feat: setup-dot-and-metadata-endpoint

[Zaimwa9]

Thanks for submitting a PR! Please check the boxes below:

• I have read the Contributing Guide.
• I have added information to docs/ if required so people know about the feature.
• I have filled in the "Changes" section below.
• I have filled in the "How did you test this code" section below.

Changes

Contributes to #7032

• Add django-oauth-toolkit as a dependency
• Add oauth2_provider to INSTALLED_APPS and OAuth2Authentication to DRF authentication classes
• Configure OAUTH2_PROVIDER settings: 15min access tokens, 30-day rotating refresh tokens, PKCE S256 mandatory, mcp scope
• Add FLAGSMITH_API_URL and FLAGSMITH_FRONTEND_URL environment variables (for self-hosted)
• Expose DOT endpoints under /o/ (authorize, token, revoke, introspect)
• Add GET /.well-known/oauth-authorization-server metadata endpoint (RFC 8414)
• Add daily cleartokens recurring task to clear expired OAuth2 tokens

🟢 Includes a Node.js test server (node auth2_test_server.mjs) to test e2e => http://localhost:3000

How did you test this code?

• New tests
• curl http://localhost:8000/.well-known/oauth-authorization-server
• Manual e2e using node oauth2_test_server.mjs :
  a. Create a public OAuth application in Django admin at /admin/oauth2_provider/application/add_/
  (Authorization: code grant, redirect URI: http://localhost:3000/oauth/callback)
  b. Update CLIENT_ID in oauth2_test_server.mjs with the generated client ID
  c. Run the server and open http://localhost:3000
  d. Approve the authorisation, token is exchanged automatically
  You should receive a payload like:

{
  "access_token": "gC1lOUXpMv22K4L5mQipQE6SKzwBqA",
  "expires_in": 900,
  "token_type": "Bearer",
  "scope": "mcp",
  "refresh_token": "iRpml11oIDiuQXbNmkXE2jKB03bkal"
}

[claude]

⚠️ Code review skipped — your organization's overage spend limit has been reached.

Code review is billed via overage credits. To resume reviews, an organization admin can raise the monthly limit at claude.ai/admin-settings/claude-code.

Once credits are available, reopen this pull request to trigger a review.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

3 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
docs	Ignored	Preview	Mar 30, 2026 10:47am
flagsmith-frontend-preview	Ignored	Preview	Mar 30, 2026 10:47am
flagsmith-frontend-staging	Ignored	Preview	Mar 30, 2026 10:47am

[github-actions]

Docker builds report

Image	Build Status	Security report
ghcr.io/flagsmith/flagsmith-api-test:pr-7057	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-e2e:pr-7057	Finished ✅	Skipped
ghcr.io/flagsmith/flagsmith-frontend:pr-7057	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-api:pr-7057	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith:pr-7057	Finished ✅	Results ✅
ghcr.io/flagsmith/flagsmith-private-cloud:pr-7057	Finished ✅	Results ✅

[Zaimwa9]

Reminder

[github-actions]

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 41.2 seconds
 eeb1584
 🔄 Run: #15519 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 28 seconds
 eeb1584
 🔄 Run: #15519 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 52.1 seconds
 e190637
 🔄 Run: #15518 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 23.6 seconds
 e330174
 🔄 Run: #15520 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 45 seconds
 e190637
 🔄 Run: #15518 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 1 minute, 1 second
 e190637
 🔄 Run: #15518 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 52.2 seconds
 e330174
 🔄 Run: #15520 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 58.9 seconds
 e330174
 🔄 Run: #15520 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 47.1 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 52 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 55.8 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 1 minute, 2 seconds
 ccd5ffd
 🔄 Run: #15521 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 42.4 seconds
 262ebda
 🔄 Run: #15522 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 24.6 seconds
 1f0d84e
 🔄 Run: #15523 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 46.7 seconds
 262ebda
 🔄 Run: #15522 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 53.1 seconds
 1f0d84e
 🔄 Run: #15523 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 45 seconds
 262ebda
 🔄 Run: #15522 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 28 seconds
 74d4fc1
 🔄 Run: #15543 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 42.5 seconds
 74d4fc1
 🔄 Run: #15543 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 failed

Details

 2 tests across 2 suites
 34.1 seconds
 74d4fc1
 📦 Artifacts: View test results and HTML report
🔄 Run: #15543 (attempt 1)

Failed tests

firefox › tests/change-request-test.pw.ts › Change Request Tests › Change requests can be created, approved, and published with 4-eyes approval @enterprise
firefox › tests/roles-test.pw.ts › Roles Tests › Roles can be created with project and environment permissions @enterprise

### Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 26.9 seconds
 36477da
 🔄 Run: #15548 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 29.5 seconds
 36477da
 🔄 Run: #15548 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 52.2 seconds
 36477da
 🔄 Run: #15548 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 2 passed

Details

 2 tests across 2 suites
 58.9 seconds
 36477da
 🔄 Run: #15548 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 43 seconds
 ec0b067
 🔄 Run: #15549 (attempt 1)

Playwright Test Results (oss - depot-ubuntu-latest-arm-16)

 10 passed

Details

 10 tests across 7 suites
 51.5 seconds
 ec0b067
 🔄 Run: #15549 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-16)

 2 passed

Details

 2 tests across 2 suites
 44 seconds
 ec0b067
 🔄 Run: #15549 (attempt 1)

Playwright Test Results (private-cloud - depot-ubuntu-latest-arm-16)

 1 passed

Details

 1 test across 1 suite
 1 minute, 9 seconds
 ec0b067
 🔄 Run: #15549 (attempt 1)

[github-actions]

Playwright Test Results (oss - depot-ubuntu-latest-16)

 10 passed

Details

 10 tests across 7 suites
 42 seconds
 e190637
 🔄 Run: #15518 (attempt 1)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.27%. Comparing base (61ca107) to head (ec0b067).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7057      +/-   ##
==========================================
- Coverage   98.33%   98.27%   -0.07%     
==========================================
  Files        1337     1344       +7     
  Lines       50012    50126     +114     
==========================================
+ Hits        49180    49259      +79     
- Misses        832      867      +35     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.