Register a "Continue with Turtini" (OIDC) client

Onboarding a third-party site to "Continue with Turtini" is a platform-admin action on the **OAuth Clients** screen at /admin/oauth-clients. A developer emails [email protected]; you register their client here and send back the credentials.

Register an identity client:
1. Open /admin/oauth-clients and click the **Continue with Turtini (OIDC)** preset — it pre-fills the form with the identity-only scopes `openid profile email`. (The other preset, "ChatGPT (data access)", is for clients that read org data — a different posture.)
2. Set the **Client ID** (lowercase, [a-z0-9_-]), display **Name**, **Description**, homepage and privacy-policy URLs.
3. Set the **Redirect URI(s)** to exactly what the site will use for its callback (e.g. `https://example.com/auth/turtini/callback`). Comma- or newline-separate multiple URIs. A mismatch here is the most common cause of a failed flow.
4. Keep **Allowed scopes** as `openid profile email` for a pure sign-in client. Only add data scopes (e.g. `contacts:read`) if the site genuinely needs org data — identity sign-in should not.
5. **Owner org ID** (optional) — set it to a Turtini org's ID to render that org's live logo and name on the consent screen, so users see real branding instead of a static logo URL.
6. Save. The screen returns the `client_id` and a one-time `client_secret` — copy the secret now; it isn't shown again. Send both to the developer.

Identity-only vs data clients:
• A client whose scopes are only `openid`/`profile`/`email` is an **identity-only** client — its grants assert who the user is and never touch org data. The consent screen for these doesn't require the user to pick an org, and returning users are silently re-approved (the One Tap / instant-sign-in feel).
• A client with data scopes shows the full permission list and the org picker, exactly like the ChatGPT/Claude data-access flow.

Maintenance:
• **Rotate a secret** — use the rotate-secret control with the client's ID; the new secret is shown once and the old one stops working. Use this if a secret leaks.
• **Add a redirect URI** — clients sometimes need a new callback (new domain, staging). Add it from the same screen without re-registering.
• Tokens are RS256 id_tokens issued from issuer `https://api.turtini.com`; nothing about the signing key is configured per client.