frontend's consent route, or redirect to login page with error",
                },
                422: ApiError.validationFailed().schema,
            },
        }),
        validator(
@ -43,103 +48,94 @@ export default apiRoute((app) => {
        validator(
            "query",
            z.object({
                client_id: z.string().optional(),
                flow: z.string(),
-                link: zBoolean.optional(),
+                link: zBoolean.default(false),
                user_id: z.uuid().optional(),
            }),
            handleZodError,
        ),
        async (context) => {
-            const currentUrl = new URL(context.req.url);
+            const { issuer: issuerId } = context.req.valid("param");
            const redirectUrl = new URL(context.req.url);
            // Correct some reverse proxies incorrectly setting the protocol as http, even if the original request was https
            // Looking at you, Traefik
            if (
                new URL(context.get("config").http.base_url).protocol ===
                    "https:" &&
                currentUrl.protocol === "http:"
            ) {
                currentUrl.protocol = "https:";
                redirectUrl.protocol = "https:";
            }
            // Remove state query parameter from URL
            currentUrl.searchParams.delete("state");
            redirectUrl.searchParams.delete("state");
            // Remove issuer query parameter from URL (can cause redirect URI mismatches)
            redirectUrl.searchParams.delete("iss");
            redirectUrl.searchParams.delete("code");
            const { issuer: issuerParam } = context.req.valid("param");
            const { flow: flowId, user_id, link } = context.req.valid("query");
            const issuer = config.authentication.openid_providers.find(
-                (provider) => provider.id === issuerParam,
+                (provider) => provider.id === issuerId,
            );
            if (!issuer) {
-                throw new ApiError(404, "Issuer not found");
+                throw new ApiError(422, "Unknown or invalid issuer");
            }
-            const userInfo = await automaticOidcFlow(
+            const flow = await db.query.OpenIdLoginFlows.findFirst({
-                issuer,
+                where: (flow): SQL | undefined => eq(flow.id, flowId),
-                flowId,
+                with: {
-                currentUrl,
+                    client: true,
-                redirectUrl,
+                },
-                (error, message, flow) => {
+            });
                    const errorSearchParams = new URLSearchParams(
                        Object.entries({
                            redirect_uri: flow?.application?.redirectUri,
                            client_id: flow?.application?.clientId,
                            response_type: "code",
                            scope: flow?.application?.scopes,
                        }).filter(([_, value]) => value !== undefined) as [
                            string,
                            string,
                        ][],
                    );
-                    errorSearchParams.append("error", error);
+            const redirectWithMessage = (
-                    errorSearchParams.append("error_description", message);
+                parameters: Record<string, string | undefined>,
                route = config.frontend.routes.login,
            ) => {
                const searchParams = new URLSearchParams(
                    Object.entries(parameters).filter(
                        ([_, value]) => value !== undefined,
                    ) as [string, string][],
                );
-                    return context.redirect(
+                return context.redirect(`${route}?${searchParams.toString()}`);
-                        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
+            };
-                    );
+
            if (!flow) {
                return redirectWithMessage({
                    error: "invalid_request",
                    error_description: "Invalid flow",
                });
            }
            const oidcConfig = await client.discovery(
                issuer.url,
                issuer.client_id,
                issuer.client_secret,
            );
            const tokens = await client.authorizationCodeGrant(
                oidcConfig,
                context.req.raw,
                {
                    pkceCodeVerifier: flow.codeVerifier,
                    expectedState: flow.state ?? undefined,
                    idTokenExpected: true,
                },
            );
-            if (userInfo instanceof Response) {
+            const claims = tokens.claims();
-                return userInfo;
+
            if (!claims) {
                return redirectWithMessage({
                    error: "invalid_request",
                    error_description: "Missing or invalid ID token",
                });
            }
-            const { sub, email, preferred_username, picture } =
+            const userInfo = await client.fetchUserInfo(
-                userInfo.userInfo;
+                oidcConfig,
-            const flow = userInfo.flow;
+                tokens.access_token,
-
+                claims.sub,
            const errorSearchParams = new URLSearchParams(
                Object.entries({
                    redirect_uri: flow.application?.redirectUri,
                    client_id: flow.application?.clientId,
                    response_type: "code",
                    scope: flow.application?.scopes,
                }).filter(([_, value]) => value !== undefined) as [
                    string,
                    string,
                ][],
            );
            const { sub, email, preferred_username, picture } = userInfo;
            // If linking account
            if (link && user_id) {
                // Check if userId is equal to application.clientId
-                if (!flow.application?.clientId.startsWith(user_id)) {
+                if (!flow.client?.id.startsWith(user_id)) {
-                    return context.redirect(
+                    return redirectWithMessage(
-                        `${context.get("config").http.base_url}${
+                        {
                            context.get("config").frontend.routes.home
                        }?${new URLSearchParams({
                            oidc_account_linking_error: "Account linking error",
-                            oidc_account_linking_error_message: `User ID does not match application client ID (${user_id} != ${flow.application?.clientId})`,
+                            oidc_account_linking_error_message: `User ID does not match application client ID (${user_id} != ${flow.client?.id})`,
-                        })}`,
+                        },
                        config.frontend.routes.home,
                    );
                }
@ -153,15 +149,14 @@ export default apiRoute((app) => {
                });
                if (account) {
-                    return context.redirect(
+                    return redirectWithMessage(
-                        `${context.get("config").http.base_url}${
+                        {
                            context.get("config").frontend.routes.home
                        }?${new URLSearchParams({
                            oidc_account_linking_error:
                                "Account already linked",
                            oidc_account_linking_error_message:
                                "This account has already been linked to this OpenID Connect provider.",
-                        })}`,
+                        },
                        config.frontend.routes.home,
                    );
                }
@ -244,71 +239,55 @@ export default apiRoute((app) => {
                    userId = user.id;
                } else {
-                    errorSearchParams.append("error", "invalid_request");
+                    return redirectWithMessage({
-                    errorSearchParams.append(
+                        error: "invalid_request",
-                        "error_description",
+                        error_description: "No user found with that account",
-                        "No user found with that account",
+                    });
                    );
                    return context.redirect(
                        `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                    );
                }
            }
            const user = await User.fromId(userId);
            if (!user) {
-                errorSearchParams.append("error", "invalid_request");
+                return redirectWithMessage({
-                errorSearchParams.append(
+                    error: "invalid_request",
-                    "error_description",
+                    error_description: "No user found with that account",
-                    "No user found with that account",
+                });
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
            if (!user.hasPermission(RolePermission.OAuth)) {
-                errorSearchParams.append("error", "invalid_request");
+                return redirectWithMessage({
-                errorSearchParams.append(
+                    error: "invalid_request",
-                    "error_description",
+                    error_description: `User does not have the '${RolePermission.OAuth}' permission`,
-                    `User does not have the '${RolePermission.OAuth}' permission`,
+                });
                );
                return context.redirect(
                    `${context.get("config").frontend.routes.login}?${errorSearchParams.toString()}`,
                );
            }
-            if (!flow.application) {
+            if (!flow.client) {
                throw new ApiError(500, "Application not found");
            }
            const code = randomString(32, "hex");
-            await Token.insert({
+            await db.insert(AuthorizationCodes).values({
-                id: randomUUIDv7(),
+                clientId: flow.client.id,
                accessToken: randomString(64, "base64url"),
                code,
-                scope: flow.application.scopes,
+                expiresAt: new Date(Date.now() + 60 * 1000).toISOString(), // 1 minute
-                tokenType: "Bearer",
+                redirectUri: flow.clientRedirectUri ?? undefined,
                userId: user.id,
-                applicationId: flow.application.id,
+                scopes: flow.clientScopes ?? [],
            });
-            // Generate JWT
+            const jwt = await sign(
-            const jwt = await new SignJWT({
+                {
-                sub: user.id,
+                    sub: user.id,
-                iss: new URL(context.get("config").http.base_url).origin,
+                    iss: new URL(context.get("config").http.base_url).origin,
-                aud: flow.application.clientId,
+                    aud: flow.client.id,
-                exp: Math.floor(Date.now() / 1000) + 60 * 60,
+                    exp: Math.floor(Date.now() / 1000) + 60 * 60,
-                iat: Math.floor(Date.now() / 1000),
+                    iat: Math.floor(Date.now() / 1000),
-                nbf: Math.floor(Date.now() / 1000),
+                    nbf: Math.floor(Date.now() / 1000),
-            })
+                },
-                .setProtectedHeader({ alg: "EdDSA" })
+                config.authentication.key,
-                .sign(config.authentication.keys.private);
+            );
            // Redirect back to application
            setCookie(context, "jwt", jwt, {
@ -320,21 +299,17 @@ export default apiRoute((app) => {
                maxAge: 60 * 60 * 24 * 14,
            });
-            return context.redirect(
+            return redirectWithMessage(
-                new URL(
+                {
-                    `${context.get("config").frontend.routes.consent}?${new URLSearchParams(
+                    redirect_uri: flow.clientRedirectUri ?? undefined,
-                        {
+                    code,
-                            redirect_uri: flow.application.redirectUri,
+                    client_id: flow.client.id,
-                            code,
+                    application: flow.client.name,
-                            client_id: flow.application.clientId,
+                    website: flow.client.website ?? "",
-                            application: flow.application.name,
+                    scope: flow.clientScopes?.join(" "),
-                            website: flow.application.website ?? "",
+                    state: flow.clientState ?? undefined,
-                            scope: flow.application.scopes,
+                },
-                            response_type: "code",
+                config.frontend.routes.consent,
                        },
                    ).toString()}`,
                    context.get("config").http.base_url,
                ).toString(),
            );
        },
    );
--- a/packages/api/routes/oauth/sso/[issuer]/index.ts
+++ b/packages/api/routes/oauth/sso/[issuer]/index.ts
@ -0,0 +1,122 @@
 import { config } from "@versia-server/config";
 import { ApiError } from "@versia-server/kit";
 import { apiRoute, handleZodError } from "@versia-server/kit/api";
 import { Client, db } from "@versia-server/kit/db";
 import { OpenIdLoginFlows } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { describeRoute, validator } from "hono-openapi";
 import * as client from "openid-client";
 import { z } from "zod/v4";
 import { oauthRedirectUri } from "@/lib";
 export default apiRoute((app) => {
    app.post(
        "/oauth/sso/:issuer",
        describeRoute({
            summary: "Initiate SSO login flow",
            tags: ["OpenID"],
            responses: {
                302: {
                    description:
                        "Redirect to SSO provider's authorization endpoint",
                },
                422: ApiError.validationFailed().schema,
            },
        }),
        validator(
            "param",
            z.object({
                issuer: z.string(),
            }),
            handleZodError,
        ),
        validator(
            "json",
            z.object({
                client_id: z.string(),
                redirect_uri: z.url(),
                scopes: z.string().array().default(["read"]),
                state: z.string().optional(),
            }),
            handleZodError,
        ),
        async (context) => {
            // This is the Versia client's client_id, not the external OAuth provider's client_id
            const { client_id, redirect_uri, scopes, state } =
                context.req.valid("json");
            const { issuer: issuerId } = context.req.valid("param");
            const issuer = config.authentication.openid_providers.find(
                (provider) => provider.id === issuerId,
            );
            if (!issuer) {
                throw new ApiError(422, "Unknown or invalid issuer");
            }
            const application = await Client.fromClientId(client_id);
            if (!application) {
                throw new ApiError(422, "Unknown or invalid client_id");
            }
            if (!application.data.redirectUris.includes(redirect_uri)) {
                throw new ApiError(
                    422,
                    "redirect_uri is not a subset of application's redirect_uris",
                );
            }
            // TODO: Validate oauth scopes
            const oidcConfig = await client.discovery(
                issuer.url,
                issuer.client_id,
                issuer.client_secret,
            );
            const codeVerifier = client.randomPKCECodeVerifier();
            const codeChallenge =
                await client.calculatePKCECodeChallenge(codeVerifier);
            const parameters: Record<string, string> = {
                scope: "openid profile email",
                code_challenge: codeChallenge,
                code_challenge_method: "S256",
            };
            if (!oidcConfig.serverMetadata().supportsPKCE()) {
                parameters.state = client.randomState();
            }
            // Store into database
            const newFlow = (
                await db
                    .insert(OpenIdLoginFlows)
                    .values({
                        id: randomUUIDv7(),
                        codeVerifier,
                        state: parameters.state,
                        clientState: state,
                        clientRedirectUri: redirect_uri,
                        clientScopes: scopes,
                        clientId: application.id,
                        issuerId,
                    })
                    .returning()
            )[0];
            parameters.redirect_uri = `${oauthRedirectUri(
                context.get("config").http.base_url,
                issuerId,
            )}?${new URLSearchParams({
                flow: newFlow.id,
            })}`;
            const redirectTo = client.buildAuthorizationUrl(
                oidcConfig,
                parameters,
            );
            return context.redirect(redirectTo);
        },
    );
 });
--- a/packages/api/routes/api/oauth/token.test.ts
+++ b/packages/api/routes/api/oauth/token.test.ts
@ -1,36 +1,40 @@
 import { afterAll, describe, expect, test } from "bun:test";
-import { Application, Token } from "@versia-server/kit/db";
+import { Client, db } from "@versia-server/kit/db";
 import { fakeRequest, getTestUsers } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 import { eq } from "drizzle-orm";
 import { randomString } from "@/math";
 import { AuthorizationCodes } from "~/packages/kit/tables/schema";
 const { deleteUsers, users } = await getTestUsers(1);
-const application = await Application.insert({
+const application = await Client.insert({
    id: randomUUIDv7(),
-    clientId: "test-client-id",
+    redirectUris: ["https://example.com/callback"],
-    redirectUri: "https://example.com/callback",
+    scopes: ["openid", "profile", "email"],
    scopes: "openid profile email",
    secret: "test-secret",
    name: "Test Application",
 });
-const token = await Token.insert({
+const authorizationCode = (
-    id: randomUUIDv7(),
+    await db
-    code: "test-code",
+        .insert(AuthorizationCodes)
-    redirectUri: application.data.redirectUri,
+        .values({
-    clientId: application.data.clientId,
+            clientId: application.id,
-    accessToken: "test-access-token",
+            code: randomString(10),
-    expiresAt: new Date(Date.now() + 3600 * 1000).toISOString(),
+            redirectUri: application.data.redirectUris[0],
-    createdAt: new Date().toISOString(),
+            userId: users[0].id,
-    tokenType: "Bearer",
+            expiresAt: new Date(Date.now() + 300 * 1000).toISOString(),
-    scope: application.data.scopes,
+        })
-    userId: users[0].id,
+        .returning()
-});
+)[0];
 afterAll(async () => {
    await deleteUsers();
    await application.delete();
-    await token.delete();
+    await db
        .delete(AuthorizationCodes)
        .where(eq(AuthorizationCodes.code, authorizationCode.code));
 });
 describe("/oauth/token", () => {
@ -42,18 +46,18 @@ describe("/oauth/token", () => {
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
-                code: "test-code",
+                code: authorizationCode.code,
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
        expect(response.status).toBe(200);
        const body = await response.json();
-        expect(body.access_token).toBe("test-access-token");
+        expect(body.access_token).toBeString();
        expect(body.token_type).toBe("Bearer");
-        expect(body.expires_in).toBeGreaterThan(0);
+        expect(body.expires_in).toBeNull();
    });
    test("should return error for missing code", async () => {
@ -64,16 +68,15 @@ describe("/oauth/token", () => {
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
-        expect(response.status).toBe(401);
+        expect(response.status).toBe(422);
        const body = await response.json();
-        expect(body.error).toBe("invalid_request");
+        expect(body.error).toInclude(`Expected string at "code"`);
        expect(body.error_description).toBe("Code is required");
    });
    test("should return error for missing redirect_uri", async () => {
@ -84,16 +87,15 @@ describe("/oauth/token", () => {
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
-                code: "test-code",
+                code: authorizationCode.code,
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
-        expect(response.status).toBe(401);
+        expect(response.status).toBe(422);
        const body = await response.json();
-        expect(body.error).toBe("invalid_request");
+        expect(body.error).toInclude(`Expected string at "redirect_uri"`);
        expect(body.error_description).toBe("Redirect URI is required");
    });
    test("should return error for missing client_id", async () => {
@ -104,16 +106,15 @@ describe("/oauth/token", () => {
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
-                code: "test-code",
+                code: authorizationCode.code,
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
                client_secret: application.data.secret,
            }),
        });
-        expect(response.status).toBe(401);
+        expect(response.status).toBe(422);
        const body = await response.json();
-        expect(body.error).toBe("invalid_request");
+        expect(body.error).toInclude(`Expected string at "client_id"`);
        expect(body.error_description).toBe("Client ID is required");
    });
    test("should return error for invalid client credentials", async () => {
@ -124,9 +125,9 @@ describe("/oauth/token", () => {
            },
            body: JSON.stringify({
                grant_type: "authorization_code",
-                code: "test-code",
+                code: authorizationCode.code,
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: "invalid-secret",
            }),
        });
@ -146,16 +147,18 @@ describe("/oauth/token", () => {
            body: JSON.stringify({
                grant_type: "authorization_code",
                code: "invalid-code",
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
-        expect(response.status).toBe(401);
+        expect(response.status).toBe(404);
        const body = await response.json();
        expect(body.error).toBe("invalid_grant");
-        expect(body.error_description).toBe("Code not found");
+        expect(body.error_description).toBe(
            "Authorization code not found or expired",
        );
    });
    test("should return error for unsupported grant type", async () => {
@ -166,9 +169,9 @@ describe("/oauth/token", () => {
            },
            body: JSON.stringify({
                grant_type: "refresh_token",
-                code: "test-code",
+                code: authorizationCode.code,
-                redirect_uri: application.data.redirectUri,
+                redirect_uri: application.data.redirectUris[0],
-                client_id: application.data.clientId,
+                client_id: application.data.id,
                client_secret: application.data.secret,
            }),
        });
--- a/packages/api/routes/oauth/token.ts
+++ b/packages/api/routes/oauth/token.ts
@ -0,0 +1,145 @@
 import { Token as TokenSchema } from "@versia/client/schemas";
 import { apiRoute, handleZodError, jsonOrForm } from "@versia-server/kit/api";
 import { Client, db, Token } from "@versia-server/kit/db";
 import { AuthorizationCodes } from "@versia-server/kit/tables";
 import { randomUUIDv7 } from "bun";
 import { and, eq } from "drizzle-orm";
 import { describeRoute, resolver, validator } from "hono-openapi";
 import { z } from "zod/v4";
 import { randomString } from "@/math";
 export default apiRoute((app) => {
    app.post(
        "/oauth/token",
        describeRoute({
            summary: "Obtain a token",
            description:
                "Obtain an access token, to be used during API calls that are not public.",
            externalDocs: {
                url: "https://docs.joinmastodon.org/methods/oauth/#token",
            },
            tags: ["OpenID"],
            responses: {
                200: {
                    description: "Token",
                    content: {
                        "application/json": {
                            schema: resolver(TokenSchema),
                        },
                    },
                },
                401: {
                    description: "Invalid grant",
                    content: {
                        "application/json": {
                            schema: resolver(
                                z.object({
                                    error: z.string(),
                                    error_description: z.string(),
                                }),
                            ),
                        },
                    },
                },
            },
        }),
        jsonOrForm(),
        validator(
            "json",
            z.object({
                code: z.string(),
                grant_type: z.enum([
                    "authorization_code",
                    "refresh_token",
                    "client_credentials",
                ]),
                code_verifier: z.string().optional(),
                client_id: z.string(),
                client_secret: z.string(),
                redirect_uri: z.url(),
                refresh_token: z.string().optional(),
                scope: z.string().default("read"),
            }),
            handleZodError,
        ),
        async (context) => {
            const { code, client_id, client_secret, redirect_uri, grant_type } =
                context.req.valid("json");
            if (grant_type !== "authorization_code") {
                return context.json(
                    {
                        error: "unsupported_grant_type",
                        error_description: "Unsupported grant type",
                    },
                    401,
                );
            }
            // Verify the client_secret
            const client = await Client.fromClientId(client_id);
            if (!client || client.data.secret !== client_secret) {
                return context.json(
                    {
                        error: "invalid_client",
                        error_description: "Invalid client credentials",
                    },
                    401,
                );
            }
            const authorizationCode =
                await db.query.AuthorizationCodes.findFirst({
                    where: (codeTable) =>
                        and(
                            eq(codeTable.code, code),
                            eq(codeTable.redirectUri, redirect_uri),
                            eq(codeTable.clientId, client.id),
                        ),
                });
            if (
                !authorizationCode ||
                new Date(authorizationCode.expiresAt).getTime() < Date.now()
            ) {
                return context.json(
                    {
                        error: "invalid_grant",
                        error_description:
                            "Authorization code not found or expired",
                    },
                    404,
                );
            }
            const token = await Token.insert({
                accessToken: randomString(64, "base64url"),
                clientId: client.id,
                id: randomUUIDv7(),
                userId: authorizationCode.userId,
                expiresAt: null,
            });
            // Invalidate the code
            await db
                .delete(AuthorizationCodes)
                .where(eq(AuthorizationCodes.code, authorizationCode.code));
            return context.json(
                {
                    ...token.toApi(),
                    expires_in: token.data.expiresAt
                        ? Math.floor(
                              (new Date(token.data.expiresAt).getTime() -
                                  Date.now()) /
                                  1000,
                          )
                        : null,
                    refresh_token: null,
                },
                200,
            );
        },
    );
 });
--- a/packages/api/routes/well-known/jwks.test.ts
+++ b/packages/api/routes/well-known/jwks.test.ts
@ -1,35 +0,0 @@
 import { afterAll, describe, expect, test } from "bun:test";
 import { Application } from "@versia-server/kit/db";
 import { fakeRequest } from "@versia-server/tests";
 import { randomUUIDv7 } from "bun";
 const application = await Application.insert({
    id: randomUUIDv7(),
    clientId: "test-client-id",
    redirectUri: "https://example.com/callback",
    scopes: "openid profile email",
    secret: "test-secret",
    name: "Test Application",
 });
 afterAll(async () => {
    await application.delete();
 });
 describe("/.well-known/jwks", () => {
    test("should return JWK set with valid inputs", async () => {
        const response = await fakeRequest("/.well-known/jwks", {
            method: "GET",
        });
        expect(response.status).toBe(200);
        const body = await response.json();
        expect(body.keys).toHaveLength(1);
        expect(body.keys[0].kty).toBe("OKP");
        expect(body.keys[0].use).toBe("sig");
        expect(body.keys[0].alg).toBe("EdDSA");
        expect(body.keys[0].kid).toBe("1");
        expect(body.keys[0].crv).toBe("Ed25519");
        expect(body.keys[0].x).toBeString();
    });
 });
--- a/packages/api/routes/well-known/jwks.ts
+++ b/packages/api/routes/well-known/jwks.ts
@ -1,62 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute, auth } from "@versia-server/kit/api";
 import { describeRoute, resolver } from "hono-openapi";
 import { exportJWK } from "jose";
 import { z } from "zod/v4";
 export default apiRoute((app) => {
    app.get(
        "/.well-known/jwks",
        describeRoute({
            summary: "JWK Set",
            tags: ["OpenID"],
            responses: {
                200: {
                    description: "JWK Set",
                    content: {
                        "application/json": {
                            schema: resolver(
                                z.object({
                                    keys: z.array(
                                        z.object({
                                            kty: z.string().optional(),
                                            use: z.string(),
                                            alg: z.string(),
                                            kid: z.string(),
                                            crv: z.string().optional(),
                                            x: z.string().optional(),
                                            y: z.string().optional(),
                                        }),
                                    ),
                                }),
                            ),
                        },
                    },
                },
            },
        }),
        auth({
            auth: false,
        }),
        async (context) => {
            const jwk = await exportJWK(config.authentication.keys.private);
            // Remove the private key 💀
            jwk.d = undefined;
            return context.json(
                {
                    keys: [
                        {
                            ...jwk,
                            use: "sig",
                            alg: "EdDSA",
                            kid: "1",
                        },
                    ],
                },
                200,
            );
        },
    );
 });
--- a/packages/api/routes/well-known/openid-configuration/index.ts
+++ b/packages/api/routes/well-known/openid-configuration/index.ts
@ -1,65 +0,0 @@
 import { config } from "@versia-server/config";
 import { apiRoute } from "@versia-server/kit/api";
 import { describeRoute, resolver } from "hono-openapi";
 import { z } from "zod/v4";
 export default apiRoute((app) =>
    app.get(
        "/.well-known/openid-configuration",
        describeRoute({
            summary: "OpenID Configuration",
            tags: ["OpenID"],
            responses: {
                200: {
                    description: "OpenID Configuration",
                    content: {
                        "application/json": {
                            schema: resolver(
                                z.object({
                                    issuer: z.string(),
                                    authorization_endpoint: z.string(),
                                    token_endpoint: z.string(),
                                    userinfo_endpoint: z.string(),
                                    jwks_uri: z.string(),
                                    response_types_supported: z.array(
                                        z.string(),
                                    ),
                                    subject_types_supported: z.array(
                                        z.string(),
                                    ),
                                    id_token_signing_alg_values_supported:
                                        z.array(z.string()),
                                    scopes_supported: z.array(z.string()),
                                    token_endpoint_auth_methods_supported:
                                        z.array(z.string()),
                                    claims_supported: z.array(z.string()),
                                }),
                            ),
                        },
                    },
                },
            },
        }),
        (context) => {
            const baseUrl = config.http.base_url;
            return context.json(
                {
                    issuer: baseUrl.origin.toString(),
                    authorization_endpoint: `${baseUrl.origin}/oauth/authorize`,
                    token_endpoint: `${baseUrl.origin}/oauth/token`,
                    userinfo_endpoint: `${baseUrl.origin}/api/v1/accounts/verify_credentials`,
                    jwks_uri: `${baseUrl.origin}/.well-known/jwks`,
                    response_types_supported: ["code"],
                    subject_types_supported: ["public"],
                    id_token_signing_alg_values_supported: ["EdDSA"],
                    scopes_supported: ["openid", "profile", "email"],
                    token_endpoint_auth_methods_supported: [
                        "client_secret_basic",
                    ],
                    claims_supported: ["sub"],
                },
                200,
            );
        },
    ),
 );
--- a/packages/client/schemas/versia.ts
+++ b/packages/client/schemas/versia.ts
@ -87,11 +87,6 @@ export const NoteReactionWithAccounts = NoteReaction.extend({
 /* Versia Server API extension */
 export const SSOConfig = z.object({
    forced: z.boolean().meta({
        description:
            "If this is enabled, normal identifier/password login is disabled and login must be done through SSO.",
        example: false,
    }),
    providers: z
        .array(
            z.object({
--- a/packages/config/index.ts
+++ b/packages/config/index.ts
@ -6,7 +6,6 @@ import ISO6391 from "iso-639-1";
 import { types as mimeTypes } from "mime-types";
 import { generateVAPIDKeys } from "web-push";
 import { z } from "zod/v4";
 import { fromZodError } from "zod-validation-error";
 export class ProxiableUrl extends URL {
    private isAllowedOrigin(): boolean {
@ -174,9 +173,10 @@ export const keyPair = z
                await crypto.subtle.exportKey("spki", keys.publicKey),
            ).toString("base64");
-            ctx.addIssue({
+            ctx.issues.push({
                code: "custom",
-                error: `Public and private keys are not set. Here are generated keys for you to copy.\n\nPublic: ${publicKey}\nPrivate: ${privateKey}`,
+                message: `Public and private keys are not set. Here are generated keys for you to copy.\n\nPublic: ${publicKey}\nPrivate: ${privateKey}`,
                input: k,
            });
            return z.NEVER;
@ -194,9 +194,10 @@ export const keyPair = z
                ["verify"],
            );
        } catch {
-            ctx.addIssue({
+            ctx.issues.push({
                code: "custom",
-                error: "Public key is invalid",
+                message: "Public key is invalid",
                input: k,
            });
            return z.NEVER;
@ -211,9 +212,10 @@ export const keyPair = z
                ["sign"],
            );
        } catch {
-            ctx.addIssue({
+            ctx.issues.push({
                code: "custom",
-                error: "Private key is invalid",
+                message: "Private key is invalid",
                input: k,
            });
            return z.NEVER;
@ -235,9 +237,10 @@ export const vapidKeyPair = z
        if (!(k?.public && k?.private)) {
            const keys = generateVAPIDKeys();
-            ctx.addIssue({
+            ctx.issues.push({
                code: "custom",
-                error: `VAPID keys are not set. Here are generated keys for you to copy.\n\nPublic: ${keys.publicKey}\nPrivate: ${keys.privateKey}`,
+                message: `VAPID keys are not set. Here are generated keys for you to copy.\n\nPublic: ${keys.publicKey}\nPrivate: ${keys.privateKey}`,
                input: k,
            });
            return z.NEVER;
@ -246,51 +249,55 @@ export const vapidKeyPair = z
        return k;
    });
-export const hmacKey = sensitiveString.transform(async (text, ctx) => {
+export const hmacKey = sensitiveString
-    if (!text) {
+    .optional()
-        const key = await crypto.subtle.generateKey(
+    .transform(async (text, ctx) => {
-            {
+        if (!text) {
-                name: "HMAC",
+            const key = await crypto.subtle.generateKey(
-                hash: "SHA-256",
+                {
-            },
+                    name: "HMAC",
-            true,
+                    hash: "SHA-256",
-            ["sign"],
+                },
-        );
+                true,
                ["sign"],
            );
-        const exported = await crypto.subtle.exportKey("raw", key);
+            const exported = await crypto.subtle.exportKey("raw", key);
-        const base64 = Buffer.from(exported).toString("base64");
+            const base64 = Buffer.from(exported).toString("base64");
-        ctx.addIssue({
+            ctx.issues.push({
-            code: "custom",
+                code: "custom",
-            error: `HMAC key is not set. Here is a generated key for you to copy: ${base64}`,
+                message: `HMAC key is not set. Here is a generated key for you to copy: ${base64}`,
-        });
+                input: text,
            });
-        return z.NEVER;
+            return z.NEVER;
-    }
+        }
-    try {
+        try {
-        await crypto.subtle.importKey(
+            await crypto.subtle.importKey(
-            "raw",
+                "raw",
-            Buffer.from(text, "base64"),
+                Buffer.from(text, "base64"),
-            {
+                {
-                name: "HMAC",
+                    name: "HMAC",
-                hash: "SHA-256",
+                    hash: "SHA-256",
-            },
+                },
-            true,
+                true,
-            ["sign"],
+                ["sign"],
-        );
+            );
-    } catch {
+        } catch {
-        ctx.addIssue({
+            ctx.issues.push({
-            code: "custom",
+                code: "custom",
-            error: "HMAC key is invalid",
+                message: "HMAC key is invalid",
-        });
+                input: text,
            });
-        return z.NEVER;
+            return z.NEVER;
-    }
+        }
-    return text;
+        return text;
-});
+    });
 export const ConfigSchema = z
    .strictObject({
@ -793,13 +800,12 @@ export const ConfigSchema = z
            })
            .optional(),
        authentication: z.strictObject({
            forced_openid: z.boolean().default(false),
            openid_providers: z
                .array(
                    z.strictObject({
                        name: z.string().min(1),
                        id: z.string().min(1),
-                        url: z.string().min(1),
+                        url,
                        client_id: z.string().min(1),
                        client_secret: sensitiveString,
                        icon: url.optional(),
@ -807,7 +813,7 @@ export const ConfigSchema = z
                )
                .default([]),
            openid_registration: z.boolean().default(true),
-            keys: keyPair,
+            key: hmacKey,
        }),
    })
    .refine(
@ -840,9 +846,8 @@ if (!parsed.success) {
    console.error(
        "⚠ Here is the error message, please fix the configuration file accordingly:",
    );
    const errorMessage = fromZodError(parsed.error).message;
-    console.info(errorMessage);
+    console.info(z.prettifyError(parsed.error));
    throw new Error("Configuration file is invalid.");
 }
--- a/packages/kit/api.ts
+++ b/packages/kit/api.ts
@ -14,7 +14,7 @@ import { type ZodAny, ZodError, z } from "zod/v4";
 import { fromZodError } from "zod-validation-error";
 import type { AuthData, HonoEnv } from "~/types/api";
 import { ApiError } from "./api-error.ts";
-import { Application } from "./db/application.ts";
+import { Client } from "./db/application.ts";
 import { Emoji } from "./db/emoji.ts";
 import { Note } from "./db/note.ts";
 import { Token } from "./db/token.ts";
@ -169,8 +169,8 @@ export const auth = <AuthRequired extends boolean>(options: {
        const auth: AuthData = {
            token,
-            application: token?.data.application
+            application: token?.data.client
-                ? new Application(token?.data.application)
+                ? new Client(token?.data.client)
                : null,
            user: (await token?.getUser()) ?? null,
        };
--- a/packages/kit/db/application.ts
+++ b/packages/kit/db/application.ts
@ -12,42 +12,42 @@ import {
 } from "drizzle-orm";
 import type { z } from "zod/v4";
 import { db } from "../tables/db.ts";
-import { Applications } from "../tables/schema.ts";
+import { Clients } from "../tables/schema.ts";
 import { BaseInterface } from "./base.ts";
 import { Token } from "./token.ts";
-type ApplicationType = InferSelectModel<typeof Applications>;
+type ClientType = InferSelectModel<typeof Clients>;
-export class Application extends BaseInterface<typeof Applications> {
+export class Client extends BaseInterface<typeof Clients> {
-    public static $type: ApplicationType;
+    public static $type: ClientType;
    public async reload(): Promise<void> {
-        const reloaded = await Application.fromId(this.data.id);
+        const reloaded = await Client.fromId(this.data.id);
        if (!reloaded) {
-            throw new Error("Failed to reload application");
+            throw new Error("Failed to reload client");
        }
        this.data = reloaded.data;
    }
-    public static async fromId(id: string | null): Promise<Application | null> {
+    public static async fromId(id: string | null): Promise<Client | null> {
        if (!id) {
            return null;
        }
-        return await Application.fromSql(eq(Applications.id, id));
+        return await Client.fromSql(eq(Clients.id, id));
    }
-    public static async fromIds(ids: string[]): Promise<Application[]> {
+    public static async fromIds(ids: string[]): Promise<Client[]> {
-        return await Application.manyFromSql(inArray(Applications.id, ids));
+        return await Client.manyFromSql(inArray(Clients.id, ids));
    }
    public static async fromSql(
        sql: SQL<unknown> | undefined,
-        orderBy: SQL<unknown> | undefined = desc(Applications.id),
+        orderBy: SQL<unknown> | undefined = desc(Clients.id),
-    ): Promise<Application | null> {
+    ): Promise<Client | null> {
-        const found = await db.query.Applications.findFirst({
+        const found = await db.query.Clients.findFirst({
            where: sql,
            orderBy,
        });
@ -55,17 +55,17 @@ export class Application extends BaseInterface<typeof Applications> {
        if (!found) {
            return null;
        }
-        return new Application(found);
+        return new Client(found);
    }
    public static async manyFromSql(
        sql: SQL<unknown> | undefined,
-        orderBy: SQL<unknown> | undefined = desc(Applications.id),
+        orderBy: SQL<unknown> | undefined = desc(Clients.id),
        limit?: number,
        offset?: number,
-        extra?: Parameters<typeof db.query.Applications.findMany>[0],
+        extra?: Parameters<typeof db.query.Clients.findMany>[0],
-    ): Promise<Application[]> {
+    ): Promise<Client[]> {
-        const found = await db.query.Applications.findMany({
+        const found = await db.query.Clients.findMany({
            where: sql,
            orderBy,
            limit,
@ -73,32 +73,28 @@ export class Application extends BaseInterface<typeof Applications> {
            with: extra?.with,
        });
-        return found.map((s) => new Application(s));
+        return found.map((s) => new Client(s));
    }
-    public static async getFromToken(
+    public static async getFromToken(token: string): Promise<Client | null> {
        token: string,
    ): Promise<Application | null> {
        const result = await Token.fromAccessToken(token);
-        return result?.data.application
+        return result?.data.client ? new Client(result.data.client) : null;
            ? new Application(result.data.application)
            : null;
    }
-    public static fromClientId(clientId: string): Promise<Application | null> {
+    public static fromClientId(clientId: string): Promise<Client | null> {
-        return Application.fromSql(eq(Applications.clientId, clientId));
+        return Client.fromSql(eq(Clients.id, clientId));
    }
    public async update(
-        newApplication: Partial<ApplicationType>,
+        newApplication: Partial<ClientType>,
-    ): Promise<ApplicationType> {
+    ): Promise<ClientType> {
        await db
-            .update(Applications)
+            .update(Clients)
            .set(newApplication)
-            .where(eq(Applications.id, this.id));
+            .where(eq(Clients.id, this.id));
-        const updated = await Application.fromId(this.data.id);
+        const updated = await Client.fromId(this.data.id);
        if (!updated) {
            throw new Error("Failed to update application");
@ -108,26 +104,24 @@ export class Application extends BaseInterface<typeof Applications> {
        return updated.data;
    }
-    public save(): Promise<ApplicationType> {
+    public save(): Promise<ClientType> {
        return this.update(this.data);
    }
    public async delete(ids?: string[]): Promise<void> {
        if (Array.isArray(ids)) {
-            await db.delete(Applications).where(inArray(Applications.id, ids));
+            await db.delete(Clients).where(inArray(Clients.id, ids));
        } else {
-            await db.delete(Applications).where(eq(Applications.id, this.id));
+            await db.delete(Clients).where(eq(Clients.id, this.id));
        }
    }
    public static async insert(
-        data: InferInsertModel<typeof Applications>,
+        data: InferInsertModel<typeof Clients>,
-    ): Promise<Application> {
+    ): Promise<Client> {
-        const inserted = (
+        const inserted = (await db.insert(Clients).values(data).returning())[0];
            await db.insert(Applications).values(data).returning()
        )[0];
-        const application = await Application.fromId(inserted.id);
+        const application = await Client.fromId(inserted.id);
        if (!application) {
            throw new Error("Failed to insert application");
@ -144,9 +138,9 @@ export class Application extends BaseInterface<typeof Applications> {
        return {
            name: this.data.name,
            website: this.data.website,
-            scopes: this.data.scopes.split(" "),
+            scopes: this.data.scopes,
-            redirect_uri: this.data.redirectUri,
+            redirect_uri: this.data.redirectUris.join(" "),
-            redirect_uris: this.data.redirectUri.split("\n"),
+            redirect_uris: this.data.redirectUris,
        };
    }
@ -154,12 +148,12 @@ export class Application extends BaseInterface<typeof Applications> {
        return {
            name: this.data.name,
            website: this.data.website,
-            client_id: this.data.clientId,
+            client_id: this.data.id,
            client_secret: this.data.secret,
            client_secret_expires_at: "0",
-            scopes: this.data.scopes.split(" "),
+            scopes: this.data.scopes,
-            redirect_uri: this.data.redirectUri,
+            redirect_uri: this.data.redirectUris.join(" "),
-            redirect_uris: this.data.redirectUri.split("\n"),
+            redirect_uris: this.data.redirectUris,
        };
    }
 }
--- a/packages/kit/db/index.ts
+++ b/packages/kit/db/index.ts
@ -1,5 +1,5 @@
 export { db, setupDatabase } from "../tables/db.ts";
-export { Application } from "./application.ts";
+export { Client } from "./application.ts";
 export { Emoji } from "./emoji.ts";
 export { Instance } from "./instance.ts";
 export { Like } from "./like.ts";
@ -12,4 +12,4 @@ export { Relationship } from "./relationship.ts";
 export { Role } from "./role.ts";
 export { Timeline } from "./timeline.ts";
 export { Token } from "./token.ts";
-export { User } from "./user.ts";
+export { transformOutputToUserWithRelations, User } from "./user.ts";
--- a/packages/kit/db/note.ts
+++ b/packages/kit/db/note.ts
@ -36,7 +36,7 @@ import {
    Notifications,
    Users,
 } from "../tables/schema.ts";
-import { Application } from "./application.ts";
+import { Client } from "./application.ts";
 import { BaseInterface } from "./base.ts";
 import { Emoji } from "./emoji.ts";
 import { Instance } from "./instance.ts";
@ -129,7 +129,7 @@ const findManyNotes = async (
                        },
                    },
                    likes: true,
-                    application: true,
+                    client: true,
                    mentions: {
                        with: {
                            user: {
@ -238,7 +238,7 @@ type NoteTypeWithRelations = NoteType & {
    emojis: (typeof Emoji.$type)[];
    reply: NoteType | null;
    quote: NoteType | null;
-    application: typeof Application.$type | null;
+    client: typeof Client.$type | null;
    pinned: boolean;
    reblogged: boolean;
    muted: boolean;
@ -514,7 +514,7 @@ export class Note extends BaseInterface<typeof Notes, NoteTypeWithRelations> {
            visibility,
            sensitive: false,
            updatedAt: new Date().toISOString(),
-            applicationId: null,
+            clientId: null,
            uri: uri?.href,
        });
@ -1162,8 +1162,8 @@ export class Note extends BaseInterface<typeof Notes, NoteTypeWithRelations> {
            in_reply_to_account_id: data.reply?.authorId || null,
            account: this.author.toApi(userFetching?.id === data.authorId),
            created_at: new Date(data.createdAt).toISOString(),
-            application: data.application
+            application: data.client
-                ? new Application(data.application).toApi()
+                ? new Client(data.client).toApi()
                : undefined,
            card: null,
            content: replacedContent,
--- a/packages/kit/db/token.ts
+++ b/packages/kit/db/token.ts
@ -10,12 +10,12 @@ import {
 import type { z } from "zod/v4";
 import { db } from "../tables/db.ts";
 import { Tokens } from "../tables/schema.ts";
-import type { Application } from "./application.ts";
+import type { Client } from "./application.ts";
 import { BaseInterface } from "./base.ts";
 import { User } from "./user.ts";
 type TokenType = InferSelectModel<typeof Tokens> & {
-    application: typeof Application.$type | null;
+    client: typeof Client.$type;
 };
 export class Token extends BaseInterface<typeof Tokens, TokenType> {
@ -51,7 +51,7 @@ export class Token extends BaseInterface<typeof Tokens, TokenType> {
            where: sql,
            orderBy,
            with: {
-                application: true,
+                client: true,
            },
        });
@ -74,7 +74,7 @@ export class Token extends BaseInterface<typeof Tokens, TokenType> {
            limit,
            offset,
            with: {
-                application: true,
+                client: true,
                ...extra?.with,
            },
        });
@ -159,7 +159,7 @@ export class Token extends BaseInterface<typeof Tokens, TokenType> {
        return {
            access_token: this.data.accessToken,
            token_type: "Bearer",
-            scope: this.data.scope,
+            scope: this.data.scopes.join(" "),
            created_at: Math.floor(
                new Date(this.data.createdAt).getTime() / 1000,
            ),
--- a/packages/kit/db/user.ts
+++ b/packages/kit/db/user.ts
@ -77,6 +77,7 @@ export const userRelations = {
    },
 } as const;
 // TODO: Remove this function and use what drizzle outputs directly instead of transforming it
 export const transformOutputToUserWithRelations = (
    user: Omit<InferSelectModel<typeof Users>, "endpoints"> & {
        followerCount: unknown;
@ -525,15 +526,15 @@ export class User extends BaseInterface<typeof Users, UserWithRelations> {
        providers: {
            id: string;
            name: string;
-            url: string;
+            url: ProxiableUrl;
            icon?: ProxiableUrl;
        }[],
    ): Promise<
        {
            id: string;
            name: string;
-            url: string;
+            url: ProxiableUrl;
-            icon?: string | undefined;
+            icon?: ProxiableUrl;
            server_id: string;
        }[]
    > {
@ -556,7 +557,7 @@ export class User extends BaseInterface<typeof Users, UserWithRelations> {
                    id: issuer.id,
                    name: issuer.name,
                    url: issuer.url,
-                    icon: issuer.icon?.proxied,
+                    icon: issuer.icon,
                    server_id: account.serverId,
                };
            })
--- a/packages/kit/tables/migrations/0051_stiff_morbius.sql
+++ b/packages/kit/tables/migrations/0051_stiff_morbius.sql
@ -0,0 +1,46 @@
 CREATE TABLE "AuthorizationCodes" (
 	"code" text PRIMARY KEY NOT NULL,
 	"scopes" text[] DEFAULT ARRAY[]::text[] NOT NULL,
 	"redirect_uri" text,
 	"expires_at" timestamp(3) NOT NULL,
 	"created_at" timestamp(3) DEFAULT now() NOT NULL,
 	"code_challenge" text,
 	"code_challenge_method" text,
 	"userId" uuid NOT NULL,
 	"clientId" text NOT NULL
 );
 --> statement-breakpoint
 ALTER TABLE "Tokens" RENAME COLUMN "applicationId" TO "clientId";--> statement-breakpoint
 --ALTER TABLE "Notes" DROP CONSTRAINT "Notes_applicationId_Applications_id_fk";
 --> statement-breakpoint
 --ALTER TABLE "OpenIdLoginFlows" DROP CONSTRAINT "OpenIdLoginFlows_applicationId_Applications_id_fk";
 --> statement-breakpoint
 --ALTER TABLE "Tokens" DROP CONSTRAINT "Tokens_applicationId_Applications_id_fk";
 --> statement-breakpoint
 DROP INDEX "Applications_client_id_index";--> statement-breakpoint
 ALTER TABLE "Applications" DROP COLUMN "id" CASCADE;--> statement-breakpoint
 ALTER TABLE "Applications" ADD PRIMARY KEY ("client_id");--> statement-breakpoint
 ALTER TABLE "Applications" ALTER COLUMN "scopes" SET DATA TYPE text[] USING (string_to_array("scopes", ' ')::text[]);--> statement-breakpoint
 ALTER TABLE "Applications" ALTER COLUMN "scopes" SET DEFAULT ARRAY[]::text[];--> statement-breakpoint
 ALTER TABLE "Notes" ALTER COLUMN "applicationId" SET DATA TYPE text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ALTER COLUMN "applicationId" SET DATA TYPE text;--> statement-breakpoint
 ALTER TABLE "Applications" ADD COLUMN "redirect_uris" text[] DEFAULT ARRAY[]::text[] NOT NULL;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "state" text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "client_state" text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "client_redirect_uri" text;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD COLUMN "client_scopes" text[];--> statement-breakpoint
 ALTER TABLE "Tokens" ADD COLUMN "scopes" text[] DEFAULT ARRAY[]::text[] NOT NULL;--> statement-breakpoint
 ALTER TABLE "AuthorizationCodes" ADD CONSTRAINT "AuthorizationCodes_userId_Users_id_fk" FOREIGN KEY ("userId") REFERENCES "public"."Users"("id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "AuthorizationCodes" ADD CONSTRAINT "AuthorizationCodes_clientId_Applications_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Applications"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Notes" ADD CONSTRAINT "Notes_applicationId_Applications_client_id_fk" FOREIGN KEY ("applicationId") REFERENCES "public"."Applications"("client_id") ON DELETE set null ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD CONSTRAINT "OpenIdLoginFlows_applicationId_Applications_client_id_fk" FOREIGN KEY ("applicationId") REFERENCES "public"."Applications"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Tokens" ALTER COLUMN "clientId" SET DATA TYPE text;--> statement-breakpoint
 ALTER TABLE "Tokens" ADD CONSTRAINT "Tokens_clientId_Applications_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Applications"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Applications" DROP COLUMN "vapid_key";--> statement-breakpoint
 ALTER TABLE "Applications" DROP COLUMN "redirect_uri";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "token_type";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "scope";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "code";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "client_id";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "redirect_uri";--> statement-breakpoint
 ALTER TABLE "Tokens" DROP COLUMN "id_token";
--- a/packages/kit/tables/migrations/0052_complete_hellfire_club.sql
+++ b/packages/kit/tables/migrations/0052_complete_hellfire_club.sql
@ -0,0 +1,15 @@
 ALTER TABLE "Applications" RENAME TO "Clients";--> statement-breakpoint
 ALTER TABLE "Notes" RENAME COLUMN "applicationId" TO "clientId";--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" RENAME COLUMN "applicationId" TO "clientId";--> statement-breakpoint
 ALTER TABLE "AuthorizationCodes" DROP CONSTRAINT "AuthorizationCodes_clientId_Applications_client_id_fk";
 --> statement-breakpoint
 ALTER TABLE "Notes" DROP CONSTRAINT "Notes_applicationId_Applications_client_id_fk";
 --> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" DROP CONSTRAINT "OpenIdLoginFlows_applicationId_Applications_client_id_fk";
 --> statement-breakpoint
 ALTER TABLE "Tokens" DROP CONSTRAINT "Tokens_clientId_Applications_client_id_fk";
 --> statement-breakpoint
 ALTER TABLE "AuthorizationCodes" ADD CONSTRAINT "AuthorizationCodes_clientId_Clients_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Clients"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Notes" ADD CONSTRAINT "Notes_clientId_Clients_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Clients"("client_id") ON DELETE set null ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "OpenIdLoginFlows" ADD CONSTRAINT "OpenIdLoginFlows_clientId_Clients_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Clients"("client_id") ON DELETE cascade ON UPDATE cascade;--> statement-breakpoint
 ALTER TABLE "Tokens" ADD CONSTRAINT "Tokens_clientId_Clients_client_id_fk" FOREIGN KEY ("clientId") REFERENCES "public"."Clients"("client_id") ON DELETE cascade ON UPDATE cascade;
--- a/packages/kit/tables/migrations/meta/0051_snapshot.json
+++ b/packages/kit/tables/migrations/meta/0051_snapshot.json
--- a/packages/kit/tables/migrations/meta/0052_snapshot.json
+++ b/packages/kit/tables/migrations/meta/0052_snapshot.json
--- a/packages/kit/tables/migrations/meta/_journal.json
+++ b/packages/kit/tables/migrations/meta/_journal.json
@ -358,6 +358,20 @@
            "when": 1746368175263,
            "tag": "0050_thick_lester",
            "breakpoints": true
        },
        {
            "idx": 51,
            "version": "7",
            "when": 1755729662013,
            "tag": "0051_stiff_morbius",
            "breakpoints": true
        },
        {
            "idx": 52,
            "version": "7",
            "when": 1755732000165,
            "tag": "0052_complete_hellfire_club",
            "breakpoints": true
        }
    ]
 }
--- a/packages/kit/tables/schema.ts
+++ b/packages/kit/tables/schema.ts
@ -28,6 +28,7 @@ import {
 import type { z } from "zod/v4";
 const createdAt = () =>
    // TODO: Change mode to Date
    timestamp("created_at", { precision: 3, mode: "string" })
        .defaultNow()
        .notNull();
@ -39,7 +40,7 @@ const updatedAt = () =>
 const uri = () => text("uri").unique();
-const id = () => uuid("id").primaryKey().notNull();
+const id = () => uuid("id").primaryKey();
 export const Challenges = pgTable("Challenges", {
    id: id(),
@ -308,47 +309,41 @@ export const RelationshipsRelations = relations(Relationships, ({ one }) => ({
    }),
 }));
-export const Applications = pgTable(
+export const Clients = pgTable("Clients", {
-    "Applications",
+    id: text("client_id").primaryKey(),
-    {
+    secret: text("secret").notNull(),
-        id: id(),
+    redirectUris: text("redirect_uris")
-        name: text("name").notNull(),
+        .array()
-        website: text("website"),
+        .notNull()
-        vapidKey: text("vapid_key"),
+        .default(sql`ARRAY[]::text[]`),
-        clientId: text("client_id").notNull(),
+    scopes: text("scopes").array().notNull().default(sql`ARRAY[]::text[]`),
-        secret: text("secret").notNull(),
+    name: text("name").notNull(),
-        scopes: text("scopes").notNull(),
+    website: text("website"),
-        redirectUri: text("redirect_uri").notNull(),
+});
    },
    (table) => [uniqueIndex().on(table.clientId)],
 );
-export const ApplicationsRelations = relations(Applications, ({ many }) => ({
+export const ClientsRelations = relations(Clients, ({ many }) => ({
    tokens: many(Tokens),
    loginFlows: many(OpenIdLoginFlows),
 }));
 export const Tokens = pgTable("Tokens", {
    id: id(),
-    tokenType: text("token_type").notNull(),
+    scopes: text("scopes").array().notNull().default(sql`ARRAY[]::text[]`),
    scope: text("scope").notNull(),
    accessToken: text("access_token").notNull(),
    code: text("code"),
    expiresAt: timestamp("expires_at", { precision: 3, mode: "string" }),
    createdAt: createdAt(),
    clientId: text("client_id").notNull().default(""),
    redirectUri: text("redirect_uri").notNull().default(""),
    idToken: text("id_token"),
    userId: uuid("userId")
        .references(() => Users.id, {
            onDelete: "cascade",
            onUpdate: "cascade",
        })
        .notNull(),
-    applicationId: uuid("applicationId").references(() => Applications.id, {
+    clientId: text("clientId")
-        onDelete: "cascade",
+        .references(() => Clients.id, {
-        onUpdate: "cascade",
+            onDelete: "cascade",
-    }),
+            onUpdate: "cascade",
        })
        .notNull(),
 });
 export const TokensRelations = relations(Tokens, ({ one }) => ({
@ -356,12 +351,51 @@ export const TokensRelations = relations(Tokens, ({ one }) => ({
        fields: [Tokens.userId],
        references: [Users.id],
    }),
-    application: one(Applications, {
+    client: one(Clients, {
-        fields: [Tokens.applicationId],
+        fields: [Tokens.clientId],
-        references: [Applications.id],
+        references: [Clients.id],
    }),
 }));
 export const AuthorizationCodes = pgTable("AuthorizationCodes", {
    code: text("code").primaryKey(),
    scopes: text("scopes").array().notNull().default(sql`ARRAY[]::text[]`),
    redirectUri: text("redirect_uri"),
    expiresAt: timestamp("expires_at", {
        precision: 3,
        mode: "string",
    }).notNull(),
    createdAt: createdAt(),
    codeChallenge: text("code_challenge"),
    codeChallengeMethod: text("code_challenge_method"),
    userId: uuid("userId")
        .references(() => Users.id, {
            onDelete: "cascade",
            onUpdate: "cascade",
        })
        .notNull(),
    clientId: text("clientId")
        .references(() => Clients.id, {
            onDelete: "cascade",
            onUpdate: "cascade",
        })
        .notNull(),
 });
 export const AuthorizationCodesRelations = relations(
    AuthorizationCodes,
    ({ one }) => ({
        user: one(Users, {
            fields: [AuthorizationCodes.userId],
            references: [Users.id],
        }),
        client: one(Clients, {
            fields: [AuthorizationCodes.clientId],
            references: [Clients.id],
        }),
    }),
 );
 export const Medias = pgTable("Medias", {
    id: id(),
    content: jsonb("content")
@ -460,7 +494,7 @@ export const Notes = pgTable("Notes", {
    }),
    sensitive: boolean("sensitive").notNull().default(false),
    spoilerText: text("spoiler_text").default("").notNull(),
-    applicationId: uuid("applicationId").references(() => Applications.id, {
+    clientId: text("clientId").references(() => Clients.id, {
        onDelete: "set null",
        onUpdate: "cascade",
    }),
@ -494,9 +528,9 @@ export const NotesRelations = relations(Notes, ({ many, one }) => ({
        references: [Notes.id],
        relationName: "NoteToQuotes",
    }),
-    application: one(Applications, {
+    client: one(Clients, {
-        fields: [Notes.applicationId],
+        fields: [Notes.clientId],
-        references: [Applications.id],
+        references: [Clients.id],
    }),
    quotes: many(Notes, {
        relationName: "NoteToQuotes",
@ -665,7 +699,11 @@ export const UsersRelations = relations(Users, ({ many, one }) => ({
 export const OpenIdLoginFlows = pgTable("OpenIdLoginFlows", {
    id: id(),
    codeVerifier: text("code_verifier").notNull(),
-    applicationId: uuid("applicationId").references(() => Applications.id, {
+    state: text("state"),
    clientState: text("client_state"),
    clientRedirectUri: text("client_redirect_uri"),
    clientScopes: text("client_scopes").array(),
    clientId: text("clientId").references(() => Clients.id, {
        onDelete: "cascade",
        onUpdate: "cascade",
    }),
@ -675,9 +713,9 @@ export const OpenIdLoginFlows = pgTable("OpenIdLoginFlows", {
 export const OpenIdLoginFlowsRelations = relations(
    OpenIdLoginFlows,
    ({ one }) => ({
-        application: one(Applications, {
+        client: one(Clients, {
-            fields: [OpenIdLoginFlows.applicationId],
+            fields: [OpenIdLoginFlows.clientId],
-            references: [Applications.id],
+            references: [Clients.id],
        }),
    }),
 );
--- a/packages/tests/index.ts
+++ b/packages/tests/index.ts
@ -1,7 +1,14 @@
 import { mock } from "bun:test";
 import { Client as VersiaClient } from "@versia/client";
 import { config } from "@versia-server/config";
-import { db, Note, setupDatabase, Token, User } from "@versia-server/kit/db";
+import {
    Client,
    db,
    Note,
    setupDatabase,
    Token,
    User,
 } from "@versia-server/kit/db";
 import { searchManager } from "@versia-server/kit/search";
 import { Notes, Users } from "@versia-server/kit/tables";
 import { solveChallenge } from "altcha-lib";
@ -43,15 +50,21 @@ export const generateClient = async (
        dbToken: Token;
    }
 > => {
    const application = await Client.insert({
        id: randomUUIDv7(),
        name: "Versia",
        redirectUris: [],
        scopes: ["openid", "profile", "email"],
        secret: "",
    });
    const token = user
        ? await Token.insert({
              id: randomUUIDv7(),
              accessToken: randomString(32, "hex"),
              tokenType: "bearer",
              userId: user.id,
-              applicationId: null,
+              clientId: application.id,
-              code: randomString(32, "hex"),
+              scopes: ["read", "write", "follow", "push"],
              scope: "read write follow push",
          })
        : null;
@ -71,6 +84,7 @@ export const generateClient = async (
    // @ts-expect-error This is REAL monkeypatching done by REAL programmers, BITCH!
    client[Symbol.asyncDispose] = async (): Promise<void> => {
        await token?.delete();
        await application.delete();
    };
    // @ts-expect-error More monkeypatching
@ -97,6 +111,14 @@ export const getTestUsers = async (
    const users: User[] = [];
    const passwords: string[] = [];
    const application = await Client.insert({
        id: randomUUIDv7(),
        name: "Versia",
        redirectUris: [],
        scopes: ["openid", "profile", "email"],
        secret: "",
    });
    for (let i = 0; i < count; i++) {
        const password = randomString(32, "hex");
@ -119,9 +141,9 @@ export const getTestUsers = async (
            accessToken: randomString(32, "hex"),
            tokenType: "bearer",
            userId: u.id,
-            applicationId: null,
+            clientId: application.id,
            code: randomString(32, "hex"),
-            scope: "read write follow push",
+            scopes: ["read", "write", "follow", "push"],
        })),
    );
@ -140,6 +162,7 @@ export const getTestUsers = async (
                    users.map((u) => u.id),
                ),
            );
            await application.delete();
        },
    };
 };
@ -159,7 +182,7 @@ export const getTestStatuses = async (
            sensitive: false,
            updatedAt: new Date().toISOString(),
            visibility: "public",
-            applicationId: null,
+            clientId: null,
            ...partial,
        });
--- a/types/api.ts
+++ b/types/api.ts
@ -1,6 +1,6 @@
 import type * as VersiaEntities from "@versia/sdk/entities";
 import type { ConfigSchema } from "@versia-server/config";
-import type { Application, Token, User } from "@versia-server/kit/db";
+import type { Client, Token, User } from "@versia-server/kit/db";
 import type { SocketAddress } from "bun";
 import type { Hono } from "hono";
 import type { RouterRoute } from "hono/types";
@ -11,7 +11,7 @@ export type HttpVerb = "GET" | "POST" | "PUT" | "DELETE" | "PATCH" | "OPTIONS";
 export interface AuthData {
    user: User | null;
    token: Token | null;
-    application: Application | null;
+    application: Client | null;
 }
 export type HonoEnv = {
--- a/utils/bull-board.ts
+++ b/utils/bull-board.ts
@ -14,8 +14,7 @@ import { relationshipQueue } from "@versia-server/kit/queues/relationships";
 import type { Hono } from "hono";
 import { serveStatic } from "hono/bun";
 import { getCookie } from "hono/cookie";
-import { jwtVerify } from "jose";
+import { verify } from "hono/jwt";
 import { JOSEError, JWTExpired } from "jose/errors";
 import type { HonoEnv } from "~/types/api";
 import pkg from "../package.json" with { type: "json" };
@ -58,38 +57,15 @@ export const applyToHono = (app: Hono<HonoEnv>): void => {
            throw new ApiError(401, "Missing JWT cookie");
        }
-        const result = await jwtVerify(
+        const result = await verify(jwtCookie, config.authentication.key);
            jwtCookie,
            config.authentication.keys.public,
            {
                algorithms: ["EdDSA"],
                issuer: new URL(context.get("config").http.base_url).origin,
            },
        ).catch((error) => {
            if (error instanceof JOSEError) {
                return error;
            }
-            throw error;
+        const { sub } = result;
        });
        if (result instanceof JOSEError) {
            if (result instanceof JWTExpired) {
                throw new ApiError(401, "JWT has expired");
            }
            throw new ApiError(401, "Invalid JWT");
        }
        const {
            payload: { sub },
        } = result;
        if (!sub) {
            throw new ApiError(401, "Invalid JWT (no sub)");
        }
-        const user = await User.fromId(sub);
+        const user = await User.fromId(sub as string);
        if (!user?.hasPermission(RolePermission.ManageInstanceFederation)) {
            throw new ApiError(
--- a/utils/lib.ts
+++ b/utils/lib.ts
@ -9,3 +9,6 @@ export const mergeAndDeduplicate = <T extends ElementWithId>(
            (element, index, self) =>
                index === self.findIndex((t) => t.id === element.id),
        );
 export const oauthRedirectUri = (baseUrl: URL, issuer: string): URL =>
    new URL(`/oauth/sso/${issuer}/callback`, baseUrl);