feat(client): add OAuth confidential client endpoints

- Add /api/oauth/client-metadata.json for OAuth client discovery
- Add /api/oauth/jwks.json for public key distribution
- Update .env.example with all required variables
- Add vercel.json for deployment

Author: daviddao

client/.env.example

@@ -1,3 +1,31 @@
-# Hypergoat API URL
-# Change this to your Hypergoat server's address in production
+# =============================================================================
+# Hypergoat Client Configuration
+# =============================================================================
+
+# Backend API URL (the Go server)
+# For local development: http://localhost:8080
+# For production: https://your-railway-app.up.railway.app
 NEXT_PUBLIC_API_URL=http://localhost:8080
+
+# Same as above, used for server-side API calls
+HYPERGOAT_URL=http://127.0.0.1:8080
+
+# =============================================================================
+# OAuth Configuration
+# =============================================================================
+
+# Public URL of this client (required for production OAuth)
+# This is the Vercel URL where the client is deployed
+# Leave empty for local development (uses http://127.0.0.1:3000)
+PUBLIC_URL=
+
+# Secret for encrypting session cookies (must be at least 32 characters)
+# Generate with: openssl rand -base64 32
+COOKIE_SECRET=development-secret-at-least-32-chars!!
+
+# Private JWK for confidential OAuth client (optional)
+# For production, you can generate a key pair with:
+#   npx @atproto/jwk-cli generate --alg ES256
+# Then paste the private key JSON here (minified, single line)
+# Leave empty to use public client mode (simpler, works for most cases)
+ATPROTO_JWK_PRIVATE=

client/src/app/api/oauth/client-metadata.json/route.ts

@@ -0,0 +1,40 @@
+import { NextResponse } from "next/server";
+import { env } from "@/lib/env";
+
+export const dynamic = "force-dynamic";
+
+export async function GET() {
+  const publicUrl = env.PUBLIC_URL;
+  
+  if (!publicUrl) {
+    return NextResponse.json(
+      { error: "PUBLIC_URL not configured" },
+      { status: 500 }
+    );
+  }
+
+  const metadata = {
+    client_id: `${publicUrl}/api/oauth/client-metadata.json`,
+    client_name: "Hypergoat Admin",
+    client_uri: publicUrl,
+    logo_uri: `${publicUrl}/logo.png`,
+    tos_uri: `${publicUrl}/terms`,
+    policy_uri: `${publicUrl}/privacy`,
+    redirect_uris: [`${publicUrl}/api/oauth/callback`],
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    scope: "atproto transition:generic",
+    token_endpoint_auth_method: "private_key_jwt",
+    token_endpoint_auth_signing_alg: "ES256",
+    jwks_uri: `${publicUrl}/api/oauth/jwks.json`,
+    application_type: "web",
+    dpop_bound_access_tokens: true,
+  };
+
+  return NextResponse.json(metadata, {
+    headers: {
+      "Content-Type": "application/json",
+      "Cache-Control": "public, max-age=3600",
+    },
+  });
+}

client/src/app/api/oauth/jwks.json/route.ts

@@ -0,0 +1,36 @@
+import { NextResponse } from "next/server";
+import { getJwks } from "@/lib/auth/client";
+
+export const dynamic = "force-dynamic";
+
+export async function GET() {
+  try {
+    const jwks = await getJwks();
+    
+    if (!jwks) {
+      // Return empty keyset if no private key configured (public client mode)
+      return NextResponse.json(
+        { keys: [] },
+        {
+          headers: {
+            "Content-Type": "application/json",
+            "Cache-Control": "public, max-age=3600",
+          },
+        }
+      );
+    }
+
+    return NextResponse.json(jwks, {
+      headers: {
+        "Content-Type": "application/json",
+        "Cache-Control": "public, max-age=3600",
+      },
+    });
+  } catch (error) {
+    console.error("Failed to get JWKS:", error);
+    return NextResponse.json(
+      { error: "Failed to get JWKS" },
+      { status: 500 }
+    );
+  }
+}

client/vercel.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://openapi.vercel.sh/vercel.json",
+  "framework": "nextjs"
+}