From 5dc87b3b30ade4ca06ccf07941752d1e74cadc31 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 2 Dec 2025 17:03:46 +0000
Subject: [PATCH 01/72] feat: add OAuth client developer settings page with
 approval workflow

- Add new developer OAuth page at /settings/developer/oAuth for users to submit OAuth client requests
- Transform admin OAuth page into management dashboard for reviewing/approving submissions
- Add OAuthClientApprovalStatus enum (PENDING, APPROVED, REJECTED) to track submission status
- Add userId and createdAt fields to OAuthClient model for tracking submissions
- Create email notifications for admin (new submission) and user (approval)
- Add sidebar navigation link in developer section below API keys
- Add comprehensive translations for new UI strings
- Create OAuthClientRepository for data access following repository pattern

Co-Authored-By: peer@cal.com <peer@cal.com>
---
 .../(admin-layout)/admin/oAuth/page.tsx       |  10 +-
 .../SettingsLayoutAppDirClient.tsx            |  27 +-
 .../developer/oauth/page.tsx                  |  36 ++
 .../admin/oauth-clients-admin-view.tsx        | 350 ++++++++++++++++++
 .../settings/developer/oauth-clients-view.tsx | 258 +++++++++++++
 apps/web/public/static/locales/en/common.json |  55 ++-
 .../AdminOAuthClientNotificationEmail.tsx     | 111 ++++++
 .../OAuthClientApprovedNotificationEmail.tsx  |  81 ++++
 packages/emails/src/templates/index.ts        |   2 +
 .../admin-oauth-client-notification.ts        |  47 +++
 .../oauth-client-approved-notification.ts     |  44 +++
 packages/lib/server/repository/oAuthClient.ts | 172 +++++++++
 .../migration.sql                             |  10 +
 packages/prisma/schema.prisma                 |  25 +-
 .../server/routers/viewer/oAuth/_router.tsx   |  42 ++-
 .../routers/viewer/oAuth/addClient.handler.ts |  33 +-
 .../viewer/oAuth/listClients.handler.ts       |  19 +
 .../viewer/oAuth/listClients.schema.ts        |   9 +
 .../viewer/oAuth/listUserClients.handler.ts   |  17 +
 .../viewer/oAuth/submitClient.handler.ts      |  54 +++
 .../viewer/oAuth/submitClient.schema.ts       |  10 +
 .../oAuth/updateClientStatus.handler.ts       |  39 ++
 .../viewer/oAuth/updateClientStatus.schema.ts |  10 +
 23 files changed, 1404 insertions(+), 57 deletions(-)
 create mode 100644 apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx
 create mode 100644 apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
 create mode 100644 apps/web/modules/settings/developer/oauth-clients-view.tsx
 create mode 100644 packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
 create mode 100644 packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
 create mode 100644 packages/emails/templates/admin-oauth-client-notification.ts
 create mode 100644 packages/emails/templates/oauth-client-approved-notification.ts
 create mode 100644 packages/lib/server/repository/oAuthClient.ts
 create mode 100644 packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts

diff --git a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
index 8be1a816367fc0..3ae73f578cc568 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
@@ -2,12 +2,12 @@ import { _generateMetadata, getTranslate } from "app/_utils";
 
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import LegacyPage from "~/settings/admin/oauth-view";
+import OAuthClientsAdminView from "~/settings/admin/oauth-clients-admin-view";
 
 export const generateMetadata = async () =>
   await _generateMetadata(
-    (t) => t("oAuth"),
-    (t) => t("admin_oAuth_description"),
+    (t) => t("oauth_clients_admin"),
+    (t) => t("oauth_clients_admin_description"),
     undefined,
     undefined,
     "/settings/admin/oAuth"
@@ -16,8 +16,8 @@ export const generateMetadata = async () =>
 const Page = async () => {
   const t = await getTranslate();
   return (
-    <SettingsHeader title={t("oAuth")} description={t("admin_oAuth_description")}>
-      <LegacyPage />
+    <SettingsHeader title={t("oauth_clients_admin")} description={t("oauth_clients_admin_description")}>
+      <OAuthClientsAdminView />
     </SettingsHeader>
   );
 };
diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
index e154eac9562868..88d71bf397215e 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
@@ -64,19 +64,20 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
       icon: "credit-card",
       children: [{ name: "manage_billing", href: "/settings/billing", trackingMetadata: { section: "billing", page: "manage_billing" } }],
     },
-    {
-      name: "developer",
-      href: "/settings/developer",
-      icon: "terminal",
-      children: [
-        //
-        { name: "webhooks", href: "/settings/developer/webhooks", trackingMetadata: { section: "developer", page: "webhooks" } },
-        { name: "api_keys", href: "/settings/developer/api-keys", trackingMetadata: { section: "developer", page: "api_keys" } },
-        { name: "admin_api", href: "/settings/organizations/admin-api", trackingMetadata: { section: "developer", page: "admin_api" } },
-        // TODO: Add profile level for embeds
-        // { name: "embeds", href: "/v2/settings/developer/embeds" },
-      ],
-    },
+        {
+          name: "developer",
+          href: "/settings/developer",
+          icon: "terminal",
+          children: [
+            //
+            { name: "webhooks", href: "/settings/developer/webhooks", trackingMetadata: { section: "developer", page: "webhooks" } },
+            { name: "api_keys", href: "/settings/developer/api-keys", trackingMetadata: { section: "developer", page: "api_keys" } },
+            { name: "oauth_clients", href: "/settings/developer/oauth", trackingMetadata: { section: "developer", page: "oauth_clients" } },
+            { name: "admin_api", href: "/settings/organizations/admin-api", trackingMetadata: { section: "developer", page: "admin_api" } },
+            // TODO: Add profile level for embeds
+            // { name: "embeds", href: "/v2/settings/developer/embeds" },
+          ],
+        },
     {
       name: "organization",
       href: "/settings/organizations",
diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx
new file mode 100644
index 00000000000000..b0b43387ea2f3b
--- /dev/null
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx
@@ -0,0 +1,36 @@
+import { _generateMetadata, getTranslate } from "app/_utils";
+import { cookies, headers } from "next/headers";
+import { redirect } from "next/navigation";
+
+import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
+import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
+
+import { buildLegacyRequest } from "@lib/buildLegacyCtx";
+
+import OAuthClientsView from "~/settings/developer/oauth-clients-view";
+
+export const generateMetadata = async () =>
+  await _generateMetadata(
+    (t) => t("oauth_clients"),
+    (t) => t("oauth_clients_description"),
+    undefined,
+    undefined,
+    "/settings/developer/oauth"
+  );
+
+const Page = async () => {
+  const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
+  const t = await getTranslate();
+
+  if (!session) {
+    redirect("/auth/login?callbackUrl=/settings/developer/oauth");
+  }
+
+  return (
+    <SettingsHeader title={t("oauth_clients")} description={t("oauth_clients_description")}>
+      <OAuthClientsView />
+    </SettingsHeader>
+  );
+};
+
+export default Page;
diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
new file mode 100644
index 00000000000000..a8863759459fe2
--- /dev/null
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -0,0 +1,350 @@
+"use client";
+
+import { useState } from "react";
+import { useForm } from "react-hook-form";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+import { trpc } from "@calcom/trpc/react";
+import { Avatar } from "@calcom/ui/components/avatar";
+import { Badge } from "@calcom/ui/components/badge";
+import { Button } from "@calcom/ui/components/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogFooter,
+  DialogClose,
+} from "@calcom/ui/components/dialog";
+import {
+  Dropdown,
+  DropdownMenuTrigger,
+  DropdownMenuContent,
+  DropdownMenuItem,
+} from "@calcom/ui/components/dropdown";
+import { EmptyScreen } from "@calcom/ui/components/empty-screen";
+import { Form, Label, Switch, TextField } from "@calcom/ui/components/form";
+import { Icon } from "@calcom/ui/components/icon";
+import { ImageUploader } from "@calcom/ui/components/image-uploader";
+import { showToast } from "@calcom/ui/components/toast";
+import { Tooltip } from "@calcom/ui/components/tooltip";
+
+type FormValues = {
+  name: string;
+  redirectUri: string;
+  logo: string;
+  enablePkce: boolean;
+};
+
+export default function OAuthClientsAdminView() {
+  const { t } = useLocale();
+  const utils = trpc.useUtils();
+  const [showAddDialog, setShowAddDialog] = useState(false);
+  const [logo, setLogo] = useState("");
+  const [createdClient, setCreatedClient] = useState<{
+    clientId: string;
+    clientSecret?: string;
+    name: string;
+  } | null>(null);
+
+  const oAuthForm = useForm<FormValues>({
+    defaultValues: {
+      name: "",
+      redirectUri: "",
+      logo: "",
+      enablePkce: false,
+    },
+  });
+
+  const { data: oAuthClients, isLoading } = trpc.viewer.oAuth.listClients.useQuery({});
+
+  const addMutation = trpc.viewer.oAuth.addClient.useMutation({
+    onSuccess: async (data) => {
+      setCreatedClient({
+        clientId: data.clientId,
+        clientSecret: data.clientSecret,
+        name: data.name,
+      });
+      showToast(t("oauth_client_created"), "success");
+      utils.viewer.oAuth.listClients.invalidate();
+    },
+    onError: (error) => {
+      showToast(`${t("oauth_client_create_error")}: ${error.message}`, "error");
+    },
+  });
+
+  const updateStatusMutation = trpc.viewer.oAuth.updateClientStatus.useMutation({
+    onSuccess: async (data) => {
+      showToast(
+        t("oauth_client_status_updated", { name: data.name, status: data.approvalStatus }),
+        "success"
+      );
+      utils.viewer.oAuth.listClients.invalidate();
+    },
+    onError: (error) => {
+      showToast(`${t("oauth_client_status_update_error")}: ${error.message}`, "error");
+    },
+  });
+
+  const handleAddClient = (values: FormValues) => {
+    addMutation.mutate({
+      name: values.name,
+      redirectUri: values.redirectUri,
+      logo: values.logo,
+      enablePkce: values.enablePkce,
+    });
+  };
+
+  const handleCloseDialog = () => {
+    setShowAddDialog(false);
+    setCreatedClient(null);
+    setLogo("");
+    oAuthForm.reset();
+  };
+
+  const handleApprove = (clientId: string) => {
+    updateStatusMutation.mutate({ clientId, status: "APPROVED" });
+  };
+
+  const handleReject = (clientId: string) => {
+    updateStatusMutation.mutate({ clientId, status: "REJECTED" });
+  };
+
+  const getStatusBadge = (status: string) => {
+    switch (status) {
+      case "APPROVED":
+        return <Badge variant="success">{t("approved")}</Badge>;
+      case "REJECTED":
+        return <Badge variant="red">{t("rejected")}</Badge>;
+      case "PENDING":
+      default:
+        return <Badge variant="orange">{t("pending")}</Badge>;
+    }
+  };
+
+  if (isLoading) {
+    return <div className="flex justify-center py-8">{t("loading")}</div>;
+  }
+
+  return (
+    <div>
+      <div className="mb-4 flex justify-end">
+        <Button color="primary" StartIcon="plus" onClick={() => setShowAddDialog(true)}>
+          {t("add_oauth_client")}
+        </Button>
+      </div>
+
+      {oAuthClients && oAuthClients.length > 0 ? (
+        <div className="border-subtle overflow-hidden rounded-lg border">
+          <table className="w-full">
+            <thead className="bg-subtle">
+              <tr>
+                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("client_name")}</th>
+                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("redirect_uri")}</th>
+                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("submitted_by")}</th>
+                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("status")}</th>
+                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("actions")}</th>
+              </tr>
+            </thead>
+            <tbody className="divide-subtle divide-y">
+              {oAuthClients.map((client) => (
+                <tr key={client.clientId} className="hover:bg-subtle/50">
+                  <td className="px-4 py-3">
+                    <div className="flex items-center gap-3">
+                      <Avatar
+                        alt={client.name}
+                        imageSrc={client.logo || undefined}
+                        fallback={<Icon name="key" className="text-subtle h-4 w-4" />}
+                        size="sm"
+                      />
+                      <span className="text-emphasis font-medium">{client.name}</span>
+                    </div>
+                  </td>
+                  <td className="text-default px-4 py-3 text-sm">{client.redirectUri}</td>
+                  <td className="text-default px-4 py-3 text-sm">
+                    {client.user ? (
+                      <span>
+                        {client.user.name || client.user.email}
+                      </span>
+                    ) : (
+                      <span className="text-subtle">{t("admin")}</span>
+                    )}
+                  </td>
+                  <td className="px-4 py-3">{getStatusBadge(client.approvalStatus)}</td>
+                  <td className="px-4 py-3">
+                    <Dropdown>
+                      <DropdownMenuTrigger asChild>
+                        <Button color="minimal" size="sm" StartIcon="ellipsis" />
+                      </DropdownMenuTrigger>
+                      <DropdownMenuContent align="end">
+                        {client.approvalStatus === "PENDING" && (
+                          <>
+                            <DropdownMenuItem onClick={() => handleApprove(client.clientId)}>
+                              <Icon name="check" className="mr-2 h-4 w-4" />
+                              {t("approve")}
+                            </DropdownMenuItem>
+                            <DropdownMenuItem onClick={() => handleReject(client.clientId)}>
+                              <Icon name="x" className="mr-2 h-4 w-4" />
+                              {t("reject")}
+                            </DropdownMenuItem>
+                          </>
+                        )}
+                        {client.approvalStatus === "REJECTED" && (
+                          <DropdownMenuItem onClick={() => handleApprove(client.clientId)}>
+                            <Icon name="check" className="mr-2 h-4 w-4" />
+                            {t("approve")}
+                          </DropdownMenuItem>
+                        )}
+                        {client.approvalStatus === "APPROVED" && (
+                          <DropdownMenuItem onClick={() => handleReject(client.clientId)}>
+                            <Icon name="x" className="mr-2 h-4 w-4" />
+                            {t("reject")}
+                          </DropdownMenuItem>
+                        )}
+                        <DropdownMenuItem
+                          onClick={() => {
+                            navigator.clipboard.writeText(client.clientId);
+                            showToast(t("client_id_copied"), "success");
+                          }}>
+                          <Icon name="clipboard" className="mr-2 h-4 w-4" />
+                          {t("copy_client_id")}
+                        </DropdownMenuItem>
+                      </DropdownMenuContent>
+                    </Dropdown>
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      ) : (
+        <EmptyScreen
+          Icon="key"
+          headline={t("no_oauth_clients")}
+          description={t("no_oauth_clients_admin_description")}
+          buttonRaw={
+            <Button color="primary" StartIcon="plus" onClick={() => setShowAddDialog(true)}>
+              {t("add_oauth_client")}
+            </Button>
+          }
+        />
+      )}
+
+      <Dialog open={showAddDialog} onOpenChange={setShowAddDialog}>
+        <DialogContent
+          type="creation"
+          title={createdClient ? t("oauth_client_created") : t("add_oauth_client")}
+          description={
+            createdClient ? t("oauth_client_created_description") : t("add_oauth_client_description")
+          }>
+          {!createdClient ? (
+            <Form form={oAuthForm} handleSubmit={handleAddClient} className="space-y-4">
+              <TextField
+                {...oAuthForm.register("name", { required: true })}
+                label={t("client_name")}
+                type="text"
+                id="name"
+                placeholder={t("client_name_placeholder")}
+                required
+              />
+              <TextField
+                {...oAuthForm.register("redirectUri", { required: true })}
+                label={t("redirect_uri")}
+                type="url"
+                id="redirectUri"
+                placeholder="https://example.com/callback"
+                required
+              />
+
+              <div>
+                <Label className="text-emphasis mb-2 block text-sm font-medium">
+                  {t("authentication_mode")}
+                </Label>
+                <div className="flex items-center space-x-3">
+                  <Switch
+                    checked={oAuthForm.watch("enablePkce")}
+                    onCheckedChange={(checked) => oAuthForm.setValue("enablePkce", checked)}
+                  />
+                  <span className="text-default text-sm">{t("use_pkce")}</span>
+                </div>
+              </div>
+
+              <div className="flex items-center">
+                <Avatar
+                  alt=""
+                  fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
+                  className="mr-5 items-center"
+                  imageSrc={logo}
+                  size="lg"
+                />
+                <ImageUploader
+                  target="avatar"
+                  id="avatar-upload"
+                  buttonMsg={t("upload_logo")}
+                  handleAvatarChange={(newLogo: string) => {
+                    setLogo(newLogo);
+                    oAuthForm.setValue("logo", newLogo);
+                  }}
+                  imageSrc={logo}
+                />
+              </div>
+
+              <DialogFooter>
+                <DialogClose onClick={handleCloseDialog}>{t("cancel")}</DialogClose>
+                <Button type="submit" loading={addMutation.isPending}>
+                  {t("add_client")}
+                </Button>
+              </DialogFooter>
+            </Form>
+          ) : (
+            <div>
+              <div className="text-emphasis mb-5 text-xl font-semibold">{createdClient.name}</div>
+              <div className="mb-2 font-medium">{t("client_id")}</div>
+              <div className="flex">
+                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                  {createdClient.clientId}
+                </code>
+                <Tooltip side="top" content={t("copy_to_clipboard")}>
+                  <Button
+                    onClick={() => {
+                      navigator.clipboard.writeText(createdClient.clientId);
+                      showToast(t("client_id_copied"), "success");
+                    }}
+                    type="button"
+                    className="rounded-l-none text-base"
+                    StartIcon="clipboard">
+                    {t("copy")}
+                  </Button>
+                </Tooltip>
+              </div>
+              {createdClient.clientSecret && (
+                <>
+                  <div className="mb-2 mt-4 font-medium">{t("client_secret")}</div>
+                  <div className="flex">
+                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                      {createdClient.clientSecret}
+                    </code>
+                    <Tooltip side="top" content={t("copy_to_clipboard")}>
+                      <Button
+                        onClick={() => {
+                          navigator.clipboard.writeText(createdClient.clientSecret || "");
+                          showToast(t("client_secret_copied"), "success");
+                        }}
+                        type="button"
+                        className="rounded-l-none text-base"
+                        StartIcon="clipboard">
+                        {t("copy")}
+                      </Button>
+                    </Tooltip>
+                  </div>
+                  <div className="text-subtle mt-2 text-sm">{t("copy_client_secret_info")}</div>
+                </>
+              )}
+              <DialogFooter className="mt-6">
+                <Button onClick={handleCloseDialog}>{t("done")}</Button>
+              </DialogFooter>
+            </div>
+          )}
+        </DialogContent>
+      </Dialog>
+    </div>
+  );
+}
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
new file mode 100644
index 00000000000000..67d82fedc29517
--- /dev/null
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -0,0 +1,258 @@
+"use client";
+
+import { useState } from "react";
+import { useForm } from "react-hook-form";
+
+import { Dialog } from "@calcom/features/components/controlled-dialog";
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+import { trpc } from "@calcom/trpc/react";
+import { Avatar } from "@calcom/ui/components/avatar";
+import { Badge } from "@calcom/ui/components/badge";
+import { Button } from "@calcom/ui/components/button";
+import { DialogContent, DialogFooter, DialogClose } from "@calcom/ui/components/dialog";
+import { EmptyScreen } from "@calcom/ui/components/empty-screen";
+import { Form, Label, Switch, TextField } from "@calcom/ui/components/form";
+import { Icon } from "@calcom/ui/components/icon";
+import { ImageUploader } from "@calcom/ui/components/image-uploader";
+import { showToast } from "@calcom/ui/components/toast";
+import { Tooltip } from "@calcom/ui/components/tooltip";
+
+type FormValues = {
+  name: string;
+  redirectUri: string;
+  logo: string;
+  enablePkce: boolean;
+};
+
+const OAuthClientsView = () => {
+  const { t } = useLocale();
+  const utils = trpc.useUtils();
+  const [showDialog, setShowDialog] = useState(false);
+  const [logo, setLogo] = useState("");
+  const [submittedClient, setSubmittedClient] = useState<{
+    clientId: string;
+    name: string;
+    isPkceEnabled?: boolean;
+  } | null>(null);
+
+  const oAuthForm = useForm<FormValues>({
+    defaultValues: {
+      name: "",
+      redirectUri: "",
+      logo: "",
+      enablePkce: false,
+    },
+  });
+
+  const { data: oAuthClients, isLoading } = trpc.viewer.oAuth.listUserClients.useQuery();
+
+  const submitMutation = trpc.viewer.oAuth.submitClient.useMutation({
+    onSuccess: async (data) => {
+      setSubmittedClient({
+        clientId: data.clientId,
+        name: data.name,
+        isPkceEnabled: data.isPkceEnabled,
+      });
+      showToast(t("oauth_client_submitted"), "success");
+      utils.viewer.oAuth.listUserClients.invalidate();
+    },
+    onError: (error) => {
+      showToast(`${t("oauth_client_submit_error")}: ${error.message}`, "error");
+    },
+  });
+
+  const handleSubmit = (values: FormValues) => {
+    submitMutation.mutate({
+      name: values.name,
+      redirectUri: values.redirectUri,
+      logo: values.logo,
+      enablePkce: values.enablePkce,
+    });
+  };
+
+  const handleCloseDialog = () => {
+    setShowDialog(false);
+    setSubmittedClient(null);
+    setLogo("");
+    oAuthForm.reset();
+  };
+
+  const getStatusBadge = (status: string) => {
+    switch (status) {
+      case "APPROVED":
+        return <Badge variant="success">{t("approved")}</Badge>;
+      case "REJECTED":
+        return <Badge variant="red">{t("rejected")}</Badge>;
+      case "PENDING":
+      default:
+        return <Badge variant="orange">{t("pending")}</Badge>;
+    }
+  };
+
+  if (isLoading) {
+    return <div className="flex justify-center py-8">{t("loading")}</div>;
+  }
+
+  return (
+    <div>
+      <div className="mb-4 flex justify-end">
+        <Button color="primary" StartIcon="plus" onClick={() => setShowDialog(true)}>
+          {t("new_oauth_client")}
+        </Button>
+      </div>
+
+      {oAuthClients && oAuthClients.length > 0 ? (
+        <div className="border-subtle rounded-lg border">
+          {oAuthClients.map((client, index) => (
+            <div
+              key={client.clientId}
+              className={`flex items-center justify-between p-4 ${
+                index !== oAuthClients.length - 1 ? "border-subtle border-b" : ""
+              }`}>
+              <div className="flex items-center gap-4">
+                <Avatar
+                  alt={client.name}
+                  imageSrc={client.logo || undefined}
+                  fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
+                  size="md"
+                />
+                <div>
+                  <div className="text-emphasis font-medium">{client.name}</div>
+                  <div className="text-subtle text-sm">{client.redirectUri}</div>
+                </div>
+              </div>
+              <div className="flex items-center gap-4">
+                {getStatusBadge(client.approvalStatus)}
+                {client.approvalStatus === "APPROVED" && (
+                  <Tooltip content={t("copy_client_id")}>
+                    <Button
+                      color="minimal"
+                      size="sm"
+                      StartIcon="clipboard"
+                      onClick={() => {
+                        navigator.clipboard.writeText(client.clientId);
+                        showToast(t("client_id_copied"), "success");
+                      }}
+                    />
+                  </Tooltip>
+                )}
+              </div>
+            </div>
+          ))}
+        </div>
+      ) : (
+        <EmptyScreen
+          Icon="key"
+          headline={t("no_oauth_clients")}
+          description={t("no_oauth_clients_description")}
+          buttonRaw={
+            <Button color="primary" StartIcon="plus" onClick={() => setShowDialog(true)}>
+              {t("new_oauth_client")}
+            </Button>
+          }
+        />
+      )}
+
+      <Dialog open={showDialog} onOpenChange={setShowDialog}>
+        <DialogContent
+          type="creation"
+          title={submittedClient ? t("oauth_client_submitted") : t("new_oauth_client")}
+          description={
+            submittedClient ? t("oauth_client_submitted_description") : t("new_oauth_client_description")
+          }>
+          {!submittedClient ? (
+            <Form
+              form={oAuthForm}
+              handleSubmit={handleSubmit}
+              className="space-y-4">
+              <TextField
+                {...oAuthForm.register("name", { required: true })}
+                label={t("client_name")}
+                type="text"
+                id="name"
+                placeholder={t("client_name_placeholder")}
+                required
+              />
+              <TextField
+                {...oAuthForm.register("redirectUri", { required: true })}
+                label={t("redirect_uri")}
+                type="url"
+                id="redirectUri"
+                placeholder="https://example.com/callback"
+                required
+              />
+
+              <div>
+                <Label className="text-emphasis mb-2 block text-sm font-medium">
+                  {t("authentication_mode")}
+                </Label>
+                <div className="flex items-center space-x-3">
+                  <Switch
+                    checked={oAuthForm.watch("enablePkce")}
+                    onCheckedChange={(checked) => oAuthForm.setValue("enablePkce", checked)}
+                  />
+                  <span className="text-default text-sm">{t("use_pkce")}</span>
+                </div>
+              </div>
+
+              <div className="flex items-center">
+                <Avatar
+                  alt=""
+                  fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
+                  className="mr-5 items-center"
+                  imageSrc={logo}
+                  size="lg"
+                />
+                <ImageUploader
+                  target="avatar"
+                  id="avatar-upload"
+                  buttonMsg={t("upload_logo")}
+                  handleAvatarChange={(newLogo: string) => {
+                    setLogo(newLogo);
+                    oAuthForm.setValue("logo", newLogo);
+                  }}
+                  imageSrc={logo}
+                />
+              </div>
+
+              <DialogFooter>
+                <DialogClose onClick={handleCloseDialog}>{t("cancel")}</DialogClose>
+                <Button type="submit" loading={submitMutation.isPending}>
+                  {t("submit_for_approval")}
+                </Button>
+              </DialogFooter>
+            </Form>
+          ) : (
+            <div>
+              <div className="text-emphasis mb-5 text-xl font-semibold">{submittedClient.name}</div>
+              <div className="mb-2 font-medium">{t("client_id")}</div>
+              <div className="flex">
+                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                  {submittedClient.clientId}
+                </code>
+                <Tooltip side="top" content={t("copy_to_clipboard")}>
+                  <Button
+                    onClick={() => {
+                      navigator.clipboard.writeText(submittedClient.clientId);
+                      showToast(t("client_id_copied"), "success");
+                    }}
+                    type="button"
+                    className="rounded-l-none text-base"
+                    StartIcon="clipboard">
+                    {t("copy")}
+                  </Button>
+                </Tooltip>
+              </div>
+              <div className="text-subtle mt-4 text-sm">{t("oauth_client_pending_approval")}</div>
+              <DialogFooter className="mt-6">
+                <Button onClick={handleCloseDialog}>{t("done")}</Button>
+              </DialogFooter>
+            </div>
+          )}
+        </DialogContent>
+      </Dialog>
+    </div>
+  );
+};
+
+export default OAuthClientsView;
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 9d0d0f85ac6a7a..9db9a36e109203 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -998,11 +998,56 @@
   "create_team": "Create team",
   "name": "Name",
   "nameless_team": "Nameless Team",
-  "oauth_clients": "OAuth Clients",
-  "oauth_clients_description": "Manage OAuth clients for your organization",
-  "create_oauth_client": "Create OAuth Client",
-  "create_oauth_client_description": "Create a new OAuth client for third-party integrations",
-  "oauth_client_deletion_message": "OAuth client deleted successfully",
+    "oauth_clients": "OAuth Clients",
+    "oauth_clients_description": "Create and manage OAuth clients for third-party integrations",
+    "create_oauth_client": "Create OAuth Client",
+    "create_oauth_client_description": "Create a new OAuth client for third-party integrations",
+    "oauth_client_deletion_message": "OAuth client deleted successfully",
+    "oauth_clients_admin": "OAuth Clients",
+    "oauth_clients_admin_description": "Manage and approve OAuth client submissions",
+    "new_oauth_client": "New OAuth Client",
+    "new_oauth_client_description": "Submit a new OAuth client for approval",
+    "oauth_client_submitted": "OAuth Client Submitted",
+    "oauth_client_submitted_description": "Your OAuth client has been submitted for approval",
+    "oauth_client_submit_error": "Failed to submit OAuth client",
+    "oauth_client_created": "OAuth Client Created",
+    "oauth_client_created_description": "Your OAuth client has been created successfully",
+    "oauth_client_create_error": "Failed to create OAuth client",
+    "oauth_client_status_updated": "OAuth client {{name}} status updated to {{status}}",
+    "oauth_client_status_update_error": "Failed to update OAuth client status",
+    "oauth_client_pending_approval": "Your OAuth client is pending approval. You will receive an email notification once it has been reviewed.",
+    "add_oauth_client": "Add OAuth Client",
+    "add_oauth_client_description": "Add a new OAuth client",
+    "no_oauth_clients": "No OAuth Clients",
+    "no_oauth_clients_description": "You haven't created any OAuth clients yet. Create one to get started.",
+    "no_oauth_clients_admin_description": "No OAuth clients have been submitted yet.",
+    "submit_for_approval": "Submit for Approval",
+    "client_name": "Client Name",
+    "client_name_placeholder": "My OAuth App",
+    "redirect_uri": "Redirect URI",
+    "authentication_mode": "Authentication Mode",
+    "use_pkce": "Use PKCE (recommended for mobile/SPA applications)",
+    "upload_logo": "Upload Logo",
+    "copy_client_id": "Copy Client ID",
+    "client_id_copied": "Client ID copied to clipboard",
+    "submitted_by": "Submitted By",
+    "approve": "Approve",
+    "reject": "Reject",
+    "approved": "Approved",
+    "rejected": "Rejected",
+    "pending": "Pending",
+    "hi_user": "Hi {{name}}",
+    "there": "there",
+    "admin_oauth_notification_email_subject": "New OAuth Client Submission: {{clientName}}",
+    "admin_oauth_notification_email_title": "New OAuth Client: {{clientName}}",
+    "admin_oauth_notification_email_body": "A new OAuth client has been submitted by {{submitterEmail}} and is awaiting your review.",
+    "admin_oauth_notification_email_cta": "Review OAuth Clients",
+    "admin_oauth_notification_email_footer": "Please review this submission and approve or reject it in the admin dashboard.",
+    "oauth_client_approved_email_subject": "Your OAuth Client {{clientName}} Has Been Approved",
+    "oauth_client_approved_email_title": "OAuth Client Approved: {{clientName}}",
+    "oauth_client_approved_email_body": "Great news! Your OAuth client has been approved and is now ready to use.",
+    "oauth_client_approved_email_cta": "View Your OAuth Clients",
+    "oauth_client_approved_email_footer": "You can now use your client ID and secret to integrate with Cal.com.",
   "create_new_team_description": "Create a new team to collaborate with users.",
   "create_new_team": "Create a new team",
   "booking_redirect_uri": "URL of your booking page",
diff --git a/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
new file mode 100644
index 00000000000000..11c92822216445
--- /dev/null
+++ b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
@@ -0,0 +1,111 @@
+import type { TFunction } from "i18next";
+
+import { APP_NAME, WEBAPP_URL } from "@calcom/lib/constants";
+
+import { BaseEmailHtml, CallToAction } from "../components";
+
+type AdminOAuthClientNotification = {
+  language: TFunction;
+  clientName: string;
+  clientId: string;
+  redirectUri: string;
+  submitterEmail: string;
+  submitterName: string | null;
+};
+
+export const AdminOAuthClientNotificationEmail = ({
+  clientName,
+  clientId,
+  redirectUri,
+  submitterEmail,
+  submitterName,
+  language,
+}: AdminOAuthClientNotification) => {
+  return (
+    <BaseEmailHtml
+      subject={language("admin_oauth_notification_email_subject", { clientName, appName: APP_NAME })}
+      callToAction={
+        <CallToAction
+          label={language("admin_oauth_notification_email_cta")}
+          href={`${WEBAPP_URL}/settings/admin/oAuth`}
+          endIconName="white-arrow-right"
+        />
+      }>
+      <p
+        style={{
+          fontWeight: 600,
+          fontSize: "24px",
+          lineHeight: "38px",
+        }}>
+        <>{language("admin_oauth_notification_email_title", { clientName })}</>
+      </p>
+      <p style={{ fontWeight: 400 }}>
+        <>{language("hi_admin")}!</>
+      </p>
+      <p style={{ fontWeight: 400, lineHeight: "24px" }}>
+        {language("admin_oauth_notification_email_body", { submitterEmail })}
+      </p>
+      <table
+        role="presentation"
+        border={0}
+        cellSpacing="0"
+        cellPadding="0"
+        style={{
+          verticalAlign: "top",
+          marginTop: "10px",
+          borderRadius: "6px",
+          borderCollapse: "separate",
+          border: "solid #e5e7eb 1px",
+        }}
+        width="100%">
+        <tbody>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: "1px solid #e5e7eb",
+                fontWeight: 600,
+                width: "30%",
+              }}>
+              {language("client_name")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{clientName}</td>
+          </tr>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: "1px solid #e5e7eb",
+                fontWeight: 600,
+              }}>
+              {language("client_id")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>
+              <code style={{ fontSize: "12px" }}>{clientId}</code>
+            </td>
+          </tr>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: "1px solid #e5e7eb",
+                fontWeight: 600,
+              }}>
+              {language("redirect_uri")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{redirectUri}</td>
+          </tr>
+          <tr style={{ lineHeight: "24px" }}>
+            <td style={{ padding: "12px", fontWeight: 600 }}>{language("submitted_by")}</td>
+            <td style={{ padding: "12px" }}>
+              {submitterName ? `${submitterName} (${submitterEmail})` : submitterEmail}
+            </td>
+          </tr>
+        </tbody>
+      </table>
+      <p style={{ fontWeight: 400, lineHeight: "24px", marginTop: "20px" }}>
+        {language("admin_oauth_notification_email_footer")}
+      </p>
+    </BaseEmailHtml>
+  );
+};
diff --git a/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
new file mode 100644
index 00000000000000..bad702bfd2ccff
--- /dev/null
+++ b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
@@ -0,0 +1,81 @@
+import type { TFunction } from "i18next";
+
+import { APP_NAME, WEBAPP_URL } from "@calcom/lib/constants";
+
+import { BaseEmailHtml, CallToAction } from "../components";
+
+type OAuthClientApprovedNotification = {
+  language: TFunction;
+  userName: string | null;
+  clientName: string;
+  clientId: string;
+};
+
+export const OAuthClientApprovedNotificationEmail = ({
+  userName,
+  clientName,
+  clientId,
+  language,
+}: OAuthClientApprovedNotification) => {
+  return (
+    <BaseEmailHtml
+      subject={language("oauth_client_approved_email_subject", { clientName, appName: APP_NAME })}
+      callToAction={
+        <CallToAction
+          label={language("oauth_client_approved_email_cta")}
+          href={`${WEBAPP_URL}/settings/developer/oauth`}
+          endIconName="white-arrow-right"
+        />
+      }>
+      <p
+        style={{
+          fontWeight: 600,
+          fontSize: "24px",
+          lineHeight: "38px",
+        }}>
+        <>{language("oauth_client_approved_email_title", { clientName })}</>
+      </p>
+      <p style={{ fontWeight: 400 }}>
+        <>{language("hi_user", { name: userName || language("there") })}!</>
+      </p>
+      <p style={{ fontWeight: 400, lineHeight: "24px" }}>{language("oauth_client_approved_email_body")}</p>
+      <table
+        role="presentation"
+        border={0}
+        cellSpacing="0"
+        cellPadding="0"
+        style={{
+          verticalAlign: "top",
+          marginTop: "10px",
+          borderRadius: "6px",
+          borderCollapse: "separate",
+          border: "solid #e5e7eb 1px",
+        }}
+        width="100%">
+        <tbody>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: "1px solid #e5e7eb",
+                fontWeight: 600,
+                width: "30%",
+              }}>
+              {language("client_name")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{clientName}</td>
+          </tr>
+          <tr style={{ lineHeight: "24px" }}>
+            <td style={{ padding: "12px", fontWeight: 600 }}>{language("client_id")}</td>
+            <td style={{ padding: "12px" }}>
+              <code style={{ fontSize: "12px" }}>{clientId}</code>
+            </td>
+          </tr>
+        </tbody>
+      </table>
+      <p style={{ fontWeight: 400, lineHeight: "24px", marginTop: "20px" }}>
+        {language("oauth_client_approved_email_footer")}
+      </p>
+    </BaseEmailHtml>
+  );
+};
diff --git a/packages/emails/src/templates/index.ts b/packages/emails/src/templates/index.ts
index 3fb98750ebfe56..2548834c25f442 100644
--- a/packages/emails/src/templates/index.ts
+++ b/packages/emails/src/templates/index.ts
@@ -37,6 +37,8 @@ export { OrganisationAccountVerifyEmail } from "./OrganizationAccountVerifyEmail
 export { OrgAutoInviteEmail } from "./OrgAutoInviteEmail";
 export { MonthlyDigestEmail } from "./MonthlyDigestEmail";
 export { AdminOrganizationNotificationEmail } from "./AdminOrganizationNotificationEmail";
+export { AdminOAuthClientNotificationEmail } from "./AdminOAuthClientNotificationEmail";
+export { OAuthClientApprovedNotificationEmail } from "./OAuthClientApprovedNotificationEmail";
 export { BookingRedirectEmailNotification } from "./BookingRedirectEmailNotification";
 export { VerifyEmailChangeEmail } from "./VerifyEmailChangeEmail";
 export { OrganizationCreationEmail } from "./OrganizationCreationEmail";
diff --git a/packages/emails/templates/admin-oauth-client-notification.ts b/packages/emails/templates/admin-oauth-client-notification.ts
new file mode 100644
index 00000000000000..d92a54d6faf6a3
--- /dev/null
+++ b/packages/emails/templates/admin-oauth-client-notification.ts
@@ -0,0 +1,47 @@
+import type { TFunction } from "i18next";
+
+import { EMAIL_FROM_NAME } from "@calcom/lib/constants";
+
+import renderEmail from "../src/renderEmail";
+import BaseEmail from "./_base-email";
+
+export type OAuthClientNotification = {
+  t: TFunction;
+  clientName: string;
+  clientId: string;
+  redirectUri: string;
+  submitterEmail: string;
+  submitterName: string | null;
+};
+
+export default class AdminOAuthClientNotification extends BaseEmail {
+  input: OAuthClientNotification;
+
+  constructor(input: OAuthClientNotification) {
+    super();
+    this.name = "SEND_ADMIN_OAUTH_CLIENT_NOTIFICATION";
+    this.input = input;
+  }
+
+  protected async getNodeMailerPayload(): Promise<Record<string, unknown>> {
+    return {
+      from: `${EMAIL_FROM_NAME} <${this.getMailerOptions().from}>`,
+      to: "team@cal.com",
+      subject: `${this.input.t("admin_oauth_notification_email_subject", { clientName: this.input.clientName })}`,
+      html: await renderEmail("AdminOAuthClientNotificationEmail", {
+        clientName: this.input.clientName,
+        clientId: this.input.clientId,
+        redirectUri: this.input.redirectUri,
+        submitterEmail: this.input.submitterEmail,
+        submitterName: this.input.submitterName,
+        language: this.input.t,
+      }),
+      text: this.getTextBody(),
+    };
+  }
+
+  protected getTextBody(): string {
+    return `${this.input.t("hi_admin")}, ${this.input.t("admin_oauth_notification_email_title", { clientName: this.input.clientName })}
+    ${this.input.t("admin_oauth_notification_email_body", { submitterEmail: this.input.submitterEmail })}`.trim();
+  }
+}
diff --git a/packages/emails/templates/oauth-client-approved-notification.ts b/packages/emails/templates/oauth-client-approved-notification.ts
new file mode 100644
index 00000000000000..b476efd57ac0eb
--- /dev/null
+++ b/packages/emails/templates/oauth-client-approved-notification.ts
@@ -0,0 +1,44 @@
+import type { TFunction } from "i18next";
+
+import { EMAIL_FROM_NAME } from "@calcom/lib/constants";
+
+import renderEmail from "../src/renderEmail";
+import BaseEmail from "./_base-email";
+
+export type OAuthClientApprovedNotification = {
+  t: TFunction;
+  userEmail: string;
+  userName: string | null;
+  clientName: string;
+  clientId: string;
+};
+
+export default class OAuthClientApprovedEmail extends BaseEmail {
+  input: OAuthClientApprovedNotification;
+
+  constructor(input: OAuthClientApprovedNotification) {
+    super();
+    this.name = "SEND_OAUTH_CLIENT_APPROVED_NOTIFICATION";
+    this.input = input;
+  }
+
+  protected async getNodeMailerPayload(): Promise<Record<string, unknown>> {
+    return {
+      from: `${EMAIL_FROM_NAME} <${this.getMailerOptions().from}>`,
+      to: this.input.userEmail,
+      subject: `${this.input.t("oauth_client_approved_email_subject", { clientName: this.input.clientName })}`,
+      html: await renderEmail("OAuthClientApprovedNotificationEmail", {
+        userName: this.input.userName,
+        clientName: this.input.clientName,
+        clientId: this.input.clientId,
+        language: this.input.t,
+      }),
+      text: this.getTextBody(),
+    };
+  }
+
+  protected getTextBody(): string {
+    return `${this.input.t("oauth_client_approved_email_title", { clientName: this.input.clientName })}
+    ${this.input.t("oauth_client_approved_email_body")}`.trim();
+  }
+}
diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
new file mode 100644
index 00000000000000..85f364b9153b07
--- /dev/null
+++ b/packages/lib/server/repository/oAuthClient.ts
@@ -0,0 +1,172 @@
+import { randomBytes, createHash } from "crypto";
+
+import type { PrismaClient } from "@calcom/prisma";
+import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
+
+export class OAuthClientRepository {
+  constructor(private prismaClient: PrismaClient) {}
+
+  static async withGlobalPrisma() {
+    return new OAuthClientRepository((await import("@calcom/prisma")).prisma);
+  }
+
+  async findByClientId(clientId: string) {
+    return this.prismaClient.oAuthClient.findUnique({
+      where: { clientId },
+      select: {
+        clientId: true,
+        redirectUri: true,
+        name: true,
+        logo: true,
+        clientType: true,
+        approvalStatus: true,
+        userId: true,
+        createdAt: true,
+      },
+    });
+  }
+
+  async findByClientIdIncludeUser(clientId: string) {
+    return this.prismaClient.oAuthClient.findUnique({
+      where: { clientId },
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+          },
+        },
+      },
+    });
+  }
+
+  async findByUserId(userId: number) {
+    return this.prismaClient.oAuthClient.findMany({
+      where: { userId },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async findByUserIdAndStatus(userId: number, approvalStatus: OAuthClientApprovalStatus) {
+    return this.prismaClient.oAuthClient.findMany({
+      where: { userId, approvalStatus },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async findAll() {
+    return this.prismaClient.oAuthClient.findMany({
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+          },
+        },
+      },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async findByStatus(approvalStatus: OAuthClientApprovalStatus) {
+    return this.prismaClient.oAuthClient.findMany({
+      where: { approvalStatus },
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+          },
+        },
+      },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async create(data: {
+    name: string;
+    redirectUri: string;
+    logo?: string;
+    enablePkce?: boolean;
+    userId?: number;
+    approvalStatus?: OAuthClientApprovalStatus;
+  }) {
+    const { name, redirectUri, logo, enablePkce, userId, approvalStatus } = data;
+
+    const clientId = randomBytes(32).toString("hex");
+
+    let clientSecret: string | undefined;
+    let hashedSecret: string | undefined;
+    if (!enablePkce) {
+      const [hashed, plain] = this.generateSecret();
+      hashedSecret = hashed;
+      clientSecret = plain;
+    }
+
+    const client = await this.prismaClient.oAuthClient.create({
+      data: {
+        name,
+        redirectUri,
+        clientId,
+        clientType: enablePkce ? "PUBLIC" : "CONFIDENTIAL",
+        logo,
+        approvalStatus: approvalStatus || "PENDING",
+        clientSecret: hashedSecret,
+        ...(userId && {
+          user: {
+            connect: { id: userId },
+          },
+        }),
+      },
+    });
+
+    return {
+      clientId: client.clientId,
+      name: client.name,
+      redirectUri: client.redirectUri,
+      logo: client.logo,
+      clientType: client.clientType,
+      clientSecret,
+      isPkceEnabled: enablePkce,
+      approvalStatus: client.approvalStatus,
+    };
+  }
+
+  async updateStatus(clientId: string, approvalStatus: OAuthClientApprovalStatus) {
+    return this.prismaClient.oAuthClient.update({
+      where: { clientId },
+      data: { approvalStatus },
+    });
+  }
+
+  async update(
+    clientId: string,
+    data: {
+      name?: string;
+      redirectUri?: string;
+      logo?: string;
+    }
+  ) {
+    return this.prismaClient.oAuthClient.update({
+      where: { clientId },
+      data,
+    });
+  }
+
+  async delete(clientId: string) {
+    return this.prismaClient.oAuthClient.delete({
+      where: { clientId },
+    });
+  }
+
+  private hashSecretKey(apiKey: string): string {
+    return createHash("sha256").update(apiKey).digest("hex");
+  }
+
+  private generateSecret(secret = randomBytes(32).toString("hex")): [string, string] {
+    return [this.hashSecretKey(secret), secret];
+  }
+}
diff --git a/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql b/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
new file mode 100644
index 00000000000000..a15361895fb033
--- /dev/null
+++ b/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
@@ -0,0 +1,10 @@
+-- CreateEnum
+CREATE TYPE "public"."OAuthClientApprovalStatus" AS ENUM ('pending', 'approved', 'rejected');
+
+-- AlterTable
+ALTER TABLE "public"."OAuthClient" ADD COLUMN     "approvalStatus" "public"."OAuthClientApprovalStatus" NOT NULL DEFAULT 'pending',
+ADD COLUMN     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ADD COLUMN     "userId" INTEGER;
+
+-- AddForeignKey
+ALTER TABLE "public"."OAuthClient" ADD CONSTRAINT "OAuthClient_userId_fkey" FOREIGN KEY ("userId") REFERENCES "public"."users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 0241e5820960c4..517cd7b4fd300f 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -478,6 +478,7 @@ model User {
   whitelistWorkflows             Boolean                       @default(false)
   calAiPhoneNumbers              CalAiPhoneNumber[]
   agents                         Agent[]
+  oAuthClients                   OAuthClient[]
 
   @@unique([email])
   @@unique([email, username])
@@ -1742,14 +1743,24 @@ enum OAuthClientType {
   PUBLIC       @map("public")
 }
 
+enum OAuthClientApprovalStatus {
+  PENDING  @map("pending")
+  APPROVED @map("approved")
+  REJECTED @map("rejected")
+}
+
 model OAuthClient {
-  clientId     String          @id @unique
-  redirectUri  String
-  clientSecret String?
-  clientType   OAuthClientType @default(CONFIDENTIAL)
-  name         String
-  logo         String?
-  accessCodes  AccessCode[]
+  clientId       String                    @id @unique
+  redirectUri    String
+  clientSecret   String?
+  clientType     OAuthClientType           @default(CONFIDENTIAL)
+  name           String
+  logo           String?
+  accessCodes    AccessCode[]
+  approvalStatus OAuthClientApprovalStatus @default(PENDING)
+  userId         Int?
+  user           User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
+  createdAt      DateTime                  @default(now())
 }
 
 model AccessCode {
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index 8f9ab297e31da4..ddb912769a28c1 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -4,11 +4,18 @@ import { router } from "../../../trpc";
 import { ZAddClientInputSchema } from "./addClient.schema";
 import { ZGenerateAuthCodeInputSchema } from "./generateAuthCode.schema";
 import { ZGetClientInputSchema } from "./getClient.schema";
+import { ZListClientsInputSchema } from "./listClients.schema";
+import { ZSubmitClientInputSchema } from "./submitClient.schema";
+import { ZUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
 
-type OAuthRouterHandlerCache = {
+type _OAuthRouterHandlerCache = {
   getClient?: typeof import("./getClient.handler").getClientHandler;
   addClient?: typeof import("./addClient.handler").addClientHandler;
   generateAuthCode?: typeof import("./generateAuthCode.handler").generateAuthCodeHandler;
+  submitClient?: typeof import("./submitClient.handler").submitClientHandler;
+  listClients?: typeof import("./listClients.handler").listClientsHandler;
+  listUserClients?: typeof import("./listUserClients.handler").listUserClientsHandler;
+  updateClientStatus?: typeof import("./updateClientStatus.handler").updateClientStatusHandler;
 };
 
 export const oAuthRouter = router({
@@ -36,4 +43,37 @@ export const oAuthRouter = router({
       input,
     });
   }),
+
+  submitClient: authedProcedure.input(ZSubmitClientInputSchema).mutation(async ({ ctx, input }) => {
+    const { submitClientHandler } = await import("./submitClient.handler");
+
+    return submitClientHandler({
+      ctx,
+      input,
+    });
+  }),
+
+  listClients: authedAdminProcedure.input(ZListClientsInputSchema).query(async ({ input }) => {
+    const { listClientsHandler } = await import("./listClients.handler");
+
+    return listClientsHandler({
+      input,
+    });
+  }),
+
+  listUserClients: authedProcedure.query(async ({ ctx }) => {
+    const { listUserClientsHandler } = await import("./listUserClients.handler");
+
+    return listUserClientsHandler({
+      ctx,
+    });
+  }),
+
+  updateClientStatus: authedAdminProcedure.input(ZUpdateClientStatusInputSchema).mutation(async ({ input }) => {
+    const { updateClientStatusHandler } = await import("./updateClientStatus.handler");
+
+    return updateClientStatusHandler({
+      input,
+    });
+  }),
 });
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
index 6e26d2ae926390..6dc87b7f27d563 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
@@ -1,7 +1,4 @@
-import { randomBytes, createHash } from "crypto";
-
-import { prisma } from "@calcom/prisma";
-import { Prisma } from "@calcom/prisma/client";
+import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
 
 import type { TAddClientInputSchema } from "./addClient.schema";
 
@@ -12,26 +9,15 @@ type AddClientOptions = {
 export const addClientHandler = async ({ input }: AddClientOptions) => {
   const { name, redirectUri, logo, enablePkce } = input;
 
-  const clientId = randomBytes(32).toString("hex");
-  const clientType = enablePkce ? "PUBLIC" : "CONFIDENTIAL";
+  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
 
-  // Only generate client secret for confidential clients
-  const clientData: Prisma.OAuthClientCreateInput = {
+  // Admin-created clients are auto-approved
+  const client = await oAuthClientRepository.create({
     name,
     redirectUri,
-    clientId,
-    clientType,
     logo,
-  };
-
-  let secret: string | undefined;
-  if (!enablePkce) {
-    const [hashedSecret, plainSecret] = generateSecret();
-    clientData.clientSecret = hashedSecret;
-    secret = plainSecret;
-  }
-  const client = await prisma.oAuthClient.create({
-    data: clientData,
+    enablePkce,
+    approvalStatus: "APPROVED",
   });
 
   return {
@@ -40,12 +26,7 @@ export const addClientHandler = async ({ input }: AddClientOptions) => {
     redirectUri: client.redirectUri,
     logo: client.logo,
     clientType: client.clientType,
-    clientSecret: secret, // Only return plain secret for confidential clients
+    clientSecret: client.clientSecret,
     isPkceEnabled: enablePkce,
   };
 };
-
-const hashSecretKey = (apiKey: string): string => createHash("sha256").update(apiKey).digest("hex");
-
-// Generate a random secret
-export const generateSecret = (secret = randomBytes(32).toString("hex")) => [hashSecretKey(secret), secret];
diff --git a/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts b/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
new file mode 100644
index 00000000000000..168ef7aee32bfa
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
@@ -0,0 +1,19 @@
+import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+
+import type { TListClientsInputSchema } from "./listClients.schema";
+
+type ListClientsOptions = {
+  input: TListClientsInputSchema;
+};
+
+export const listClientsHandler = async ({ input }: ListClientsOptions) => {
+  const { status } = input;
+
+  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+
+  if (status) {
+    return oAuthClientRepository.findByStatus(status);
+  }
+
+  return oAuthClientRepository.findAll();
+};
diff --git a/packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts b/packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts
new file mode 100644
index 00000000000000..2499674889cda3
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts
@@ -0,0 +1,9 @@
+import { z } from "zod";
+
+import { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
+
+export const ZListClientsInputSchema = z.object({
+  status: z.nativeEnum(OAuthClientApprovalStatus).optional(),
+});
+
+export type TListClientsInputSchema = z.infer<typeof ZListClientsInputSchema>;
diff --git a/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts b/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
new file mode 100644
index 00000000000000..02e1d7f608bb5c
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
@@ -0,0 +1,17 @@
+import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+
+type ListUserClientsOptions = {
+  ctx: {
+    user: {
+      id: number;
+    };
+  };
+};
+
+export const listUserClientsHandler = async ({ ctx }: ListUserClientsOptions) => {
+  const userId = ctx.user.id;
+
+  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+
+  return oAuthClientRepository.findByUserId(userId);
+};
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
new file mode 100644
index 00000000000000..1edeecf0132e0e
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -0,0 +1,54 @@
+import AdminOAuthClientNotification from "@calcom/emails/templates/admin-oauth-client-notification";
+import { getTranslation } from "@calcom/lib/server/i18n";
+import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+
+import type { TSubmitClientInputSchema } from "./submitClient.schema";
+
+type SubmitClientOptions = {
+  ctx: {
+    user: {
+      id: number;
+      email: string;
+      name: string | null;
+    };
+  };
+  input: TSubmitClientInputSchema;
+};
+
+export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) => {
+  const { name, redirectUri, logo, enablePkce } = input;
+  const userId = ctx.user.id;
+
+  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+
+  const client = await oAuthClientRepository.create({
+    name,
+    redirectUri,
+    logo,
+    enablePkce,
+    userId,
+    approvalStatus: "PENDING",
+  });
+
+  // Send email notification to team@cal.com
+  const t = await getTranslation("en", "common");
+  const adminNotification = new AdminOAuthClientNotification({
+    t,
+    clientName: client.name,
+    clientId: client.clientId,
+    redirectUri: client.redirectUri,
+    submitterEmail: ctx.user.email,
+    submitterName: ctx.user.name,
+  });
+  await adminNotification.sendEmail();
+
+  return {
+    clientId: client.clientId,
+    name: client.name,
+    redirectUri: client.redirectUri,
+    logo: client.logo,
+    clientType: client.clientType,
+    approvalStatus: client.approvalStatus,
+    isPkceEnabled: enablePkce,
+  };
+};
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
new file mode 100644
index 00000000000000..8c4d7208c5984d
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
@@ -0,0 +1,10 @@
+import { z } from "zod";
+
+export const ZSubmitClientInputSchema = z.object({
+  name: z.string().min(1, "Client name is required"),
+  redirectUri: z.string().url("Must be a valid URL"),
+  logo: z.string().optional(),
+  enablePkce: z.boolean().optional().default(false),
+});
+
+export type TSubmitClientInputSchema = z.infer<typeof ZSubmitClientInputSchema>;
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
new file mode 100644
index 00000000000000..bbf5d2e4018213
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -0,0 +1,39 @@
+import OAuthClientApprovedEmail from "@calcom/emails/templates/oauth-client-approved-notification";
+import { getTranslation } from "@calcom/lib/server/i18n";
+import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+
+import type { TUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
+
+type UpdateClientStatusOptions = {
+  input: TUpdateClientStatusInputSchema;
+};
+
+export const updateClientStatusHandler = async ({ input }: UpdateClientStatusOptions) => {
+  const { clientId, status } = input;
+
+  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+
+  // Get client with user info before updating
+  const clientWithUser = await oAuthClientRepository.findByClientIdIncludeUser(clientId);
+
+  const updatedClient = await oAuthClientRepository.updateStatus(clientId, status);
+
+  // Send approval notification email to user if approved
+  if (status === "APPROVED" && clientWithUser?.user) {
+    const t = await getTranslation("en", "common");
+    const approvalNotification = new OAuthClientApprovedEmail({
+      t,
+      userEmail: clientWithUser.user.email,
+      userName: clientWithUser.user.name,
+      clientName: updatedClient.name,
+      clientId: updatedClient.clientId,
+    });
+    await approvalNotification.sendEmail();
+  }
+
+  return {
+    clientId: updatedClient.clientId,
+    name: updatedClient.name,
+    approvalStatus: updatedClient.approvalStatus,
+  };
+};
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts
new file mode 100644
index 00000000000000..7b134a54ff95df
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts
@@ -0,0 +1,10 @@
+import { z } from "zod";
+
+import { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
+
+export const ZUpdateClientStatusInputSchema = z.object({
+  clientId: z.string(),
+  status: z.nativeEnum(OAuthClientApprovalStatus),
+});
+
+export type TUpdateClientStatusInputSchema = z.infer<typeof ZUpdateClientStatusInputSchema>;

From c6c68d43ae137d6b14046e17ea29e8d9d16ee8f6 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 2 Dec 2025 17:17:00 +0000
Subject: [PATCH 02/72] fix: re-export generateSecret for backward
 compatibility

Co-Authored-By: peer@cal.com <peer@cal.com>
---
 packages/lib/server/repository/oAuthClient.ts  | 18 +++++++++---------
 .../routers/viewer/oAuth/addClient.handler.ts  |  5 ++++-
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
index 85f364b9153b07..820d0d089fc3b7 100644
--- a/packages/lib/server/repository/oAuthClient.ts
+++ b/packages/lib/server/repository/oAuthClient.ts
@@ -3,6 +3,14 @@ import { randomBytes, createHash } from "crypto";
 import type { PrismaClient } from "@calcom/prisma";
 import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
+const hashSecretKey = (apiKey: string): string => createHash("sha256").update(apiKey).digest("hex");
+
+// Generate a random secret - exported for backward compatibility
+export const generateSecret = (secret = randomBytes(32).toString("hex")): [string, string] => [
+  hashSecretKey(secret),
+  secret,
+];
+
 export class OAuthClientRepository {
   constructor(private prismaClient: PrismaClient) {}
 
@@ -101,7 +109,7 @@ export class OAuthClientRepository {
     let clientSecret: string | undefined;
     let hashedSecret: string | undefined;
     if (!enablePkce) {
-      const [hashed, plain] = this.generateSecret();
+      const [hashed, plain] = generateSecret();
       hashedSecret = hashed;
       clientSecret = plain;
     }
@@ -161,12 +169,4 @@ export class OAuthClientRepository {
       where: { clientId },
     });
   }
-
-  private hashSecretKey(apiKey: string): string {
-    return createHash("sha256").update(apiKey).digest("hex");
-  }
-
-  private generateSecret(secret = randomBytes(32).toString("hex")): [string, string] {
-    return [this.hashSecretKey(secret), secret];
-  }
 }
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
index 6dc87b7f27d563..fc4c59608b34bc 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
@@ -1,7 +1,10 @@
-import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+import { OAuthClientRepository, generateSecret } from "@calcom/lib/server/repository/oAuthClient";
 
 import type { TAddClientInputSchema } from "./addClient.schema";
 
+// Re-export generateSecret for backward compatibility
+export { generateSecret };
+
 type AddClientOptions = {
   input: TAddClientInputSchema;
 };

From a3f1bc915d4c300ba5ecaacd4773224d533cbfbe Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 08:43:22 +0000
Subject: [PATCH 03/72] feat: make logo mandatory and list items clickable for
 OAuth clients

Co-Authored-By: peer@cal.com <peer@cal.com>
---
 .../settings/developer/oauth-clients-view.tsx | 169 ++++++++++++++----
 apps/web/public/static/locales/en/common.json |   3 +
 .../viewer/oAuth/submitClient.schema.ts       |   2 +-
 3 files changed, 140 insertions(+), 34 deletions(-)

diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 67d82fedc29517..dc98e359f06e81 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -29,11 +29,20 @@ const OAuthClientsView = () => {
   const utils = trpc.useUtils();
   const [showDialog, setShowDialog] = useState(false);
   const [logo, setLogo] = useState("");
+  const [logoError, setLogoError] = useState(false);
   const [submittedClient, setSubmittedClient] = useState<{
     clientId: string;
     name: string;
     isPkceEnabled?: boolean;
   } | null>(null);
+  const [selectedClient, setSelectedClient] = useState<{
+    clientId: string;
+    clientSecret?: string | null;
+    name: string;
+    logo?: string | null;
+    redirectUri: string;
+    approvalStatus: string;
+  } | null>(null);
 
   const oAuthForm = useForm<FormValues>({
     defaultValues: {
@@ -62,6 +71,11 @@ const OAuthClientsView = () => {
   });
 
   const handleSubmit = (values: FormValues) => {
+    if (!values.logo) {
+      setLogoError(true);
+      return;
+    }
+    setLogoError(false);
     submitMutation.mutate({
       name: values.name,
       redirectUri: values.redirectUri,
@@ -74,9 +88,14 @@ const OAuthClientsView = () => {
     setShowDialog(false);
     setSubmittedClient(null);
     setLogo("");
+    setLogoError(false);
     oAuthForm.reset();
   };
 
+  const handleCloseClientDialog = () => {
+    setSelectedClient(null);
+  };
+
   const getStatusBadge = (status: string) => {
     switch (status) {
       case "APPROVED":
@@ -106,9 +125,17 @@ const OAuthClientsView = () => {
           {oAuthClients.map((client, index) => (
             <div
               key={client.clientId}
-              className={`flex items-center justify-between p-4 ${
+              className={`flex cursor-pointer items-center justify-between p-4 transition-colors hover:bg-subtle ${
                 index !== oAuthClients.length - 1 ? "border-subtle border-b" : ""
-              }`}>
+              }`}
+              onClick={() => setSelectedClient(client)}
+              role="button"
+              tabIndex={0}
+              onKeyDown={(e) => {
+                if (e.key === "Enter" || e.key === " ") {
+                  setSelectedClient(client);
+                }
+              }}>
               <div className="flex items-center gap-4">
                 <Avatar
                   alt={client.name}
@@ -123,19 +150,7 @@ const OAuthClientsView = () => {
               </div>
               <div className="flex items-center gap-4">
                 {getStatusBadge(client.approvalStatus)}
-                {client.approvalStatus === "APPROVED" && (
-                  <Tooltip content={t("copy_client_id")}>
-                    <Button
-                      color="minimal"
-                      size="sm"
-                      StartIcon="clipboard"
-                      onClick={() => {
-                        navigator.clipboard.writeText(client.clientId);
-                        showToast(t("client_id_copied"), "success");
-                      }}
-                    />
-                  </Tooltip>
-                )}
+                <Icon name="chevron-right" className="text-subtle h-5 w-5" />
               </div>
             </div>
           ))}
@@ -195,24 +210,33 @@ const OAuthClientsView = () => {
                 </div>
               </div>
 
-              <div className="flex items-center">
-                <Avatar
-                  alt=""
-                  fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
-                  className="mr-5 items-center"
-                  imageSrc={logo}
-                  size="lg"
-                />
-                <ImageUploader
-                  target="avatar"
-                  id="avatar-upload"
-                  buttonMsg={t("upload_logo")}
-                  handleAvatarChange={(newLogo: string) => {
-                    setLogo(newLogo);
-                    oAuthForm.setValue("logo", newLogo);
-                  }}
-                  imageSrc={logo}
-                />
+              <div>
+                <Label className="text-emphasis mb-2 block text-sm font-medium">
+                  {t("logo")} <span className="text-error">*</span>
+                </Label>
+                <div className="flex items-center">
+                  <Avatar
+                    alt=""
+                    fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
+                    className="mr-5 items-center"
+                    imageSrc={logo}
+                    size="lg"
+                  />
+                  <ImageUploader
+                    target="avatar"
+                    id="avatar-upload"
+                    buttonMsg={t("upload_logo")}
+                    handleAvatarChange={(newLogo: string) => {
+                      setLogo(newLogo);
+                      setLogoError(false);
+                      oAuthForm.setValue("logo", newLogo);
+                    }}
+                    imageSrc={logo}
+                  />
+                </div>
+                {logoError && (
+                  <p className="text-error mt-2 text-sm">{t("logo_required")}</p>
+                )}
               </div>
 
               <DialogFooter>
@@ -251,6 +275,85 @@ const OAuthClientsView = () => {
           )}
         </DialogContent>
       </Dialog>
+
+      <Dialog open={!!selectedClient} onOpenChange={(open) => !open && handleCloseClientDialog()}>
+        <DialogContent type="creation" title={selectedClient?.name || ""}>
+          {selectedClient && (
+            <div className="space-y-4">
+              <div className="flex items-center gap-4">
+                <Avatar
+                  alt={selectedClient.name}
+                  imageSrc={selectedClient.logo || undefined}
+                  fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
+                  size="lg"
+                />
+                <div>
+                  <div className="text-emphasis font-medium">{selectedClient.name}</div>
+                  <div className="text-subtle text-sm">{selectedClient.redirectUri}</div>
+                </div>
+                {getStatusBadge(selectedClient.approvalStatus)}
+              </div>
+
+              <div>
+                <div className="mb-2 font-medium">{t("client_id")}</div>
+                <div className="flex">
+                  <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                    {selectedClient.clientId}
+                  </code>
+                  <Tooltip side="top" content={t("copy_to_clipboard")}>
+                    <Button
+                      onClick={() => {
+                        navigator.clipboard.writeText(selectedClient.clientId);
+                        showToast(t("client_id_copied"), "success");
+                      }}
+                      type="button"
+                      className="rounded-l-none text-base"
+                      StartIcon="clipboard">
+                      {t("copy")}
+                    </Button>
+                  </Tooltip>
+                </div>
+              </div>
+
+              {selectedClient.approvalStatus === "APPROVED" && selectedClient.clientSecret && (
+                <div>
+                  <div className="mb-2 font-medium">{t("client_secret")}</div>
+                  <div className="flex">
+                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                      {selectedClient.clientSecret}
+                    </code>
+                    <Tooltip side="top" content={t("copy_to_clipboard")}>
+                      <Button
+                        onClick={() => {
+                          navigator.clipboard.writeText(selectedClient.clientSecret || "");
+                          showToast(t("client_secret_copied"), "success");
+                        }}
+                        type="button"
+                        className="rounded-l-none text-base"
+                        StartIcon="clipboard">
+                        {t("copy")}
+                      </Button>
+                    </Tooltip>
+                  </div>
+                  <p className="text-subtle mt-2 text-sm">{t("client_secret_warning")}</p>
+                </div>
+              )}
+
+              {selectedClient.approvalStatus === "PENDING" && (
+                <p className="text-subtle text-sm">{t("oauth_client_pending_approval")}</p>
+              )}
+
+              {selectedClient.approvalStatus === "REJECTED" && (
+                <p className="text-error text-sm">{t("oauth_client_rejected")}</p>
+              )}
+
+              <DialogFooter>
+                <Button onClick={handleCloseClientDialog}>{t("done")}</Button>
+              </DialogFooter>
+            </div>
+          )}
+        </DialogContent>
+      </Dialog>
     </div>
   );
 };
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 9db9a36e109203..0b961914ab5f1b 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1016,6 +1016,9 @@
     "oauth_client_status_updated": "OAuth client {{name}} status updated to {{status}}",
     "oauth_client_status_update_error": "Failed to update OAuth client status",
     "oauth_client_pending_approval": "Your OAuth client is pending approval. You will receive an email notification once it has been reviewed.",
+    "oauth_client_rejected": "Your OAuth client submission was rejected. Please contact support for more information.",
+    "logo_required": "Logo is required",
+    "client_secret_warning": "Store this secret securely. You won't be able to see it again.",
     "add_oauth_client": "Add OAuth Client",
     "add_oauth_client_description": "Add a new OAuth client",
     "no_oauth_clients": "No OAuth Clients",
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
index 8c4d7208c5984d..a79c7af25f5aa1 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
@@ -3,7 +3,7 @@ import { z } from "zod";
 export const ZSubmitClientInputSchema = z.object({
   name: z.string().min(1, "Client name is required"),
   redirectUri: z.string().url("Must be a valid URL"),
-  logo: z.string().optional(),
+  logo: z.string().min(1, "Logo is required"),
   enablePkce: z.boolean().optional().default(false),
 });
 

From b1b39a2ab3c69739c72588b72a99c97089489eb6 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 08:46:05 +0000
Subject: [PATCH 04/72] fix: add missing translation keys and remove client
 secret from details dialog

Co-Authored-By: peer@cal.com <peer@cal.com>
---
 .../settings/developer/oauth-clients-view.tsx | 25 ++-----------------
 apps/web/public/static/locales/en/common.json |  2 ++
 2 files changed, 4 insertions(+), 23 deletions(-)

diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index dc98e359f06e81..10999853cecc96 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -37,7 +37,6 @@ const OAuthClientsView = () => {
   } | null>(null);
   const [selectedClient, setSelectedClient] = useState<{
     clientId: string;
-    clientSecret?: string | null;
     name: string;
     logo?: string | null;
     redirectUri: string;
@@ -315,28 +314,8 @@ const OAuthClientsView = () => {
                 </div>
               </div>
 
-              {selectedClient.approvalStatus === "APPROVED" && selectedClient.clientSecret && (
-                <div>
-                  <div className="mb-2 font-medium">{t("client_secret")}</div>
-                  <div className="flex">
-                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
-                      {selectedClient.clientSecret}
-                    </code>
-                    <Tooltip side="top" content={t("copy_to_clipboard")}>
-                      <Button
-                        onClick={() => {
-                          navigator.clipboard.writeText(selectedClient.clientSecret || "");
-                          showToast(t("client_secret_copied"), "success");
-                        }}
-                        type="button"
-                        className="rounded-l-none text-base"
-                        StartIcon="clipboard">
-                        {t("copy")}
-                      </Button>
-                    </Tooltip>
-                  </div>
-                  <p className="text-subtle mt-2 text-sm">{t("client_secret_warning")}</p>
-                </div>
+              {selectedClient.approvalStatus === "APPROVED" && (
+                <p className="text-subtle text-sm">{t("oauth_client_approved_note")}</p>
               )}
 
               {selectedClient.approvalStatus === "PENDING" && (
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 0b961914ab5f1b..a251c5e7a73d8f 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1017,6 +1017,8 @@
     "oauth_client_status_update_error": "Failed to update OAuth client status",
     "oauth_client_pending_approval": "Your OAuth client is pending approval. You will receive an email notification once it has been reviewed.",
     "oauth_client_rejected": "Your OAuth client submission was rejected. Please contact support for more information.",
+    "oauth_client_approved_note": "Your OAuth client is approved and ready to use. The client secret was shown only once when the client was approved.",
+    "logo": "Logo",
     "logo_required": "Logo is required",
     "client_secret_warning": "Store this secret securely. You won't be able to see it again.",
     "add_oauth_client": "Add OAuth Client",

From 03c7d1336247c30ccab41386a1216c686a863a6f Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 09:23:55 +0000
Subject: [PATCH 05/72] fix: address cubic AI reviewer comments

- Remove duplicate 'there' JSON key in common.json
- Add select clause to findByUserId to avoid exposing clientSecret
- Add @@index([userId]) to OAuthClient model for query performance
- Update migration to include the index

Co-Authored-By: peer@cal.com <peer@cal.com>
---
 apps/web/public/static/locales/en/common.json          |  3 +--
 packages/lib/server/repository/oAuthClient.ts          | 10 ++++++++++
 .../migration.sql                                      |  3 +++
 packages/prisma/schema.prisma                          |  2 ++
 4 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index a251c5e7a73d8f..fe647abf6e1ca1 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1042,8 +1042,7 @@
     "rejected": "Rejected",
     "pending": "Pending",
     "hi_user": "Hi {{name}}",
-    "there": "there",
-    "admin_oauth_notification_email_subject": "New OAuth Client Submission: {{clientName}}",
+    "admin_oauth_notification_email_subject":"New OAuth Client Submission: {{clientName}}",
     "admin_oauth_notification_email_title": "New OAuth Client: {{clientName}}",
     "admin_oauth_notification_email_body": "A new OAuth client has been submitted by {{submitterEmail}} and is awaiting your review.",
     "admin_oauth_notification_email_cta": "Review OAuth Clients",
diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
index 820d0d089fc3b7..58738c36d3f6ee 100644
--- a/packages/lib/server/repository/oAuthClient.ts
+++ b/packages/lib/server/repository/oAuthClient.ts
@@ -52,6 +52,16 @@ export class OAuthClientRepository {
   async findByUserId(userId: number) {
     return this.prismaClient.oAuthClient.findMany({
       where: { userId },
+      select: {
+        clientId: true,
+        redirectUri: true,
+        name: true,
+        logo: true,
+        clientType: true,
+        approvalStatus: true,
+        userId: true,
+        createdAt: true,
+      },
       orderBy: { createdAt: "desc" },
     });
   }
diff --git a/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql b/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
index a15361895fb033..b651d75e888638 100644
--- a/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
+++ b/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
@@ -8,3 +8,6 @@ ADD COLUMN     "userId" INTEGER;
 
 -- AddForeignKey
 ALTER TABLE "public"."OAuthClient" ADD CONSTRAINT "OAuthClient_userId_fkey" FOREIGN KEY ("userId") REFERENCES "public"."users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- CreateIndex
+CREATE INDEX "OAuthClient_userId_idx" ON "public"."OAuthClient"("userId");
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 517cd7b4fd300f..5812a5bb28d51e 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1761,6 +1761,8 @@ model OAuthClient {
   userId         Int?
   user           User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
   createdAt      DateTime                  @default(now())
+
+  @@index([userId])
 }
 
 model AccessCode {

From 582cef5298afa5dec625e0193f252bc809bdcaa4 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 16:40:17 +0000
Subject: [PATCH 06/72] fix: address PR review comments - fix indentation and
 use useCopy hook

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 .../admin/oauth-clients-admin-view.tsx        |  17 ++-
 .../settings/developer/oauth-clients-view.tsx |  12 +-
 apps/web/public/static/locales/en/common.json | 110 +++++++++---------
 3 files changed, 74 insertions(+), 65 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index a8863759459fe2..ae48d4e1d562d5 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -3,6 +3,7 @@
 import { useState } from "react";
 import { useForm } from "react-hook-form";
 
+import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
 import { Avatar } from "@calcom/ui/components/avatar";
@@ -36,6 +37,7 @@ type FormValues = {
 
 export default function OAuthClientsAdminView() {
   const { t } = useLocale();
+  const { copyToClipboard } = useCopy();
   const utils = trpc.useUtils();
   const [showAddDialog, setShowAddDialog] = useState(false);
   const [logo, setLogo] = useState("");
@@ -201,8 +203,9 @@ export default function OAuthClientsAdminView() {
                         )}
                         <DropdownMenuItem
                           onClick={() => {
-                            navigator.clipboard.writeText(client.clientId);
-                            showToast(t("client_id_copied"), "success");
+                            copyToClipboard(client.clientId, {
+                              onSuccess: () => showToast(t("client_id_copied"), "success"),
+                            });
                           }}>
                           <Icon name="clipboard" className="mr-2 h-4 w-4" />
                           {t("copy_client_id")}
@@ -305,8 +308,9 @@ export default function OAuthClientsAdminView() {
                 <Tooltip side="top" content={t("copy_to_clipboard")}>
                   <Button
                     onClick={() => {
-                      navigator.clipboard.writeText(createdClient.clientId);
-                      showToast(t("client_id_copied"), "success");
+                      copyToClipboard(createdClient.clientId, {
+                        onSuccess: () => showToast(t("client_id_copied"), "success"),
+                      });
                     }}
                     type="button"
                     className="rounded-l-none text-base"
@@ -325,8 +329,9 @@ export default function OAuthClientsAdminView() {
                     <Tooltip side="top" content={t("copy_to_clipboard")}>
                       <Button
                         onClick={() => {
-                          navigator.clipboard.writeText(createdClient.clientSecret || "");
-                          showToast(t("client_secret_copied"), "success");
+                          copyToClipboard(createdClient.clientSecret || "", {
+                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
+                          });
                         }}
                         type="button"
                         className="rounded-l-none text-base"
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 10999853cecc96..c0848bb7f8c490 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -4,6 +4,7 @@ import { useState } from "react";
 import { useForm } from "react-hook-form";
 
 import { Dialog } from "@calcom/features/components/controlled-dialog";
+import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
 import { Avatar } from "@calcom/ui/components/avatar";
@@ -26,6 +27,7 @@ type FormValues = {
 
 const OAuthClientsView = () => {
   const { t } = useLocale();
+  const { copyToClipboard } = useCopy();
   const utils = trpc.useUtils();
   const [showDialog, setShowDialog] = useState(false);
   const [logo, setLogo] = useState("");
@@ -256,8 +258,9 @@ const OAuthClientsView = () => {
                 <Tooltip side="top" content={t("copy_to_clipboard")}>
                   <Button
                     onClick={() => {
-                      navigator.clipboard.writeText(submittedClient.clientId);
-                      showToast(t("client_id_copied"), "success");
+                      copyToClipboard(submittedClient.clientId, {
+                        onSuccess: () => showToast(t("client_id_copied"), "success"),
+                      });
                     }}
                     type="button"
                     className="rounded-l-none text-base"
@@ -302,8 +305,9 @@ const OAuthClientsView = () => {
                   <Tooltip side="top" content={t("copy_to_clipboard")}>
                     <Button
                       onClick={() => {
-                        navigator.clipboard.writeText(selectedClient.clientId);
-                        showToast(t("client_id_copied"), "success");
+                        copyToClipboard(selectedClient.clientId, {
+                          onSuccess: () => showToast(t("client_id_copied"), "success"),
+                        });
                       }}
                       type="button"
                       className="rounded-l-none text-base"
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index fe647abf6e1ca1..913cc29f942397 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -998,61 +998,61 @@
   "create_team": "Create team",
   "name": "Name",
   "nameless_team": "Nameless Team",
-    "oauth_clients": "OAuth Clients",
-    "oauth_clients_description": "Create and manage OAuth clients for third-party integrations",
-    "create_oauth_client": "Create OAuth Client",
-    "create_oauth_client_description": "Create a new OAuth client for third-party integrations",
-    "oauth_client_deletion_message": "OAuth client deleted successfully",
-    "oauth_clients_admin": "OAuth Clients",
-    "oauth_clients_admin_description": "Manage and approve OAuth client submissions",
-    "new_oauth_client": "New OAuth Client",
-    "new_oauth_client_description": "Submit a new OAuth client for approval",
-    "oauth_client_submitted": "OAuth Client Submitted",
-    "oauth_client_submitted_description": "Your OAuth client has been submitted for approval",
-    "oauth_client_submit_error": "Failed to submit OAuth client",
-    "oauth_client_created": "OAuth Client Created",
-    "oauth_client_created_description": "Your OAuth client has been created successfully",
-    "oauth_client_create_error": "Failed to create OAuth client",
-    "oauth_client_status_updated": "OAuth client {{name}} status updated to {{status}}",
-    "oauth_client_status_update_error": "Failed to update OAuth client status",
-    "oauth_client_pending_approval": "Your OAuth client is pending approval. You will receive an email notification once it has been reviewed.",
-    "oauth_client_rejected": "Your OAuth client submission was rejected. Please contact support for more information.",
-    "oauth_client_approved_note": "Your OAuth client is approved and ready to use. The client secret was shown only once when the client was approved.",
-    "logo": "Logo",
-    "logo_required": "Logo is required",
-    "client_secret_warning": "Store this secret securely. You won't be able to see it again.",
-    "add_oauth_client": "Add OAuth Client",
-    "add_oauth_client_description": "Add a new OAuth client",
-    "no_oauth_clients": "No OAuth Clients",
-    "no_oauth_clients_description": "You haven't created any OAuth clients yet. Create one to get started.",
-    "no_oauth_clients_admin_description": "No OAuth clients have been submitted yet.",
-    "submit_for_approval": "Submit for Approval",
-    "client_name": "Client Name",
-    "client_name_placeholder": "My OAuth App",
-    "redirect_uri": "Redirect URI",
-    "authentication_mode": "Authentication Mode",
-    "use_pkce": "Use PKCE (recommended for mobile/SPA applications)",
-    "upload_logo": "Upload Logo",
-    "copy_client_id": "Copy Client ID",
-    "client_id_copied": "Client ID copied to clipboard",
-    "submitted_by": "Submitted By",
-    "approve": "Approve",
-    "reject": "Reject",
-    "approved": "Approved",
-    "rejected": "Rejected",
-    "pending": "Pending",
-    "hi_user": "Hi {{name}}",
-    "admin_oauth_notification_email_subject":"New OAuth Client Submission: {{clientName}}",
-    "admin_oauth_notification_email_title": "New OAuth Client: {{clientName}}",
-    "admin_oauth_notification_email_body": "A new OAuth client has been submitted by {{submitterEmail}} and is awaiting your review.",
-    "admin_oauth_notification_email_cta": "Review OAuth Clients",
-    "admin_oauth_notification_email_footer": "Please review this submission and approve or reject it in the admin dashboard.",
-    "oauth_client_approved_email_subject": "Your OAuth Client {{clientName}} Has Been Approved",
-    "oauth_client_approved_email_title": "OAuth Client Approved: {{clientName}}",
-    "oauth_client_approved_email_body": "Great news! Your OAuth client has been approved and is now ready to use.",
-    "oauth_client_approved_email_cta": "View Your OAuth Clients",
-    "oauth_client_approved_email_footer": "You can now use your client ID and secret to integrate with Cal.com.",
-  "create_new_team_description": "Create a new team to collaborate with users.",
+  "oauth_clients": "OAuth Clients",
+  "oauth_clients_description": "Create and manage OAuth clients for third-party integrations",
+  "create_oauth_client": "Create OAuth Client",
+  "create_oauth_client_description": "Create a new OAuth client for third-party integrations",
+  "oauth_client_deletion_message": "OAuth client deleted successfully",
+  "oauth_clients_admin": "OAuth Clients",
+  "oauth_clients_admin_description": "Manage and approve OAuth client submissions",
+  "new_oauth_client": "New OAuth Client",
+  "new_oauth_client_description": "Submit a new OAuth client for approval",
+  "oauth_client_submitted": "OAuth Client Submitted",
+  "oauth_client_submitted_description": "Your OAuth client has been submitted for approval",
+  "oauth_client_submit_error": "Failed to submit OAuth client",
+  "oauth_client_created": "OAuth Client Created",
+  "oauth_client_created_description": "Your OAuth client has been created successfully",
+  "oauth_client_create_error": "Failed to create OAuth client",
+  "oauth_client_status_updated": "OAuth client {{name}} status updated to {{status}}",
+  "oauth_client_status_update_error": "Failed to update OAuth client status",
+  "oauth_client_pending_approval": "Your OAuth client is pending approval. You will receive an email notification once it has been reviewed.",
+  "oauth_client_rejected": "Your OAuth client submission was rejected. Please contact support for more information.",
+  "oauth_client_approved_note": "Your OAuth client is approved and ready to use. The client secret was shown only once when the client was approved.",
+  "logo": "Logo",
+  "logo_required": "Logo is required",
+  "client_secret_warning": "Store this secret securely. You won't be able to see it again.",
+  "add_oauth_client": "Add OAuth Client",
+  "add_oauth_client_description": "Add a new OAuth client",
+  "no_oauth_clients": "No OAuth Clients",
+  "no_oauth_clients_description": "You haven't created any OAuth clients yet. Create one to get started.",
+  "no_oauth_clients_admin_description": "No OAuth clients have been submitted yet.",
+  "submit_for_approval": "Submit for Approval",
+  "client_name": "Client Name",
+  "client_name_placeholder": "My OAuth App",
+  "redirect_uri": "Redirect URI",
+  "authentication_mode": "Authentication Mode",
+  "use_pkce": "Use PKCE (recommended for mobile/SPA applications)",
+  "upload_logo": "Upload Logo",
+  "copy_client_id": "Copy Client ID",
+  "client_id_copied": "Client ID copied to clipboard",
+  "submitted_by": "Submitted By",
+  "approve": "Approve",
+  "reject": "Reject",
+  "approved": "Approved",
+  "rejected": "Rejected",
+  "pending": "Pending",
+  "hi_user": "Hi {{name}}",
+  "admin_oauth_notification_email_subject": "New OAuth Client Submission: {{clientName}}",
+  "admin_oauth_notification_email_title": "New OAuth Client: {{clientName}}",
+  "admin_oauth_notification_email_body": "A new OAuth client has been submitted by {{submitterEmail}} and is awaiting your review.",
+  "admin_oauth_notification_email_cta": "Review OAuth Clients",
+  "admin_oauth_notification_email_footer": "Please review this submission and approve or reject it in the admin dashboard.",
+  "oauth_client_approved_email_subject": "Your OAuth Client {{clientName}} Has Been Approved",
+  "oauth_client_approved_email_title": "OAuth Client Approved: {{clientName}}",
+  "oauth_client_approved_email_body": "Great news! Your OAuth client has been approved and is now ready to use.",
+  "oauth_client_approved_email_cta": "View Your OAuth Clients",
+  "oauth_client_approved_email_footer": "You can now use your client ID and secret to integrate with Cal.com.",
+  "create_new_team_description":"Create a new team to collaborate with users.",
   "create_new_team": "Create a new team",
   "booking_redirect_uri": "URL of your booking page",
   "booking_cancel_redirect_uri": "URL of the page where your users can cancel their booking",

From c3e0b709c2d88fd221143cb4ce9cd25bb8c94277 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 09:47:50 +0000
Subject: [PATCH 07/72] fix: change react-dom/server import to fix Turbopack
 compatibility

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 packages/emails/src/renderEmail.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/emails/src/renderEmail.ts b/packages/emails/src/renderEmail.ts
index 4ada467b557fd6..c808a706b023ec 100644
--- a/packages/emails/src/renderEmail.ts
+++ b/packages/emails/src/renderEmail.ts
@@ -5,7 +5,7 @@ async function renderEmail<K extends keyof typeof templates>(
   props: React.ComponentProps<(typeof templates)[K]>
 ) {
   const Component = templates[template];
-  const ReactDOMServer = (await import("react-dom/server")).default;
+  const ReactDOMServer = await import("react-dom/server");
   return (
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-expect-error

From c29dbb31babfb80d26069d771407398e9166d1ea Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 09:50:39 +0000
Subject: [PATCH 08/72] Revert "fix: change react-dom/server import to fix
 Turbopack compatibility"

This reverts commit c3e0b709c2d88fd221143cb4ce9cd25bb8c94277.
---
 packages/emails/src/renderEmail.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/emails/src/renderEmail.ts b/packages/emails/src/renderEmail.ts
index c808a706b023ec..4ada467b557fd6 100644
--- a/packages/emails/src/renderEmail.ts
+++ b/packages/emails/src/renderEmail.ts
@@ -5,7 +5,7 @@ async function renderEmail<K extends keyof typeof templates>(
   props: React.ComponentProps<(typeof templates)[K]>
 ) {
   const Component = templates[template];
-  const ReactDOMServer = await import("react-dom/server");
+  const ReactDOMServer = (await import("react-dom/server")).default;
   return (
     // eslint-disable-next-line @typescript-eslint/ban-ts-comment
     // @ts-expect-error

From c5f13a54f5e5c39863f5c4e91567e6772a2afe9f Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 09:57:27 +0000
Subject: [PATCH 09/72] fix: use email service pattern for OAuth client
 notifications

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 packages/emails/oauth-email-service.ts        | 25 +++++++++++++++++++
 .../viewer/oAuth/submitClient.handler.ts      |  5 ++--
 .../oAuth/updateClientStatus.handler.ts       |  5 ++--
 3 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 packages/emails/oauth-email-service.ts

diff --git a/packages/emails/oauth-email-service.ts b/packages/emails/oauth-email-service.ts
new file mode 100644
index 00000000000000..f48d8f9730739d
--- /dev/null
+++ b/packages/emails/oauth-email-service.ts
@@ -0,0 +1,25 @@
+import type BaseEmail from "@calcom/emails/templates/_base-email";
+
+import type { OAuthClientNotification } from "./templates/admin-oauth-client-notification";
+import AdminOAuthClientNotification from "./templates/admin-oauth-client-notification";
+import type { OAuthClientApprovedNotification } from "./templates/oauth-client-approved-notification";
+import OAuthClientApprovedEmail from "./templates/oauth-client-approved-notification";
+
+const sendEmail = (prepare: () => BaseEmail) => {
+  return new Promise((resolve, reject) => {
+    try {
+      const email = prepare();
+      resolve(email.sendEmail());
+    } catch (e) {
+      reject(console.error(`${prepare.constructor.name}.sendEmail failed`, e));
+    }
+  });
+};
+
+export const sendAdminOAuthClientNotification = async (input: OAuthClientNotification) => {
+  await sendEmail(() => new AdminOAuthClientNotification(input));
+};
+
+export const sendOAuthClientApprovedNotification = async (input: OAuthClientApprovedNotification) => {
+  await sendEmail(() => new OAuthClientApprovedEmail(input));
+};
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index 1edeecf0132e0e..7a0758971ce532 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -1,4 +1,4 @@
-import AdminOAuthClientNotification from "@calcom/emails/templates/admin-oauth-client-notification";
+import { sendAdminOAuthClientNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
 
@@ -32,7 +32,7 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
 
   // Send email notification to team@cal.com
   const t = await getTranslation("en", "common");
-  const adminNotification = new AdminOAuthClientNotification({
+  await sendAdminOAuthClientNotification({
     t,
     clientName: client.name,
     clientId: client.clientId,
@@ -40,7 +40,6 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
     submitterEmail: ctx.user.email,
     submitterName: ctx.user.name,
   });
-  await adminNotification.sendEmail();
 
   return {
     clientId: client.clientId,
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index bbf5d2e4018213..49de8ef490a741 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -1,4 +1,4 @@
-import OAuthClientApprovedEmail from "@calcom/emails/templates/oauth-client-approved-notification";
+import { sendOAuthClientApprovedNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
 
@@ -21,14 +21,13 @@ export const updateClientStatusHandler = async ({ input }: UpdateClientStatusOpt
   // Send approval notification email to user if approved
   if (status === "APPROVED" && clientWithUser?.user) {
     const t = await getTranslation("en", "common");
-    const approvalNotification = new OAuthClientApprovedEmail({
+    await sendOAuthClientApprovedNotification({
       t,
       userEmail: clientWithUser.user.email,
       userName: clientWithUser.user.name,
       clientName: updatedClient.name,
       clientId: updatedClient.clientId,
     });
-    await approvalNotification.sendEmail();
   }
 
   return {

From fc9d47cd773505ebc5ee2696718aad4a8a98be77 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 10:04:25 +0000
Subject: [PATCH 10/72] fix: add try-catch around email sending to handle
 Turbopack react-dom/server issue

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 .../viewer/oAuth/submitClient.handler.ts      | 22 ++++++++++++-------
 .../oAuth/updateClientStatus.handler.ts       | 20 +++++++++++------
 2 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index 7a0758971ce532..1afe1a91f69e91 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -32,14 +32,20 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
 
   // Send email notification to team@cal.com
   const t = await getTranslation("en", "common");
-  await sendAdminOAuthClientNotification({
-    t,
-    clientName: client.name,
-    clientId: client.clientId,
-    redirectUri: client.redirectUri,
-    submitterEmail: ctx.user.email,
-    submitterName: ctx.user.name,
-  });
+  try {
+    await sendAdminOAuthClientNotification({
+      t,
+      clientName: client.name,
+      clientId: client.clientId,
+      redirectUri: client.redirectUri,
+      submitterEmail: ctx.user.email,
+      submitterName: ctx.user.name,
+    });
+  } catch (error) {
+    // Log the error but don't fail the request - email sending can fail in dev due to
+    // Turbopack's handling of react-dom/server. The OAuth client is still created successfully.
+    console.error("Failed to send admin OAuth client notification email:", error);
+  }
 
   return {
     clientId: client.clientId,
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 49de8ef490a741..db4eefae4a7b8a 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -21,13 +21,19 @@ export const updateClientStatusHandler = async ({ input }: UpdateClientStatusOpt
   // Send approval notification email to user if approved
   if (status === "APPROVED" && clientWithUser?.user) {
     const t = await getTranslation("en", "common");
-    await sendOAuthClientApprovedNotification({
-      t,
-      userEmail: clientWithUser.user.email,
-      userName: clientWithUser.user.name,
-      clientName: updatedClient.name,
-      clientId: updatedClient.clientId,
-    });
+    try {
+      await sendOAuthClientApprovedNotification({
+        t,
+        userEmail: clientWithUser.user.email,
+        userName: clientWithUser.user.name,
+        clientName: updatedClient.name,
+        clientId: updatedClient.clientId,
+      });
+    } catch (error) {
+      // Log the error but don't fail the request - email sending can fail in dev due to
+      // Turbopack's handling of react-dom/server. The status update is still applied successfully.
+      console.error("Failed to send OAuth client approved notification email:", error);
+    }
   }
 
   return {

From 3804fe37221761a12ecc749ab460b4207a34ae55 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 10:15:55 +0000
Subject: [PATCH 11/72] Revert "fix: add try-catch around email sending to
 handle Turbopack react-dom/server issue"

This reverts commit fc9d47cd773505ebc5ee2696718aad4a8a98be77.
---
 .../viewer/oAuth/submitClient.handler.ts      | 22 +++++++------------
 .../oAuth/updateClientStatus.handler.ts       | 20 ++++++-----------
 2 files changed, 15 insertions(+), 27 deletions(-)

diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index 1afe1a91f69e91..7a0758971ce532 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -32,20 +32,14 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
 
   // Send email notification to team@cal.com
   const t = await getTranslation("en", "common");
-  try {
-    await sendAdminOAuthClientNotification({
-      t,
-      clientName: client.name,
-      clientId: client.clientId,
-      redirectUri: client.redirectUri,
-      submitterEmail: ctx.user.email,
-      submitterName: ctx.user.name,
-    });
-  } catch (error) {
-    // Log the error but don't fail the request - email sending can fail in dev due to
-    // Turbopack's handling of react-dom/server. The OAuth client is still created successfully.
-    console.error("Failed to send admin OAuth client notification email:", error);
-  }
+  await sendAdminOAuthClientNotification({
+    t,
+    clientName: client.name,
+    clientId: client.clientId,
+    redirectUri: client.redirectUri,
+    submitterEmail: ctx.user.email,
+    submitterName: ctx.user.name,
+  });
 
   return {
     clientId: client.clientId,
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index db4eefae4a7b8a..49de8ef490a741 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -21,19 +21,13 @@ export const updateClientStatusHandler = async ({ input }: UpdateClientStatusOpt
   // Send approval notification email to user if approved
   if (status === "APPROVED" && clientWithUser?.user) {
     const t = await getTranslation("en", "common");
-    try {
-      await sendOAuthClientApprovedNotification({
-        t,
-        userEmail: clientWithUser.user.email,
-        userName: clientWithUser.user.name,
-        clientName: updatedClient.name,
-        clientId: updatedClient.clientId,
-      });
-    } catch (error) {
-      // Log the error but don't fail the request - email sending can fail in dev due to
-      // Turbopack's handling of react-dom/server. The status update is still applied successfully.
-      console.error("Failed to send OAuth client approved notification email:", error);
-    }
+    await sendOAuthClientApprovedNotification({
+      t,
+      userEmail: clientWithUser.user.email,
+      userName: clientWithUser.user.name,
+      clientName: updatedClient.name,
+      clientId: updatedClient.clientId,
+    });
   }
 
   return {

From 05172df34f2f2f295edc01789f10e5a014b5edd1 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 10:27:51 +0000
Subject: [PATCH 12/72] fix: improve OAuth client UI with skeleton loaders and
 smaller dialog styling

- Replace 'Loading...' text with proper skeleton loaders in both developer and admin OAuth client views
- Make client_id and copy button smaller in dialogs using size='sm' and text-sm styling
- Add 'client_id' translation key to common.json for proper i18n

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 .../admin/oauth-clients-admin-skeleton.tsx    | 60 +++++++++++++++++++
 .../admin/oauth-clients-admin-view.tsx        | 18 +++---
 .../developer/oauth-clients-skeleton.tsx      | 30 ++++++++++
 .../settings/developer/oauth-clients-view.tsx | 18 +++---
 apps/web/public/static/locales/en/common.json |  1 +
 5 files changed, 113 insertions(+), 14 deletions(-)
 create mode 100644 apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx
 create mode 100644 apps/web/modules/settings/developer/oauth-clients-skeleton.tsx

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx
new file mode 100644
index 00000000000000..5dba0972d6421a
--- /dev/null
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx
@@ -0,0 +1,60 @@
+"use client";
+
+import { SkeletonText, SkeletonContainer } from "@calcom/ui/components/skeleton";
+
+export const OAuthClientsAdminSkeleton = () => {
+  return (
+    <SkeletonContainer>
+      <div className="mb-4 flex justify-end">
+        <div className="bg-emphasis h-9 w-36 rounded-md" />
+      </div>
+      <div className="border-subtle overflow-hidden rounded-lg border">
+        <table className="w-full">
+          <thead className="bg-subtle">
+            <tr>
+              <th className="px-4 py-3 text-left">
+                <SkeletonText className="h-4 w-20" />
+              </th>
+              <th className="px-4 py-3 text-left">
+                <SkeletonText className="h-4 w-20" />
+              </th>
+              <th className="px-4 py-3 text-left">
+                <SkeletonText className="h-4 w-20" />
+              </th>
+              <th className="px-4 py-3 text-left">
+                <SkeletonText className="h-4 w-16" />
+              </th>
+              <th className="px-4 py-3 text-left">
+                <SkeletonText className="h-4 w-16" />
+              </th>
+            </tr>
+          </thead>
+          <tbody className="divide-subtle divide-y">
+            {[1, 2, 3].map((i) => (
+              <tr key={i}>
+                <td className="px-4 py-3">
+                  <div className="flex items-center gap-3">
+                    <div className="bg-emphasis h-8 w-8 rounded-full" />
+                    <SkeletonText className="h-4 w-24" />
+                  </div>
+                </td>
+                <td className="px-4 py-3">
+                  <SkeletonText className="h-4 w-40" />
+                </td>
+                <td className="px-4 py-3">
+                  <SkeletonText className="h-4 w-24" />
+                </td>
+                <td className="px-4 py-3">
+                  <SkeletonText className="h-5 w-16 rounded-full" />
+                </td>
+                <td className="px-4 py-3">
+                  <div className="bg-emphasis h-8 w-8 rounded" />
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </div>
+    </SkeletonContainer>
+  );
+};
diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index ae48d4e1d562d5..18138d37363e32 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -6,6 +6,8 @@ import { useForm } from "react-hook-form";
 import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
+
+import { OAuthClientsAdminSkeleton } from "./oauth-clients-admin-skeleton";
 import { Avatar } from "@calcom/ui/components/avatar";
 import { Badge } from "@calcom/ui/components/badge";
 import { Button } from "@calcom/ui/components/button";
@@ -123,7 +125,7 @@ export default function OAuthClientsAdminView() {
   };
 
   if (isLoading) {
-    return <div className="flex justify-center py-8">{t("loading")}</div>;
+    return <OAuthClientsAdminSkeleton />;
   }
 
   return (
@@ -300,9 +302,9 @@ export default function OAuthClientsAdminView() {
           ) : (
             <div>
               <div className="text-emphasis mb-5 text-xl font-semibold">{createdClient.name}</div>
-              <div className="mb-2 font-medium">{t("client_id")}</div>
+              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
               <div className="flex">
-                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
                   {createdClient.clientId}
                 </code>
                 <Tooltip side="top" content={t("copy_to_clipboard")}>
@@ -313,7 +315,8 @@ export default function OAuthClientsAdminView() {
                       });
                     }}
                     type="button"
-                    className="rounded-l-none text-base"
+                    size="sm"
+                    className="rounded-l-none"
                     StartIcon="clipboard">
                     {t("copy")}
                   </Button>
@@ -321,9 +324,9 @@ export default function OAuthClientsAdminView() {
               </div>
               {createdClient.clientSecret && (
                 <>
-                  <div className="mb-2 mt-4 font-medium">{t("client_secret")}</div>
+                  <div className="text-subtle mb-1 mt-4 text-sm">{t("client_secret")}</div>
                   <div className="flex">
-                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
                       {createdClient.clientSecret}
                     </code>
                     <Tooltip side="top" content={t("copy_to_clipboard")}>
@@ -334,7 +337,8 @@ export default function OAuthClientsAdminView() {
                           });
                         }}
                         type="button"
-                        className="rounded-l-none text-base"
+                        size="sm"
+                        className="rounded-l-none"
                         StartIcon="clipboard">
                         {t("copy")}
                       </Button>
diff --git a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
new file mode 100644
index 00000000000000..e4be71be230ac5
--- /dev/null
+++ b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
@@ -0,0 +1,30 @@
+"use client";
+
+import { SkeletonText, SkeletonContainer } from "@calcom/ui/components/skeleton";
+
+export const OAuthClientsSkeleton = () => {
+  return (
+    <SkeletonContainer>
+      <div className="mb-4 flex justify-end">
+        <div className="bg-emphasis h-9 w-36 rounded-md" />
+      </div>
+      <div className="border-subtle divide-subtle divide-y rounded-lg border">
+        {[1, 2, 3].map((i) => (
+          <div key={i} className="flex items-center justify-between p-4">
+            <div className="flex items-center gap-4">
+              <div className="bg-emphasis h-10 w-10 rounded-full" />
+              <div className="space-y-2">
+                <SkeletonText className="h-4 w-32" />
+                <SkeletonText className="h-3 w-48" />
+              </div>
+            </div>
+            <div className="flex items-center gap-4">
+              <SkeletonText className="h-5 w-16 rounded-full" />
+              <div className="bg-emphasis h-5 w-5 rounded" />
+            </div>
+          </div>
+        ))}
+      </div>
+    </SkeletonContainer>
+  );
+};
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index c0848bb7f8c490..51a0ddaff182b7 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -7,6 +7,8 @@ import { Dialog } from "@calcom/features/components/controlled-dialog";
 import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
+
+import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 import { Avatar } from "@calcom/ui/components/avatar";
 import { Badge } from "@calcom/ui/components/badge";
 import { Button } from "@calcom/ui/components/button";
@@ -110,7 +112,7 @@ const OAuthClientsView = () => {
   };
 
   if (isLoading) {
-    return <div className="flex justify-center py-8">{t("loading")}</div>;
+    return <OAuthClientsSkeleton />;
   }
 
   return (
@@ -250,9 +252,9 @@ const OAuthClientsView = () => {
           ) : (
             <div>
               <div className="text-emphasis mb-5 text-xl font-semibold">{submittedClient.name}</div>
-              <div className="mb-2 font-medium">{t("client_id")}</div>
+              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
               <div className="flex">
-                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
                   {submittedClient.clientId}
                 </code>
                 <Tooltip side="top" content={t("copy_to_clipboard")}>
@@ -263,7 +265,8 @@ const OAuthClientsView = () => {
                       });
                     }}
                     type="button"
-                    className="rounded-l-none text-base"
+                    size="sm"
+                    className="rounded-l-none"
                     StartIcon="clipboard">
                     {t("copy")}
                   </Button>
@@ -297,9 +300,9 @@ const OAuthClientsView = () => {
               </div>
 
               <div>
-                <div className="mb-2 font-medium">{t("client_id")}</div>
+                <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
                 <div className="flex">
-                  <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
+                  <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
                     {selectedClient.clientId}
                   </code>
                   <Tooltip side="top" content={t("copy_to_clipboard")}>
@@ -310,7 +313,8 @@ const OAuthClientsView = () => {
                         });
                       }}
                       type="button"
-                      className="rounded-l-none text-base"
+                      size="sm"
+                      className="rounded-l-none"
                       StartIcon="clipboard">
                       {t("copy")}
                     </Button>
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 913cc29f942397..af4cfdbdc181c6 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1033,6 +1033,7 @@
   "authentication_mode": "Authentication Mode",
   "use_pkce": "Use PKCE (recommended for mobile/SPA applications)",
   "upload_logo": "Upload Logo",
+  "client_id": "Client ID",
   "copy_client_id": "Copy Client ID",
   "client_id_copied": "Client ID copied to clipboard",
   "submitted_by": "Submitted By",

From dfd5bc22bb86c0d210019160438baf86772c5ebf Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 14:04:00 +0000
Subject: [PATCH 13/72] fix: improve skeleton loader to match actual OAuth
 client list structure

- Remove divide-y from container and use conditional border-b on rows
- Match the exact structure from oauth-clients-view.tsx L126-160
- Use proper spacing for text elements (mt-1 instead of space-y-2)

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 .../developer/oauth-clients-skeleton.tsx       | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
index e4be71be230ac5..13a66837f3ea76 100644
--- a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
@@ -2,25 +2,31 @@
 
 import { SkeletonText, SkeletonContainer } from "@calcom/ui/components/skeleton";
 
+const skeletonItems = [1, 2, 3];
+
 export const OAuthClientsSkeleton = () => {
   return (
     <SkeletonContainer>
       <div className="mb-4 flex justify-end">
         <div className="bg-emphasis h-9 w-36 rounded-md" />
       </div>
-      <div className="border-subtle divide-subtle divide-y rounded-lg border">
-        {[1, 2, 3].map((i) => (
-          <div key={i} className="flex items-center justify-between p-4">
+      <div className="border-subtle rounded-lg border">
+        {skeletonItems.map((i, index) => (
+          <div
+            key={i}
+            className={`flex items-center justify-between p-4 ${
+              index !== skeletonItems.length - 1 ? "border-subtle border-b" : ""
+            }`}>
             <div className="flex items-center gap-4">
               <div className="bg-emphasis h-10 w-10 rounded-full" />
-              <div className="space-y-2">
+              <div>
                 <SkeletonText className="h-4 w-32" />
-                <SkeletonText className="h-3 w-48" />
+                <SkeletonText className="mt-1 h-3 w-48" />
               </div>
             </div>
             <div className="flex items-center gap-4">
               <SkeletonText className="h-5 w-16 rounded-full" />
-              <div className="bg-emphasis h-5 w-5 rounded" />
+              <div className="bg-emphasis h-5 w-5" />
             </div>
           </div>
         ))}

From 7500de877dec0e25c3e81bd2ef95efe8d0382efe Mon Sep 17 00:00:00 2001
From: Eunjae Lee <hey@eunjae.dev>
Date: Tue, 9 Dec 2025 15:12:05 +0100
Subject: [PATCH 14/72] fix skeleton

---
 .../settings/developer/oauth-clients-skeleton.tsx | 12 ++++++------
 .../settings/developer/oauth-clients-view.tsx     | 15 +++++----------
 2 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
index 13a66837f3ea76..8a058191508998 100644
--- a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
@@ -2,7 +2,7 @@
 
 import { SkeletonText, SkeletonContainer } from "@calcom/ui/components/skeleton";
 
-const skeletonItems = [1, 2, 3];
+const skeletonItems = Array(3).fill(undefined);
 
 export const OAuthClientsSkeleton = () => {
   return (
@@ -17,16 +17,16 @@ export const OAuthClientsSkeleton = () => {
             className={`flex items-center justify-between p-4 ${
               index !== skeletonItems.length - 1 ? "border-subtle border-b" : ""
             }`}>
-            <div className="flex items-center gap-4">
-              <div className="bg-emphasis h-10 w-10 rounded-full" />
-              <div>
+            <div className="mb-0.5 flex items-center gap-4">
+              <div className="bg-emphasis h-8 w-8 rounded-full" />
+              <div className="mt-0.5 flex flex-col">
                 <SkeletonText className="h-4 w-32" />
-                <SkeletonText className="mt-1 h-3 w-48" />
+                <SkeletonText className="mt-2 h-4 w-48" />
               </div>
             </div>
             <div className="flex items-center gap-4">
               <SkeletonText className="h-5 w-16 rounded-full" />
-              <div className="bg-emphasis h-5 w-5" />
+              <div className="bg-emphasis h-5 w-5 rounded-full" />
             </div>
           </div>
         ))}
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 51a0ddaff182b7..3626143fa633fb 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -7,8 +7,6 @@ import { Dialog } from "@calcom/features/components/controlled-dialog";
 import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
-
-import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 import { Avatar } from "@calcom/ui/components/avatar";
 import { Badge } from "@calcom/ui/components/badge";
 import { Button } from "@calcom/ui/components/button";
@@ -20,6 +18,8 @@ import { ImageUploader } from "@calcom/ui/components/image-uploader";
 import { showToast } from "@calcom/ui/components/toast";
 import { Tooltip } from "@calcom/ui/components/tooltip";
 
+import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
+
 type FormValues = {
   name: string;
   redirectUri: string;
@@ -128,7 +128,7 @@ const OAuthClientsView = () => {
           {oAuthClients.map((client, index) => (
             <div
               key={client.clientId}
-              className={`flex cursor-pointer items-center justify-between p-4 transition-colors hover:bg-subtle ${
+              className={`hover:bg-subtle flex cursor-pointer items-center justify-between p-4 transition-colors ${
                 index !== oAuthClients.length - 1 ? "border-subtle border-b" : ""
               }`}
               onClick={() => setSelectedClient(client)}
@@ -179,10 +179,7 @@ const OAuthClientsView = () => {
             submittedClient ? t("oauth_client_submitted_description") : t("new_oauth_client_description")
           }>
           {!submittedClient ? (
-            <Form
-              form={oAuthForm}
-              handleSubmit={handleSubmit}
-              className="space-y-4">
+            <Form form={oAuthForm} handleSubmit={handleSubmit} className="space-y-4">
               <TextField
                 {...oAuthForm.register("name", { required: true })}
                 label={t("client_name")}
@@ -237,9 +234,7 @@ const OAuthClientsView = () => {
                     imageSrc={logo}
                   />
                 </div>
-                {logoError && (
-                  <p className="text-error mt-2 text-sm">{t("logo_required")}</p>
-                )}
+                {logoError && <p className="text-error mt-2 text-sm">{t("logo_required")}</p>}
               </div>
 
               <DialogFooter>

From a1d86ac7eb60bc6298f257d2109a8f56ed0e3090 Mon Sep 17 00:00:00 2001
From: Eunjae Lee <hey@eunjae.dev>
Date: Tue, 9 Dec 2025 15:18:35 +0100
Subject: [PATCH 15/72] rename the selected oauth client dialog

---
 apps/web/modules/settings/developer/oauth-clients-view.tsx | 4 ++--
 apps/web/public/static/locales/en/common.json              | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 3626143fa633fb..f9c83258f0c905 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -277,7 +277,7 @@ const OAuthClientsView = () => {
       </Dialog>
 
       <Dialog open={!!selectedClient} onOpenChange={(open) => !open && handleCloseClientDialog()}>
-        <DialogContent type="creation" title={selectedClient?.name || ""}>
+        <DialogContent type="creation" title={t("oauth_client")}>
           {selectedClient && (
             <div className="space-y-4">
               <div className="flex items-center gap-4">
@@ -290,8 +290,8 @@ const OAuthClientsView = () => {
                 <div>
                   <div className="text-emphasis font-medium">{selectedClient.name}</div>
                   <div className="text-subtle text-sm">{selectedClient.redirectUri}</div>
+                  {getStatusBadge(selectedClient.approvalStatus)}
                 </div>
-                {getStatusBadge(selectedClient.approvalStatus)}
               </div>
 
               <div>
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index af4cfdbdc181c6..fb2dd5fccd2759 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1053,7 +1053,7 @@
   "oauth_client_approved_email_body": "Great news! Your OAuth client has been approved and is now ready to use.",
   "oauth_client_approved_email_cta": "View Your OAuth Clients",
   "oauth_client_approved_email_footer": "You can now use your client ID and secret to integrate with Cal.com.",
-  "create_new_team_description":"Create a new team to collaborate with users.",
+  "create_new_team_description": "Create a new team to collaborate with users.",
   "create_new_team": "Create a new team",
   "booking_redirect_uri": "URL of your booking page",
   "booking_cancel_redirect_uri": "URL of the page where your users can cancel their booking",
@@ -4102,5 +4102,6 @@
   "booking_response": "Booking Response",
   "list_view": "List view",
   "calendar_view": "Calendar view",
+  "oauth_client": "OAuth Client",
   "ADD_NEW_STRINGS_ABOVE_THIS_LINE_TO_PREVENT_MERGE_CONFLICTS": "↑↑↑↑↑↑↑↑↑↑↑↑↑ Add your new strings above here ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑"
 }

From bc6f449ea2f4a170812675773bd7eebb5eed0012 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 14:35:10 +0000
Subject: [PATCH 16/72] fix: address PR feedback - admin auth, dropdown
 styling, sidebar label

- Add defense-in-depth admin authorization check in updateClientStatus handler
- Fix broken dropdown menu by using DropdownItem with StartIcon prop
- Fix sidebar menu label from 'oAuth' to 'oauth_clients' to match developer view

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 .../SettingsLayoutAppDirClient.tsx            |  2 +-
 .../admin/oauth-clients-admin-view.tsx        | 60 ++++++++++++-------
 .../server/routers/viewer/oAuth/_router.tsx   |  3 +-
 .../oAuth/updateClientStatus.handler.ts       | 16 ++++-
 4 files changed, 58 insertions(+), 23 deletions(-)

diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
index 88d71bf397215e..2aa1f14e752fad 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
@@ -150,7 +150,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
         { name: "users", href: "/settings/admin/users", trackingMetadata: { section: "admin", page: "users" } },
         { name: "organizations", href: "/settings/admin/organizations", trackingMetadata: { section: "admin", page: "organizations" } },
         { name: "lockedSMS", href: "/settings/admin/lockedSMS", trackingMetadata: { section: "admin", page: "locked_sms" } },
-        { name: "oAuth", href: "/settings/admin/oAuth", trackingMetadata: { section: "admin", page: "oauth" } },
+        { name: "oauth_clients", href: "/settings/admin/oAuth", trackingMetadata: { section: "admin", page: "oauth" } },
         { name: "Workspace Platforms", href: "/settings/admin/workspace-platforms", trackingMetadata: { section: "admin", page: "workspace_platforms" } },
         { name: "Playground", href: "/settings/admin/playground", trackingMetadata: { section: "admin", page: "playground" } },
       ],
diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 18138d37363e32..7b2c94a5a14f16 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -19,6 +19,7 @@ import {
 } from "@calcom/ui/components/dialog";
 import {
   Dropdown,
+  DropdownItem,
   DropdownMenuTrigger,
   DropdownMenuContent,
   DropdownMenuItem,
@@ -181,36 +182,55 @@ export default function OAuthClientsAdminView() {
                       <DropdownMenuContent align="end">
                         {client.approvalStatus === "PENDING" && (
                           <>
-                            <DropdownMenuItem onClick={() => handleApprove(client.clientId)}>
-                              <Icon name="check" className="mr-2 h-4 w-4" />
-                              {t("approve")}
+                            <DropdownMenuItem>
+                              <DropdownItem
+                                type="button"
+                                StartIcon="check"
+                                onClick={() => handleApprove(client.clientId)}>
+                                {t("approve")}
+                              </DropdownItem>
                             </DropdownMenuItem>
-                            <DropdownMenuItem onClick={() => handleReject(client.clientId)}>
-                              <Icon name="x" className="mr-2 h-4 w-4" />
-                              {t("reject")}
+                            <DropdownMenuItem>
+                              <DropdownItem
+                                type="button"
+                                StartIcon="x"
+                                onClick={() => handleReject(client.clientId)}>
+                                {t("reject")}
+                              </DropdownItem>
                             </DropdownMenuItem>
                           </>
                         )}
                         {client.approvalStatus === "REJECTED" && (
-                          <DropdownMenuItem onClick={() => handleApprove(client.clientId)}>
-                            <Icon name="check" className="mr-2 h-4 w-4" />
-                            {t("approve")}
+                          <DropdownMenuItem>
+                            <DropdownItem
+                              type="button"
+                              StartIcon="check"
+                              onClick={() => handleApprove(client.clientId)}>
+                              {t("approve")}
+                            </DropdownItem>
                           </DropdownMenuItem>
                         )}
                         {client.approvalStatus === "APPROVED" && (
-                          <DropdownMenuItem onClick={() => handleReject(client.clientId)}>
-                            <Icon name="x" className="mr-2 h-4 w-4" />
-                            {t("reject")}
+                          <DropdownMenuItem>
+                            <DropdownItem
+                              type="button"
+                              StartIcon="x"
+                              onClick={() => handleReject(client.clientId)}>
+                              {t("reject")}
+                            </DropdownItem>
                           </DropdownMenuItem>
                         )}
-                        <DropdownMenuItem
-                          onClick={() => {
-                            copyToClipboard(client.clientId, {
-                              onSuccess: () => showToast(t("client_id_copied"), "success"),
-                            });
-                          }}>
-                          <Icon name="clipboard" className="mr-2 h-4 w-4" />
-                          {t("copy_client_id")}
+                        <DropdownMenuItem>
+                          <DropdownItem
+                            type="button"
+                            StartIcon="clipboard"
+                            onClick={() => {
+                              copyToClipboard(client.clientId, {
+                                onSuccess: () => showToast(t("client_id_copied"), "success"),
+                              });
+                            }}>
+                            {t("copy_client_id")}
+                          </DropdownItem>
                         </DropdownMenuItem>
                       </DropdownMenuContent>
                     </Dropdown>
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index ddb912769a28c1..622d4803dbe733 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -69,10 +69,11 @@ export const oAuthRouter = router({
     });
   }),
 
-  updateClientStatus: authedAdminProcedure.input(ZUpdateClientStatusInputSchema).mutation(async ({ input }) => {
+  updateClientStatus: authedAdminProcedure.input(ZUpdateClientStatusInputSchema).mutation(async ({ ctx, input }) => {
     const { updateClientStatusHandler } = await import("./updateClientStatus.handler");
 
     return updateClientStatusHandler({
+      ctx,
       input,
     });
   }),
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 49de8ef490a741..5bd9940499545c 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -1,16 +1,30 @@
+import { TRPCError } from "@trpc/server";
+
 import { sendOAuthClientApprovedNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+import { UserPermissionRole } from "@calcom/prisma/enums";
 
 import type { TUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
 
 type UpdateClientStatusOptions = {
+  ctx: {
+    user: {
+      id: number;
+      role: UserPermissionRole;
+    };
+  };
   input: TUpdateClientStatusInputSchema;
 };
 
-export const updateClientStatusHandler = async ({ input }: UpdateClientStatusOptions) => {
+export const updateClientStatusHandler = async ({ ctx, input }: UpdateClientStatusOptions) => {
   const { clientId, status } = input;
 
+  // Defense-in-depth: Only instance admins can update OAuth client status
+  if (ctx.user.role !== UserPermissionRole.ADMIN) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can update OAuth client status" });
+  }
+
   const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
 
   // Get client with user info before updating

From 523db2fa43da6d1a1103043b1c89325634324bf3 Mon Sep 17 00:00:00 2001
From: Eunjae Lee <hey@eunjae.dev>
Date: Tue, 9 Dec 2025 15:55:21 +0100
Subject: [PATCH 17/72] update common.json

---
 apps/web/public/static/locales/en/common.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index fb2dd5fccd2759..097516dae951be 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -4103,5 +4103,6 @@
   "list_view": "List view",
   "calendar_view": "Calendar view",
   "oauth_client": "OAuth Client",
+  "actions": "Actions",
   "ADD_NEW_STRINGS_ABOVE_THIS_LINE_TO_PREVENT_MERGE_CONFLICTS": "↑↑↑↑↑↑↑↑↑↑↑↑↑ Add your new strings above here ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑"
 }

From 661ffa758fbd330ecaebaad3f4b43217188008ad Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Sun, 14 Dec 2025 10:05:56 +0000
Subject: [PATCH 18/72] feat: show client secret in approval email for
 confidential OAuth clients

- Add regenerateSecret method to OAuthClientRepository
- Regenerate secret when admin approves a PENDING confidential client
- Include client secret in approval notification email
- Add one-time warning message about storing the secret securely
- Only regenerate on first approval (not re-approvals)

Co-Authored-By: eunjae@cal.com <hey@eunjae.dev>
---
 apps/web/public/static/locales/en/common.json |  1 +
 .../OAuthClientApprovedNotificationEmail.tsx  | 35 +++++++++++++++++--
 .../oauth-client-approved-notification.ts     |  2 ++
 packages/lib/server/repository/oAuthClient.ts | 14 ++++++++
 .../oAuth/updateClientStatus.handler.ts       | 13 +++++++
 5 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 097516dae951be..9eeb3dcf39ce12 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1053,6 +1053,7 @@
   "oauth_client_approved_email_body": "Great news! Your OAuth client has been approved and is now ready to use.",
   "oauth_client_approved_email_cta": "View Your OAuth Clients",
   "oauth_client_approved_email_footer": "You can now use your client ID and secret to integrate with Cal.com.",
+  "oauth_client_secret_one_time_warning": "Important: This client secret is shown only once. Store it securely now - you will not be able to view it again.",
   "create_new_team_description": "Create a new team to collaborate with users.",
   "create_new_team": "Create a new team",
   "booking_redirect_uri": "URL of your booking page",
diff --git a/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
index bad702bfd2ccff..bdc8ca6f6a6239 100644
--- a/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
+++ b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
@@ -9,12 +9,14 @@ type OAuthClientApprovedNotification = {
   userName: string | null;
   clientName: string;
   clientId: string;
+  clientSecret?: string;
 };
 
 export const OAuthClientApprovedNotificationEmail = ({
   userName,
   clientName,
   clientId,
+  clientSecret,
   language,
 }: OAuthClientApprovedNotification) => {
   return (
@@ -66,13 +68,42 @@ export const OAuthClientApprovedNotificationEmail = ({
             <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{clientName}</td>
           </tr>
           <tr style={{ lineHeight: "24px" }}>
-            <td style={{ padding: "12px", fontWeight: 600 }}>{language("client_id")}</td>
-            <td style={{ padding: "12px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: clientSecret ? "1px solid #e5e7eb" : undefined,
+                fontWeight: 600,
+              }}>
+              {language("client_id")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: clientSecret ? "1px solid #e5e7eb" : undefined }}>
               <code style={{ fontSize: "12px" }}>{clientId}</code>
             </td>
           </tr>
+          {clientSecret && (
+            <tr style={{ lineHeight: "24px" }}>
+              <td style={{ padding: "12px", fontWeight: 600 }}>{language("client_secret")}</td>
+              <td style={{ padding: "12px" }}>
+                <code style={{ fontSize: "12px" }}>{clientSecret}</code>
+              </td>
+            </tr>
+          )}
         </tbody>
       </table>
+      {clientSecret && (
+        <p
+          style={{
+            fontWeight: 400,
+            lineHeight: "24px",
+            marginTop: "12px",
+            padding: "12px",
+            backgroundColor: "#fef3c7",
+            borderRadius: "6px",
+            border: "1px solid #f59e0b",
+          }}>
+          {language("oauth_client_secret_one_time_warning")}
+        </p>
+      )}
       <p style={{ fontWeight: 400, lineHeight: "24px", marginTop: "20px" }}>
         {language("oauth_client_approved_email_footer")}
       </p>
diff --git a/packages/emails/templates/oauth-client-approved-notification.ts b/packages/emails/templates/oauth-client-approved-notification.ts
index b476efd57ac0eb..a3cf5d2afc26c9 100644
--- a/packages/emails/templates/oauth-client-approved-notification.ts
+++ b/packages/emails/templates/oauth-client-approved-notification.ts
@@ -11,6 +11,7 @@ export type OAuthClientApprovedNotification = {
   userName: string | null;
   clientName: string;
   clientId: string;
+  clientSecret?: string;
 };
 
 export default class OAuthClientApprovedEmail extends BaseEmail {
@@ -31,6 +32,7 @@ export default class OAuthClientApprovedEmail extends BaseEmail {
         userName: this.input.userName,
         clientName: this.input.clientName,
         clientId: this.input.clientId,
+        clientSecret: this.input.clientSecret,
         language: this.input.t,
       }),
       text: this.getTextBody(),
diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
index 58738c36d3f6ee..e783bf2e8bc87b 100644
--- a/packages/lib/server/repository/oAuthClient.ts
+++ b/packages/lib/server/repository/oAuthClient.ts
@@ -160,6 +160,20 @@ export class OAuthClientRepository {
     });
   }
 
+  async regenerateSecret(clientId: string) {
+    const [hashed, plain] = generateSecret();
+    const updated = await this.prismaClient.oAuthClient.update({
+      where: { clientId },
+      data: { clientSecret: hashed },
+      select: {
+        clientId: true,
+        name: true,
+        clientType: true,
+      },
+    });
+    return { ...updated, clientSecret: plain };
+  }
+
   async update(
     clientId: string,
     data: {
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 5bd9940499545c..146ed30e8869cb 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -35,12 +35,25 @@ export const updateClientStatusHandler = async ({ ctx, input }: UpdateClientStat
   // Send approval notification email to user if approved
   if (status === "APPROVED" && clientWithUser?.user) {
     const t = await getTranslation("en", "common");
+
+    // Only regenerate secret for confidential clients that are being approved for the first time
+    // (transitioning from non-APPROVED status to APPROVED)
+    const isFirstApproval = clientWithUser.approvalStatus !== "APPROVED";
+    const isConfidentialClient = updatedClient.clientType === "CONFIDENTIAL";
+
+    let clientSecret: string | undefined;
+    if (isFirstApproval && isConfidentialClient) {
+      const regenerated = await oAuthClientRepository.regenerateSecret(clientId);
+      clientSecret = regenerated.clientSecret;
+    }
+
     await sendOAuthClientApprovedNotification({
       t,
       userEmail: clientWithUser.user.email,
       userName: clientWithUser.user.name,
       clientName: updatedClient.name,
       clientId: updatedClient.clientId,
+      clientSecret,
     });
   }
 

From 5b0b738310303e48937a26a8ed80f118f1b21f55 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 22 Dec 2025 14:46:59 +0000
Subject: [PATCH 19/72] feat: add Website URL field, fix logo styling, show
 client secret after approval

- Add Website URL field to OAuth client forms (admin and developer views)
- Fix Upload Logo section styling by wrapping in Label div with proper gap
- Display client secret in dialog after admin approves a confidential OAuth client
- Add websiteUrl field to Prisma schema with migration
- Update tRPC handlers and repository to support websiteUrl
- Add translation keys for new UI elements

Co-Authored-By: peer@cal.com <peer@cal.com>
---
 .../admin/oauth-clients-admin-view.tsx        | 124 +++++++++++++++---
 .../settings/developer/oauth-clients-view.tsx |  15 ++-
 apps/web/public/static/locales/en/common.json |   3 +
 packages/lib/server/repository/oAuthClient.ts |   7 +-
 .../migration.sql                             |   2 +
 packages/prisma/schema.prisma                 |   1 +
 .../routers/viewer/oAuth/addClient.handler.ts |   3 +-
 .../routers/viewer/oAuth/addClient.schema.ts  |   1 +
 .../viewer/oAuth/submitClient.handler.ts      |   3 +-
 .../viewer/oAuth/submitClient.schema.ts       |   1 +
 .../oAuth/updateClientStatus.handler.ts       |   1 +
 11 files changed, 138 insertions(+), 23 deletions(-)
 create mode 100644 packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 7b2c94a5a14f16..64fa4c9ecdc94a 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -34,6 +34,7 @@ import { Tooltip } from "@calcom/ui/components/tooltip";
 type FormValues = {
   name: string;
   redirectUri: string;
+  websiteUrl: string;
   logo: string;
   enablePkce: boolean;
 };
@@ -49,11 +50,17 @@ export default function OAuthClientsAdminView() {
     clientSecret?: string;
     name: string;
   } | null>(null);
+  const [approvedClient, setApprovedClient] = useState<{
+    clientId: string;
+    clientSecret?: string;
+    name: string;
+  } | null>(null);
 
   const oAuthForm = useForm<FormValues>({
     defaultValues: {
       name: "",
       redirectUri: "",
+      websiteUrl: "",
       logo: "",
       enablePkce: false,
     },
@@ -83,6 +90,14 @@ export default function OAuthClientsAdminView() {
         "success"
       );
       utils.viewer.oAuth.listClients.invalidate();
+      // Show client secret dialog if a secret was generated during approval
+      if (data.clientSecret) {
+        setApprovedClient({
+          clientId: data.clientId,
+          clientSecret: data.clientSecret,
+          name: data.name,
+        });
+      }
     },
     onError: (error) => {
       showToast(`${t("oauth_client_status_update_error")}: ${error.message}`, "error");
@@ -93,6 +108,7 @@ export default function OAuthClientsAdminView() {
     addMutation.mutate({
       name: values.name,
       redirectUri: values.redirectUri,
+      websiteUrl: values.websiteUrl || undefined,
       logo: values.logo,
       enablePkce: values.enablePkce,
     });
@@ -105,6 +121,10 @@ export default function OAuthClientsAdminView() {
     oAuthForm.reset();
   };
 
+  const handleCloseApprovedDialog = () => {
+    setApprovedClient(null);
+  };
+
   const handleApprove = (clientId: string) => {
     updateStatusMutation.mutate({ clientId, status: "APPROVED" });
   };
@@ -279,6 +299,14 @@ export default function OAuthClientsAdminView() {
                 required
               />
 
+              <TextField
+                {...oAuthForm.register("websiteUrl")}
+                label={t("website_url")}
+                type="url"
+                id="websiteUrl"
+                placeholder="https://example.com"
+              />
+
               <div>
                 <Label className="text-emphasis mb-2 block text-sm font-medium">
                   {t("authentication_mode")}
@@ -292,24 +320,26 @@ export default function OAuthClientsAdminView() {
                 </div>
               </div>
 
-              <div className="flex items-center">
-                <Avatar
-                  alt=""
-                  fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
-                  className="mr-5 items-center"
-                  imageSrc={logo}
-                  size="lg"
-                />
-                <ImageUploader
-                  target="avatar"
-                  id="avatar-upload"
-                  buttonMsg={t("upload_logo")}
-                  handleAvatarChange={(newLogo: string) => {
-                    setLogo(newLogo);
-                    oAuthForm.setValue("logo", newLogo);
-                  }}
-                  imageSrc={logo}
-                />
+              <div>
+                <Label className="text-emphasis mb-2 block text-sm font-medium">{t("logo")}</Label>
+                <div className="flex items-center gap-4">
+                  <Avatar
+                    alt=""
+                    fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
+                    imageSrc={logo}
+                    size="lg"
+                  />
+                  <ImageUploader
+                    target="avatar"
+                    id="avatar-upload"
+                    buttonMsg={t("upload_logo")}
+                    handleAvatarChange={(newLogo: string) => {
+                      setLogo(newLogo);
+                      oAuthForm.setValue("logo", newLogo);
+                    }}
+                    imageSrc={logo}
+                  />
+                </div>
               </div>
 
               <DialogFooter>
@@ -374,6 +404,64 @@ export default function OAuthClientsAdminView() {
           )}
         </DialogContent>
       </Dialog>
+
+      <Dialog open={!!approvedClient} onOpenChange={(open) => !open && handleCloseApprovedDialog()}>
+        <DialogContent type="creation" title={t("oauth_client_approved")} description={t("oauth_client_approved_description")}>
+          {approvedClient && (
+            <div>
+              <div className="text-emphasis mb-5 text-xl font-semibold">{approvedClient.name}</div>
+              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
+              <div className="flex">
+                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                  {approvedClient.clientId}
+                </code>
+                <Tooltip side="top" content={t("copy_to_clipboard")}>
+                  <Button
+                    onClick={() => {
+                      copyToClipboard(approvedClient.clientId, {
+                        onSuccess: () => showToast(t("client_id_copied"), "success"),
+                      });
+                    }}
+                    type="button"
+                    size="sm"
+                    className="rounded-l-none"
+                    StartIcon="clipboard">
+                    {t("copy")}
+                  </Button>
+                </Tooltip>
+              </div>
+              {approvedClient.clientSecret && (
+                <>
+                  <div className="text-subtle mb-1 mt-4 text-sm">{t("client_secret")}</div>
+                  <div className="flex">
+                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                      {approvedClient.clientSecret}
+                    </code>
+                    <Tooltip side="top" content={t("copy_to_clipboard")}>
+                      <Button
+                        onClick={() => {
+                          copyToClipboard(approvedClient.clientSecret || "", {
+                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
+                          });
+                        }}
+                        type="button"
+                        size="sm"
+                        className="rounded-l-none"
+                        StartIcon="clipboard">
+                        {t("copy")}
+                      </Button>
+                    </Tooltip>
+                  </div>
+                  <div className="text-subtle mt-2 text-sm">{t("copy_client_secret_info")}</div>
+                </>
+              )}
+              <DialogFooter className="mt-6">
+                <Button onClick={handleCloseApprovedDialog}>{t("done")}</Button>
+              </DialogFooter>
+            </div>
+          )}
+        </DialogContent>
+      </Dialog>
     </div>
   );
 }
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index f9c83258f0c905..51182399912391 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -23,6 +23,7 @@ import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 type FormValues = {
   name: string;
   redirectUri: string;
+  websiteUrl: string;
   logo: string;
   enablePkce: boolean;
 };
@@ -51,6 +52,7 @@ const OAuthClientsView = () => {
     defaultValues: {
       name: "",
       redirectUri: "",
+      websiteUrl: "",
       logo: "",
       enablePkce: false,
     },
@@ -82,6 +84,7 @@ const OAuthClientsView = () => {
     submitMutation.mutate({
       name: values.name,
       redirectUri: values.redirectUri,
+      websiteUrl: values.websiteUrl,
       logo: values.logo,
       enablePkce: values.enablePkce,
     });
@@ -197,6 +200,15 @@ const OAuthClientsView = () => {
                 required
               />
 
+              <TextField
+                {...oAuthForm.register("websiteUrl", { required: true })}
+                label={t("website_url")}
+                type="url"
+                id="websiteUrl"
+                placeholder="https://example.com"
+                required
+              />
+
               <div>
                 <Label className="text-emphasis mb-2 block text-sm font-medium">
                   {t("authentication_mode")}
@@ -214,11 +226,10 @@ const OAuthClientsView = () => {
                 <Label className="text-emphasis mb-2 block text-sm font-medium">
                   {t("logo")} <span className="text-error">*</span>
                 </Label>
-                <div className="flex items-center">
+                <div className="flex items-center gap-4">
                   <Avatar
                     alt=""
                     fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
-                    className="mr-5 items-center"
                     imageSrc={logo}
                     size="lg"
                   />
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 9eeb3dcf39ce12..ee2ab2ad55f77b 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1030,6 +1030,7 @@
   "client_name": "Client Name",
   "client_name_placeholder": "My OAuth App",
   "redirect_uri": "Redirect URI",
+  "website_url": "Website URL",
   "authentication_mode": "Authentication Mode",
   "use_pkce": "Use PKCE (recommended for mobile/SPA applications)",
   "upload_logo": "Upload Logo",
@@ -1048,6 +1049,8 @@
   "admin_oauth_notification_email_body": "A new OAuth client has been submitted by {{submitterEmail}} and is awaiting your review.",
   "admin_oauth_notification_email_cta": "Review OAuth Clients",
   "admin_oauth_notification_email_footer": "Please review this submission and approve or reject it in the admin dashboard.",
+  "oauth_client_approved": "OAuth Client Approved",
+  "oauth_client_approved_description": "The OAuth client has been approved and the client secret has been generated.",
   "oauth_client_approved_email_subject": "Your OAuth Client {{clientName}} Has Been Approved",
   "oauth_client_approved_email_title": "OAuth Client Approved: {{clientName}}",
   "oauth_client_approved_email_body": "Great news! Your OAuth client has been approved and is now ready to use.",
diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
index e783bf2e8bc87b..e04acac2bd1d08 100644
--- a/packages/lib/server/repository/oAuthClient.ts
+++ b/packages/lib/server/repository/oAuthClient.ts
@@ -26,6 +26,7 @@ export class OAuthClientRepository {
         redirectUri: true,
         name: true,
         logo: true,
+        websiteUrl: true,
         clientType: true,
         approvalStatus: true,
         userId: true,
@@ -57,6 +58,7 @@ export class OAuthClientRepository {
         redirectUri: true,
         name: true,
         logo: true,
+        websiteUrl: true,
         clientType: true,
         approvalStatus: true,
         userId: true,
@@ -108,11 +110,12 @@ export class OAuthClientRepository {
     name: string;
     redirectUri: string;
     logo?: string;
+    websiteUrl?: string;
     enablePkce?: boolean;
     userId?: number;
     approvalStatus?: OAuthClientApprovalStatus;
   }) {
-    const { name, redirectUri, logo, enablePkce, userId, approvalStatus } = data;
+    const { name, redirectUri, logo, websiteUrl, enablePkce, userId, approvalStatus } = data;
 
     const clientId = randomBytes(32).toString("hex");
 
@@ -131,6 +134,7 @@ export class OAuthClientRepository {
         clientId,
         clientType: enablePkce ? "PUBLIC" : "CONFIDENTIAL",
         logo,
+        websiteUrl,
         approvalStatus: approvalStatus || "PENDING",
         clientSecret: hashedSecret,
         ...(userId && {
@@ -180,6 +184,7 @@ export class OAuthClientRepository {
       name?: string;
       redirectUri?: string;
       logo?: string;
+      websiteUrl?: string;
     }
   ) {
     return this.prismaClient.oAuthClient.update({
diff --git a/packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql b/packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql
new file mode 100644
index 00000000000000..ea5298d8136772
--- /dev/null
+++ b/packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."OAuthClient" ADD COLUMN     "websiteUrl" TEXT;
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 5812a5bb28d51e..fdfebd3be4cb33 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1756,6 +1756,7 @@ model OAuthClient {
   clientType     OAuthClientType           @default(CONFIDENTIAL)
   name           String
   logo           String?
+  websiteUrl     String?
   accessCodes    AccessCode[]
   approvalStatus OAuthClientApprovalStatus @default(PENDING)
   userId         Int?
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
index fc4c59608b34bc..30a09b0e844fa0 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
@@ -10,7 +10,7 @@ type AddClientOptions = {
 };
 
 export const addClientHandler = async ({ input }: AddClientOptions) => {
-  const { name, redirectUri, logo, enablePkce } = input;
+  const { name, redirectUri, logo, websiteUrl, enablePkce } = input;
 
   const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
 
@@ -19,6 +19,7 @@ export const addClientHandler = async ({ input }: AddClientOptions) => {
     name,
     redirectUri,
     logo,
+    websiteUrl,
     enablePkce,
     approvalStatus: "APPROVED",
   });
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
index d0ec12cdc04dba..db284995d13d0c 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
@@ -4,6 +4,7 @@ export const ZAddClientInputSchema = z.object({
   name: z.string(),
   redirectUri: z.string(),
   logo: z.string(),
+  websiteUrl: z.string().url().optional(),
   enablePkce: z.boolean().optional().default(false),
 });
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index 7a0758971ce532..023e343a27669e 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -16,7 +16,7 @@ type SubmitClientOptions = {
 };
 
 export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) => {
-  const { name, redirectUri, logo, enablePkce } = input;
+  const { name, redirectUri, logo, websiteUrl, enablePkce } = input;
   const userId = ctx.user.id;
 
   const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
@@ -25,6 +25,7 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
     name,
     redirectUri,
     logo,
+    websiteUrl,
     enablePkce,
     userId,
     approvalStatus: "PENDING",
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
index a79c7af25f5aa1..75ff0af0647b86 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
@@ -4,6 +4,7 @@ export const ZSubmitClientInputSchema = z.object({
   name: z.string().min(1, "Client name is required"),
   redirectUri: z.string().url("Must be a valid URL"),
   logo: z.string().min(1, "Logo is required"),
+  websiteUrl: z.string().url("Must be a valid URL"),
   enablePkce: z.boolean().optional().default(false),
 });
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 146ed30e8869cb..f588534300c6be 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -61,5 +61,6 @@ export const updateClientStatusHandler = async ({ ctx, input }: UpdateClientStat
     clientId: updatedClient.clientId,
     name: updatedClient.name,
     approvalStatus: updatedClient.approvalStatus,
+    clientSecret,
   };
 };

From a05ffea61b277148faef3988ccbae027219c9013 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 22 Dec 2025 15:05:52 +0000
Subject: [PATCH 20/72] fix: move clientSecret variable declaration outside if
 block for proper scoping

Co-Authored-By: peer@cal.com <peer@cal.com>
---
 .../server/routers/viewer/oAuth/updateClientStatus.handler.ts  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index f588534300c6be..14ead74d5791c2 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -32,6 +32,8 @@ export const updateClientStatusHandler = async ({ ctx, input }: UpdateClientStat
 
   const updatedClient = await oAuthClientRepository.updateStatus(clientId, status);
 
+  let clientSecret: string | undefined;
+
   // Send approval notification email to user if approved
   if (status === "APPROVED" && clientWithUser?.user) {
     const t = await getTranslation("en", "common");
@@ -41,7 +43,6 @@ export const updateClientStatusHandler = async ({ ctx, input }: UpdateClientStat
     const isFirstApproval = clientWithUser.approvalStatus !== "APPROVED";
     const isConfidentialClient = updatedClient.clientType === "CONFIDENTIAL";
 
-    let clientSecret: string | undefined;
     if (isFirstApproval && isConfidentialClient) {
       const regenerated = await oAuthClientRepository.regenerateSecret(clientId);
       clientSecret = regenerated.clientSecret;

From 80dc2ede5da523fd93874e8f5dd90e3c70a74353 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 7 Jan 2026 16:14:01 +0100
Subject: [PATCH 21/72] refactor: dont expose client secret in emails

---
 .../OAuthClientApprovedNotificationEmail.tsx  | 33 +++----------------
 .../oauth-client-approved-notification.ts     |  2 --
 .../oAuth/updateClientStatus.handler.ts       | 14 ++++++--
 3 files changed, 16 insertions(+), 33 deletions(-)

diff --git a/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
index bdc8ca6f6a6239..273dad94f6562d 100644
--- a/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
+++ b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
@@ -9,16 +9,14 @@ type OAuthClientApprovedNotification = {
   userName: string | null;
   clientName: string;
   clientId: string;
-  clientSecret?: string;
 };
 
 export const OAuthClientApprovedNotificationEmail = ({
   userName,
   clientName,
   clientId,
-  clientSecret,
   language,
-}: OAuthClientApprovedNotification) => {
+}: OAuthClientApprovedNotification): JSX.Element => {
   return (
     <BaseEmailHtml
       subject={language("oauth_client_approved_email_subject", { clientName, appName: APP_NAME })}
@@ -35,10 +33,10 @@ export const OAuthClientApprovedNotificationEmail = ({
           fontSize: "24px",
           lineHeight: "38px",
         }}>
-        <>{language("oauth_client_approved_email_title", { clientName })}</>
+        {language("oauth_client_approved_email_title", { clientName })}
       </p>
       <p style={{ fontWeight: 400 }}>
-        <>{language("hi_user", { name: userName || language("there") })}!</>
+        {language("hi_user", { name: userName || language("there") })}!
       </p>
       <p style={{ fontWeight: 400, lineHeight: "24px" }}>{language("oauth_client_approved_email_body")}</p>
       <table
@@ -71,39 +69,16 @@ export const OAuthClientApprovedNotificationEmail = ({
             <td
               style={{
                 padding: "12px",
-                borderBottom: clientSecret ? "1px solid #e5e7eb" : undefined,
                 fontWeight: 600,
               }}>
               {language("client_id")}
             </td>
-            <td style={{ padding: "12px", borderBottom: clientSecret ? "1px solid #e5e7eb" : undefined }}>
+            <td style={{ padding: "12px" }}>
               <code style={{ fontSize: "12px" }}>{clientId}</code>
             </td>
           </tr>
-          {clientSecret && (
-            <tr style={{ lineHeight: "24px" }}>
-              <td style={{ padding: "12px", fontWeight: 600 }}>{language("client_secret")}</td>
-              <td style={{ padding: "12px" }}>
-                <code style={{ fontSize: "12px" }}>{clientSecret}</code>
-              </td>
-            </tr>
-          )}
         </tbody>
       </table>
-      {clientSecret && (
-        <p
-          style={{
-            fontWeight: 400,
-            lineHeight: "24px",
-            marginTop: "12px",
-            padding: "12px",
-            backgroundColor: "#fef3c7",
-            borderRadius: "6px",
-            border: "1px solid #f59e0b",
-          }}>
-          {language("oauth_client_secret_one_time_warning")}
-        </p>
-      )}
       <p style={{ fontWeight: 400, lineHeight: "24px", marginTop: "20px" }}>
         {language("oauth_client_approved_email_footer")}
       </p>
diff --git a/packages/emails/templates/oauth-client-approved-notification.ts b/packages/emails/templates/oauth-client-approved-notification.ts
index a3cf5d2afc26c9..b476efd57ac0eb 100644
--- a/packages/emails/templates/oauth-client-approved-notification.ts
+++ b/packages/emails/templates/oauth-client-approved-notification.ts
@@ -11,7 +11,6 @@ export type OAuthClientApprovedNotification = {
   userName: string | null;
   clientName: string;
   clientId: string;
-  clientSecret?: string;
 };
 
 export default class OAuthClientApprovedEmail extends BaseEmail {
@@ -32,7 +31,6 @@ export default class OAuthClientApprovedEmail extends BaseEmail {
         userName: this.input.userName,
         clientName: this.input.clientName,
         clientId: this.input.clientId,
-        clientSecret: this.input.clientSecret,
         language: this.input.t,
       }),
       text: this.getTextBody(),
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 14ead74d5791c2..39717b1749d602 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -4,6 +4,7 @@ import { sendOAuthClientApprovedNotification } from "@calcom/emails/oauth-email-
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
 import { UserPermissionRole } from "@calcom/prisma/enums";
+import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
 import type { TUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
 
@@ -17,7 +18,17 @@ type UpdateClientStatusOptions = {
   input: TUpdateClientStatusInputSchema;
 };
 
-export const updateClientStatusHandler = async ({ ctx, input }: UpdateClientStatusOptions) => {
+type UpdateClientStatusOutput = {
+  clientId: string;
+  name: string;
+  approvalStatus: OAuthClientApprovalStatus;
+  clientSecret: string | undefined;
+};
+
+export const updateClientStatusHandler = async ({
+  ctx,
+  input,
+}: UpdateClientStatusOptions): Promise<UpdateClientStatusOutput> => {
   const { clientId, status } = input;
 
   // Defense-in-depth: Only instance admins can update OAuth client status
@@ -54,7 +65,6 @@ export const updateClientStatusHandler = async ({ ctx, input }: UpdateClientStat
       userName: clientWithUser.user.name,
       clientName: updatedClient.name,
       clientId: updatedClient.clientId,
-      clientSecret,
     });
   }
 

From 098ebccc1a566a5556146c8b07a3436f22df59f9 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 08:49:10 +0100
Subject: [PATCH 22/72] refactor: dont regenerate secret upon status change

---
 .../OAuthClientApprovedNotificationEmail.tsx     |  2 +-
 packages/lib/server/repository/oAuthClient.ts    | 16 +---------------
 .../viewer/oAuth/updateClientStatus.handler.ts   | 14 --------------
 3 files changed, 2 insertions(+), 30 deletions(-)

diff --git a/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
index 273dad94f6562d..ef6a5e888328cf 100644
--- a/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
+++ b/packages/emails/src/templates/OAuthClientApprovedNotificationEmail.tsx
@@ -16,7 +16,7 @@ export const OAuthClientApprovedNotificationEmail = ({
   clientName,
   clientId,
   language,
-}: OAuthClientApprovedNotification): JSX.Element => {
+}: OAuthClientApprovedNotification) => {
   return (
     <BaseEmailHtml
       subject={language("oauth_client_approved_email_subject", { clientName, appName: APP_NAME })}
diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
index e04acac2bd1d08..b7d22fdef52750 100644
--- a/packages/lib/server/repository/oAuthClient.ts
+++ b/packages/lib/server/repository/oAuthClient.ts
@@ -1,4 +1,4 @@
-import { randomBytes, createHash } from "crypto";
+import { randomBytes, createHash } from "node:crypto";
 
 import type { PrismaClient } from "@calcom/prisma";
 import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
@@ -164,20 +164,6 @@ export class OAuthClientRepository {
     });
   }
 
-  async regenerateSecret(clientId: string) {
-    const [hashed, plain] = generateSecret();
-    const updated = await this.prismaClient.oAuthClient.update({
-      where: { clientId },
-      data: { clientSecret: hashed },
-      select: {
-        clientId: true,
-        name: true,
-        clientType: true,
-      },
-    });
-    return { ...updated, clientSecret: plain };
-  }
-
   async update(
     clientId: string,
     data: {
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 39717b1749d602..e035016923a014 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -22,7 +22,6 @@ type UpdateClientStatusOutput = {
   clientId: string;
   name: string;
   approvalStatus: OAuthClientApprovalStatus;
-  clientSecret: string | undefined;
 };
 
 export const updateClientStatusHandler = async ({
@@ -43,22 +42,10 @@ export const updateClientStatusHandler = async ({
 
   const updatedClient = await oAuthClientRepository.updateStatus(clientId, status);
 
-  let clientSecret: string | undefined;
-
   // Send approval notification email to user if approved
   if (status === "APPROVED" && clientWithUser?.user) {
     const t = await getTranslation("en", "common");
 
-    // Only regenerate secret for confidential clients that are being approved for the first time
-    // (transitioning from non-APPROVED status to APPROVED)
-    const isFirstApproval = clientWithUser.approvalStatus !== "APPROVED";
-    const isConfidentialClient = updatedClient.clientType === "CONFIDENTIAL";
-
-    if (isFirstApproval && isConfidentialClient) {
-      const regenerated = await oAuthClientRepository.regenerateSecret(clientId);
-      clientSecret = regenerated.clientSecret;
-    }
-
     await sendOAuthClientApprovedNotification({
       t,
       userEmail: clientWithUser.user.email,
@@ -72,6 +59,5 @@ export const updateClientStatusHandler = async ({
     clientId: updatedClient.clientId,
     name: updatedClient.name,
     approvalStatus: updatedClient.approvalStatus,
-    clientSecret,
   };
 };

From c0a7c5f791f40ec5cc196ee80ae24e77ebc705a8 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 09:05:59 +0100
Subject: [PATCH 23/72] refactor: reuse existing hash function

---
 packages/features/oauth/utils/generateSecret.ts      |  5 ++---
 packages/lib/server/repository/oAuthClient.ts        | 12 ++----------
 .../server/routers/viewer/oAuth/addClient.handler.ts | 11 +----------
 .../server/routers/viewer/oAuth/addClient.schema.ts  |  2 ++
 4 files changed, 7 insertions(+), 23 deletions(-)

diff --git a/packages/features/oauth/utils/generateSecret.ts b/packages/features/oauth/utils/generateSecret.ts
index dae26956246fac..d9571a91c500a0 100644
--- a/packages/features/oauth/utils/generateSecret.ts
+++ b/packages/features/oauth/utils/generateSecret.ts
@@ -1,6 +1,5 @@
-import { randomBytes, createHash } from "crypto";
+import { randomBytes, createHash } from "node:crypto";
 
-const hashSecretKey = (apiKey: string): string => createHash("sha256").update(apiKey).digest("hex");
+export const hashSecretKey = (apiKey: string): string => createHash("sha256").update(apiKey).digest("hex");
 
-// Generate a random secret
 export const generateSecret = (secret = randomBytes(32).toString("hex")) => [hashSecretKey(secret), secret];
diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
index b7d22fdef52750..ab932f622e6456 100644
--- a/packages/lib/server/repository/oAuthClient.ts
+++ b/packages/lib/server/repository/oAuthClient.ts
@@ -1,16 +1,8 @@
-import { randomBytes, createHash } from "node:crypto";
-
+import { randomBytes } from "node:crypto";
+import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
 import type { PrismaClient } from "@calcom/prisma";
 import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
-const hashSecretKey = (apiKey: string): string => createHash("sha256").update(apiKey).digest("hex");
-
-// Generate a random secret - exported for backward compatibility
-export const generateSecret = (secret = randomBytes(32).toString("hex")): [string, string] => [
-  hashSecretKey(secret),
-  secret,
-];
-
 export class OAuthClientRepository {
   constructor(private prismaClient: PrismaClient) {}
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
index ac5794435e2e19..3afa7e4912af2c 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
@@ -1,15 +1,7 @@
-import { OAuthClientRepository, generateSecret } from "@calcom/lib/server/repository/oAuthClient";
-import { randomBytes } from "node:crypto";
-
-import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
-import { prisma } from "@calcom/prisma";
-import { Prisma } from "@calcom/prisma/client";
+import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
 
 import type { TAddClientInputSchema } from "./addClient.schema";
 
-// Re-export generateSecret for backward compatibility
-export { generateSecret };
-
 type AddClientOptions = {
   input: TAddClientInputSchema;
 };
@@ -19,7 +11,6 @@ export const addClientHandler = async ({ input }: AddClientOptions) => {
 
   const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
 
-  // Admin-created clients are auto-approved
   const client = await oAuthClientRepository.create({
     name,
     redirectUri,
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
index 651d39d145ac96..46e58db78a685b 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
@@ -4,6 +4,7 @@ export type TAddClientInputSchemaInput = {
   name: string;
   redirectUri: string;
   logo: string;
+  websiteUrl?: string;
   enablePkce?: boolean;
 };
 
@@ -11,6 +12,7 @@ export type TAddClientInputSchema = {
   name: string;
   redirectUri: string;
   logo: string;
+  websiteUrl?: string;
   enablePkce: boolean;
 };
 

From c384a37d198ec75a5cadb7f873701da01eaeaaa3 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 09:08:56 +0100
Subject: [PATCH 24/72] refactor: rename admin/oAuth to admin/oauth page

---
 .../settings/(admin-layout)/admin/oAuth/page.tsx                | 2 +-
 .../settings/(settings-layout)/SettingsLayoutAppDirClient.tsx   | 2 +-
 .../emails/src/templates/AdminOAuthClientNotificationEmail.tsx  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
index 3ae73f578cc568..48d9dc5d87c0d4 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
@@ -10,7 +10,7 @@ export const generateMetadata = async () =>
     (t) => t("oauth_clients_admin_description"),
     undefined,
     undefined,
-    "/settings/admin/oAuth"
+    "/settings/admin/oauth"
   );
 
 const Page = async () => {
diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
index d0cd0b640bef4c..273ccf09fd6485 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
@@ -247,7 +247,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
         },
         {
           name: "oAuth",
-          href: "/settings/admin/oAuth",
+          href: "/settings/admin/oauth",
           trackingMetadata: { section: "admin", page: "oauth" },
         },
         {
diff --git a/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
index 11c92822216445..cb52fa8d27b2d7 100644
--- a/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
+++ b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
@@ -27,7 +27,7 @@ export const AdminOAuthClientNotificationEmail = ({
       callToAction={
         <CallToAction
           label={language("admin_oauth_notification_email_cta")}
-          href={`${WEBAPP_URL}/settings/admin/oAuth`}
+          href={`${WEBAPP_URL}/settings/admin/oauth`}
           endIconName="white-arrow-right"
         />
       }>

From 93c2fd75410a37eac8aeac148c9b6d6fdd82cae5 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 09:36:30 +0100
Subject: [PATCH 25/72] refactor: deduplicate oauth repositories

---
 .../repositories/OAuthClientRepository.ts     | 162 ++++++++++++++++
 packages/lib/server/repository/oAuthClient.ts | 179 ------------------
 .../routers/viewer/oAuth/addClient.handler.ts |   2 +-
 .../viewer/oAuth/listClients.handler.ts       |   2 +-
 .../viewer/oAuth/listUserClients.handler.ts   |   2 +-
 .../viewer/oAuth/submitClient.handler.ts      |   2 +-
 .../oAuth/updateClientStatus.handler.ts       |   2 +-
 7 files changed, 167 insertions(+), 184 deletions(-)
 delete mode 100644 packages/lib/server/repository/oAuthClient.ts

diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index 3181b1fb2282ce..1cce08df3136f5 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -1,8 +1,16 @@
+import { randomBytes } from "node:crypto";
+
+import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
 import type { PrismaClient } from "@calcom/prisma";
+import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
 export class OAuthClientRepository {
   constructor(private readonly prisma: PrismaClient) {}
 
+  static async withGlobalPrisma() {
+    return new OAuthClientRepository((await import("@calcom/prisma")).prisma);
+  }
+
   async findByClientId(clientId: string) {
     return await this.prisma.oAuthClient.findFirst({
       where: {
@@ -15,6 +23,10 @@ export class OAuthClientRepository {
         logo: true,
         clientId: true,
         isTrusted: true,
+        websiteUrl: true,
+        approvalStatus: true,
+        userId: true,
+        createdAt: true,
       },
     });
   }
@@ -30,4 +42,154 @@ export class OAuthClientRepository {
       },
     });
   }
+
+  async findByClientIdIncludeUser(clientId: string) {
+    return this.prisma.oAuthClient.findUnique({
+      where: { clientId },
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+          },
+        },
+      },
+    });
+  }
+
+  async findByUserId(userId: number) {
+    return this.prisma.oAuthClient.findMany({
+      where: { userId },
+      select: {
+        clientId: true,
+        redirectUri: true,
+        name: true,
+        logo: true,
+        websiteUrl: true,
+        clientType: true,
+        approvalStatus: true,
+        userId: true,
+        createdAt: true,
+      },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async findByUserIdAndStatus(userId: number, approvalStatus: OAuthClientApprovalStatus) {
+    return this.prisma.oAuthClient.findMany({
+      where: { userId, approvalStatus },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async findAll() {
+    return this.prisma.oAuthClient.findMany({
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+          },
+        },
+      },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async findByStatus(approvalStatus: OAuthClientApprovalStatus) {
+    return this.prisma.oAuthClient.findMany({
+      where: { approvalStatus },
+      include: {
+        user: {
+          select: {
+            id: true,
+            email: true,
+            name: true,
+          },
+        },
+      },
+      orderBy: { createdAt: "desc" },
+    });
+  }
+
+  async create(data: {
+    name: string;
+    redirectUri: string;
+    logo?: string;
+    websiteUrl?: string;
+    enablePkce?: boolean;
+    userId?: number;
+    approvalStatus?: OAuthClientApprovalStatus;
+  }) {
+    const { name, redirectUri, logo, websiteUrl, enablePkce, userId, approvalStatus } = data;
+
+    const clientId = randomBytes(32).toString("hex");
+
+    let clientSecret: string | undefined;
+    let hashedSecret: string | undefined;
+    if (!enablePkce) {
+      const [hashed, plain] = generateSecret();
+      hashedSecret = hashed;
+      clientSecret = plain;
+    }
+
+    const client = await this.prisma.oAuthClient.create({
+      data: {
+        name,
+        redirectUri,
+        clientId,
+        clientType: enablePkce ? "PUBLIC" : "CONFIDENTIAL",
+        logo,
+        websiteUrl,
+        approvalStatus: approvalStatus || "PENDING",
+        clientSecret: hashedSecret,
+        ...(userId && {
+          user: {
+            connect: { id: userId },
+          },
+        }),
+      },
+    });
+
+    return {
+      clientId: client.clientId,
+      name: client.name,
+      redirectUri: client.redirectUri,
+      logo: client.logo,
+      clientType: client.clientType,
+      clientSecret,
+      isPkceEnabled: enablePkce,
+      approvalStatus: client.approvalStatus,
+    };
+  }
+
+  async updateStatus(clientId: string, approvalStatus: OAuthClientApprovalStatus) {
+    return this.prisma.oAuthClient.update({
+      where: { clientId },
+      data: { approvalStatus },
+    });
+  }
+
+  async update(
+    clientId: string,
+    data: {
+      name?: string;
+      redirectUri?: string;
+      logo?: string;
+      websiteUrl?: string;
+    }
+  ) {
+    return this.prisma.oAuthClient.update({
+      where: { clientId },
+      data,
+    });
+  }
+
+  async delete(clientId: string) {
+    return this.prisma.oAuthClient.delete({
+      where: { clientId },
+    });
+  }
 }
diff --git a/packages/lib/server/repository/oAuthClient.ts b/packages/lib/server/repository/oAuthClient.ts
deleted file mode 100644
index ab932f622e6456..00000000000000
--- a/packages/lib/server/repository/oAuthClient.ts
+++ /dev/null
@@ -1,179 +0,0 @@
-import { randomBytes } from "node:crypto";
-import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
-import type { PrismaClient } from "@calcom/prisma";
-import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
-
-export class OAuthClientRepository {
-  constructor(private prismaClient: PrismaClient) {}
-
-  static async withGlobalPrisma() {
-    return new OAuthClientRepository((await import("@calcom/prisma")).prisma);
-  }
-
-  async findByClientId(clientId: string) {
-    return this.prismaClient.oAuthClient.findUnique({
-      where: { clientId },
-      select: {
-        clientId: true,
-        redirectUri: true,
-        name: true,
-        logo: true,
-        websiteUrl: true,
-        clientType: true,
-        approvalStatus: true,
-        userId: true,
-        createdAt: true,
-      },
-    });
-  }
-
-  async findByClientIdIncludeUser(clientId: string) {
-    return this.prismaClient.oAuthClient.findUnique({
-      where: { clientId },
-      include: {
-        user: {
-          select: {
-            id: true,
-            email: true,
-            name: true,
-          },
-        },
-      },
-    });
-  }
-
-  async findByUserId(userId: number) {
-    return this.prismaClient.oAuthClient.findMany({
-      where: { userId },
-      select: {
-        clientId: true,
-        redirectUri: true,
-        name: true,
-        logo: true,
-        websiteUrl: true,
-        clientType: true,
-        approvalStatus: true,
-        userId: true,
-        createdAt: true,
-      },
-      orderBy: { createdAt: "desc" },
-    });
-  }
-
-  async findByUserIdAndStatus(userId: number, approvalStatus: OAuthClientApprovalStatus) {
-    return this.prismaClient.oAuthClient.findMany({
-      where: { userId, approvalStatus },
-      orderBy: { createdAt: "desc" },
-    });
-  }
-
-  async findAll() {
-    return this.prismaClient.oAuthClient.findMany({
-      include: {
-        user: {
-          select: {
-            id: true,
-            email: true,
-            name: true,
-          },
-        },
-      },
-      orderBy: { createdAt: "desc" },
-    });
-  }
-
-  async findByStatus(approvalStatus: OAuthClientApprovalStatus) {
-    return this.prismaClient.oAuthClient.findMany({
-      where: { approvalStatus },
-      include: {
-        user: {
-          select: {
-            id: true,
-            email: true,
-            name: true,
-          },
-        },
-      },
-      orderBy: { createdAt: "desc" },
-    });
-  }
-
-  async create(data: {
-    name: string;
-    redirectUri: string;
-    logo?: string;
-    websiteUrl?: string;
-    enablePkce?: boolean;
-    userId?: number;
-    approvalStatus?: OAuthClientApprovalStatus;
-  }) {
-    const { name, redirectUri, logo, websiteUrl, enablePkce, userId, approvalStatus } = data;
-
-    const clientId = randomBytes(32).toString("hex");
-
-    let clientSecret: string | undefined;
-    let hashedSecret: string | undefined;
-    if (!enablePkce) {
-      const [hashed, plain] = generateSecret();
-      hashedSecret = hashed;
-      clientSecret = plain;
-    }
-
-    const client = await this.prismaClient.oAuthClient.create({
-      data: {
-        name,
-        redirectUri,
-        clientId,
-        clientType: enablePkce ? "PUBLIC" : "CONFIDENTIAL",
-        logo,
-        websiteUrl,
-        approvalStatus: approvalStatus || "PENDING",
-        clientSecret: hashedSecret,
-        ...(userId && {
-          user: {
-            connect: { id: userId },
-          },
-        }),
-      },
-    });
-
-    return {
-      clientId: client.clientId,
-      name: client.name,
-      redirectUri: client.redirectUri,
-      logo: client.logo,
-      clientType: client.clientType,
-      clientSecret,
-      isPkceEnabled: enablePkce,
-      approvalStatus: client.approvalStatus,
-    };
-  }
-
-  async updateStatus(clientId: string, approvalStatus: OAuthClientApprovalStatus) {
-    return this.prismaClient.oAuthClient.update({
-      where: { clientId },
-      data: { approvalStatus },
-    });
-  }
-
-  async update(
-    clientId: string,
-    data: {
-      name?: string;
-      redirectUri?: string;
-      logo?: string;
-      websiteUrl?: string;
-    }
-  ) {
-    return this.prismaClient.oAuthClient.update({
-      where: { clientId },
-      data,
-    });
-  }
-
-  async delete(clientId: string) {
-    return this.prismaClient.oAuthClient.delete({
-      where: { clientId },
-    });
-  }
-}
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
index 3afa7e4912af2c..d6ea8284ff5384 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
@@ -1,4 +1,4 @@
-import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 
 import type { TAddClientInputSchema } from "./addClient.schema";
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts b/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
index 168ef7aee32bfa..b642cd3c82432a 100644
--- a/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
@@ -1,4 +1,4 @@
-import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 
 import type { TListClientsInputSchema } from "./listClients.schema";
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts b/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
index 02e1d7f608bb5c..c0bb9af98f4e7a 100644
--- a/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
@@ -1,4 +1,4 @@
-import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 
 type ListUserClientsOptions = {
   ctx: {
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index 023e343a27669e..fb43666f0e401c 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -1,6 +1,6 @@
 import { sendAdminOAuthClientNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
-import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 
 import type { TSubmitClientInputSchema } from "./submitClient.schema";
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index e035016923a014..1ba0673aa60de6 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -2,7 +2,7 @@ import { TRPCError } from "@trpc/server";
 
 import { sendOAuthClientApprovedNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
-import { OAuthClientRepository } from "@calcom/lib/server/repository/oAuthClient";
+import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 import { UserPermissionRole } from "@calcom/prisma/enums";
 import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 

From 8415ef035c12638daa9983db24ef614ad03bb425 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 09:41:47 +0100
Subject: [PATCH 26/72] refactor: remove withGlobalPrisma from oauth repository

---
 .../features/oauth/repositories/OAuthClientRepository.ts  | 4 ----
 packages/trpc/server/routers/viewer/oAuth/_router.tsx     | 6 ++++--
 .../trpc/server/routers/viewer/oAuth/addClient.handler.ts | 8 ++++++--
 .../server/routers/viewer/oAuth/listClients.handler.ts    | 8 ++++++--
 .../routers/viewer/oAuth/listUserClients.handler.ts       | 4 +++-
 .../server/routers/viewer/oAuth/submitClient.handler.ts   | 5 ++++-
 .../routers/viewer/oAuth/updateClientStatus.handler.ts    | 4 +++-
 7 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index 1cce08df3136f5..4790e2b3f5dffe 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -7,10 +7,6 @@ import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 export class OAuthClientRepository {
   constructor(private readonly prisma: PrismaClient) {}
 
-  static async withGlobalPrisma() {
-    return new OAuthClientRepository((await import("@calcom/prisma")).prisma);
-  }
-
   async findByClientId(clientId: string) {
     return await this.prisma.oAuthClient.findFirst({
       where: {
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index 622d4803dbe733..3832dada2111ad 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -27,10 +27,11 @@ export const oAuthRouter = router({
     });
   }),
 
-  addClient: authedAdminProcedure.input(ZAddClientInputSchema).mutation(async ({ input }) => {
+  addClient: authedAdminProcedure.input(ZAddClientInputSchema).mutation(async ({ ctx, input }) => {
     const { addClientHandler } = await import("./addClient.handler");
 
     return addClientHandler({
+      ctx,
       input,
     });
   }),
@@ -53,10 +54,11 @@ export const oAuthRouter = router({
     });
   }),
 
-  listClients: authedAdminProcedure.input(ZListClientsInputSchema).query(async ({ input }) => {
+  listClients: authedAdminProcedure.input(ZListClientsInputSchema).query(async ({ ctx, input }) => {
     const { listClientsHandler } = await import("./listClients.handler");
 
     return listClientsHandler({
+      ctx,
       input,
     });
   }),
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
index d6ea8284ff5384..d3671b8276bec5 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
@@ -1,15 +1,19 @@
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
+import type { PrismaClient } from "@calcom/prisma";
 
 import type { TAddClientInputSchema } from "./addClient.schema";
 
 type AddClientOptions = {
+  ctx: {
+    prisma: PrismaClient;
+  };
   input: TAddClientInputSchema;
 };
 
-export const addClientHandler = async ({ input }: AddClientOptions) => {
+export const addClientHandler = async ({ ctx, input }: AddClientOptions) => {
   const { name, redirectUri, logo, websiteUrl, enablePkce } = input;
 
-  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
   const client = await oAuthClientRepository.create({
     name,
diff --git a/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts b/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
index b642cd3c82432a..870e4900b0bf91 100644
--- a/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/listClients.handler.ts
@@ -1,15 +1,19 @@
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
+import type { PrismaClient } from "@calcom/prisma";
 
 import type { TListClientsInputSchema } from "./listClients.schema";
 
 type ListClientsOptions = {
+  ctx: {
+    prisma: PrismaClient;
+  };
   input: TListClientsInputSchema;
 };
 
-export const listClientsHandler = async ({ input }: ListClientsOptions) => {
+export const listClientsHandler = async ({ ctx, input }: ListClientsOptions) => {
   const { status } = input;
 
-  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
   if (status) {
     return oAuthClientRepository.findByStatus(status);
diff --git a/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts b/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
index c0bb9af98f4e7a..54511adf9780c5 100644
--- a/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/listUserClients.handler.ts
@@ -1,17 +1,19 @@
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
+import type { PrismaClient } from "@calcom/prisma";
 
 type ListUserClientsOptions = {
   ctx: {
     user: {
       id: number;
     };
+    prisma: PrismaClient;
   };
 };
 
 export const listUserClientsHandler = async ({ ctx }: ListUserClientsOptions) => {
   const userId = ctx.user.id;
 
-  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
   return oAuthClientRepository.findByUserId(userId);
 };
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index fb43666f0e401c..733064c68a6fcc 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -2,6 +2,8 @@ import { sendAdminOAuthClientNotification } from "@calcom/emails/oauth-email-ser
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 
+import type { PrismaClient } from "@calcom/prisma";
+
 import type { TSubmitClientInputSchema } from "./submitClient.schema";
 
 type SubmitClientOptions = {
@@ -11,6 +13,7 @@ type SubmitClientOptions = {
       email: string;
       name: string | null;
     };
+    prisma: PrismaClient;
   };
   input: TSubmitClientInputSchema;
 };
@@ -19,7 +22,7 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
   const { name, redirectUri, logo, websiteUrl, enablePkce } = input;
   const userId = ctx.user.id;
 
-  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
   const client = await oAuthClientRepository.create({
     name,
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 1ba0673aa60de6..ed3dd5901179ba 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -3,6 +3,7 @@ import { TRPCError } from "@trpc/server";
 import { sendOAuthClientApprovedNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
+import type { PrismaClient } from "@calcom/prisma";
 import { UserPermissionRole } from "@calcom/prisma/enums";
 import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
@@ -14,6 +15,7 @@ type UpdateClientStatusOptions = {
       id: number;
       role: UserPermissionRole;
     };
+    prisma: PrismaClient;
   };
   input: TUpdateClientStatusInputSchema;
 };
@@ -35,7 +37,7 @@ export const updateClientStatusHandler = async ({
     throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can update OAuth client status" });
   }
 
-  const oAuthClientRepository = await OAuthClientRepository.withGlobalPrisma();
+  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
   // Get client with user info before updating
   const clientWithUser = await oAuthClientRepository.findByClientIdIncludeUser(clientId);

From fa7458a4d4257cff8aa24abd92ab76dee2e946a6 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 14:24:20 +0100
Subject: [PATCH 27/72] refactor: developer oauth page

---
 .../(admin-layout)/admin/oAuth/page.tsx       |   8 +-
 .../SettingsLayoutAppDirClient.tsx            |   2 +-
 .../developer/oauth/page.tsx                  |   5 +-
 .../admin/oauth-clients-admin-view.tsx        |  38 ++---
 .../settings/developer/oauth-clients-view.tsx | 141 +++++++++++++-----
 .../server/routers/viewer/oAuth/_router.tsx   |  21 +--
 .../viewer/oAuth/submitClient.handler.ts      |   1 +
 .../viewer/oAuth/submitClient.schema.ts       |  23 ++-
 8 files changed, 161 insertions(+), 78 deletions(-)

diff --git a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
index 48d9dc5d87c0d4..931c84d14e452b 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
@@ -1,7 +1,5 @@
 import { _generateMetadata, getTranslate } from "app/_utils";
 
-import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
-
 import OAuthClientsAdminView from "~/settings/admin/oauth-clients-admin-view";
 
 export const generateMetadata = async () =>
@@ -15,11 +13,7 @@ export const generateMetadata = async () =>
 
 const Page = async () => {
   const t = await getTranslate();
-  return (
-    <SettingsHeader title={t("oauth_clients_admin")} description={t("oauth_clients_admin_description")}>
-      <OAuthClientsAdminView />
-    </SettingsHeader>
-  );
+  return <OAuthClientsAdminView />;
 };
 
 export default Page;
diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
index 273ccf09fd6485..32145d08e0da0e 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
@@ -128,7 +128,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
           trackingMetadata: { section: "developer", page: "api_keys" },
         },
         {
-          name: "oauth_clients",
+          name: "oAuth",
           href: "/settings/developer/oauth",
           trackingMetadata: { section: "developer", page: "oauth_clients" }
         },
diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx
index b0b43387ea2f3b..c622db5626a75b 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/developer/oauth/page.tsx
@@ -3,7 +3,6 @@ import { cookies, headers } from "next/headers";
 import { redirect } from "next/navigation";
 
 import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
-import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
 import { buildLegacyRequest } from "@lib/buildLegacyCtx";
 
@@ -27,9 +26,7 @@ const Page = async () => {
   }
 
   return (
-    <SettingsHeader title={t("oauth_clients")} description={t("oauth_clients_description")}>
-      <OAuthClientsView />
-    </SettingsHeader>
+    <OAuthClientsView />
   );
 };
 
diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 64fa4c9ecdc94a..f12253211bd2f5 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -30,6 +30,7 @@ import { Icon } from "@calcom/ui/components/icon";
 import { ImageUploader } from "@calcom/ui/components/image-uploader";
 import { showToast } from "@calcom/ui/components/toast";
 import { Tooltip } from "@calcom/ui/components/tooltip";
+import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
 type FormValues = {
   name: string;
@@ -90,14 +91,6 @@ export default function OAuthClientsAdminView() {
         "success"
       );
       utils.viewer.oAuth.listClients.invalidate();
-      // Show client secret dialog if a secret was generated during approval
-      if (data.clientSecret) {
-        setApprovedClient({
-          clientId: data.clientId,
-          clientSecret: data.clientSecret,
-          name: data.name,
-        });
-      }
     },
     onError: (error) => {
       showToast(`${t("oauth_client_status_update_error")}: ${error.message}`, "error");
@@ -149,14 +142,22 @@ export default function OAuthClientsAdminView() {
     return <OAuthClientsAdminSkeleton />;
   }
 
-  return (
-    <div>
-      <div className="mb-4 flex justify-end">
-        <Button color="primary" StartIcon="plus" onClick={() => setShowAddDialog(true)}>
-          {t("add_oauth_client")}
-        </Button>
-      </div>
+  const NewOAuthClientButton = () => (
+    <Button
+      color="secondary"
+      StartIcon="plus"
+      size="sm"
+      variant="fab"
+      onClick={() => setShowAddDialog(true)}>
+      {t("new")}
+    </Button>
+  );
 
+  return (
+    <SettingsHeader
+      title={t("oauth_clients_admin")}
+      description={t("oauth_clients_admin_description")}
+      CTA={oAuthClients && oAuthClients.length > 0 ? <NewOAuthClientButton /> : null}>
       {oAuthClients && oAuthClients.length > 0 ? (
         <div className="border-subtle overflow-hidden rounded-lg border">
           <table className="w-full">
@@ -266,9 +267,7 @@ export default function OAuthClientsAdminView() {
           headline={t("no_oauth_clients")}
           description={t("no_oauth_clients_admin_description")}
           buttonRaw={
-            <Button color="primary" StartIcon="plus" onClick={() => setShowAddDialog(true)}>
-              {t("add_oauth_client")}
-            </Button>
+            <NewOAuthClientButton />
           }
         />
       )}
@@ -276,6 +275,7 @@ export default function OAuthClientsAdminView() {
       <Dialog open={showAddDialog} onOpenChange={setShowAddDialog}>
         <DialogContent
           type="creation"
+          enableOverflow
           title={createdClient ? t("oauth_client_created") : t("add_oauth_client")}
           description={
             createdClient ? t("oauth_client_created_description") : t("add_oauth_client_description")
@@ -462,6 +462,6 @@ export default function OAuthClientsAdminView() {
           )}
         </DialogContent>
       </Dialog>
-    </div>
+    </SettingsHeader>
   );
 }
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 51182399912391..0e807dfad23edf 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -2,10 +2,9 @@
 
 import { useState } from "react";
 import { useForm } from "react-hook-form";
-
-import { Dialog } from "@calcom/features/components/controlled-dialog";
-import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
+import { useCopy } from "@calcom/lib/hooks/useCopy";
+import { Dialog } from "@calcom/features/components/controlled-dialog";
 import { trpc } from "@calcom/trpc/react";
 import { Avatar } from "@calcom/ui/components/avatar";
 import { Badge } from "@calcom/ui/components/badge";
@@ -17,6 +16,7 @@ import { Icon } from "@calcom/ui/components/icon";
 import { ImageUploader } from "@calcom/ui/components/image-uploader";
 import { showToast } from "@calcom/ui/components/toast";
 import { Tooltip } from "@calcom/ui/components/tooltip";
+import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
 import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 
@@ -28,6 +28,13 @@ type FormValues = {
   enablePkce: boolean;
 };
 
+type SubmitClientMutationResult = {
+  clientId: string;
+  name: string;
+  isPkceEnabled?: boolean;
+  clientSecret?: string;
+};
+
 const OAuthClientsView = () => {
   const { t } = useLocale();
   const { copyToClipboard } = useCopy();
@@ -38,6 +45,7 @@ const OAuthClientsView = () => {
   const [submittedClient, setSubmittedClient] = useState<{
     clientId: string;
     name: string;
+    clientSecret?: string;
     isPkceEnabled?: boolean;
   } | null>(null);
   const [selectedClient, setSelectedClient] = useState<{
@@ -61,10 +69,11 @@ const OAuthClientsView = () => {
   const { data: oAuthClients, isLoading } = trpc.viewer.oAuth.listUserClients.useQuery();
 
   const submitMutation = trpc.viewer.oAuth.submitClient.useMutation({
-    onSuccess: async (data) => {
+    onSuccess: async (data: SubmitClientMutationResult) => {
       setSubmittedClient({
         clientId: data.clientId,
         name: data.name,
+        clientSecret: data.clientSecret,
         isPkceEnabled: data.isPkceEnabled,
       });
       showToast(t("oauth_client_submitted"), "success");
@@ -76,15 +85,10 @@ const OAuthClientsView = () => {
   });
 
   const handleSubmit = (values: FormValues) => {
-    if (!values.logo) {
-      setLogoError(true);
-      return;
-    }
-    setLogoError(false);
     submitMutation.mutate({
-      name: values.name,
-      redirectUri: values.redirectUri,
-      websiteUrl: values.websiteUrl,
+      name: values.name.trim() || "",
+      redirectUri: values.redirectUri.trim() || "",
+      websiteUrl: values.websiteUrl.trim() || "",
       logo: values.logo,
       enablePkce: values.enablePkce,
     });
@@ -118,14 +122,22 @@ const OAuthClientsView = () => {
     return <OAuthClientsSkeleton />;
   }
 
-  return (
-    <div>
-      <div className="mb-4 flex justify-end">
-        <Button color="primary" StartIcon="plus" onClick={() => setShowDialog(true)}>
-          {t("new_oauth_client")}
-        </Button>
-      </div>
+  const NewOAuthClientButton = () => (
+    <Button
+      color="secondary"
+      StartIcon="plus"
+      size="sm"
+      variant="fab"
+      onClick={() => setShowDialog(true)}>
+      {t("new")}
+    </Button>
+  );
 
+  return (
+    <SettingsHeader
+      title={t("oauth_clients")}
+      description={t("oauth_clients_description")}
+      CTA={<NewOAuthClientButton />}>
       {oAuthClients && oAuthClients.length > 0 ? (
         <div className="border-subtle rounded-lg border">
           {oAuthClients.map((client, index) => (
@@ -167,15 +179,22 @@ const OAuthClientsView = () => {
           headline={t("no_oauth_clients")}
           description={t("no_oauth_clients_description")}
           buttonRaw={
-            <Button color="primary" StartIcon="plus" onClick={() => setShowDialog(true)}>
-              {t("new_oauth_client")}
-            </Button>
+            <NewOAuthClientButton />
           }
         />
       )}
 
-      <Dialog open={showDialog} onOpenChange={setShowDialog}>
+      <Dialog
+        open={showDialog}
+        onOpenChange={(open) => {
+          if (!open) {
+            handleCloseDialog();
+            return;
+          }
+          setShowDialog(open);
+        }}>
         <DialogContent
+          enableOverflow
           type="creation"
           title={submittedClient ? t("oauth_client_submitted") : t("new_oauth_client")}
           description={
@@ -185,14 +204,24 @@ const OAuthClientsView = () => {
             <Form form={oAuthForm} handleSubmit={handleSubmit} className="space-y-4">
               <TextField
                 {...oAuthForm.register("name", { required: true })}
-                label={t("client_name")}
+                label={t("name")}
                 type="text"
                 id="name"
                 placeholder={t("client_name_placeholder")}
                 required
               />
               <TextField
-                {...oAuthForm.register("redirectUri", { required: true })}
+                {...oAuthForm.register("redirectUri", {
+                  required: true,
+                  validate: (value) => {
+                    try {
+                      new URL(value);
+                      return true;
+                    } catch {
+                      return t("invalid_url");
+                    }
+                  },
+                })}
                 label={t("redirect_uri")}
                 type="url"
                 id="redirectUri"
@@ -200,14 +229,23 @@ const OAuthClientsView = () => {
                 required
               />
 
-              <TextField
-                {...oAuthForm.register("websiteUrl", { required: true })}
-                label={t("website_url")}
-                type="url"
-                id="websiteUrl"
-                placeholder="https://example.com"
-                required
-              />
+                <TextField
+                  {...oAuthForm.register("websiteUrl", {
+                    validate: (value) => {
+                      if (!value) return true;
+                      try {
+                        new URL(value);
+                        return true;
+                      } catch {
+                        return t("invalid_url");
+                      }
+                    },
+                  })}
+                  label={t("website_url")}
+                  type="url"
+                  id="websiteUrl"
+                  placeholder="https://example.com"
+                />
 
               <div>
                 <Label className="text-emphasis mb-2 block text-sm font-medium">
@@ -224,7 +262,7 @@ const OAuthClientsView = () => {
 
               <div>
                 <Label className="text-emphasis mb-2 block text-sm font-medium">
-                  {t("logo")} <span className="text-error">*</span>
+                  {t("logo")}
                 </Label>
                 <div className="flex items-center gap-4">
                   <Avatar
@@ -245,7 +283,6 @@ const OAuthClientsView = () => {
                     imageSrc={logo}
                   />
                 </div>
-                {logoError && <p className="text-error mt-2 text-sm">{t("logo_required")}</p>}
               </div>
 
               <DialogFooter>
@@ -268,6 +305,7 @@ const OAuthClientsView = () => {
                     onClick={() => {
                       copyToClipboard(submittedClient.clientId, {
                         onSuccess: () => showToast(t("client_id_copied"), "success"),
+                        onFailure: () => showToast(t("error"), "error"),
                       });
                     }}
                     type="button"
@@ -278,6 +316,36 @@ const OAuthClientsView = () => {
                   </Button>
                 </Tooltip>
               </div>
+
+              {submittedClient.clientSecret ? (
+                <div className="mt-4">
+                  <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
+                  <div className="flex">
+                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                      {submittedClient.clientSecret}
+                    </code>
+                    <Tooltip side="top" content={t("copy_to_clipboard")}>
+                      <Button
+                        onClick={() => {
+                          copyToClipboard(submittedClient.clientSecret ?? "", {
+                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
+                            onFailure: () => showToast(t("error"), "error"),
+                          });
+                        }}
+                        type="button"
+                        size="sm"
+                        className="rounded-l-none"
+                        StartIcon="clipboard">
+                        {t("copy")}
+                      </Button>
+                    </Tooltip>
+                  </div>
+                  <div className="text-subtle mt-2 text-sm">
+                    {t("oauth_client_client_secret_one_time_warning")}
+                  </div>
+                </div>
+              ) : null}
+
               <div className="text-subtle mt-4 text-sm">{t("oauth_client_pending_approval")}</div>
               <DialogFooter className="mt-6">
                 <Button onClick={handleCloseDialog}>{t("done")}</Button>
@@ -316,6 +384,7 @@ const OAuthClientsView = () => {
                       onClick={() => {
                         copyToClipboard(selectedClient.clientId, {
                           onSuccess: () => showToast(t("client_id_copied"), "success"),
+                          onFailure: () => showToast(t("error"), "error"),
                         });
                       }}
                       type="button"
@@ -347,7 +416,7 @@ const OAuthClientsView = () => {
           )}
         </DialogContent>
       </Dialog>
-    </div>
+    </SettingsHeader>
   );
 };
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index 3832dada2111ad..9db52c0ffd6205 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -5,7 +5,7 @@ import { ZAddClientInputSchema } from "./addClient.schema";
 import { ZGenerateAuthCodeInputSchema } from "./generateAuthCode.schema";
 import { ZGetClientInputSchema } from "./getClient.schema";
 import { ZListClientsInputSchema } from "./listClients.schema";
-import { ZSubmitClientInputSchema } from "./submitClient.schema";
+import { ZSubmitClientInputSchema, ZSubmitClientOutputSchema } from "./submitClient.schema";
 import { ZUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
 
 type _OAuthRouterHandlerCache = {
@@ -45,14 +45,17 @@ export const oAuthRouter = router({
     });
   }),
 
-  submitClient: authedProcedure.input(ZSubmitClientInputSchema).mutation(async ({ ctx, input }) => {
-    const { submitClientHandler } = await import("./submitClient.handler");
-
-    return submitClientHandler({
-      ctx,
-      input,
-    });
-  }),
+  submitClient: authedProcedure
+    .input(ZSubmitClientInputSchema)
+    .output(ZSubmitClientOutputSchema)
+    .mutation(async ({ ctx, input }) => {
+      const { submitClientHandler } = await import("./submitClient.handler");
+
+      return submitClientHandler({
+        ctx,
+        input,
+      });
+    }),
 
   listClients: authedAdminProcedure.input(ZListClientsInputSchema).query(async ({ ctx, input }) => {
     const { listClientsHandler } = await import("./listClients.handler");
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index 733064c68a6fcc..5d03429438a302 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -48,6 +48,7 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
   return {
     clientId: client.clientId,
     name: client.name,
+    clientSecret: client.clientSecret,
     redirectUri: client.redirectUri,
     logo: client.logo,
     clientType: client.clientType,
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
index 75ff0af0647b86..0f270b06029d07 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
@@ -3,9 +3,28 @@ import { z } from "zod";
 export const ZSubmitClientInputSchema = z.object({
   name: z.string().min(1, "Client name is required"),
   redirectUri: z.string().url("Must be a valid URL"),
-  logo: z.string().min(1, "Logo is required"),
-  websiteUrl: z.string().url("Must be a valid URL"),
+  logo: z.preprocess(
+    (value) => (typeof value === "string" && value.trim() === "" ? undefined : value),
+    z.string().optional()
+  ),
+  websiteUrl: z.preprocess(
+    (value) => (typeof value === "string" && value.trim() === "" ? undefined : value),
+    z.string().url("Must be a valid URL").optional()
+  ),
   enablePkce: z.boolean().optional().default(false),
 });
 
+export const ZSubmitClientOutputSchema = z.object({
+  clientId: z.string(),
+  name: z.string(),
+  clientSecret: z.string().optional(),
+  redirectUri: z.string(),
+  logo: z.string().nullable(),
+  clientType: z.string(),
+  approvalStatus: z.string(),
+  isPkceEnabled: z.boolean().optional(),
+});
+
 export type TSubmitClientInputSchema = z.infer<typeof ZSubmitClientInputSchema>;
+
+export type TSubmitClientOutputSchema = z.infer<typeof ZSubmitClientOutputSchema>;

From d163a1d2aef8a23213af473000c318e845eb4957 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 14:35:39 +0100
Subject: [PATCH 28/72] refactor: oauth status by default accepted

---
 packages/features/oauth/repositories/OAuthClientRepository.ts   | 2 +-
 .../migration.sql                                               | 2 ++
 packages/prisma/schema.prisma                                   | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql

diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index 4790e2b3f5dffe..8117a84bce46eb 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -139,7 +139,7 @@ export class OAuthClientRepository {
         clientType: enablePkce ? "PUBLIC" : "CONFIDENTIAL",
         logo,
         websiteUrl,
-        approvalStatus: approvalStatus || "PENDING",
+        approvalStatus: approvalStatus,
         clientSecret: hashedSecret,
         ...(userId && {
           user: {
diff --git a/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql b/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
new file mode 100644
index 00000000000000..786fad214e712b
--- /dev/null
+++ b/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."OAuthClient" ALTER COLUMN "approvalStatus" SET DEFAULT 'approved';
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 87368f7856ed6f..8d730a85076305 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1782,7 +1782,7 @@ model OAuthClient {
   websiteUrl     String?
   isTrusted      Boolean                   @default(false)
   accessCodes    AccessCode[]
-  approvalStatus OAuthClientApprovalStatus @default(PENDING)
+  approvalStatus OAuthClientApprovalStatus @default(APPROVED)
   userId         Int?
   user           User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
   createdAt      DateTime                  @default(now())

From cf5c4e3fff2acb63ed115f7ccb318dc06851277d Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 8 Jan 2026 14:36:50 +0100
Subject: [PATCH 29/72] refactor: request oauth status when creating

---
 packages/features/oauth/repositories/OAuthClientRepository.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index 8117a84bce46eb..76ffeaca2d5276 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -117,7 +117,7 @@ export class OAuthClientRepository {
     websiteUrl?: string;
     enablePkce?: boolean;
     userId?: number;
-    approvalStatus?: OAuthClientApprovalStatus;
+    approvalStatus: OAuthClientApprovalStatus;
   }) {
     const { name, redirectUri, logo, websiteUrl, enablePkce, userId, approvalStatus } = data;
 

From bb0af5b7b41d7091ebbf0f6190e78136ad32e79c Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Fri, 9 Jan 2026 16:50:22 +0100
Subject: [PATCH 30/72] refactor ux

---
 .../admin/oauth-clients-admin-view.tsx        | 474 ++++--------------
 .../developer/oauth-clients-skeleton.tsx      |   2 +-
 .../settings/developer/oauth-clients-view.tsx | 431 ++++------------
 .../oauth/OAuthClientCreateDialog.tsx         | 202 ++++++++
 .../oauth/OAuthClientDetailsDialog.tsx        | 461 +++++++++++++++++
 .../settings/oauth/OAuthClientFormFields.tsx  | 165 ++++++
 .../settings/oauth/OAuthClientsList.tsx       |  71 +++
 packages/emails/oauth-email-service.ts        |   6 +
 .../AdminOAuthClientNotificationEmail.tsx     |  13 +
 .../OAuthClientRejectedNotificationEmail.tsx  | 101 ++++
 packages/emails/src/templates/index.ts        |   1 +
 .../admin-oauth-client-notification.ts        |   2 +
 .../oauth-client-rejected-notification.ts     |  49 ++
 .../repositories/OAuthClientRepository.ts     |  50 +-
 .../migration.sql                             |   2 +
 .../migration.sql                             |   2 +
 packages/prisma/schema.prisma                 |  28 +-
 .../server/routers/viewer/oAuth/_router.tsx   |  23 +-
 .../routers/viewer/oAuth/addClient.handler.ts |   4 +-
 .../routers/viewer/oAuth/addClient.schema.ts  |   3 +
 .../viewer/oAuth/deleteClient.handler.ts      |  37 ++
 .../viewer/oAuth/deleteClient.schema.ts       |   7 +
 .../viewer/oAuth/submitClient.handler.ts      |   5 +-
 .../viewer/oAuth/submitClient.schema.ts       |   2 +
 .../oAuth/updateClientStatus.handler.ts       | 116 ++++-
 .../viewer/oAuth/updateClientStatus.schema.ts |  28 ++
 26 files changed, 1562 insertions(+), 723 deletions(-)
 create mode 100644 apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
 create mode 100644 apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
 create mode 100644 apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
 create mode 100644 apps/web/modules/settings/oauth/OAuthClientsList.tsx
 create mode 100644 packages/emails/src/templates/OAuthClientRejectedNotificationEmail.tsx
 create mode 100644 packages/emails/templates/oauth-client-rejected-notification.ts
 create mode 100644 packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql
 create mode 100644 packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/deleteClient.schema.ts

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index f12253211bd2f5..7dd48012e2deeb 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -1,73 +1,42 @@
 "use client";
 
 import { useState } from "react";
-import { useForm } from "react-hook-form";
 
-import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
+import type { RouterOutputs } from "@calcom/trpc/react";
 
 import { OAuthClientsAdminSkeleton } from "./oauth-clients-admin-skeleton";
-import { Avatar } from "@calcom/ui/components/avatar";
-import { Badge } from "@calcom/ui/components/badge";
 import { Button } from "@calcom/ui/components/button";
-import {
-  Dialog,
-  DialogContent,
-  DialogFooter,
-  DialogClose,
-} from "@calcom/ui/components/dialog";
-import {
-  Dropdown,
-  DropdownItem,
-  DropdownMenuTrigger,
-  DropdownMenuContent,
-  DropdownMenuItem,
-} from "@calcom/ui/components/dropdown";
 import { EmptyScreen } from "@calcom/ui/components/empty-screen";
-import { Form, Label, Switch, TextField } from "@calcom/ui/components/form";
-import { Icon } from "@calcom/ui/components/icon";
-import { ImageUploader } from "@calcom/ui/components/image-uploader";
 import { showToast } from "@calcom/ui/components/toast";
-import { Tooltip } from "@calcom/ui/components/tooltip";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-type FormValues = {
-  name: string;
-  redirectUri: string;
-  websiteUrl: string;
-  logo: string;
-  enablePkce: boolean;
-};
+import {
+  OAuthClientCreateDialog,
+  type OAuthClientCreateFormValues,
+} from "../oauth/OAuthClientCreateDialog";
+import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
+import { OAuthClientsList } from "../oauth/OAuthClientsList";
+
+type OAuthClientRow = RouterOutputs["viewer"]["oAuth"]["listClients"][number];
 
 export default function OAuthClientsAdminView() {
   const { t } = useLocale();
-  const { copyToClipboard } = useCopy();
   const utils = trpc.useUtils();
   const [showAddDialog, setShowAddDialog] = useState(false);
-  const [logo, setLogo] = useState("");
-  const [createdClient, setCreatedClient] = useState<{
-    clientId: string;
-    clientSecret?: string;
-    name: string;
-  } | null>(null);
-  const [approvedClient, setApprovedClient] = useState<{
-    clientId: string;
-    clientSecret?: string;
-    name: string;
-  } | null>(null);
+  const [createdClient, setCreatedClient] = useState<OAuthClientDetails | null>(null);
+  const [selectedClient, setSelectedClient] = useState<OAuthClientDetails | null>(null);
 
-  const oAuthForm = useForm<FormValues>({
-    defaultValues: {
-      name: "",
-      redirectUri: "",
-      websiteUrl: "",
-      logo: "",
-      enablePkce: false,
-    },
+  const { data: pendingClients, isLoading: isPendingClientsLoading } = trpc.viewer.oAuth.listClients.useQuery({
+    status: "PENDING",
+  });
+  const { data: rejectedClients, isLoading: isRejectedClientsLoading } = trpc.viewer.oAuth.listClients.useQuery({
+    status: "REJECTED",
+  });
+  const { data: approvedClients, isLoading: isApprovedClientsLoading } = trpc.viewer.oAuth.listClients.useQuery({
+    status: "APPROVED",
   });
-
-  const { data: oAuthClients, isLoading } = trpc.viewer.oAuth.listClients.useQuery({});
 
   const addMutation = trpc.viewer.oAuth.addClient.useMutation({
     onSuccess: async (data) => {
@@ -75,6 +44,10 @@ export default function OAuthClientsAdminView() {
         clientId: data.clientId,
         clientSecret: data.clientSecret,
         name: data.name,
+        purpose: data.purpose,
+        approvalStatus: "APPROVED",
+        redirectUri: data.redirectUri,
+        logo: data.logo || null,
       });
       showToast(t("oauth_client_created"), "success");
       utils.viewer.oAuth.listClients.invalidate();
@@ -90,6 +63,17 @@ export default function OAuthClientsAdminView() {
         t("oauth_client_status_updated", { name: data.name, status: data.approvalStatus }),
         "success"
       );
+
+      setSelectedClient((prev) => {
+        if (!prev) return prev;
+        if (prev.clientId !== data.clientId) return prev;
+        return {
+          ...prev,
+          approvalStatus: data.approvalStatus,
+          rejectionReason: data.rejectionReason,
+        };
+      });
+
       utils.viewer.oAuth.listClients.invalidate();
     },
     onError: (error) => {
@@ -97,11 +81,12 @@ export default function OAuthClientsAdminView() {
     },
   });
 
-  const handleAddClient = (values: FormValues) => {
+  const handleAddClient = (values: OAuthClientCreateFormValues) => {
     addMutation.mutate({
       name: values.name,
+      purpose: values.purpose,
       redirectUri: values.redirectUri,
-      websiteUrl: values.websiteUrl || undefined,
+      websiteUrl: values.websiteUrl,
       logo: values.logo,
       enablePkce: values.enablePkce,
     });
@@ -110,38 +95,36 @@ export default function OAuthClientsAdminView() {
   const handleCloseDialog = () => {
     setShowAddDialog(false);
     setCreatedClient(null);
-    setLogo("");
-    oAuthForm.reset();
   };
 
-  const handleCloseApprovedDialog = () => {
-    setApprovedClient(null);
+  const handleCloseClientDialog = () => {
+    setSelectedClient(null);
   };
 
   const handleApprove = (clientId: string) => {
     updateStatusMutation.mutate({ clientId, status: "APPROVED" });
   };
 
-  const handleReject = (clientId: string) => {
-    updateStatusMutation.mutate({ clientId, status: "REJECTED" });
+  const handleReject = (input: { clientId: string; rejectionReason: string }) => {
+    updateStatusMutation.mutate({ clientId: input.clientId, status: "REJECTED", rejectionReason: input.rejectionReason });
   };
 
-  const getStatusBadge = (status: string) => {
-    switch (status) {
-      case "APPROVED":
-        return <Badge variant="success">{t("approved")}</Badge>;
-      case "REJECTED":
-        return <Badge variant="red">{t("rejected")}</Badge>;
-      case "PENDING":
-      default:
-        return <Badge variant="orange">{t("pending")}</Badge>;
-    }
-  };
-
-  if (isLoading) {
+  if (isPendingClientsLoading || isRejectedClientsLoading || isApprovedClientsLoading) {
     return <OAuthClientsAdminSkeleton />;
   }
 
+  const toClientDetails = (client: OAuthClientRow): OAuthClientDetails => ({
+    clientId: client.clientId,
+    name: client.name,
+    purpose: client.purpose,
+    redirectUri: client.redirectUri,
+    websiteUrl: client.websiteUrl,
+    logo: client.logo,
+    approvalStatus: client.approvalStatus,
+    rejectionReason: client.rejectionReason,
+    clientType: client.clientType,
+  });
+
   const NewOAuthClientButton = () => (
     <Button
       color="secondary"
@@ -153,113 +136,44 @@ export default function OAuthClientsAdminView() {
     </Button>
   );
 
+  const hasClients =
+    (pendingClients && pendingClients.length > 0) ||
+    (rejectedClients && rejectedClients.length > 0) ||
+    (approvedClients && approvedClients.length > 0);
+
   return (
     <SettingsHeader
       title={t("oauth_clients_admin")}
       description={t("oauth_clients_admin_description")}
-      CTA={oAuthClients && oAuthClients.length > 0 ? <NewOAuthClientButton /> : null}>
-      {oAuthClients && oAuthClients.length > 0 ? (
-        <div className="border-subtle overflow-hidden rounded-lg border">
-          <table className="w-full">
-            <thead className="bg-subtle">
-              <tr>
-                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("client_name")}</th>
-                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("redirect_uri")}</th>
-                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("submitted_by")}</th>
-                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("status")}</th>
-                <th className="text-emphasis px-4 py-3 text-left text-sm font-medium">{t("actions")}</th>
-              </tr>
-            </thead>
-            <tbody className="divide-subtle divide-y">
-              {oAuthClients.map((client) => (
-                <tr key={client.clientId} className="hover:bg-subtle/50">
-                  <td className="px-4 py-3">
-                    <div className="flex items-center gap-3">
-                      <Avatar
-                        alt={client.name}
-                        imageSrc={client.logo || undefined}
-                        fallback={<Icon name="key" className="text-subtle h-4 w-4" />}
-                        size="sm"
-                      />
-                      <span className="text-emphasis font-medium">{client.name}</span>
-                    </div>
-                  </td>
-                  <td className="text-default px-4 py-3 text-sm">{client.redirectUri}</td>
-                  <td className="text-default px-4 py-3 text-sm">
-                    {client.user ? (
-                      <span>
-                        {client.user.name || client.user.email}
-                      </span>
-                    ) : (
-                      <span className="text-subtle">{t("admin")}</span>
-                    )}
-                  </td>
-                  <td className="px-4 py-3">{getStatusBadge(client.approvalStatus)}</td>
-                  <td className="px-4 py-3">
-                    <Dropdown>
-                      <DropdownMenuTrigger asChild>
-                        <Button color="minimal" size="sm" StartIcon="ellipsis" />
-                      </DropdownMenuTrigger>
-                      <DropdownMenuContent align="end">
-                        {client.approvalStatus === "PENDING" && (
-                          <>
-                            <DropdownMenuItem>
-                              <DropdownItem
-                                type="button"
-                                StartIcon="check"
-                                onClick={() => handleApprove(client.clientId)}>
-                                {t("approve")}
-                              </DropdownItem>
-                            </DropdownMenuItem>
-                            <DropdownMenuItem>
-                              <DropdownItem
-                                type="button"
-                                StartIcon="x"
-                                onClick={() => handleReject(client.clientId)}>
-                                {t("reject")}
-                              </DropdownItem>
-                            </DropdownMenuItem>
-                          </>
-                        )}
-                        {client.approvalStatus === "REJECTED" && (
-                          <DropdownMenuItem>
-                            <DropdownItem
-                              type="button"
-                              StartIcon="check"
-                              onClick={() => handleApprove(client.clientId)}>
-                              {t("approve")}
-                            </DropdownItem>
-                          </DropdownMenuItem>
-                        )}
-                        {client.approvalStatus === "APPROVED" && (
-                          <DropdownMenuItem>
-                            <DropdownItem
-                              type="button"
-                              StartIcon="x"
-                              onClick={() => handleReject(client.clientId)}>
-                              {t("reject")}
-                            </DropdownItem>
-                          </DropdownMenuItem>
-                        )}
-                        <DropdownMenuItem>
-                          <DropdownItem
-                            type="button"
-                            StartIcon="clipboard"
-                            onClick={() => {
-                              copyToClipboard(client.clientId, {
-                                onSuccess: () => showToast(t("client_id_copied"), "success"),
-                              });
-                            }}>
-                            {t("copy_client_id")}
-                          </DropdownItem>
-                        </DropdownMenuItem>
-                      </DropdownMenuContent>
-                    </Dropdown>
-                  </td>
-                </tr>
-              ))}
-            </tbody>
-          </table>
+      CTA={<NewOAuthClientButton />}>
+      {hasClients ? (
+        <div className="space-y-10">
+          <div className="space-y-3">
+            <h2 className="text-emphasis text-base font-semibold">{t("pending")}</h2>
+            <OAuthClientsList
+              clients={(pendingClients ?? []).map(toClientDetails)}
+              onSelectClient={(client) => setSelectedClient(client)}
+              showStatus
+            />
+          </div>
+
+          <div className="space-y-3">
+            <h2 className="text-emphasis text-base font-semibold">{t("rejected")}</h2>
+            <OAuthClientsList
+              clients={(rejectedClients ?? []).map(toClientDetails)}
+              onSelectClient={(client) => setSelectedClient(client)}
+              showStatus
+            />
+          </div>
+
+          <div className="space-y-3">
+            <h2 className="text-emphasis text-base font-semibold">{t("approved")}</h2>
+            <OAuthClientsList
+              clients={(approvedClients ?? []).map(toClientDetails)}
+              onSelectClient={(client) => setSelectedClient(client)}
+              showStatus
+            />
+          </div>
         </div>
       ) : (
         <EmptyScreen
@@ -272,196 +186,28 @@ export default function OAuthClientsAdminView() {
         />
       )}
 
-      <Dialog open={showAddDialog} onOpenChange={setShowAddDialog}>
-        <DialogContent
-          type="creation"
-          enableOverflow
-          title={createdClient ? t("oauth_client_created") : t("add_oauth_client")}
-          description={
-            createdClient ? t("oauth_client_created_description") : t("add_oauth_client_description")
-          }>
-          {!createdClient ? (
-            <Form form={oAuthForm} handleSubmit={handleAddClient} className="space-y-4">
-              <TextField
-                {...oAuthForm.register("name", { required: true })}
-                label={t("client_name")}
-                type="text"
-                id="name"
-                placeholder={t("client_name_placeholder")}
-                required
-              />
-              <TextField
-                {...oAuthForm.register("redirectUri", { required: true })}
-                label={t("redirect_uri")}
-                type="url"
-                id="redirectUri"
-                placeholder="https://example.com/callback"
-                required
-              />
-
-              <TextField
-                {...oAuthForm.register("websiteUrl")}
-                label={t("website_url")}
-                type="url"
-                id="websiteUrl"
-                placeholder="https://example.com"
-              />
-
-              <div>
-                <Label className="text-emphasis mb-2 block text-sm font-medium">
-                  {t("authentication_mode")}
-                </Label>
-                <div className="flex items-center space-x-3">
-                  <Switch
-                    checked={oAuthForm.watch("enablePkce")}
-                    onCheckedChange={(checked) => oAuthForm.setValue("enablePkce", checked)}
-                  />
-                  <span className="text-default text-sm">{t("use_pkce")}</span>
-                </div>
-              </div>
-
-              <div>
-                <Label className="text-emphasis mb-2 block text-sm font-medium">{t("logo")}</Label>
-                <div className="flex items-center gap-4">
-                  <Avatar
-                    alt=""
-                    fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
-                    imageSrc={logo}
-                    size="lg"
-                  />
-                  <ImageUploader
-                    target="avatar"
-                    id="avatar-upload"
-                    buttonMsg={t("upload_logo")}
-                    handleAvatarChange={(newLogo: string) => {
-                      setLogo(newLogo);
-                      oAuthForm.setValue("logo", newLogo);
-                    }}
-                    imageSrc={logo}
-                  />
-                </div>
-              </div>
-
-              <DialogFooter>
-                <DialogClose onClick={handleCloseDialog}>{t("cancel")}</DialogClose>
-                <Button type="submit" loading={addMutation.isPending}>
-                  {t("add_client")}
-                </Button>
-              </DialogFooter>
-            </Form>
-          ) : (
-            <div>
-              <div className="text-emphasis mb-5 text-xl font-semibold">{createdClient.name}</div>
-              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
-              <div className="flex">
-                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                  {createdClient.clientId}
-                </code>
-                <Tooltip side="top" content={t("copy_to_clipboard")}>
-                  <Button
-                    onClick={() => {
-                      copyToClipboard(createdClient.clientId, {
-                        onSuccess: () => showToast(t("client_id_copied"), "success"),
-                      });
-                    }}
-                    type="button"
-                    size="sm"
-                    className="rounded-l-none"
-                    StartIcon="clipboard">
-                    {t("copy")}
-                  </Button>
-                </Tooltip>
-              </div>
-              {createdClient.clientSecret && (
-                <>
-                  <div className="text-subtle mb-1 mt-4 text-sm">{t("client_secret")}</div>
-                  <div className="flex">
-                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                      {createdClient.clientSecret}
-                    </code>
-                    <Tooltip side="top" content={t("copy_to_clipboard")}>
-                      <Button
-                        onClick={() => {
-                          copyToClipboard(createdClient.clientSecret || "", {
-                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
-                          });
-                        }}
-                        type="button"
-                        size="sm"
-                        className="rounded-l-none"
-                        StartIcon="clipboard">
-                        {t("copy")}
-                      </Button>
-                    </Tooltip>
-                  </div>
-                  <div className="text-subtle mt-2 text-sm">{t("copy_client_secret_info")}</div>
-                </>
-              )}
-              <DialogFooter className="mt-6">
-                <Button onClick={handleCloseDialog}>{t("done")}</Button>
-              </DialogFooter>
-            </div>
-          )}
-        </DialogContent>
-      </Dialog>
-
-      <Dialog open={!!approvedClient} onOpenChange={(open) => !open && handleCloseApprovedDialog()}>
-        <DialogContent type="creation" title={t("oauth_client_approved")} description={t("oauth_client_approved_description")}>
-          {approvedClient && (
-            <div>
-              <div className="text-emphasis mb-5 text-xl font-semibold">{approvedClient.name}</div>
-              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
-              <div className="flex">
-                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                  {approvedClient.clientId}
-                </code>
-                <Tooltip side="top" content={t("copy_to_clipboard")}>
-                  <Button
-                    onClick={() => {
-                      copyToClipboard(approvedClient.clientId, {
-                        onSuccess: () => showToast(t("client_id_copied"), "success"),
-                      });
-                    }}
-                    type="button"
-                    size="sm"
-                    className="rounded-l-none"
-                    StartIcon="clipboard">
-                    {t("copy")}
-                  </Button>
-                </Tooltip>
-              </div>
-              {approvedClient.clientSecret && (
-                <>
-                  <div className="text-subtle mb-1 mt-4 text-sm">{t("client_secret")}</div>
-                  <div className="flex">
-                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                      {approvedClient.clientSecret}
-                    </code>
-                    <Tooltip side="top" content={t("copy_to_clipboard")}>
-                      <Button
-                        onClick={() => {
-                          copyToClipboard(approvedClient.clientSecret || "", {
-                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
-                          });
-                        }}
-                        type="button"
-                        size="sm"
-                        className="rounded-l-none"
-                        StartIcon="clipboard">
-                        {t("copy")}
-                      </Button>
-                    </Tooltip>
-                  </div>
-                  <div className="text-subtle mt-2 text-sm">{t("copy_client_secret_info")}</div>
-                </>
-              )}
-              <DialogFooter className="mt-6">
-                <Button onClick={handleCloseApprovedDialog}>{t("done")}</Button>
-              </DialogFooter>
-            </div>
-          )}
-        </DialogContent>
-      </Dialog>
+      <OAuthClientCreateDialog
+        open={showAddDialog}
+        onOpenChange={setShowAddDialog}
+        title={t("create_oauth_client")}
+        submitLabel={t("create")}
+        isSubmitting={addMutation.isPending}
+        onSubmit={handleAddClient}
+        resultClient={createdClient}
+        resultTitle={t("oauth_client_created")}
+        resultDescription={t("oauth_client_created_description")}
+        clientSecretInfoKey="copy_client_secret_info"
+        onClose={handleCloseDialog}
+      />
+
+      <OAuthClientDetailsDialog
+        open={Boolean(selectedClient)}
+        onOpenChange={(open) => !open && handleCloseClientDialog()}
+        client={selectedClient}
+        onApprove={handleApprove}
+        onReject={handleReject}
+        isStatusChangePending={updateStatusMutation.isPending}
+      />
     </SettingsHeader>
   );
 }
diff --git a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
index 8a058191508998..22e4eef89c590a 100644
--- a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
@@ -13,7 +13,7 @@ export const OAuthClientsSkeleton = () => {
       <div className="border-subtle rounded-lg border">
         {skeletonItems.map((i, index) => (
           <div
-            key={i}
+            key={`oauth-client-skeleton-${index}`}
             className={`flex items-center justify-between p-4 ${
               index !== skeletonItems.length - 1 ? "border-subtle border-b" : ""
             }`}>
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 0e807dfad23edf..483b5b5f75a065 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -1,70 +1,39 @@
 "use client";
 
 import { useState } from "react";
-import { useForm } from "react-hook-form";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
-import { useCopy } from "@calcom/lib/hooks/useCopy";
-import { Dialog } from "@calcom/features/components/controlled-dialog";
 import { trpc } from "@calcom/trpc/react";
-import { Avatar } from "@calcom/ui/components/avatar";
-import { Badge } from "@calcom/ui/components/badge";
 import { Button } from "@calcom/ui/components/button";
-import { DialogContent, DialogFooter, DialogClose } from "@calcom/ui/components/dialog";
 import { EmptyScreen } from "@calcom/ui/components/empty-screen";
-import { Form, Label, Switch, TextField } from "@calcom/ui/components/form";
-import { Icon } from "@calcom/ui/components/icon";
-import { ImageUploader } from "@calcom/ui/components/image-uploader";
 import { showToast } from "@calcom/ui/components/toast";
-import { Tooltip } from "@calcom/ui/components/tooltip";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
+import {
+  OAuthClientCreateDialog,
+  type OAuthClientCreateFormValues,
+} from "../oauth/OAuthClientCreateDialog";
+import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
+import { OAuthClientsList } from "../oauth/OAuthClientsList";
 
-type FormValues = {
-  name: string;
-  redirectUri: string;
-  websiteUrl: string;
-  logo: string;
-  enablePkce: boolean;
-};
+import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 
 type SubmitClientMutationResult = {
   clientId: string;
   name: string;
+  purpose: string;
   isPkceEnabled?: boolean;
   clientSecret?: string;
+  redirectUri?: string;
+  logo?: string | null;
+  approvalStatus?: string;
 };
 
 const OAuthClientsView = () => {
   const { t } = useLocale();
-  const { copyToClipboard } = useCopy();
   const utils = trpc.useUtils();
   const [showDialog, setShowDialog] = useState(false);
-  const [logo, setLogo] = useState("");
-  const [logoError, setLogoError] = useState(false);
-  const [submittedClient, setSubmittedClient] = useState<{
-    clientId: string;
-    name: string;
-    clientSecret?: string;
-    isPkceEnabled?: boolean;
-  } | null>(null);
-  const [selectedClient, setSelectedClient] = useState<{
-    clientId: string;
-    name: string;
-    logo?: string | null;
-    redirectUri: string;
-    approvalStatus: string;
-  } | null>(null);
-
-  const oAuthForm = useForm<FormValues>({
-    defaultValues: {
-      name: "",
-      redirectUri: "",
-      websiteUrl: "",
-      logo: "",
-      enablePkce: false,
-    },
-  });
+  const [submittedClient, setSubmittedClient] = useState<OAuthClientDetails | null>(null);
+  const [selectedClient, setSelectedClient] = useState<OAuthClientDetails | null>(null);
 
   const { data: oAuthClients, isLoading } = trpc.viewer.oAuth.listUserClients.useQuery();
 
@@ -73,7 +42,9 @@ const OAuthClientsView = () => {
       setSubmittedClient({
         clientId: data.clientId,
         name: data.name,
+        purpose: data.purpose,
         clientSecret: data.clientSecret,
+        approvalStatus: data.approvalStatus ?? "PENDING",
         isPkceEnabled: data.isPkceEnabled,
       });
       showToast(t("oauth_client_submitted"), "success");
@@ -84,11 +55,49 @@ const OAuthClientsView = () => {
     },
   });
 
-  const handleSubmit = (values: FormValues) => {
+  const deleteClientMutation = trpc.viewer.oAuth.deleteClient.useMutation({
+    onSuccess: async () => {
+      showToast(t("oauth_client_deletion_message"), "success");
+      setSelectedClient(null);
+      utils.viewer.oAuth.listUserClients.invalidate();
+    },
+    onError: (error) => {
+      showToast(error.message || t("error"), "error");
+    },
+  });
+
+  const updateClientMutation = trpc.viewer.oAuth.updateClient.useMutation({
+    onSuccess: async (data) => {
+      showToast(t("oauth_client_updated_successfully"), "success");
+
+      setSelectedClient((prev) => {
+        if (!prev) return prev;
+        if (prev.clientId !== data.clientId) return prev;
+        return {
+          ...prev,
+          name: data.name,
+          purpose: data.purpose,
+          redirectUri: data.redirectUri,
+          websiteUrl: data.websiteUrl,
+          logo: data.logo,
+          approvalStatus: data.approvalStatus,
+          rejectionReason: data.rejectionReason,
+        };
+      });
+
+      utils.viewer.oAuth.listUserClients.invalidate();
+    },
+    onError: (error) => {
+      showToast(`${t("updating_oauth_client_error")}: ${error.message}`, "error");
+    },
+  });
+
+  const handleSubmit = (values: OAuthClientCreateFormValues) => {
     submitMutation.mutate({
-      name: values.name.trim() || "",
-      redirectUri: values.redirectUri.trim() || "",
-      websiteUrl: values.websiteUrl.trim() || "",
+      name: values.name,
+      purpose: values.purpose,
+      redirectUri: values.redirectUri,
+      websiteUrl: values.websiteUrl,
       logo: values.logo,
       enablePkce: values.enablePkce,
     });
@@ -97,27 +106,12 @@ const OAuthClientsView = () => {
   const handleCloseDialog = () => {
     setShowDialog(false);
     setSubmittedClient(null);
-    setLogo("");
-    setLogoError(false);
-    oAuthForm.reset();
   };
 
   const handleCloseClientDialog = () => {
     setSelectedClient(null);
   };
 
-  const getStatusBadge = (status: string) => {
-    switch (status) {
-      case "APPROVED":
-        return <Badge variant="success">{t("approved")}</Badge>;
-      case "REJECTED":
-        return <Badge variant="red">{t("rejected")}</Badge>;
-      case "PENDING":
-      default:
-        return <Badge variant="orange">{t("pending")}</Badge>;
-    }
-  };
-
   if (isLoading) {
     return <OAuthClientsSkeleton />;
   }
@@ -139,40 +133,20 @@ const OAuthClientsView = () => {
       description={t("oauth_clients_description")}
       CTA={<NewOAuthClientButton />}>
       {oAuthClients && oAuthClients.length > 0 ? (
-        <div className="border-subtle rounded-lg border">
-          {oAuthClients.map((client, index) => (
-            <div
-              key={client.clientId}
-              className={`hover:bg-subtle flex cursor-pointer items-center justify-between p-4 transition-colors ${
-                index !== oAuthClients.length - 1 ? "border-subtle border-b" : ""
-              }`}
-              onClick={() => setSelectedClient(client)}
-              role="button"
-              tabIndex={0}
-              onKeyDown={(e) => {
-                if (e.key === "Enter" || e.key === " ") {
-                  setSelectedClient(client);
-                }
-              }}>
-              <div className="flex items-center gap-4">
-                <Avatar
-                  alt={client.name}
-                  imageSrc={client.logo || undefined}
-                  fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
-                  size="md"
-                />
-                <div>
-                  <div className="text-emphasis font-medium">{client.name}</div>
-                  <div className="text-subtle text-sm">{client.redirectUri}</div>
-                </div>
-              </div>
-              <div className="flex items-center gap-4">
-                {getStatusBadge(client.approvalStatus)}
-                <Icon name="chevron-right" className="text-subtle h-5 w-5" />
-              </div>
-            </div>
-          ))}
-        </div>
+        <OAuthClientsList
+          clients={oAuthClients.map((client) => ({
+            clientId: client.clientId,
+            name: client.name,
+            purpose: client.purpose,
+            redirectUri: client.redirectUri,
+            websiteUrl: client.websiteUrl,
+            logo: client.logo,
+            approvalStatus: client.approvalStatus,
+            rejectionReason: client.rejectionReason,
+            clientType: client.clientType,
+          }))}
+          onSelectClient={(client) => setSelectedClient(client)}
+        />
       ) : (
         <EmptyScreen
           Icon="key"
@@ -184,238 +158,39 @@ const OAuthClientsView = () => {
         />
       )}
 
-      <Dialog
+      <OAuthClientCreateDialog
         open={showDialog}
-        onOpenChange={(open) => {
-          if (!open) {
-            handleCloseDialog();
-            return;
-          }
-          setShowDialog(open);
-        }}>
-        <DialogContent
-          enableOverflow
-          type="creation"
-          title={submittedClient ? t("oauth_client_submitted") : t("new_oauth_client")}
-          description={
-            submittedClient ? t("oauth_client_submitted_description") : t("new_oauth_client_description")
-          }>
-          {!submittedClient ? (
-            <Form form={oAuthForm} handleSubmit={handleSubmit} className="space-y-4">
-              <TextField
-                {...oAuthForm.register("name", { required: true })}
-                label={t("name")}
-                type="text"
-                id="name"
-                placeholder={t("client_name_placeholder")}
-                required
-              />
-              <TextField
-                {...oAuthForm.register("redirectUri", {
-                  required: true,
-                  validate: (value) => {
-                    try {
-                      new URL(value);
-                      return true;
-                    } catch {
-                      return t("invalid_url");
-                    }
-                  },
-                })}
-                label={t("redirect_uri")}
-                type="url"
-                id="redirectUri"
-                placeholder="https://example.com/callback"
-                required
-              />
-
-                <TextField
-                  {...oAuthForm.register("websiteUrl", {
-                    validate: (value) => {
-                      if (!value) return true;
-                      try {
-                        new URL(value);
-                        return true;
-                      } catch {
-                        return t("invalid_url");
-                      }
-                    },
-                  })}
-                  label={t("website_url")}
-                  type="url"
-                  id="websiteUrl"
-                  placeholder="https://example.com"
-                />
-
-              <div>
-                <Label className="text-emphasis mb-2 block text-sm font-medium">
-                  {t("authentication_mode")}
-                </Label>
-                <div className="flex items-center space-x-3">
-                  <Switch
-                    checked={oAuthForm.watch("enablePkce")}
-                    onCheckedChange={(checked) => oAuthForm.setValue("enablePkce", checked)}
-                  />
-                  <span className="text-default text-sm">{t("use_pkce")}</span>
-                </div>
-              </div>
-
-              <div>
-                <Label className="text-emphasis mb-2 block text-sm font-medium">
-                  {t("logo")}
-                </Label>
-                <div className="flex items-center gap-4">
-                  <Avatar
-                    alt=""
-                    fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
-                    imageSrc={logo}
-                    size="lg"
-                  />
-                  <ImageUploader
-                    target="avatar"
-                    id="avatar-upload"
-                    buttonMsg={t("upload_logo")}
-                    handleAvatarChange={(newLogo: string) => {
-                      setLogo(newLogo);
-                      setLogoError(false);
-                      oAuthForm.setValue("logo", newLogo);
-                    }}
-                    imageSrc={logo}
-                  />
-                </div>
-              </div>
-
-              <DialogFooter>
-                <DialogClose onClick={handleCloseDialog}>{t("cancel")}</DialogClose>
-                <Button type="submit" loading={submitMutation.isPending}>
-                  {t("submit_for_approval")}
-                </Button>
-              </DialogFooter>
-            </Form>
-          ) : (
-            <div>
-              <div className="text-emphasis mb-5 text-xl font-semibold">{submittedClient.name}</div>
-              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
-              <div className="flex">
-                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                  {submittedClient.clientId}
-                </code>
-                <Tooltip side="top" content={t("copy_to_clipboard")}>
-                  <Button
-                    onClick={() => {
-                      copyToClipboard(submittedClient.clientId, {
-                        onSuccess: () => showToast(t("client_id_copied"), "success"),
-                        onFailure: () => showToast(t("error"), "error"),
-                      });
-                    }}
-                    type="button"
-                    size="sm"
-                    className="rounded-l-none"
-                    StartIcon="clipboard">
-                    {t("copy")}
-                  </Button>
-                </Tooltip>
-              </div>
-
-              {submittedClient.clientSecret ? (
-                <div className="mt-4">
-                  <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
-                  <div className="flex">
-                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                      {submittedClient.clientSecret}
-                    </code>
-                    <Tooltip side="top" content={t("copy_to_clipboard")}>
-                      <Button
-                        onClick={() => {
-                          copyToClipboard(submittedClient.clientSecret ?? "", {
-                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
-                            onFailure: () => showToast(t("error"), "error"),
-                          });
-                        }}
-                        type="button"
-                        size="sm"
-                        className="rounded-l-none"
-                        StartIcon="clipboard">
-                        {t("copy")}
-                      </Button>
-                    </Tooltip>
-                  </div>
-                  <div className="text-subtle mt-2 text-sm">
-                    {t("oauth_client_client_secret_one_time_warning")}
-                  </div>
-                </div>
-              ) : null}
-
-              <div className="text-subtle mt-4 text-sm">{t("oauth_client_pending_approval")}</div>
-              <DialogFooter className="mt-6">
-                <Button onClick={handleCloseDialog}>{t("done")}</Button>
-              </DialogFooter>
-            </div>
-          )}
-        </DialogContent>
-      </Dialog>
-
-      <Dialog open={!!selectedClient} onOpenChange={(open) => !open && handleCloseClientDialog()}>
-        <DialogContent type="creation" title={t("oauth_client")}>
-          {selectedClient && (
-            <div className="space-y-4">
-              <div className="flex items-center gap-4">
-                <Avatar
-                  alt={selectedClient.name}
-                  imageSrc={selectedClient.logo || undefined}
-                  fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
-                  size="lg"
-                />
-                <div>
-                  <div className="text-emphasis font-medium">{selectedClient.name}</div>
-                  <div className="text-subtle text-sm">{selectedClient.redirectUri}</div>
-                  {getStatusBadge(selectedClient.approvalStatus)}
-                </div>
-              </div>
-
-              <div>
-                <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
-                <div className="flex">
-                  <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                    {selectedClient.clientId}
-                  </code>
-                  <Tooltip side="top" content={t("copy_to_clipboard")}>
-                    <Button
-                      onClick={() => {
-                        copyToClipboard(selectedClient.clientId, {
-                          onSuccess: () => showToast(t("client_id_copied"), "success"),
-                          onFailure: () => showToast(t("error"), "error"),
-                        });
-                      }}
-                      type="button"
-                      size="sm"
-                      className="rounded-l-none"
-                      StartIcon="clipboard">
-                      {t("copy")}
-                    </Button>
-                  </Tooltip>
-                </div>
-              </div>
-
-              {selectedClient.approvalStatus === "APPROVED" && (
-                <p className="text-subtle text-sm">{t("oauth_client_approved_note")}</p>
-              )}
-
-              {selectedClient.approvalStatus === "PENDING" && (
-                <p className="text-subtle text-sm">{t("oauth_client_pending_approval")}</p>
-              )}
-
-              {selectedClient.approvalStatus === "REJECTED" && (
-                <p className="text-error text-sm">{t("oauth_client_rejected")}</p>
-              )}
-
-              <DialogFooter>
-                <Button onClick={handleCloseClientDialog}>{t("done")}</Button>
-              </DialogFooter>
-            </div>
-          )}
-        </DialogContent>
-      </Dialog>
+        onOpenChange={setShowDialog}
+        title={t("create_oauth_client")}
+        submitLabel={t("create")}
+        isSubmitting={submitMutation.isPending}
+        onSubmit={handleSubmit}
+        resultClient={submittedClient}
+        resultTitle={t("oauth_client_submitted")}
+        resultDescription={t("oauth_client_submitted_description")}
+        onClose={handleCloseDialog}
+      />
+
+      <OAuthClientDetailsDialog
+        open={Boolean(selectedClient)}
+        onOpenChange={(open) => !open && handleCloseClientDialog()}
+        client={selectedClient}
+        onUpdate={(values) => {
+          updateClientMutation.mutate({
+            clientId: values.clientId,
+            name: values.name,
+            purpose: values.purpose,
+            redirectUri: values.redirectUri,
+            websiteUrl: values.websiteUrl,
+            logo: values.logo,
+          });
+        }}
+        onDelete={(clientId) => {
+          deleteClientMutation.mutate({ clientId });
+        }}
+        isUpdatePending={updateClientMutation.isPending}
+        isDeletePending={deleteClientMutation.isPending}
+      />
     </SettingsHeader>
   );
 };
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
new file mode 100644
index 00000000000000..660a1c1d3258a4
--- /dev/null
+++ b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
@@ -0,0 +1,202 @@
+"use client";
+
+import { useState } from "react";
+import { useForm } from "react-hook-form";
+
+import { Dialog } from "@calcom/features/components/controlled-dialog";
+import { useCopy } from "@calcom/lib/hooks/useCopy";
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { Alert } from "@calcom/ui/components/alert";
+import { Badge } from "@calcom/ui/components/badge";
+import { Button } from "@calcom/ui/components/button";
+import { DialogClose, DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
+import { Form } from "@calcom/ui/components/form";
+import { showToast } from "@calcom/ui/components/toast";
+import { Tooltip } from "@calcom/ui/components/tooltip";
+
+import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+import { OAuthClientFormFields } from "./OAuthClientFormFields";
+
+export type OAuthClientCreateFormValues = {
+  name: string;
+  purpose: string;
+  redirectUri: string;
+  websiteUrl: string;
+  logo: string;
+  enablePkce: boolean;
+};
+
+export const OAuthClientCreateDialog = ({
+  open,
+  onOpenChange,
+  title,
+  description,
+  submitLabel,
+  isSubmitting,
+  onSubmit,
+  resultClient,
+  resultTitle,
+  resultDescription,
+  clientSecretInfoKey,
+  onClose,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  title: string;
+  description?: string;
+  submitLabel: string;
+  isSubmitting: boolean;
+  onSubmit: (values: OAuthClientCreateFormValues) => void;
+  resultClient: OAuthClientDetails | null;
+  resultTitle: string;
+  resultDescription?: string;
+  clientSecretInfoKey?: string;
+  onClose: () => void;
+}) => {
+  const { t } = useLocale();
+  const { copyToClipboard } = useCopy();
+  const [logo, setLogo] = useState("");
+
+  const form = useForm<OAuthClientCreateFormValues>({
+    defaultValues: {
+      name: "",
+      purpose: "",
+      redirectUri: "",
+      websiteUrl: "",
+      logo: "",
+      enablePkce: false,
+    },
+  });
+
+  const handleClose = () => {
+    onClose();
+    setLogo("");
+    form.reset();
+  };
+
+  const handleOpenChange = (nextOpen: boolean) => {
+    if (!nextOpen) {
+      handleClose();
+      return;
+    }
+    onOpenChange(nextOpen);
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={handleOpenChange}>
+      <DialogContent
+        enableOverflow
+        type="creation"
+        title={
+          resultClient ? (
+            <>
+              {resultClient.approvalStatus === "PENDING" ? (
+                <span className="mb-2 flex items-center justify-start">
+                  <Badge variant="orange">{t("pending")}</Badge>
+                </span>
+              ) : null}
+              <span>{resultTitle}</span>
+            </>
+          ) : (
+            title
+          )
+        }
+        description={resultClient ? resultDescription : description}>
+        {!resultClient ? (
+          <Form
+            form={form}
+            handleSubmit={(values) => {
+              onSubmit({
+                name: values.name.trim() || "",
+                purpose: values.purpose.trim() || "",
+                redirectUri: values.redirectUri.trim() || "",
+                websiteUrl: values.websiteUrl.trim() || "",
+                logo: values.logo,
+                enablePkce: values.enablePkce,
+              });
+            }}
+            className="space-y-4">
+            <OAuthClientFormFields form={form} logo={logo} setLogo={setLogo} />
+
+            <DialogFooter>
+              <DialogClose onClick={handleClose}>{t("close")}</DialogClose>
+              <Button type="submit" loading={isSubmitting}>
+                {submitLabel}
+              </Button>
+            </DialogFooter>
+          </Form>
+        ) : (
+          <>
+            <div className="space-y-4">
+              <div>
+                <div className="text-subtle mb-1 text-sm">{t("client_name")}</div>
+                <div className="text-emphasis font-medium">{resultClient.name}</div>
+              </div>
+
+              <div>
+                <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
+                <div className="flex">
+                  <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                    {resultClient.clientId}
+                  </code>
+                  <Tooltip side="top" content={t("copy_to_clipboard")}>
+                    <Button
+                      onClick={() => {
+                        copyToClipboard(resultClient.clientId, {
+                          onSuccess: () => showToast(t("client_id_copied"), "success"),
+                          onFailure: () => showToast(t("error"), "error"),
+                        });
+                      }}
+                      type="button"
+                      size="sm"
+                      className="rounded-l-none"
+                      StartIcon="clipboard">
+                      {t("copy")}
+                    </Button>
+                  </Tooltip>
+                </div>
+              </div>
+
+              {resultClient.clientSecret ? (
+                <div>
+                  <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
+                  <div className="flex">
+                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                      {resultClient.clientSecret}
+                    </code>
+                    <Tooltip side="top" content={t("copy_to_clipboard")}>
+                      <Button
+                        onClick={() => {
+                          copyToClipboard(resultClient.clientSecret ?? "", {
+                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
+                            onFailure: () => showToast(t("error"), "error"),
+                          });
+                        }}
+                        type="button"
+                        size="sm"
+                        className="rounded-l-none"
+                        StartIcon="clipboard">
+                        {t("copy")}
+                      </Button>
+                    </Tooltip>
+                  </div>
+                  <Alert
+                    severity="warning"
+                    message={t(clientSecretInfoKey ?? "oauth_client_client_secret_one_time_warning")}
+                    className="mt-3"
+                  />
+                </div>
+              ) : null}
+            </div>
+            <DialogFooter className="mt-6">
+              <Button type="button" onClick={handleClose}>
+                {t("done")}
+              </Button>
+            </DialogFooter>
+          </>
+        )}
+      </DialogContent>
+    </Dialog>
+  );
+};
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
new file mode 100644
index 00000000000000..ead7a0b90ad5a5
--- /dev/null
+++ b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
@@ -0,0 +1,461 @@
+"use client";
+
+import { useEffect, useState } from "react";
+import { useForm } from "react-hook-form";
+
+import { Dialog } from "@calcom/features/components/controlled-dialog";
+import { useCopy } from "@calcom/lib/hooks/useCopy";
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { Avatar } from "@calcom/ui/components/avatar";
+import { Alert } from "@calcom/ui/components/alert";
+import { Badge } from "@calcom/ui/components/badge";
+import { Button } from "@calcom/ui/components/button";
+import { ConfirmationDialogContent, DialogClose, DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
+import { Icon } from "@calcom/ui/components/icon";
+import { showToast } from "@calcom/ui/components/toast";
+import { Tooltip } from "@calcom/ui/components/tooltip";
+import { Label, TextArea } from "@calcom/ui/components/form";
+
+import type { OAuthClientCreateFormValues } from "./OAuthClientCreateDialog";
+import { OAuthClientFormFields } from "./OAuthClientFormFields";
+
+export type OAuthClientDetails = {
+  clientId: string;
+  name: string;
+  purpose?: string;
+  redirectUri?: string;
+  websiteUrl?: string | null;
+  logo?: string | null;
+  approvalStatus?: string;
+  rejectionReason?: string | null;
+  clientSecret?: string;
+  isPkceEnabled?: boolean;
+  clientType?: string;
+};
+
+const getStatusBadgeVariant = (status: string) => {
+  switch (status) {
+    case "APPROVED":
+      return { variant: "success" as const, labelKey: "approved" as const };
+    case "REJECTED":
+      return { variant: "red" as const, labelKey: "rejected" as const };
+    case "PENDING":
+    default:
+      return { variant: "orange" as const, labelKey: "pending" as const };
+  }
+};
+
+export const OAuthClientDetailsContent = ({
+  client,
+  showRedirectUri = true,
+  showStatusBadge = true,
+  showStatusBadgeTopLeft = false,
+  showStatusNote = true,
+  clientSecretInfoKey = "oauth_client_client_secret_one_time_warning",
+}: {
+  client: OAuthClientDetails;
+  showRedirectUri?: boolean;
+  showStatusBadge?: boolean;
+  showStatusBadgeTopLeft?: boolean;
+  showStatusNote?: boolean;
+  clientSecretInfoKey?: string;
+}) => {
+  const { t } = useLocale();
+  const { copyToClipboard } = useCopy();
+
+  const approvalStatus = client.approvalStatus;
+
+  return (
+    <div className="space-y-4">
+      {showStatusBadge && showStatusBadgeTopLeft && approvalStatus ? (
+        <div className="flex items-center justify-start">
+          <Badge variant={getStatusBadgeVariant(approvalStatus).variant}>
+            {t(getStatusBadgeVariant(approvalStatus).labelKey)}
+          </Badge>
+        </div>
+      ) : null}
+      <div className="flex items-center gap-4">
+        <Avatar
+          alt={client.name}
+          imageSrc={client.logo || undefined}
+          fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
+          size="lg"
+        />
+        <div>
+          <div className="text-emphasis font-medium">{client.name}</div>
+          {showRedirectUri ? (
+            <div className="text-subtle mt-1 space-y-1 text-sm">
+              {client.redirectUri ? (
+                <div>
+                  <span className="font-medium">{t("redirect_uri")}:</span> {client.redirectUri}
+                </div>
+              ) : null}
+              {client.websiteUrl ? (
+                <div>
+                  <span className="font-medium">{t("website_url")}:</span> {client.websiteUrl}
+                </div>
+              ) : null}
+            </div>
+          ) : null}
+          {showStatusBadge && !showStatusBadgeTopLeft && approvalStatus ? (
+            <Badge variant={getStatusBadgeVariant(approvalStatus).variant}>
+              {t(getStatusBadgeVariant(approvalStatus).labelKey)}
+            </Badge>
+          ) : null}
+        </div>
+      </div>
+
+      <div>
+        <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
+        <div className="flex">
+          <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+            {client.clientId}
+          </code>
+          <Tooltip side="top" content={t("copy_to_clipboard")}>
+            <Button
+              onClick={() => {
+                copyToClipboard(client.clientId, {
+                  onSuccess: () => showToast(t("client_id_copied"), "success"),
+                  onFailure: () => showToast(t("error"), "error"),
+                });
+              }}
+              type="button"
+              size="sm"
+              className="rounded-l-none"
+              StartIcon="clipboard">
+              {t("copy")}
+            </Button>
+          </Tooltip>
+        </div>
+      </div>
+
+      {client.clientSecret ? (
+        <div>
+          <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
+          <div className="flex">
+            <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+              {client.clientSecret}
+            </code>
+            <Tooltip side="top" content={t("copy_to_clipboard")}>
+              <Button
+                onClick={() => {
+                  copyToClipboard(client.clientSecret ?? "", {
+                    onSuccess: () => showToast(t("client_secret_copied"), "success"),
+                    onFailure: () => showToast(t("error"), "error"),
+                  });
+                }}
+                type="button"
+                size="sm"
+                className="rounded-l-none"
+                StartIcon="clipboard">
+                {t("copy")}
+              </Button>
+            </Tooltip>
+          </div>
+          <Alert severity="warning" message={t(clientSecretInfoKey)} className="mt-3" />
+        </div>
+      ) : null}
+
+      {showStatusNote && approvalStatus === "APPROVED" ? (
+        <p className="text-subtle text-sm">{t("oauth_client_approved_note")}</p>
+      ) : null}
+
+      {showStatusNote && approvalStatus === "PENDING" ? (
+        <p className="text-subtle text-sm">{t("oauth_client_pending_approval")}</p>
+      ) : null}
+
+      {showStatusNote && approvalStatus === "REJECTED" ? (
+        <div className="space-y-2">
+          <p className="text-error text-sm">{t("oauth_client_rejected")}</p>
+          {client.rejectionReason ? (
+            <p className="text-subtle text-sm">
+              <span className="font-medium">{t("oauth_client_rejection_reason")}:</span> {client.rejectionReason}
+            </p>
+          ) : null}
+        </div>
+      ) : null}
+    </div>
+  );
+};
+
+export const OAuthClientDetailsDialog = ({
+  open,
+  onOpenChange,
+  client,
+  onApprove,
+  onReject,
+  onUpdate,
+  onDelete,
+  isStatusChangePending,
+  isUpdatePending,
+  isDeletePending,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  client: OAuthClientDetails | null;
+  onApprove?: (clientId: string) => void;
+  onReject?: (input: { clientId: string; rejectionReason: string }) => void;
+  onUpdate?: (input: {
+    clientId: string;
+    name: string;
+    purpose: string;
+    redirectUri: string;
+    websiteUrl: string;
+    logo: string;
+  }) => void;
+  onDelete?: (clientId: string) => void;
+  isStatusChangePending?: boolean;
+  isUpdatePending?: boolean;
+  isDeletePending?: boolean;
+}) => {
+  const { t } = useLocale();
+  const { copyToClipboard } = useCopy();
+
+  const [logo, setLogo] = useState("");
+  const [isDeleteConfirmOpen, setIsDeleteConfirmOpen] = useState(false);
+  const [isRejectConfirmOpen, setIsRejectConfirmOpen] = useState(false);
+  const [rejectionReason, setRejectionReason] = useState("");
+  const [showRejectionReasonError, setShowRejectionReasonError] = useState(false);
+  const form = useForm<OAuthClientCreateFormValues>({
+    defaultValues: {
+      name: "",
+      purpose: "",
+      redirectUri: "",
+      websiteUrl: "",
+      logo: "",
+      enablePkce: false,
+    },
+  });
+
+  useEffect(() => {
+    if (open) return;
+    setIsDeleteConfirmOpen(false);
+    setIsRejectConfirmOpen(false);
+    setRejectionReason("");
+    setShowRejectionReasonError(false);
+  }, [open]);
+
+  useEffect(() => {
+    if (!client) return;
+
+    const enablePkce =
+      client.isPkceEnabled ?? (client.clientType ? client.clientType.toUpperCase() === "PUBLIC" : false);
+    const nextLogo = client.logo ?? "";
+
+    setLogo(nextLogo);
+    form.reset({
+      name: client.name ?? "",
+      purpose: client.purpose ?? "",
+      redirectUri: client.redirectUri ?? "",
+      websiteUrl: client.websiteUrl ?? "",
+      logo: nextLogo,
+      enablePkce,
+    });
+  }, [client, form]);
+
+  const approvalStatus = client?.approvalStatus;
+
+  const showAdminActions = Boolean(onApprove) || Boolean(onReject);
+  const isFormDisabled = showAdminActions;
+  const canEdit = Boolean(onUpdate) && !isFormDisabled;
+  const canDelete = Boolean(onDelete) && !showAdminActions;
+
+  const showApprove = Boolean(onApprove) && (approvalStatus === "PENDING" || approvalStatus === "REJECTED");
+  const showReject = Boolean(onReject) && (approvalStatus === "PENDING" || approvalStatus === "APPROVED");
+
+  const handleConfirmReject = () => {
+    if (!client) return;
+
+    const trimmedReason = rejectionReason.trim();
+    if (trimmedReason.length === 0) {
+      setShowRejectionReasonError(true);
+      return;
+    }
+
+    onReject?.({ clientId: client.clientId, rejectionReason: trimmedReason });
+    setIsRejectConfirmOpen(false);
+    setRejectionReason("");
+    setShowRejectionReasonError(false);
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent enableOverflow type="creation"> 
+        {client ? (
+          <form
+            className="space-y-4"
+            onSubmit={form.handleSubmit((values) => {
+              if (!canEdit) return;
+              onUpdate?.({
+                clientId: client.clientId,
+                name: values.name.trim() || "",
+                purpose: values.purpose.trim() || "",
+                redirectUri: values.redirectUri.trim() || "",
+                websiteUrl: values.websiteUrl.trim() || "",
+                logo: values.logo,
+              });
+            })}>
+            {approvalStatus ? (
+              <div className="flex items-center justify-start">
+                <Badge variant={getStatusBadgeVariant(approvalStatus).variant}>
+                  {t(getStatusBadgeVariant(approvalStatus).labelKey)}
+                </Badge>
+              </div>
+            ) : null}
+
+            {approvalStatus === "REJECTED" && client.rejectionReason ? (
+              <div className="text-subtle text-sm">
+                <span className="font-medium">{t("oauth_client_rejection_reason")}:</span> {client.rejectionReason}
+              </div>
+            ) : null}
+
+            <div>
+              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
+              <div className="flex">
+                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                  {client.clientId}
+                </code>
+                <Tooltip side="top" content={t("copy_to_clipboard")}> 
+                  <Button
+                    onClick={() => {
+                      copyToClipboard(client.clientId, {
+                        onSuccess: () => showToast(t("client_id_copied"), "success"),
+                        onFailure: () => showToast(t("error"), "error"),
+                      });
+                    }}
+                    type="button"
+                    size="sm"
+                    className="rounded-l-none"
+                    StartIcon="clipboard">
+                    {t("copy")}
+                  </Button>
+                </Tooltip>
+              </div>
+            </div>
+
+            <OAuthClientFormFields
+              form={form}
+              logo={logo}
+              setLogo={setLogo}
+              isFormDisabled={isFormDisabled}
+              isPkceLocked
+              showLogoActions={!showAdminActions}
+              logoFooter={
+                canDelete ? (
+                  <>
+                    <Button
+                      type="button"
+                      color="destructive"
+                      StartIcon="trash"
+                      loading={isDeletePending}
+                      className="w-auto"
+                      onClick={() => setIsDeleteConfirmOpen(true)}>
+                      {t("delete_oauth_client")}
+                    </Button>
+                    <Dialog open={isDeleteConfirmOpen} onOpenChange={setIsDeleteConfirmOpen}>
+                      <ConfirmationDialogContent
+                        variety="danger"
+                        title={t("delete_oauth_client")}
+                        confirmBtnText={t("delete")}
+                        cancelBtnText={t("cancel")}
+                        isPending={isDeletePending}
+                        loadingText={t("deleting")}
+                        onConfirm={() => {
+                          if (!client) return;
+                          onDelete?.(client.clientId);
+                        }}>
+                        <p className="mb-4">{t("confirm_delete_oauth_client")}</p>
+                      </ConfirmationDialogContent>
+                    </Dialog>
+                  </>
+                ) : null
+              }
+            />
+
+            <DialogFooter className="mt-6">
+              {showAdminActions ? (
+                <div className="flex w-full items-center justify-end gap-2">
+                  <DialogClose color="minimal">{t("close")}</DialogClose>
+                  {showReject ? (
+                    <Button
+                      type="button"
+                      color="primary"
+                      StartIcon="x"
+                      loading={isStatusChangePending}
+                      className="not-disabled:hover:!bg-error not-disabled:hover:!text-white not-disabled:hover:!border-semantic-error"
+                      onClick={() => {
+                        setIsRejectConfirmOpen(true);
+                        setRejectionReason("");
+                        setShowRejectionReasonError(false);
+                      }}>
+                      {t("reject")}
+                    </Button>
+                  ) : null}
+                  {showApprove ? (
+                    <Button
+                      type="button"
+                      color="primary"
+                      StartIcon="check"
+                      loading={isStatusChangePending}
+                      className="not-disabled:hover:!bg-cal-success not-disabled:hover:!text-white not-disabled:hover:!border-cal-success"
+                      onClick={() => onApprove?.(client.clientId)}>
+                      {t("approve")}
+                    </Button>
+                  ) : null}
+                </div>
+              ) : canEdit ? (
+                <div className="flex w-full items-center justify-end gap-2">
+                  <DialogClose color="minimal">{t("close")}</DialogClose>
+                  <Button type="submit" loading={isUpdatePending}>
+                    {t("save")}
+                  </Button>
+                </div>
+              ) : (
+                <div className="flex w-full items-center justify-end">
+                  <DialogClose color="minimal">{t("close")}</DialogClose>
+                </div>
+              )}
+            </DialogFooter>
+
+            <Dialog open={isRejectConfirmOpen} onOpenChange={setIsRejectConfirmOpen}>
+              <ConfirmationDialogContent
+                variety="danger"
+                title={t("reject_oauth_client")}
+                cancelBtnText={t("cancel")}
+                confirmBtn={
+                  <Button
+                    type="button"
+                    color="primary"
+                    StartIcon="x"
+                    loading={isStatusChangePending}
+                    className="not-disabled:hover:!bg-error not-disabled:hover:!text-white not-disabled:hover:!border-semantic-error"
+                    onClick={handleConfirmReject}>
+                    {t("reject")}
+                  </Button>
+                }>
+                <div className="mt-4 space-y-2">
+                  <Label htmlFor="oauth-rejection-reason">{t("reason_for_rejection")}</Label>
+                  <TextArea
+                    id="oauth-rejection-reason"
+                    value={rejectionReason}
+                    onChange={(e) => {
+                      setRejectionReason(e.target.value);
+                      if (showRejectionReasonError && e.target.value.trim().length > 0) {
+                        setShowRejectionReasonError(false);
+                      }
+                    }}
+                    className={showRejectionReasonError ? "border-error" : undefined}
+                  />
+                  {showRejectionReasonError ? (
+                    <p className="text-error text-sm">{t("is_required")}</p>
+                  ) : null}
+                </div>
+              </ConfirmationDialogContent>
+            </Dialog>
+          </form>
+        ) : null}
+      </DialogContent>
+    </Dialog>
+  );
+};
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
new file mode 100644
index 00000000000000..f9a7ebfb3d7b2e
--- /dev/null
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -0,0 +1,165 @@
+"use client";
+
+import { useMemo } from "react";
+import type { ReactNode } from "react";
+import type { Dispatch, SetStateAction } from "react";
+import type { RegisterOptions, UseFormReturn } from "react-hook-form";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { Avatar } from "@calcom/ui/components/avatar";
+import { Label, Switch, TextArea, TextField } from "@calcom/ui/components/form";
+import { Icon } from "@calcom/ui/components/icon";
+import { ImageUploader } from "@calcom/ui/components/image-uploader";
+import { Tooltip } from "@calcom/ui/components/tooltip";
+
+import type { OAuthClientCreateFormValues } from "./OAuthClientCreateDialog";
+
+export const OAuthClientFormFields = ({
+  form,
+  logo,
+  setLogo,
+  logoFooter,
+  isFormDisabled,
+  isPkceLocked,
+  showLogoActions = true,
+}: {
+  form: UseFormReturn<OAuthClientCreateFormValues>;
+  logo: string;
+  setLogo: Dispatch<SetStateAction<string>>;
+  logoFooter?: ReactNode;
+  isFormDisabled?: boolean;
+  isPkceLocked?: boolean;
+  showLogoActions?: boolean;
+}) => {
+  const { t } = useLocale();
+
+  const redirectUriValidation: RegisterOptions<OAuthClientCreateFormValues, "redirectUri"> = useMemo(
+    () => ({
+      required: true,
+      validate: (value: string) => {
+        try {
+          new URL(value);
+          return true;
+        } catch {
+          return t("invalid_url");
+        }
+      },
+    }),
+    [t]
+  );
+
+  const websiteUrlValidation: RegisterOptions<OAuthClientCreateFormValues, "websiteUrl"> = useMemo(
+    () => ({
+      validate: (value: string) => {
+        if (!value) return true;
+        try {
+          new URL(value);
+          return true;
+        } catch {
+          return t("invalid_url");
+        }
+      },
+    }),
+    [t]
+  );
+
+  return (
+    <>
+      <TextField
+        {...form.register("name", { required: true })}
+        label={t("client_name")}
+        type="text"
+        id="name"
+        placeholder={t("client_name_placeholder")}
+        required
+        disabled={isFormDisabled}
+      />
+
+      <div>
+        <Label htmlFor="purpose" className="text-emphasis mb-2 flex items-center gap-1 text-sm font-medium">
+          {t("purpose")}
+          <Tooltip content={t("purpose_tooltip")}>
+            <span>
+              <Icon name="info" className="text-subtle h-4 w-4" />
+            </span>
+          </Tooltip>
+        </Label>
+        <TextArea
+          {...form.register("purpose", { required: true })}
+          id="purpose"
+          placeholder={t("purpose_placeholder")}
+          required
+          disabled={isFormDisabled}
+        />
+      </div>
+      <TextField
+        {...form.register("redirectUri", redirectUriValidation)}
+        label={t("redirect_uri")}
+        type="url"
+        id="redirectUri"
+        placeholder="https://example.com/callback"
+        required
+        disabled={isFormDisabled}
+      />
+
+      <TextField
+        {...form.register("websiteUrl", websiteUrlValidation)}
+        label={
+          <span className="flex items-center gap-1">
+            {t("website_url")}
+            <Tooltip content={t("website_url_tooltip")}>
+              <span>
+                <Icon name="info" className="text-subtle h-4 w-4" />
+              </span>
+            </Tooltip>
+          </span>
+        }
+        type="url"
+        id="websiteUrl"
+        placeholder="https://example.com"
+        disabled={isFormDisabled}
+      />
+
+      <div>
+        <Label className="text-emphasis mb-2 block text-sm font-medium">{t("authentication_mode")}</Label>
+        <div className="flex items-center space-x-3">
+          <Switch
+            checked={form.watch("enablePkce")}
+            onCheckedChange={(checked) => form.setValue("enablePkce", checked)}
+            disabled={isFormDisabled || isPkceLocked}
+          />
+          <span className="text-default text-sm">{t("use_pkce")}</span>
+        </div>
+      </div>
+
+      <div>
+        <Label className="text-emphasis mb-2 block text-sm font-medium">{t("logo")}</Label>
+        <div className="space-y-3">
+          <div className="flex items-center gap-4">
+            <Avatar
+              alt=""
+              fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
+              imageSrc={logo}
+              size="lg"
+            />
+            {showLogoActions ? (
+              <ImageUploader
+                target="avatar"
+                id="avatar-upload"
+                buttonMsg={t("upload_logo")}
+                handleAvatarChange={(newLogo: string) => {
+                  setLogo(newLogo);
+                  form.setValue("logo", newLogo);
+                }}
+                imageSrc={logo}
+                disabled={isFormDisabled}
+              />
+            ) : null}
+          </div>
+          {showLogoActions && logoFooter ? <div className="pt-2">{logoFooter}</div> : null}
+        </div>
+      </div>
+    </>
+  );
+};
diff --git a/apps/web/modules/settings/oauth/OAuthClientsList.tsx b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
new file mode 100644
index 00000000000000..89eef3e9398a7c
--- /dev/null
+++ b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
@@ -0,0 +1,71 @@
+"use client";
+
+import type { ReactNode } from "react";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { Avatar } from "@calcom/ui/components/avatar";
+import { Badge } from "@calcom/ui/components/badge";
+import { Icon } from "@calcom/ui/components/icon";
+
+import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+
+const getStatusBadge = (status: string, t: (key: string) => string): ReactNode => {
+  switch (status) {
+    case "APPROVED":
+      return <Badge variant="success">{t("approved")}</Badge>;
+    case "REJECTED":
+      return <Badge variant="red">{t("rejected")}</Badge>;
+    case "PENDING":
+    default:
+      return <Badge variant="orange">{t("pending")}</Badge>;
+  }
+};
+
+export const OAuthClientsList = ({
+  clients,
+  onSelectClient,
+  showStatus = true,
+}: {
+  clients: OAuthClientDetails[];
+  onSelectClient: (client: OAuthClientDetails) => void;
+  showStatus?: boolean;
+}) => {
+  const { t } = useLocale();
+
+  return (
+    <div className="border-subtle rounded-lg border">
+      {clients.map((client, index) => (
+        <div
+          key={client.clientId}
+          className={`hover:bg-subtle flex cursor-pointer items-center justify-between p-4 transition-colors ${
+            index !== clients.length - 1 ? "border-subtle border-b" : ""
+          }`}
+          onClick={() => onSelectClient(client)}
+          role="button"
+          tabIndex={0}
+          onKeyDown={(e) => {
+            if (e.key === "Enter" || e.key === " ") {
+              onSelectClient(client);
+            }
+          }}>
+          <div className="flex items-center gap-4">
+            <Avatar
+              alt={client.name}
+              imageSrc={client.logo || undefined}
+              fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
+              size="md"
+            />
+            <div>
+              <div className="text-emphasis font-medium">{client.name}</div>
+            </div>
+          </div>
+          <div className="flex items-center gap-4">
+            {showStatus && client.approvalStatus ? getStatusBadge(client.approvalStatus, t) : null}
+            <Icon name="chevron-right" className="text-subtle h-5 w-5" />
+          </div>
+        </div>
+      ))}
+    </div>
+  );
+};
diff --git a/packages/emails/oauth-email-service.ts b/packages/emails/oauth-email-service.ts
index f48d8f9730739d..9403e9d7ee0e6a 100644
--- a/packages/emails/oauth-email-service.ts
+++ b/packages/emails/oauth-email-service.ts
@@ -4,6 +4,8 @@ import type { OAuthClientNotification } from "./templates/admin-oauth-client-not
 import AdminOAuthClientNotification from "./templates/admin-oauth-client-notification";
 import type { OAuthClientApprovedNotification } from "./templates/oauth-client-approved-notification";
 import OAuthClientApprovedEmail from "./templates/oauth-client-approved-notification";
+import type { OAuthClientRejectedNotification } from "./templates/oauth-client-rejected-notification";
+import OAuthClientRejectedEmail from "./templates/oauth-client-rejected-notification";
 
 const sendEmail = (prepare: () => BaseEmail) => {
   return new Promise((resolve, reject) => {
@@ -23,3 +25,7 @@ export const sendAdminOAuthClientNotification = async (input: OAuthClientNotific
 export const sendOAuthClientApprovedNotification = async (input: OAuthClientApprovedNotification) => {
   await sendEmail(() => new OAuthClientApprovedEmail(input));
 };
+
+export const sendOAuthClientRejectedNotification = async (input: OAuthClientRejectedNotification) => {
+  await sendEmail(() => new OAuthClientRejectedEmail(input));
+};
diff --git a/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
index cb52fa8d27b2d7..06a5901cd7e984 100644
--- a/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
+++ b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
@@ -7,6 +7,7 @@ import { BaseEmailHtml, CallToAction } from "../components";
 type AdminOAuthClientNotification = {
   language: TFunction;
   clientName: string;
+  purpose: string;
   clientId: string;
   redirectUri: string;
   submitterEmail: string;
@@ -15,6 +16,7 @@ type AdminOAuthClientNotification = {
 
 export const AdminOAuthClientNotificationEmail = ({
   clientName,
+  purpose,
   clientId,
   redirectUri,
   submitterEmail,
@@ -71,6 +73,17 @@ export const AdminOAuthClientNotificationEmail = ({
             </td>
             <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{clientName}</td>
           </tr>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: "1px solid #e5e7eb",
+                fontWeight: 600,
+              }}>
+              {language("purpose")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{purpose}</td>
+          </tr>
           <tr style={{ lineHeight: "24px" }}>
             <td
               style={{
diff --git a/packages/emails/src/templates/OAuthClientRejectedNotificationEmail.tsx b/packages/emails/src/templates/OAuthClientRejectedNotificationEmail.tsx
new file mode 100644
index 00000000000000..c9eb745917f1b0
--- /dev/null
+++ b/packages/emails/src/templates/OAuthClientRejectedNotificationEmail.tsx
@@ -0,0 +1,101 @@
+import type { TFunction } from "i18next";
+
+import { APP_NAME, WEBAPP_URL } from "@calcom/lib/constants";
+
+import { BaseEmailHtml, CallToAction } from "../components";
+
+type OAuthClientRejectedNotification = {
+  language: TFunction;
+  userName: string | null;
+  clientName: string;
+  clientId: string;
+  rejectionReason: string;
+};
+
+export const OAuthClientRejectedNotificationEmail = ({
+  userName,
+  clientName,
+  clientId,
+  rejectionReason,
+  language,
+}: OAuthClientRejectedNotification) => {
+  return (
+    <BaseEmailHtml
+      subject={language("oauth_client_rejected_email_subject", { clientName, appName: APP_NAME })}
+      callToAction={
+        <CallToAction
+          label={language("oauth_client_rejected_email_cta")}
+          href={`${WEBAPP_URL}/settings/developer/oauth`}
+          endIconName="white-arrow-right"
+        />
+      }>
+      <p
+        style={{
+          fontWeight: 600,
+          fontSize: "24px",
+          lineHeight: "38px",
+        }}>
+        {language("oauth_client_rejected_email_title", { clientName })}
+      </p>
+      <p style={{ fontWeight: 400 }}>{language("hi_user", { name: userName || language("there") })}!</p>
+      <p style={{ fontWeight: 400, lineHeight: "24px" }}>{language("oauth_client_rejected_email_body")}</p>
+      <table
+        role="presentation"
+        border={0}
+        cellSpacing="0"
+        cellPadding="0"
+        style={{
+          verticalAlign: "top",
+          marginTop: "10px",
+          borderRadius: "6px",
+          borderCollapse: "separate",
+          border: "solid #e5e7eb 1px",
+        }}
+        width="100%">
+        <tbody>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: "1px solid #e5e7eb",
+                fontWeight: 600,
+                width: "30%",
+              }}>
+              {language("client_name")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{clientName}</td>
+          </tr>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                borderBottom: "1px solid #e5e7eb",
+                fontWeight: 600,
+                width: "30%",
+              }}>
+              {language("client_id")}
+            </td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>
+              <code style={{ fontSize: "12px" }}>{clientId}</code>
+            </td>
+          </tr>
+          <tr style={{ lineHeight: "24px" }}>
+            <td
+              style={{
+                padding: "12px",
+                fontWeight: 600,
+              }}>
+              {language("oauth_client_rejected_email_reason_label")}
+            </td>
+            <td style={{ padding: "12px" }}>
+              <span style={{ whiteSpace: "pre-wrap" }}>{rejectionReason}</span>
+            </td>
+          </tr>
+        </tbody>
+      </table>
+      <p style={{ fontWeight: 400, lineHeight: "24px", marginTop: "20px" }}>
+        {language("oauth_client_rejected_email_footer")}
+      </p>
+    </BaseEmailHtml>
+  );
+};
diff --git a/packages/emails/src/templates/index.ts b/packages/emails/src/templates/index.ts
index 2548834c25f442..7989abe6bd4d8b 100644
--- a/packages/emails/src/templates/index.ts
+++ b/packages/emails/src/templates/index.ts
@@ -39,6 +39,7 @@ export { MonthlyDigestEmail } from "./MonthlyDigestEmail";
 export { AdminOrganizationNotificationEmail } from "./AdminOrganizationNotificationEmail";
 export { AdminOAuthClientNotificationEmail } from "./AdminOAuthClientNotificationEmail";
 export { OAuthClientApprovedNotificationEmail } from "./OAuthClientApprovedNotificationEmail";
+export { OAuthClientRejectedNotificationEmail } from "./OAuthClientRejectedNotificationEmail";
 export { BookingRedirectEmailNotification } from "./BookingRedirectEmailNotification";
 export { VerifyEmailChangeEmail } from "./VerifyEmailChangeEmail";
 export { OrganizationCreationEmail } from "./OrganizationCreationEmail";
diff --git a/packages/emails/templates/admin-oauth-client-notification.ts b/packages/emails/templates/admin-oauth-client-notification.ts
index d92a54d6faf6a3..722992bc9750db 100644
--- a/packages/emails/templates/admin-oauth-client-notification.ts
+++ b/packages/emails/templates/admin-oauth-client-notification.ts
@@ -8,6 +8,7 @@ import BaseEmail from "./_base-email";
 export type OAuthClientNotification = {
   t: TFunction;
   clientName: string;
+  purpose: string;
   clientId: string;
   redirectUri: string;
   submitterEmail: string;
@@ -30,6 +31,7 @@ export default class AdminOAuthClientNotification extends BaseEmail {
       subject: `${this.input.t("admin_oauth_notification_email_subject", { clientName: this.input.clientName })}`,
       html: await renderEmail("AdminOAuthClientNotificationEmail", {
         clientName: this.input.clientName,
+        purpose: this.input.purpose,
         clientId: this.input.clientId,
         redirectUri: this.input.redirectUri,
         submitterEmail: this.input.submitterEmail,
diff --git a/packages/emails/templates/oauth-client-rejected-notification.ts b/packages/emails/templates/oauth-client-rejected-notification.ts
new file mode 100644
index 00000000000000..3f5c07b3cfdad3
--- /dev/null
+++ b/packages/emails/templates/oauth-client-rejected-notification.ts
@@ -0,0 +1,49 @@
+import type { TFunction } from "i18next";
+
+import { EMAIL_FROM_NAME } from "@calcom/lib/constants";
+
+import renderEmail from "../src/renderEmail";
+import BaseEmail from "./_base-email";
+
+export type OAuthClientRejectedNotification = {
+  t: TFunction;
+  userEmail: string;
+  userName: string | null;
+  clientName: string;
+  clientId: string;
+  rejectionReason: string;
+};
+
+export default class OAuthClientRejectedEmail extends BaseEmail {
+  input: OAuthClientRejectedNotification;
+
+  constructor(input: OAuthClientRejectedNotification) {
+    super();
+    this.name = "SEND_OAUTH_CLIENT_REJECTED_NOTIFICATION";
+    this.input = input;
+  }
+
+  protected async getNodeMailerPayload(): Promise<Record<string, unknown>> {
+    return {
+      from: `${EMAIL_FROM_NAME} <${this.getMailerOptions().from}>`,
+      to: this.input.userEmail,
+      subject: `${this.input.t("oauth_client_rejected_email_subject", { clientName: this.input.clientName })}`,
+      html: await renderEmail("OAuthClientRejectedNotificationEmail", {
+        userName: this.input.userName,
+        clientName: this.input.clientName,
+        clientId: this.input.clientId,
+        rejectionReason: this.input.rejectionReason,
+        language: this.input.t,
+      }),
+      text: this.getTextBody(),
+    };
+  }
+
+  protected getTextBody(): string {
+    return `${this.input.t("oauth_client_rejected_email_title", { clientName: this.input.clientName })}
+    ${this.input.t("oauth_client_rejected_email_body")}
+
+    ${this.input.t("oauth_client_rejected_email_reason_label")}
+    ${this.input.rejectionReason}`.trim();
+  }
+}
diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index 76ffeaca2d5276..e768dba9050f6c 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -16,10 +16,12 @@ export class OAuthClientRepository {
         redirectUri: true,
         clientType: true,
         name: true,
+        purpose: true,
         logo: true,
         clientId: true,
         isTrusted: true,
         websiteUrl: true,
+        rejectionReason: true,
         approvalStatus: true,
         userId: true,
         createdAt: true,
@@ -42,7 +44,19 @@ export class OAuthClientRepository {
   async findByClientIdIncludeUser(clientId: string) {
     return this.prisma.oAuthClient.findUnique({
       where: { clientId },
-      include: {
+      select: {
+        clientId: true,
+        redirectUri: true,
+        clientType: true,
+        name: true,
+        purpose: true,
+        logo: true,
+        websiteUrl: true,
+        rejectionReason: true,
+        isTrusted: true,
+        approvalStatus: true,
+        userId: true,
+        createdAt: true,
         user: {
           select: {
             id: true,
@@ -61,8 +75,10 @@ export class OAuthClientRepository {
         clientId: true,
         redirectUri: true,
         name: true,
+        purpose: true,
         logo: true,
         websiteUrl: true,
+        rejectionReason: true,
         clientType: true,
         approvalStatus: true,
         userId: true,
@@ -81,7 +97,18 @@ export class OAuthClientRepository {
 
   async findAll() {
     return this.prisma.oAuthClient.findMany({
-      include: {
+      select: {
+        clientId: true,
+        redirectUri: true,
+        name: true,
+        purpose: true,
+        logo: true,
+        websiteUrl: true,
+        rejectionReason: true,
+        clientType: true,
+        approvalStatus: true,
+        userId: true,
+        createdAt: true,
         user: {
           select: {
             id: true,
@@ -97,7 +124,18 @@ export class OAuthClientRepository {
   async findByStatus(approvalStatus: OAuthClientApprovalStatus) {
     return this.prisma.oAuthClient.findMany({
       where: { approvalStatus },
-      include: {
+      select: {
+        clientId: true,
+        redirectUri: true,
+        name: true,
+        purpose: true,
+        logo: true,
+        websiteUrl: true,
+        rejectionReason: true,
+        clientType: true,
+        approvalStatus: true,
+        userId: true,
+        createdAt: true,
         user: {
           select: {
             id: true,
@@ -112,6 +150,7 @@ export class OAuthClientRepository {
 
   async create(data: {
     name: string;
+    purpose: string;
     redirectUri: string;
     logo?: string;
     websiteUrl?: string;
@@ -119,7 +158,7 @@ export class OAuthClientRepository {
     userId?: number;
     approvalStatus: OAuthClientApprovalStatus;
   }) {
-    const { name, redirectUri, logo, websiteUrl, enablePkce, userId, approvalStatus } = data;
+    const { name, purpose, redirectUri, logo, websiteUrl, enablePkce, userId, approvalStatus } = data;
 
     const clientId = randomBytes(32).toString("hex");
 
@@ -134,6 +173,7 @@ export class OAuthClientRepository {
     const client = await this.prisma.oAuthClient.create({
       data: {
         name,
+        purpose,
         redirectUri,
         clientId,
         clientType: enablePkce ? "PUBLIC" : "CONFIDENTIAL",
@@ -152,6 +192,7 @@ export class OAuthClientRepository {
     return {
       clientId: client.clientId,
       name: client.name,
+      purpose: client.purpose,
       redirectUri: client.redirectUri,
       logo: client.logo,
       clientType: client.clientType,
@@ -172,6 +213,7 @@ export class OAuthClientRepository {
     clientId: string,
     data: {
       name?: string;
+      purpose?: string;
       redirectUri?: string;
       logo?: string;
       websiteUrl?: string;
diff --git a/packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql b/packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql
new file mode 100644
index 00000000000000..3b931e8bb1a39b
--- /dev/null
+++ b/packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."OAuthClient" ADD COLUMN     "purpose" TEXT NOT NULL DEFAULT '';
diff --git a/packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql b/packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql
new file mode 100644
index 00000000000000..a33909b9679146
--- /dev/null
+++ b/packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."OAuthClient" ADD COLUMN     "rejectionReason" TEXT;
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 8d730a85076305..7982d8e4525874 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1773,19 +1773,21 @@ enum OAuthClientApprovalStatus {
 }
 
 model OAuthClient {
-  clientId       String                    @id @unique
-  redirectUri    String
-  clientSecret   String?
-  clientType     OAuthClientType           @default(CONFIDENTIAL)
-  name           String
-  logo           String?
-  websiteUrl     String?
-  isTrusted      Boolean                   @default(false)
-  accessCodes    AccessCode[]
-  approvalStatus OAuthClientApprovalStatus @default(APPROVED)
-  userId         Int?
-  user           User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
-  createdAt      DateTime                  @default(now())
+  clientId        String                    @id @unique
+  redirectUri     String
+  clientSecret    String?
+  clientType      OAuthClientType           @default(CONFIDENTIAL)
+  name            String
+  purpose         String                    @default("")
+  logo            String?
+  websiteUrl      String?
+  rejectionReason String?
+  isTrusted       Boolean                   @default(false)
+  accessCodes     AccessCode[]
+  approvalStatus  OAuthClientApprovalStatus @default(APPROVED)
+  userId          Int?
+  user            User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
+  createdAt       DateTime                  @default(now())
 
   @@index([userId])
 }
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index 9db52c0ffd6205..399e90dc8da7a8 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -6,7 +6,8 @@ import { ZGenerateAuthCodeInputSchema } from "./generateAuthCode.schema";
 import { ZGetClientInputSchema } from "./getClient.schema";
 import { ZListClientsInputSchema } from "./listClients.schema";
 import { ZSubmitClientInputSchema, ZSubmitClientOutputSchema } from "./submitClient.schema";
-import { ZUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
+import { ZUpdateClientInputSchema, ZUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
+import { ZDeleteClientInputSchema } from "./deleteClient.schema";
 
 type _OAuthRouterHandlerCache = {
   getClient?: typeof import("./getClient.handler").getClientHandler;
@@ -15,7 +16,9 @@ type _OAuthRouterHandlerCache = {
   submitClient?: typeof import("./submitClient.handler").submitClientHandler;
   listClients?: typeof import("./listClients.handler").listClientsHandler;
   listUserClients?: typeof import("./listUserClients.handler").listUserClientsHandler;
+  updateClient?: typeof import("./updateClientStatus.handler").updateClientStatusHandler;
   updateClientStatus?: typeof import("./updateClientStatus.handler").updateClientStatusHandler;
+  deleteClient?: typeof import("./deleteClient.handler").deleteClientHandler;
 };
 
 export const oAuthRouter = router({
@@ -74,6 +77,15 @@ export const oAuthRouter = router({
     });
   }),
 
+  updateClient: authedProcedure.input(ZUpdateClientInputSchema).mutation(async ({ ctx, input }) => {
+    const { updateClientStatusHandler } = await import("./updateClientStatus.handler");
+
+    return updateClientStatusHandler({
+      ctx,
+      input,
+    });
+  }),
+
   updateClientStatus: authedAdminProcedure.input(ZUpdateClientStatusInputSchema).mutation(async ({ ctx, input }) => {
     const { updateClientStatusHandler } = await import("./updateClientStatus.handler");
 
@@ -82,4 +94,13 @@ export const oAuthRouter = router({
       input,
     });
   }),
+
+  deleteClient: authedProcedure.input(ZDeleteClientInputSchema).mutation(async ({ ctx, input }) => {
+    const { deleteClientHandler } = await import("./deleteClient.handler");
+
+    return deleteClientHandler({
+      ctx,
+      input,
+    });
+  }),
 });
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
index d3671b8276bec5..c2aa6fc6655b84 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
@@ -11,12 +11,13 @@ type AddClientOptions = {
 };
 
 export const addClientHandler = async ({ ctx, input }: AddClientOptions) => {
-  const { name, redirectUri, logo, websiteUrl, enablePkce } = input;
+  const { name, purpose, redirectUri, logo, websiteUrl, enablePkce } = input;
 
   const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
   const client = await oAuthClientRepository.create({
     name,
+    purpose,
     redirectUri,
     logo,
     websiteUrl,
@@ -27,6 +28,7 @@ export const addClientHandler = async ({ ctx, input }: AddClientOptions) => {
   return {
     clientId: client.clientId,
     name: client.name,
+    purpose: client.purpose,
     redirectUri: client.redirectUri,
     logo: client.logo,
     clientType: client.clientType,
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
index 46e58db78a685b..0b0fa9781479f8 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
@@ -2,6 +2,7 @@ import { z } from "zod";
 
 export type TAddClientInputSchemaInput = {
   name: string;
+  purpose: string;
   redirectUri: string;
   logo: string;
   websiteUrl?: string;
@@ -10,6 +11,7 @@ export type TAddClientInputSchemaInput = {
 
 export type TAddClientInputSchema = {
   name: string;
+  purpose: string;
   redirectUri: string;
   logo: string;
   websiteUrl?: string;
@@ -18,6 +20,7 @@ export type TAddClientInputSchema = {
 
 export const ZAddClientInputSchema: z.ZodType<TAddClientInputSchema, z.ZodTypeDef, TAddClientInputSchemaInput> = z.object({
   name: z.string(),
+  purpose: z.string().min(1),
   redirectUri: z.string(),
   logo: z.string(),
   websiteUrl: z.string().url().optional(),
diff --git a/packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts
new file mode 100644
index 00000000000000..01b865b3293d6d
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts
@@ -0,0 +1,37 @@
+import { TRPCError } from "@trpc/server";
+
+import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
+import type { PrismaClient } from "@calcom/prisma";
+
+import type { TDeleteClientInputSchema } from "./deleteClient.schema";
+
+type DeleteClientOptions = {
+  ctx: {
+    user: {
+      id: number;
+    };
+    prisma: PrismaClient;
+  };
+  input: TDeleteClientInputSchema;
+};
+
+export const deleteClientHandler = async ({ ctx, input }: DeleteClientOptions) => {
+  const { clientId } = input;
+
+  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
+
+  const existingClient = await oAuthClientRepository.findByClientId(clientId);
+  if (!existingClient) {
+    throw new TRPCError({ code: "NOT_FOUND", message: "OAuth Client not found" });
+  }
+
+  const isOwner = existingClient.userId != null && existingClient.userId === ctx.user.id;
+
+  if (!isOwner) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "You do not have permission to delete this OAuth client" });
+  }
+
+  await oAuthClientRepository.delete(clientId);
+
+  return { clientId };
+};
diff --git a/packages/trpc/server/routers/viewer/oAuth/deleteClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/deleteClient.schema.ts
new file mode 100644
index 00000000000000..993f25cf016caa
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/deleteClient.schema.ts
@@ -0,0 +1,7 @@
+import { z } from "zod";
+
+export const ZDeleteClientInputSchema = z.object({
+  clientId: z.string().min(1),
+});
+
+export type TDeleteClientInputSchema = z.infer<typeof ZDeleteClientInputSchema>;
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
index 5d03429438a302..28c725084d2186 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
@@ -19,13 +19,14 @@ type SubmitClientOptions = {
 };
 
 export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) => {
-  const { name, redirectUri, logo, websiteUrl, enablePkce } = input;
+  const { name, purpose, redirectUri, logo, websiteUrl, enablePkce } = input;
   const userId = ctx.user.id;
 
   const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
   const client = await oAuthClientRepository.create({
     name,
+    purpose,
     redirectUri,
     logo,
     websiteUrl,
@@ -39,6 +40,7 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
   await sendAdminOAuthClientNotification({
     t,
     clientName: client.name,
+    purpose: client.purpose,
     clientId: client.clientId,
     redirectUri: client.redirectUri,
     submitterEmail: ctx.user.email,
@@ -48,6 +50,7 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
   return {
     clientId: client.clientId,
     name: client.name,
+    purpose: client.purpose,
     clientSecret: client.clientSecret,
     redirectUri: client.redirectUri,
     logo: client.logo,
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
index 0f270b06029d07..7b2de5213e97fc 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
@@ -2,6 +2,7 @@ import { z } from "zod";
 
 export const ZSubmitClientInputSchema = z.object({
   name: z.string().min(1, "Client name is required"),
+  purpose: z.string().min(1, "Purpose is required"),
   redirectUri: z.string().url("Must be a valid URL"),
   logo: z.preprocess(
     (value) => (typeof value === "string" && value.trim() === "" ? undefined : value),
@@ -17,6 +18,7 @@ export const ZSubmitClientInputSchema = z.object({
 export const ZSubmitClientOutputSchema = z.object({
   clientId: z.string(),
   name: z.string(),
+  purpose: z.string(),
   clientSecret: z.string().optional(),
   redirectUri: z.string(),
   logo: z.string().nullable(),
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index ed3dd5901179ba..513fb47c8070b8 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -1,13 +1,13 @@
 import { TRPCError } from "@trpc/server";
 
-import { sendOAuthClientApprovedNotification } from "@calcom/emails/oauth-email-service";
+import { sendOAuthClientApprovedNotification, sendOAuthClientRejectedNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 import type { PrismaClient } from "@calcom/prisma";
 import { UserPermissionRole } from "@calcom/prisma/enums";
 import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
-import type { TUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
+import type { TUpdateClientInputSchema } from "./updateClientStatus.schema";
 
 type UpdateClientStatusOptions = {
   ctx: {
@@ -17,32 +17,110 @@ type UpdateClientStatusOptions = {
     };
     prisma: PrismaClient;
   };
-  input: TUpdateClientStatusInputSchema;
+  input: TUpdateClientInputSchema;
 };
 
 type UpdateClientStatusOutput = {
   clientId: string;
   name: string;
+  purpose: string;
   approvalStatus: OAuthClientApprovalStatus;
+  redirectUri: string;
+  websiteUrl: string | null;
+  logo: string | null;
+  rejectionReason: string | null;
 };
 
 export const updateClientStatusHandler = async ({
   ctx,
   input,
 }: UpdateClientStatusOptions): Promise<UpdateClientStatusOutput> => {
-  const { clientId, status } = input;
+  const { clientId, status, rejectionReason, name, purpose, redirectUri, websiteUrl, logo } = input;
 
-  // Defense-in-depth: Only instance admins can update OAuth client status
-  if (ctx.user.role !== UserPermissionRole.ADMIN) {
+  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
+
+  const existingClient = await oAuthClientRepository.findByClientId(clientId);
+  if (!existingClient) {
+    throw new TRPCError({ code: "NOT_FOUND", message: "OAuth Client not found" });
+  }
+
+  const isAdmin = ctx.user.role === UserPermissionRole.ADMIN;
+  const isOwner = existingClient.userId != null && existingClient.userId === ctx.user.id;
+
+  if (rejectionReason !== undefined && !isAdmin) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can set a rejection reason" });
+  }
+
+  if (status === "REJECTED" && (!rejectionReason || rejectionReason.trim().length === 0)) {
+    throw new TRPCError({ code: "BAD_REQUEST", message: "Rejection reason is required" });
+  }
+
+  const isUpdatingFields =
+    name !== undefined || purpose !== undefined || redirectUri !== undefined || websiteUrl !== undefined || logo !== undefined;
+  const isUpdatingStatus = status !== undefined;
+
+  if (isUpdatingStatus && !isAdmin) {
     throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can update OAuth client status" });
   }
 
-  const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
+  if (isUpdatingFields && !isAdmin && !isOwner) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "You do not have permission to update this OAuth client" });
+  }
+
+  const triggersReapprovalForOwnerEdit =
+    isOwner &&
+    ((name !== undefined && name !== existingClient.name) ||
+      (logo !== undefined && (logo ?? null) !== (existingClient.logo ?? null)) ||
+      (websiteUrl !== undefined && (websiteUrl ?? null) !== (existingClient.websiteUrl ?? null)));
+
+  const nextApprovalStatus: OAuthClientApprovalStatus =
+    status ?? (triggersReapprovalForOwnerEdit ? "PENDING" : existingClient.approvalStatus);
 
-  // Get client with user info before updating
-  const clientWithUser = await oAuthClientRepository.findByClientIdIncludeUser(clientId);
+  // Get client with user info before updating if we might need to send an email
+  const clientWithUser =
+    isAdmin && (status === "APPROVED" || status === "REJECTED")
+      ? await oAuthClientRepository.findByClientIdIncludeUser(clientId)
+      : null;
 
-  const updatedClient = await oAuthClientRepository.updateStatus(clientId, status);
+  const updateData: {
+    name?: string;
+    purpose?: string;
+    redirectUri?: string;
+    logo?: string | null;
+    websiteUrl?: string | null;
+    approvalStatus?: OAuthClientApprovalStatus;
+    rejectionReason?: string | null;
+  } = {};
+
+  if (name !== undefined) updateData.name = name;
+  if (purpose !== undefined) updateData.purpose = purpose;
+  if (redirectUri !== undefined) updateData.redirectUri = redirectUri;
+  if (logo !== undefined) updateData.logo = logo;
+  if (websiteUrl !== undefined) updateData.websiteUrl = websiteUrl;
+  if (nextApprovalStatus !== existingClient.approvalStatus) updateData.approvalStatus = nextApprovalStatus;
+
+  if (status === "REJECTED") {
+    updateData.rejectionReason = rejectionReason?.trim() ?? null;
+  } else if (status !== undefined) {
+    updateData.rejectionReason = null;
+  } else if (nextApprovalStatus !== existingClient.approvalStatus && nextApprovalStatus !== "REJECTED") {
+    updateData.rejectionReason = null;
+  }
+
+  const updatedClient = await ctx.prisma.oAuthClient.update({
+    where: { clientId },
+    data: updateData,
+    select: {
+      clientId: true,
+      name: true,
+      purpose: true,
+      approvalStatus: true,
+      redirectUri: true,
+      websiteUrl: true,
+      logo: true,
+      rejectionReason: true,
+    },
+  });
 
   // Send approval notification email to user if approved
   if (status === "APPROVED" && clientWithUser?.user) {
@@ -57,9 +135,27 @@ export const updateClientStatusHandler = async ({
     });
   }
 
+  if (status === "REJECTED" && clientWithUser?.user) {
+    const t = await getTranslation("en", "common");
+
+    await sendOAuthClientRejectedNotification({
+      t,
+      userEmail: clientWithUser.user.email,
+      userName: clientWithUser.user.name,
+      clientName: updatedClient.name,
+      clientId: updatedClient.clientId,
+      rejectionReason: rejectionReason?.trim() ?? "",
+    });
+  }
+
   return {
     clientId: updatedClient.clientId,
     name: updatedClient.name,
+    purpose: updatedClient.purpose,
     approvalStatus: updatedClient.approvalStatus,
+    redirectUri: updatedClient.redirectUri,
+    websiteUrl: updatedClient.websiteUrl,
+    logo: updatedClient.logo,
+    rejectionReason: updatedClient.rejectionReason,
   };
 };
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts
index 7b134a54ff95df..16a6c2f98e2dd5 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts
@@ -2,9 +2,37 @@ import { z } from "zod";
 
 import { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
+export const ZUpdateClientInputSchema = z.object({
+  clientId: z.string(),
+  status: z.nativeEnum(OAuthClientApprovalStatus).optional(),
+  rejectionReason: z.string().min(1).optional(),
+  name: z.string().min(1).optional(),
+  purpose: z.string().min(1).optional(),
+  redirectUri: z.string().url().optional(),
+  logo: z.preprocess(
+    (value) => (typeof value === "string" && value.trim() === "" ? null : value),
+    z.string().nullable().optional()
+  ),
+  websiteUrl: z.preprocess(
+    (value) => (typeof value === "string" && value.trim() === "" ? null : value),
+    z.string().url().nullable().optional()
+  ),
+});
+
+export type TUpdateClientInputSchema = z.infer<typeof ZUpdateClientInputSchema>;
+
 export const ZUpdateClientStatusInputSchema = z.object({
   clientId: z.string(),
   status: z.nativeEnum(OAuthClientApprovalStatus),
+  rejectionReason: z.string().min(1).optional(),
+}).superRefine((val, ctx) => {
+  if (val.status === OAuthClientApprovalStatus.REJECTED && !val.rejectionReason) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      path: ["rejectionReason"],
+      message: "Rejection reason is required",
+    });
+  }
 });
 
 export type TUpdateClientStatusInputSchema = z.infer<typeof ZUpdateClientStatusInputSchema>;

From 74b81741016051024a015f786d549f67204a1b22 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Fri, 9 Jan 2026 16:09:48 +0000
Subject: [PATCH 31/72] fix: address Cubic AI code review feedback

- Add purpose field to plain text email body for accessibility
- Convert NewOAuthClientButton to inline JSX to avoid React anti-pattern
- Trigger re-approval when redirectUri changes for security
- Add e.preventDefault() for Space key to prevent page scroll
- Change default approvalStatus to PENDING for defense-in-depth
- Use oauth_clients translation key for consistency
- Add meaningful alt text to Avatar for accessibility
- Remove onClick from DialogClose to prevent double-run close effects
- Return NOT_FOUND for non-owner delete to prevent resource enumeration

Co-Authored-By: unknown <>
---
 .../(settings-layout)/SettingsLayoutAppDirClient.tsx      | 2 +-
 .../modules/settings/admin/oauth-clients-admin-view.tsx   | 8 +++-----
 .../modules/settings/oauth/OAuthClientCreateDialog.tsx    | 2 +-
 apps/web/modules/settings/oauth/OAuthClientFormFields.tsx | 2 +-
 apps/web/modules/settings/oauth/OAuthClientsList.tsx      | 1 +
 .../emails/templates/admin-oauth-client-notification.ts   | 3 ++-
 .../migration.sql                                         | 2 +-
 packages/prisma/schema.prisma                             | 2 +-
 .../server/routers/viewer/oAuth/deleteClient.handler.ts   | 2 +-
 .../routers/viewer/oAuth/updateClientStatus.handler.ts    | 3 ++-
 10 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
index 32145d08e0da0e..273ccf09fd6485 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
@@ -128,7 +128,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
           trackingMetadata: { section: "developer", page: "api_keys" },
         },
         {
-          name: "oAuth",
+          name: "oauth_clients",
           href: "/settings/developer/oauth",
           trackingMetadata: { section: "developer", page: "oauth_clients" }
         },
diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 7dd48012e2deeb..1174db109e73b6 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -125,7 +125,7 @@ export default function OAuthClientsAdminView() {
     clientType: client.clientType,
   });
 
-  const NewOAuthClientButton = () => (
+  const newOAuthClientButton = (
     <Button
       color="secondary"
       StartIcon="plus"
@@ -145,7 +145,7 @@ export default function OAuthClientsAdminView() {
     <SettingsHeader
       title={t("oauth_clients_admin")}
       description={t("oauth_clients_admin_description")}
-      CTA={<NewOAuthClientButton />}>
+      CTA={newOAuthClientButton}>
       {hasClients ? (
         <div className="space-y-10">
           <div className="space-y-3">
@@ -180,9 +180,7 @@ export default function OAuthClientsAdminView() {
           Icon="key"
           headline={t("no_oauth_clients")}
           description={t("no_oauth_clients_admin_description")}
-          buttonRaw={
-            <NewOAuthClientButton />
-          }
+          buttonRaw={newOAuthClientButton}
         />
       )}
 
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
index 660a1c1d3258a4..3f6c72649a7b95 100644
--- a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
@@ -120,7 +120,7 @@ export const OAuthClientCreateDialog = ({
             <OAuthClientFormFields form={form} logo={logo} setLogo={setLogo} />
 
             <DialogFooter>
-              <DialogClose onClick={handleClose}>{t("close")}</DialogClose>
+              <DialogClose>{t("close")}</DialogClose>
               <Button type="submit" loading={isSubmitting}>
                 {submitLabel}
               </Button>
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
index f9a7ebfb3d7b2e..87799b596969b7 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -138,7 +138,7 @@ export const OAuthClientFormFields = ({
         <div className="space-y-3">
           <div className="flex items-center gap-4">
             <Avatar
-              alt=""
+              alt={t("client_logo")}
               fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
               imageSrc={logo}
               size="lg"
diff --git a/apps/web/modules/settings/oauth/OAuthClientsList.tsx b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
index 89eef3e9398a7c..6d94b86effa89b 100644
--- a/apps/web/modules/settings/oauth/OAuthClientsList.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
@@ -46,6 +46,7 @@ export const OAuthClientsList = ({
           tabIndex={0}
           onKeyDown={(e) => {
             if (e.key === "Enter" || e.key === " ") {
+              e.preventDefault();
               onSelectClient(client);
             }
           }}>
diff --git a/packages/emails/templates/admin-oauth-client-notification.ts b/packages/emails/templates/admin-oauth-client-notification.ts
index 722992bc9750db..26b3ca6d3e7e9e 100644
--- a/packages/emails/templates/admin-oauth-client-notification.ts
+++ b/packages/emails/templates/admin-oauth-client-notification.ts
@@ -44,6 +44,7 @@ export default class AdminOAuthClientNotification extends BaseEmail {
 
   protected getTextBody(): string {
     return `${this.input.t("hi_admin")}, ${this.input.t("admin_oauth_notification_email_title", { clientName: this.input.clientName })}
-    ${this.input.t("admin_oauth_notification_email_body", { submitterEmail: this.input.submitterEmail })}`.trim();
+    ${this.input.t("admin_oauth_notification_email_body", { submitterEmail: this.input.submitterEmail })}
+    ${this.input.t("purpose")}: ${this.input.purpose}`.trim();
   }
 }
diff --git a/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql b/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
index 786fad214e712b..a36e65ff05f294 100644
--- a/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
+++ b/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
@@ -1,2 +1,2 @@
 -- AlterTable
-ALTER TABLE "public"."OAuthClient" ALTER COLUMN "approvalStatus" SET DEFAULT 'approved';
+ALTER TABLE "public"."OAuthClient" ALTER COLUMN "approvalStatus" SET DEFAULT 'pending';
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 7982d8e4525874..0f4546ae296099 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1784,7 +1784,7 @@ model OAuthClient {
   rejectionReason String?
   isTrusted       Boolean                   @default(false)
   accessCodes     AccessCode[]
-  approvalStatus  OAuthClientApprovalStatus @default(APPROVED)
+  approvalStatus  OAuthClientApprovalStatus @default(PENDING)
   userId          Int?
   user            User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
   createdAt       DateTime                  @default(now())
diff --git a/packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts
index 01b865b3293d6d..bfaec1bb45f154 100644
--- a/packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/deleteClient.handler.ts
@@ -28,7 +28,7 @@ export const deleteClientHandler = async ({ ctx, input }: DeleteClientOptions) =
   const isOwner = existingClient.userId != null && existingClient.userId === ctx.user.id;
 
   if (!isOwner) {
-    throw new TRPCError({ code: "FORBIDDEN", message: "You do not have permission to delete this OAuth client" });
+    throw new TRPCError({ code: "NOT_FOUND", message: "OAuth Client not found" });
   }
 
   await oAuthClientRepository.delete(clientId);
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
index 513fb47c8070b8..9f0567a4e7005f 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
@@ -71,7 +71,8 @@ export const updateClientStatusHandler = async ({
     isOwner &&
     ((name !== undefined && name !== existingClient.name) ||
       (logo !== undefined && (logo ?? null) !== (existingClient.logo ?? null)) ||
-      (websiteUrl !== undefined && (websiteUrl ?? null) !== (existingClient.websiteUrl ?? null)));
+      (websiteUrl !== undefined && (websiteUrl ?? null) !== (existingClient.websiteUrl ?? null)) ||
+      (redirectUri !== undefined && redirectUri !== existingClient.redirectUri));
 
   const nextApprovalStatus: OAuthClientApprovalStatus =
     status ?? (triggersReapprovalForOwnerEdit ? "PENDING" : existingClient.approvalStatus);

From f6b38520b507e6795ae1de1d410e4f2dd30159c4 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Mon, 12 Jan 2026 11:27:11 +0100
Subject: [PATCH 32/72] common.json file

---
 apps/web/public/static/locales/en/common.json | 28 +++++++++++++++----
 1 file changed, 22 insertions(+), 6 deletions(-)

diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index e0f338275e3e7e..adc2a130a20ccd 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -305,7 +305,6 @@
   "required": "Required",
   "optional": "Optional",
   "input_type": "Input type",
-  "rejected": "Rejected",
   "unconfirmed": "Unconfirmed",
   "guests": "Guests",
   "guest": "Guest",
@@ -622,7 +621,6 @@
   "no_event_types_have_been_setup": "This user hasn't set up any event types yet.",
   "edit_logo": "Edit logo",
   "upload_a_logo": "Upload a logo",
-  "upload_logo": "Upload logo",
   "remove_logo": "Remove logo",
   "enable": "Enable",
   "code": "Code",
@@ -1016,12 +1014,14 @@
   "create_oauth_client": "Create OAuth Client",
   "create_oauth_client_description": "Create a new OAuth client for third-party integrations",
   "oauth_client_deletion_message": "OAuth client deleted successfully",
+  "delete_oauth_client": "Delete OAuth client",
+  "confirm_delete_oauth_client": "Are you sure you want to delete this OAuth client? This action cannot be undone.",
   "oauth_clients_admin": "OAuth Clients",
   "oauth_clients_admin_description": "Manage and approve OAuth client submissions",
   "new_oauth_client": "New OAuth Client",
-  "new_oauth_client_description": "Submit a new OAuth client for approval",
+  "new_oauth_client_description": "Submit a new OAuth client for approval.",
   "oauth_client_submitted": "OAuth Client Submitted",
-  "oauth_client_submitted_description": "Your OAuth client has been submitted for approval",
+  "oauth_client_submitted_description": "Your OAuth client has been submitted for approval. You will receive an email if it is approved or rejected.",
   "oauth_client_submit_error": "Failed to submit OAuth client",
   "oauth_client_created": "OAuth Client Created",
   "oauth_client_created_description": "Your OAuth client has been created successfully",
@@ -1040,19 +1040,24 @@
   "no_oauth_clients_description": "You haven't created any OAuth clients yet. Create one to get started.",
   "no_oauth_clients_admin_description": "No OAuth clients have been submitted yet.",
   "submit_for_approval": "Submit for Approval",
-  "client_name": "Client Name",
+  "client_name": "Name",
   "client_name_placeholder": "My OAuth App",
+  "purpose": "Purpose",
+  "purpose_placeholder": "Explain what this OAuth client is for and how it will be used",
+  "purpose_tooltip": "Please explain how and what this OAuth client will be used for. This helps us review and approve your request.",
   "redirect_uri": "Redirect URI",
   "website_url": "Website URL",
+  "website_url_tooltip": "For development, you can use a localhost URL (e.g. http://localhost:3000).",
   "authentication_mode": "Authentication Mode",
   "use_pkce": "Use PKCE (recommended for mobile/SPA applications)",
   "upload_logo": "Upload Logo",
   "client_id": "Client ID",
+  "client_secret": "Client Secret",
+  "oauth_client_client_secret_one_time_warning": "This client secret is shown only once. Copy it now — you won’t be able to view it again after closing this dialog.",
   "copy_client_id": "Copy Client ID",
   "client_id_copied": "Client ID copied to clipboard",
   "submitted_by": "Submitted By",
   "approve": "Approve",
-  "reject": "Reject",
   "approved": "Approved",
   "rejected": "Rejected",
   "pending": "Pending",
@@ -1070,6 +1075,15 @@
   "oauth_client_approved_email_cta": "View Your OAuth Clients",
   "oauth_client_approved_email_footer": "You can now use your client ID and secret to integrate with Cal.com.",
   "oauth_client_secret_one_time_warning": "Important: This client secret is shown only once. Store it securely now - you will not be able to view it again.",
+  "reason_for_rejection": "Reason for rejection",
+  "oauth_client_rejection_reason": "Rejection reason",
+  "reject_oauth_client": "Reject OAuth client",
+  "oauth_client_rejected_email_subject": "Your OAuth Client {{clientName}} Has Been Rejected",
+  "oauth_client_rejected_email_title": "OAuth Client Rejected: {{clientName}}",
+  "oauth_client_rejected_email_body": "Unfortunately, your OAuth client submission was rejected.",
+  "oauth_client_rejected_email_cta": "View Your OAuth Clients",
+  "oauth_client_rejected_email_footer": "You can update your OAuth client submission and resubmit it for review.",
+  "oauth_client_rejected_email_reason_label": "Reason for rejection",
   "create_new_team_description": "Create a new team to collaborate with users.",
   "create_new_team": "Create a new team",
   "booking_redirect_uri": "URL of your booking page",
@@ -1398,6 +1412,7 @@
   "success_api_key_created": "API key created successfully",
   "success_api_key_edited": "API key updated successfully",
   "create": "Create",
+  "create_oauth_client": "Create OAuth client",
   "success_api_key_created_bold_tagline": "Save this API key somewhere safe.",
   "you_will_only_view_it_once": "You will not be able to view it again once you close this modal.",
   "copy_to_clipboard": "Copy to clipboard",
@@ -1693,6 +1708,7 @@
   "organizer_name_variable": "Organizer name",
   "app_upgrade_description": "In order to use this feature, you need to upgrade to a Pro account.",
   "invalid_number": "Invalid phone number",
+  "invalid_url": "Invalid URL",
   "invalid_url_error_message": "Invalid URL for {{label}}. Sample URL: {{sampleUrl}}",
   "navigate": "Navigate",
   "open": "Open",

From daf04c45b36a5de2bd8bb6ca2464d371a98a55a9 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Mon, 12 Jan 2026 11:37:11 +0100
Subject: [PATCH 33/72] refactor: delete all prisma migrations

---
 .../migration.sql                                   | 13 -------------
 .../migration.sql                                   |  2 --
 .../migration.sql                                   |  2 --
 .../migration.sql                                   |  2 --
 .../migration.sql                                   |  2 --
 5 files changed, 21 deletions(-)
 delete mode 100644 packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
 delete mode 100644 packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql
 delete mode 100644 packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
 delete mode 100644 packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql
 delete mode 100644 packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql

diff --git a/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql b/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
deleted file mode 100644
index b651d75e888638..00000000000000
--- a/packages/prisma/migrations/20251202165107_add_oauth_client_approval_workflow/migration.sql
+++ /dev/null
@@ -1,13 +0,0 @@
--- CreateEnum
-CREATE TYPE "public"."OAuthClientApprovalStatus" AS ENUM ('pending', 'approved', 'rejected');
-
--- AlterTable
-ALTER TABLE "public"."OAuthClient" ADD COLUMN     "approvalStatus" "public"."OAuthClientApprovalStatus" NOT NULL DEFAULT 'pending',
-ADD COLUMN     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-ADD COLUMN     "userId" INTEGER;
-
--- AddForeignKey
-ALTER TABLE "public"."OAuthClient" ADD CONSTRAINT "OAuthClient_userId_fkey" FOREIGN KEY ("userId") REFERENCES "public"."users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
-
--- CreateIndex
-CREATE INDEX "OAuthClient_userId_idx" ON "public"."OAuthClient"("userId");
diff --git a/packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql b/packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql
deleted file mode 100644
index ea5298d8136772..00000000000000
--- a/packages/prisma/migrations/20251222143926_add_website_url_to_oauth_client/migration.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- AlterTable
-ALTER TABLE "public"."OAuthClient" ADD COLUMN     "websiteUrl" TEXT;
diff --git a/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql b/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
deleted file mode 100644
index a36e65ff05f294..00000000000000
--- a/packages/prisma/migrations/20260108133500_oauth_client_default_status_as_accepted/migration.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- AlterTable
-ALTER TABLE "public"."OAuthClient" ALTER COLUMN "approvalStatus" SET DEFAULT 'pending';
diff --git a/packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql b/packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql
deleted file mode 100644
index 3b931e8bb1a39b..00000000000000
--- a/packages/prisma/migrations/20260109123547_add_oauth_purpose_field/migration.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- AlterTable
-ALTER TABLE "public"."OAuthClient" ADD COLUMN     "purpose" TEXT NOT NULL DEFAULT '';
diff --git a/packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql b/packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql
deleted file mode 100644
index a33909b9679146..00000000000000
--- a/packages/prisma/migrations/20260109151814_add_rejection_reason_to_oauth/migration.sql
+++ /dev/null
@@ -1,2 +0,0 @@
--- AlterTable
-ALTER TABLE "public"."OAuthClient" ADD COLUMN     "rejectionReason" TEXT;

From 8ee1ee5166bdc16d1b47ca6a0be6b2a40d7bc1dc Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Mon, 12 Jan 2026 11:48:12 +0100
Subject: [PATCH 34/72] refactor: have just 1 prisma migration

---
 .../migration.sql                                | 16 ++++++++++++++++
 packages/prisma/schema.prisma                    |  2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 packages/prisma/migrations/20260112104713_new_oauth_client_properties/migration.sql

diff --git a/packages/prisma/migrations/20260112104713_new_oauth_client_properties/migration.sql b/packages/prisma/migrations/20260112104713_new_oauth_client_properties/migration.sql
new file mode 100644
index 00000000000000..3b711d4886c620
--- /dev/null
+++ b/packages/prisma/migrations/20260112104713_new_oauth_client_properties/migration.sql
@@ -0,0 +1,16 @@
+-- CreateEnum
+CREATE TYPE "public"."OAuthClientApprovalStatus" AS ENUM ('pending', 'approved', 'rejected');
+
+-- AlterTable
+ALTER TABLE "public"."OAuthClient" ADD COLUMN     "approvalStatus" "public"."OAuthClientApprovalStatus" NOT NULL DEFAULT 'approved',
+ADD COLUMN     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ADD COLUMN     "purpose" TEXT NOT NULL DEFAULT '',
+ADD COLUMN     "rejectionReason" TEXT,
+ADD COLUMN     "userId" INTEGER,
+ADD COLUMN     "websiteUrl" TEXT;
+
+-- CreateIndex
+CREATE INDEX "OAuthClient_userId_idx" ON "public"."OAuthClient"("userId");
+
+-- AddForeignKey
+ALTER TABLE "public"."OAuthClient" ADD CONSTRAINT "OAuthClient_userId_fkey" FOREIGN KEY ("userId") REFERENCES "public"."users"("id") ON DELETE SET NULL ON UPDATE CASCADE;
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 375f68ef1dfe72..d4497214c7fd29 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1784,7 +1784,7 @@ model OAuthClient {
   rejectionReason String?
   isTrusted       Boolean                   @default(false)
   accessCodes     AccessCode[]
-  approvalStatus  OAuthClientApprovalStatus @default(PENDING)
+  approvalStatus  OAuthClientApprovalStatus @default(APPROVED)
   userId          Int?
   user            User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
   createdAt       DateTime                  @default(now())

From f4cdd320145ee40669eff6de4f529b91c347a02c Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Mon, 12 Jan 2026 13:20:11 +0100
Subject: [PATCH 35/72] revert: some devin changes

---
 .../SettingsLayoutAppDirClient.tsx            | 19 +++++++++++--------
 .../settings/oauth/OAuthClientFormFields.tsx  |  2 +-
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
index de12125cc4c507..4827b99d9cc691 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
@@ -128,7 +128,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
           trackingMetadata: { section: "developer", page: "api_keys" },
         },
         {
-          name: "oauth_clients",
+          name: "oAuth",
           href: "/settings/developer/oauth",
           trackingMetadata: { section: "developer", page: "oauth_clients" }
         },
@@ -269,7 +269,7 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
     },
   ];
 
-  tabs.find((tab) => {
+  for (const tab of tabs) {
     if (tab.name === "security" && !HOSTED_CAL_FEATURES) {
       tab.children?.push({
         name: "sso_configuration",
@@ -279,21 +279,21 @@ const getTabs = (orgBranding: OrganizationBranding | null) => {
       // TODO: Enable dsync for self hosters
       // tab.children?.push({ name: "directory_sync", href: "/settings/security/dsync" });
     }
+
     if (tab.name === "admin" && IS_CALCOM) {
       tab.children?.push({
         name: "create_org",
         href: "/settings/organizations/new",
         trackingMetadata: { section: "admin", page: "create_org" },
       });
-    }
-    if (tab.name === "admin" && IS_CALCOM) {
+
       tab.children?.push({
         name: "create_license_key",
         href: "/settings/license-key/new",
         trackingMetadata: { section: "admin", page: "create_license_key" },
       });
     }
-  });
+  }
 
   return tabs;
 };
@@ -309,7 +309,7 @@ const organizationAdminKeys = [
   "delegation_credential",
 ];
 
-export interface SettingsPermissions {
+interface SettingsPermissions {
   canViewRoles?: boolean;
   canViewOrganizationBilling?: boolean;
   canUpdateOrganization?: boolean;
@@ -994,14 +994,14 @@ const MobileSettingsContainer = (props: { onSideContainerOpen?: () => void }) =>
   );
 };
 
-export type SettingsLayoutProps = {
+type SettingsLayoutProps = {
   children: React.ReactNode;
   containerClassName?: string;
   teamFeatures?: Record<number, TeamFeatures>;
   permissions?: SettingsPermissions;
 } & ComponentProps<typeof Shell>;
 
-export default function SettingsLayoutAppDirClient({
+function SettingsLayoutAppDirClient({
   children,
   teamFeatures,
   permissions,
@@ -1090,3 +1090,6 @@ const SidebarContainerElement = ({
     </>
   );
 };
+
+export type { SettingsLayoutProps, SettingsPermissions };
+export default SettingsLayoutAppDirClient;
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
index 87799b596969b7..56b2ad23d8b836 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -138,7 +138,7 @@ export const OAuthClientFormFields = ({
         <div className="space-y-3">
           <div className="flex items-center gap-4">
             <Avatar
-              alt={t("client_logo")}
+              alt={t("logo")}
               fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
               imageSrc={logo}
               size="lg"

From 9b43e0a71b1a3df5cc87a295a7095d09f41a77da Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Mon, 12 Jan 2026 13:35:26 +0100
Subject: [PATCH 36/72] fix: typecheck

---
 .../web/modules/settings/admin/oauth-view.tsx | 11 ++++++++++
 .../oauth/OAuthClientCreateDialog.tsx         | 20 ++++++-------------
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-view.tsx b/apps/web/modules/settings/admin/oauth-view.tsx
index a2fb75d344a6d4..c6262963f7958e 100644
--- a/apps/web/modules/settings/admin/oauth-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-view.tsx
@@ -10,6 +10,7 @@ import { Button } from "@calcom/ui/components/button";
 import { Form } from "@calcom/ui/components/form";
 import { Label } from "@calcom/ui/components/form";
 import { Switch } from "@calcom/ui/components/form";
+import { TextArea } from "@calcom/ui/components/form";
 import { TextField } from "@calcom/ui/components/form";
 import { Icon } from "@calcom/ui/components/icon";
 import { ImageUploader } from "@calcom/ui/components/image-uploader";
@@ -18,6 +19,7 @@ import { Tooltip } from "@calcom/ui/components/tooltip";
 
 type FormValues = {
   name: string;
+  purpose: string;
   redirectUri: string;
   logo: string;
   enablePkce: boolean;
@@ -26,6 +28,7 @@ type FormValues = {
 export default function OAuthView() {
   const oAuthForm = useForm<FormValues>({
     defaultValues: {
+      purpose: "",
       logo: "",
       enablePkce: false,
     },
@@ -54,6 +57,7 @@ export default function OAuthView() {
           handleSubmit={(values) => {
             mutation.mutate({
               name: values.name,
+              purpose: values.purpose,
               redirectUri: values.redirectUri,
               logo: values.logo,
               enablePkce: values.enablePkce,
@@ -69,6 +73,13 @@ export default function OAuthView() {
               className="mb-3"
               required
             />
+
+            <div className="mb-3">
+              <Label htmlFor="purpose" className="text-emphasis mb-2 block text-sm font-medium">
+                Purpose
+              </Label>
+              <TextArea {...oAuthForm.register("purpose")} id="purpose" placeholder="" required />
+            </div>
             <TextField
               {...oAuthForm.register("redirectUri")}
               label="Redirect URI"
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
index 3f6c72649a7b95..1dea5a8005e266 100644
--- a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
@@ -88,20 +88,7 @@ export const OAuthClientCreateDialog = ({
       <DialogContent
         enableOverflow
         type="creation"
-        title={
-          resultClient ? (
-            <>
-              {resultClient.approvalStatus === "PENDING" ? (
-                <span className="mb-2 flex items-center justify-start">
-                  <Badge variant="orange">{t("pending")}</Badge>
-                </span>
-              ) : null}
-              <span>{resultTitle}</span>
-            </>
-          ) : (
-            title
-          )
-        }
+        title={resultClient ? resultTitle : title}
         description={resultClient ? resultDescription : description}>
         {!resultClient ? (
           <Form
@@ -129,6 +116,11 @@ export const OAuthClientCreateDialog = ({
         ) : (
           <>
             <div className="space-y-4">
+              {resultClient.approvalStatus === "PENDING" ? (
+                <div className="flex items-center justify-start">
+                  <Badge variant="orange">{t("pending")}</Badge>
+                </div>
+              ) : null}
               <div>
                 <div className="text-subtle mb-1 text-sm">{t("client_name")}</div>
                 <div className="text-emphasis font-medium">{resultClient.name}</div>

From db38f71b54b2bcb700d57d0251bd709313064658 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Mon, 12 Jan 2026 17:28:39 +0100
Subject: [PATCH 37/72] test: owner OAuth crud

---
 .../SettingsLayoutAppDirClient.tsx            |   5 +-
 .../settings/developer/oauth-clients-view.tsx |   1 +
 .../oauth/OAuthClientCreateDialog.tsx         |  17 +-
 .../oauth/OAuthClientDetailsDialog.tsx        |  32 +-
 .../settings/oauth/OAuthClientFormFields.tsx  |   2 +
 .../settings/oauth/OAuthClientsList.tsx       |   3 +-
 apps/web/playwright/fixtures/cal2.png         | Bin 0 -> 28734 bytes
 .../oauth/oauth-client-owner-crud.e2e.ts      | 663 ++++++++++++++++++
 .../admin-oauth-client-notification.test.ts   |  88 +++
 .../viewer/oAuth/submitClient.handler.test.ts | 115 +++
 10 files changed, 907 insertions(+), 19 deletions(-)
 create mode 100644 apps/web/playwright/fixtures/cal2.png
 create mode 100644 apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
 create mode 100644 packages/emails/templates/admin-oauth-client-notification.test.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/submitClient.handler.test.ts

diff --git a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
index 4827b99d9cc691..36da2d99fe23af 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(settings-layout)/SettingsLayoutAppDirClient.tsx
@@ -525,7 +525,7 @@ const TeamListCollapsible = ({ teamFeatures }: { teamFeatures?: Record<number, T
           if (!teamMenuState[index]) {
             return null;
           }
-          if (teamMenuState.some((teamState) => teamState.teamId === team.id))
+          if (teamMenuState.some((teamState) => teamState.teamId === team.id)) {
             return (
               <Collapsible
                 className="cursor-pointer"
@@ -658,6 +658,9 @@ const TeamListCollapsible = ({ teamFeatures }: { teamFeatures?: Record<number, T
                 </CollapsibleContent>
               </Collapsible>
             );
+          }
+
+          return null;
         })}
     </>
   );
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 483b5b5f75a065..44e1b7c223bbec 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -122,6 +122,7 @@ const OAuthClientsView = () => {
       StartIcon="plus"
       size="sm"
       variant="fab"
+      data-testid="open-oauth-client-create-dialog"
       onClick={() => setShowDialog(true)}>
       {t("new")}
     </Button>
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
index 1dea5a8005e266..140c0c380feb0e 100644
--- a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
@@ -103,19 +103,20 @@ export const OAuthClientCreateDialog = ({
                 enablePkce: values.enablePkce,
               });
             }}
-            className="space-y-4">
+            className="space-y-4"
+            data-testid="oauth-client-create-form">
             <OAuthClientFormFields form={form} logo={logo} setLogo={setLogo} />
 
             <DialogFooter>
               <DialogClose>{t("close")}</DialogClose>
-              <Button type="submit" loading={isSubmitting}>
+              <Button type="submit" loading={isSubmitting} data-testid="oauth-client-create-submit">
                 {submitLabel}
               </Button>
             </DialogFooter>
           </Form>
         ) : (
           <>
-            <div className="space-y-4">
+            <div className="space-y-4" data-testid="oauth-client-submitted-modal">
               {resultClient.approvalStatus === "PENDING" ? (
                 <div className="flex items-center justify-start">
                   <Badge variant="orange">{t("pending")}</Badge>
@@ -129,7 +130,9 @@ export const OAuthClientCreateDialog = ({
               <div>
                 <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
                 <div className="flex">
-                  <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                  <code
+                    data-testid="oauth-client-submitted-client-id"
+                    className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
                     {resultClient.clientId}
                   </code>
                   <Tooltip side="top" content={t("copy_to_clipboard")}>
@@ -154,7 +157,9 @@ export const OAuthClientCreateDialog = ({
                 <div>
                   <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
                   <div className="flex">
-                    <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                    <code
+                      data-testid="oauth-client-submitted-client-secret"
+                      className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
                       {resultClient.clientSecret}
                     </code>
                     <Tooltip side="top" content={t("copy_to_clipboard")}>
@@ -182,7 +187,7 @@ export const OAuthClientCreateDialog = ({
               ) : null}
             </div>
             <DialogFooter className="mt-6">
-              <Button type="button" onClick={handleClose}>
+              <Button type="button" onClick={handleClose} data-testid="oauth-client-submitted-done">
                 {t("done")}
               </Button>
             </DialogFooter>
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
index ead7a0b90ad5a5..eaed9b16defdbf 100644
--- a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
@@ -284,6 +284,7 @@ export const OAuthClientDetailsDialog = ({
       <DialogContent enableOverflow type="creation"> 
         {client ? (
           <form
+            data-testid="oauth-client-details-form"
             className="space-y-4"
             onSubmit={form.handleSubmit((values) => {
               if (!canEdit) return;
@@ -313,7 +314,9 @@ export const OAuthClientDetailsDialog = ({
             <div>
               <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
               <div className="flex">
-                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                <code
+                  data-testid="oauth-client-details-client-id"
+                  className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
                   {client.clientId}
                 </code>
                 <Tooltip side="top" content={t("copy_to_clipboard")}> 
@@ -348,6 +351,7 @@ export const OAuthClientDetailsDialog = ({
                       type="button"
                       color="destructive"
                       StartIcon="trash"
+                      data-testid="oauth-client-details-delete-trigger"
                       loading={isDeletePending}
                       className="w-auto"
                       onClick={() => setIsDeleteConfirmOpen(true)}>
@@ -357,14 +361,20 @@ export const OAuthClientDetailsDialog = ({
                       <ConfirmationDialogContent
                         variety="danger"
                         title={t("delete_oauth_client")}
-                        confirmBtnText={t("delete")}
                         cancelBtnText={t("cancel")}
                         isPending={isDeletePending}
-                        loadingText={t("deleting")}
-                        onConfirm={() => {
-                          if (!client) return;
-                          onDelete?.(client.clientId);
-                        }}>
+                        confirmBtn={
+                          <DialogClose
+                            data-testid="oauth-client-details-delete-confirm"
+                            color="primary"
+                            loading={isDeletePending}
+                            onClick={() => {
+                              if (!client) return;
+                              onDelete?.(client.clientId);
+                            }}>
+                            {isDeletePending ? t("deleting") : t("delete")}
+                          </DialogClose>
+                        }>
                         <p className="mb-4">{t("confirm_delete_oauth_client")}</p>
                       </ConfirmationDialogContent>
                     </Dialog>
@@ -376,7 +386,7 @@ export const OAuthClientDetailsDialog = ({
             <DialogFooter className="mt-6">
               {showAdminActions ? (
                 <div className="flex w-full items-center justify-end gap-2">
-                  <DialogClose color="minimal">{t("close")}</DialogClose>
+                  <DialogClose color="minimal" data-testid="oauth-client-details-close">{t("close")}</DialogClose>
                   {showReject ? (
                     <Button
                       type="button"
@@ -406,14 +416,14 @@ export const OAuthClientDetailsDialog = ({
                 </div>
               ) : canEdit ? (
                 <div className="flex w-full items-center justify-end gap-2">
-                  <DialogClose color="minimal">{t("close")}</DialogClose>
-                  <Button type="submit" loading={isUpdatePending}>
+                  <DialogClose color="minimal" data-testid="oauth-client-details-close">{t("close")}</DialogClose>
+                  <Button type="submit" loading={isUpdatePending} data-testid="oauth-client-details-save">
                     {t("save")}
                   </Button>
                 </div>
               ) : (
                 <div className="flex w-full items-center justify-end">
-                  <DialogClose color="minimal">{t("close")}</DialogClose>
+                  <DialogClose color="minimal" data-testid="oauth-client-details-close">{t("close")}</DialogClose>
                 </div>
               )}
             </DialogFooter>
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
index 56b2ad23d8b836..113b1d3ec25aa5 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -125,6 +125,7 @@ export const OAuthClientFormFields = ({
         <Label className="text-emphasis mb-2 block text-sm font-medium">{t("authentication_mode")}</Label>
         <div className="flex items-center space-x-3">
           <Switch
+            data-testid="oauth-client-pkce-toggle"
             checked={form.watch("enablePkce")}
             onCheckedChange={(checked) => form.setValue("enablePkce", checked)}
             disabled={isFormDisabled || isPkceLocked}
@@ -148,6 +149,7 @@ export const OAuthClientFormFields = ({
                 target="avatar"
                 id="avatar-upload"
                 buttonMsg={t("upload_logo")}
+                testId="oauth-client-logo"
                 handleAvatarChange={(newLogo: string) => {
                   setLogo(newLogo);
                   form.setValue("logo", newLogo);
diff --git a/apps/web/modules/settings/oauth/OAuthClientsList.tsx b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
index 6d94b86effa89b..d3a4d366f5becb 100644
--- a/apps/web/modules/settings/oauth/OAuthClientsList.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
@@ -34,10 +34,11 @@ export const OAuthClientsList = ({
   const { t } = useLocale();
 
   return (
-    <div className="border-subtle rounded-lg border">
+    <div className="border-subtle rounded-lg border" data-testid="oauth-clients-list">
       {clients.map((client, index) => (
         <div
           key={client.clientId}
+          data-testid={`oauth-client-list-item-${client.clientId}`}
           className={`hover:bg-subtle flex cursor-pointer items-center justify-between p-4 transition-colors ${
             index !== clients.length - 1 ? "border-subtle border-b" : ""
           }`}
diff --git a/apps/web/playwright/fixtures/cal2.png b/apps/web/playwright/fixtures/cal2.png
new file mode 100644
index 0000000000000000000000000000000000000000..264554918609db394010ae9a45342bb1a4e084d1
GIT binary patch
literal 28734
zcmZs?WmH_<)-2q(Td>A8xRc=S1Pwuh2MYvucXtVHA-F?u3p50GcXxNUZ|6DZeD^)~
zzCRdyG^5Av-fPV@t7cVon6jcY8Zsd=2n0ftm61>ZfuI6`zaT_-;6KmnfzH5%*HKc_
z@so|Iql=-v2}r@v(bm$&(bD`2xwDDAgSm}0Ckr>rdnWR)j*hkte5|Zi|Nk3UZ0yZg
z&$F_$fSVxM%4j)&Kp2L9|DcM53(Y|wn^IW`QB~KB<2JVpYRS~s*RY|ol9Q~HtjFJ}
z1mI|>U_%~w_}Fh?8%$gXw(V`{Ni)jhb9qI0v;K2<1Ldj{t}2dXcf_`oh^Vr)DZG?v
zN_taeR%%wNP$>tMw~vH`sk*wli@KV+hWhp8&h(X|nyG}bgs}kDDE26}JR*e%Cafr`
zN91RGUvfl$8F*?;M1OKb(7!HlNU*>QXwW|wF;Qqg;4L7Le=f?gBESoB5J-IrMO(TS
z^^6(DsJoqH=vrZwsI@{fEoeWCau!3mh|&a6Nw}5i;~-IHr+eh2Rn^6XS~A`C<!s37
z!`ExPB++#<_<`~(zf~Cgk13^ytOIMjzbK#IA1#b2<vKZIH8$Ki1W)Ta@$1#9NAY%j
zSRK?v0W(*(A)uqVD;WE+nGWrp{Z!={xI4w*Q;=5D?!ZRgPL^IJ+G!<uyUcTO^D2m=
zxRqG1Z|FWfN@bC@KD*_Er`~HCXht`~6_-^f=C?K)zz#p+w*Ee6(^C^Z=oU|a$cO?u
zC&iZjbh$XNXq0eQGm(0ONyFGr*)o>NW$XguclX5jswADRmI=7bGGC>v^&_nOS(*h>
zKoN{K4l0%YCS71rqcCc)qW&xC-tV(ts2NJt1TLzSf<Aq3^NsgU&GM&QT!oohS>`GX
zp(%*r@i_RT>5U{4ibMCi*=+}?KU6+84t^}ZqC^Q~`-w5Pev5virRtYZc|y-(0Ix`u
zMc~#{it^evoff9*RiF+r`21m6<A(VD9tYL?7n@1`5g8M*@F=U;cU&=7_Q2EI4u+E0
zc+}VxP-rZ)v|5as#2;tGL`1CX-yh{DRbOuoBL);$$}Dj)6*Q%(eu;qh-V)0ke>z&J
zf>d(UMbhz>f7#dID8iSk$v6zQ2;*}VdU@!xIb16b$X8>${>U!2$hVM*h^}crhIn{L
z(SZIk{=>DtA=V5t$XrUd4ZafhqEn<hl(N3w)pX|~>kSPORz<Nfbg7M8!A#N9F0#rv
zGKI{Pmfl;=b3ekmc=+4Gj|{TY%v_Y)l|RGl7(eZ!d72Y@m43!y)S!MFgJo^OvdXiR
z0!jEbeIuS}(+!=Iq2)G?E&y9|_BlU!N<c1uMiO`yFqdXnXULbbzUT}-ii;GT@B^xW
zA>pMW9ij8QZuo?ou>4vz72-e5V&tKJu=(!p1I1)d_5D-|reGNi_7Eb(rVZ;ZF=})J
z^=DFK_{Wu1IQ^6{Y7G6sDQue^%GZbBi!X4mVCwdiOWHTm!?0pg%(h(-MV~TN^w(4(
zd(afChiT!mHL4Xg<BmQkFV>7nz>ji&HvG`kK7g8Aq1890;Ti=i7S<;G=3JGuT!%2(
zU=V!`g2~=}AmvTJ8V#Ak!0-%?9cAdJisWcGO8PGCR;>2A@<FDjQJf2QY9&SY0Iy|Y
zGKMkpqT!-P_DE6Q<acDXu*RO*Il8r*30`+4BkS{k^B?>fGm~o~jYn#;N0;lIHD_2+
zOjytxMBozW4=V;8%kFET8!lCNGic{8!zXSn9-Bkq%j38sJJy7TU}0qx2Gf%#BosYC
zy`35=wqcpRJ~vV;_Rop`*TKj6ccXY;MInQ+y>2W@!ZSd_{;qL6-Kgj$p0Z-5tQ5cB
zm8Z>JqJPSSDOU<nk|;~{B2c0n?c4dbeoGu1dpQHBYT!Hc_0AD4T)5?tC<E31)@yR8
z8F(LRl4O*=eoVN~NHg=?RxB8)Ck-70>oe3H)O4lBM-3zrinl)IzITkLG(o2&EYI3-
z&9Io2jXzk@$GfG=*utswrJi0Ep>E6gU!S0wzW~h||EyJDb2v4$)3*3ZM3{KM;S^gm
z&L38B=klc+nPpIk;vnE{0dz3$c7wRFALcT6<Ipq`txE343w+^S^dK>^W?<`vmtX0*
zrAc9b;Hh2(X<a;LAeE{1^pu=$kV5m%Od}RdZ<~1pE1IpnX^Z^gNoKB@X_jAN`?s+J
zq5p4JRn;PYmzHcuJSx7DEFm~n<W>9mR6lo0W4KdanqptiD@um>uyy8G_wec4a7Vhx
zfLtXZbyH@%PCecKdOPZ+VDi8skIW3mr{Y9N@o!Y!mm8M-r7wt89W@;H)vuK@_ZSl2
ze@Qqzmq0V6IQX@kgKm3t!LsI7G7?lr@(*_hE;6uUf-a%1qaPJb1*bOeXWUE>FMr~C
zD-BaH7-@1z=E{6Oz9mZgs^@y}2F_5A59#Zuh05zF{!GqBIuEUTkO-<Up~)ku=oFQ)
z_<ySCjr=p~Dbmm1<bEQkyj$fY4kWQl)L(w)SRu-?C!u%CH?YM#5ZQifqbzcI+3wJ6
zjBCQ9E`Nzv&vN%w|69lZr<|dI7f?SSR)_%~Q)x};-4}VBQoCDm5^|&~(9ZY9pQTnr
zA0>uMJbbCl<(RMo5FLjHNK4o$QK&Ny79xY|MChcRGMn95Ws4=F4(B&G=6dZFo#gkw
zC)jA+zAf{4>xQZ{;Wkv)XH<0gHWBOZXZgbZ{m2}0Kjq!n1bk6UJFFTJnJSK7rplR^
zvOy0taY~j_CZk3i1S^p3Ee)HMesP62hlM&y%Z;NLq)e50d8t179O_AiR&mBg7s?z{
zScozv5&#f`fVBWFbis*a(7Yp4v(>>b-F6Cc>8QgWK)OX@y%O0Tx{!7Wh*w<$^;iMo
zkGu6!acyoidQ5o2BN@6WVWu+=&5yRu7oe;`$qK@x>m=9Cn4YqZ=jyVSH&mDm?38L8
zhf&%*s`_(P5*|rCigB_k#9}#9^(9VqE$~;!D3q8nF7_%bBx!57xmWHKME@-8zaKVK
z!Q?v`Jx7JA++f4fqj^8?6CM38b1_V@l8A%cS_#27m&g?NEpP|h+qB{0%rfst`}d~b
zb2DI=@R+`Ve~*k!;*u4ac=dpquVFu7p6Bu-ZFB<jRF)tX?SHb0?>{(xzIAabo{r0q
zl?qfH9P_ZT2q)3w+w-#X2$6PsTAz>%g`#^FERGlXu_B`yjWw~W8HD9@NI<Xr6Zy}&
zmULi2tL&%Y$N^cNMVCh9Q70Vr3;V2spL~cdPKfyQK_+B(T1z%WLwg@o$$n7)ON|MV
zA^&>`PkW?L{U8|RKw}{;=>8U4f;rSHNQ9MG6jQ=WWd_*~-b*C?gs_eweyT^7VbI{+
zhG|${W`1T~v-!Ke;J<tJpRGGsDbnH3%TYo6+{uOW-k}da$0z8vtWRiS8$Tp8?7<>{
z0vAzsqH<=CTu+wwn_J%3H<Xd;sxItFRD_URcC}@=Y*7jN)CD(u>1vB1<<`RKkzB=K
zLQozDB|x|S({=yVd?mHGU@xAigM$}>nn~R^JZIKbZTe}4l9HzE9OjNW!Ye7_H&c?P
zMyB_AUR}9mLpAvl($$&v|A@ygR>jd5uE_p(&1L@WL|^ENX%h*M0-@n2+G%PGB?S(4
zVKIw5@N|h*Fk{I4zFb45UM0?I>@Tr?R={&mk^(Fx=OzWMrCoJ&wvpe_)xOTve8aoq
zv!J+)$FHYLX39)bodC4=?}?ZqOwv0bEmM3YrkPyLwh@Q-|GjSi+6K^p1UVvw1u1U=
z`O{RHa5&+PF6GtA44K-h$rK`KjCca8+)v#qV}=#aF_4q80xYb5BF=0<lvFO>C~lV7
zGh%nM=0CeS9rDi!{m(%yYDP1p6CkZyXGl@19t}xSxeD3NO4PRDGl0TVVU_n*<G8-L
zieHOM9bfvDFKzE7bgs-<YgpJtSm|wvkoG5};;U+a2G98D;BZUn5JQQH>w&GGGQZ7T
z&PV|JU7B`LO+12<{>rTDsf1DME<~vOwIaI@`d?cH`ft3X#teSHC7Whh<aH1xRpqDJ
zUz7n0^YPw9W<;w$ATH3o;=7b<aL(J*>%=_eS@A?^?}s4Lt!u>c|Am%|knj{p=KQ`M
zyVkk65E%b<@u#kKxW~PxP(;wZgNrn39zE<0Vx2(4yc}(k@e{pNU(I)UMwA2+4U*)R
zN6A7gjrX+r;4n>r{x+Y>@DG!S>w5@PyxS$Z)V}r<|5uy)r@+6G`(Y+)6k=Y`Hib6d
z7~u9-8vGm~NOPg0cMf+A>n_S5rc!)nn{vW)@$ToXtbe&A49)xAHEJu=HP7hrBu0yL
zJ;BEKccA#m@$b$4_tBH!El|t0$gm+c%Yymn@l5#<J~C%q;B$hVx?3H12&M@ud!7ml
zIw#5OaRy~&^Zktj*Bd6$&L2sq(o})X(dl_f$*NNS0}m*%pefL$OWmDkC<(DCB*bu}
zuDmhFWdcRWLxY3h4Sz-#%>j#Uq?XT_ok!^Edoj=h{&tp0J{@qts8{ka`+7-AmX-g%
z7F?3@2{TlRqWOU3AhBQ1K$^O<>w(o!QV8QQtB5teV&JWx$RGJW%$}uJG)J{ND<`Ee
zrExHZ!W2Ck1?E6vJ<O`cBR40KnS64VT{Wx3z6s$^G`=uiGtE`P#rw576t}D?0$cj2
zP0l;+@84nO|DUZ6h0jsRX8MP_!TKTtz3oi7V*2^*4&J;}iUgJVn?VUwr6SfODc)<z
zf7bUu1KT*JH)36fO)G(?30GuNvuHZr<#WjlQUUG*<M&;`&qE=afjVj_Cmp<KPa@r|
zX<;fkGPR<?sUo3|*W)DNdU9wePb{}D59Dk=*!<3D4Pah)T^9sw9lWMh?2)j`yR>D#
zzr_rmDAJa*8FZ(lzs6~eNaS^8uZr(!ORKdAtZu(+yT?Z-oXeeaO{{v!`0lOgE_C6N
z(W^1FsR>Zo|H1Y?V*4qFb1&QSq14BlS=I6pDjw@0sVep7lP(qjgIA1u^?|6<I_+21
zqQc)QN+#uSs>0(2k<(7Pl3Wb4m*VO$m3%1==?BsaeutH$CD=l3FGXswz8}Q7G{W1L
zAh*q`7ET~Vo%^_dK@Ho{)88d7QTn}U@mxkNOOAQ|afme{)R*q!bc4+Nplu*TO84D6
z271A}*>rZTPfmWy`f;+~q?xbh?53-W&hkqO>yu2PF7xqWP>;Ibx5yUNP=BW&oaXQ6
z*F?DfM0@|=koNCE8P!juXsS_#b;bKyMUj#;eqw6sG?a&ct0gktbW8TLn??VaWNjp8
z_5{LuUcH+N@nwm=@OVs3`TM#9#{adGpqY!G`OBFH5E%u3bLB*ZiQa6S4TPI{6MOr0
zmkN?Um<R!PfO&R7u&6ycn?HAR_IR25PbI!M^(JCX<qYmBn4}q|6?g<;5jM&<L<PLO
zc(bV$4hd3Q`973%coW+2K;e!5(pl)Yk$8^<clu4GSS_|y!i}N#{_Hat9K4Q=ZV%#C
zKw0@gU5O>;>i{*#K>@O5nd-oxC+_HgLs)u*I<ZYDKpNo<Tw@?%js%U6XePl?xSsnb
ziTvWLK0|Ya_7&mFgw)NxQjG{)0y>028ja;5dQ&ol4fW~RMrqSbxDBR0A;{p1t>M~=
zE)nvf@E5Jak-M~^)`SmK)3PuXnA9&Rlq((9&<3`|Cl%;SgZ`U5VD_K52{a0wbJa%d
z7FS<u>+65k)lHL3xqEnwudc=fAYlB=&4ux}ITCfzz$fmt)1ZhX0KpPVBO^?{!>$pu
zqcey!+!;zu5%l1i*njtHzU)mXrEMlu7hAPm7az!XjW`1ZEVbFH3HveT-4Bu2147;o
znd?}SR7|msdR`TJ>|#}9Y+A)XNAoq+1`y~B*NrfqofM<keq#eLyvqJN)Gl8`8SDts
zG2o-kTHD&%cwE;&dT!geWqNIdhco3}Bboeh!=}rR)Lqh)eSGzXT6mU=Qhb@gR*Mvz
zbaA&$nD!>{q@y3g$wM!`V*0I-ITBoX8!1_>lV>U#ZS^@5dmL43)>{%N^6gX0X9*CL
zmzS?)Fp|_0Hi{+r@|DZe!1REnBEf!kM!jEFTHP8q!WpYvPW3G3s-R+oUwHIf*Wri-
z-KTKT(Q1DZV|E#wgv(b%hc7Cjc7diCq6px5T)u|Dh)$)HpalBC2i;vl*J91Gp&Hll
z=1mgFXYfD`CNX!p?Pi92QsnJ^&SKvoOsRWmpNm|1MfG0K(RlNzP_cWe_*1pxzKZ2y
zJzD$g^Xd6n7slq^c&>fbWjWVYdH$?yIjTZV)f(AK3985sJs2quD3H#xHZo>cs72n}
zQ2S7RJ}aXMaz@xY)BFpY-gPjiDHBWM8g%PvNh$lc8B0z2L6Sb$sk<)JTN?@DqG!gi
zR=OK#gW#al8q>{$S9=)X&0<eSBiUcJ!;@nNw{=7}kb)k9wvV&o5GeM{I8nvXE`C{e
z!KFYIxyOoi6{l76U_sXgPd$VVum%58XjR@m-<~h>DlvrhKRQFL&lGoXK-n4Q$0NJ%
ztK&Hwsu^EeLS1xLK7OXR*C<&MOI0kiTlguN!uyTJ`?aOTZdTWYB6$#Eml1p{4=Xyw
z4d6o{NTnEuxL4G}gFlH?Kl-rZk*+5y9fVj=A4Z5-^n09x2Roh3TcD!t=JVg}z1!h#
z4+H90>?A~SCNc^DQwmsrQUmEI!k`$>t<O4k-MC+^34w}*G>NbjI@f}yr>QIwV^>U!
z!0?vRC-qHh{wN^O>ivjImCfq!l0<-f|I~TIf(h&2EL<FqRZ;!<M7^5L^oVE4wF|BB
zZX?1FJg_QqSgrO(>`cH(Vg1E*R7>IY_}291u=n}aHLIS(s_lKE19|`fTME?Tes2)I
zUSv`d*4+kvdnoWVJKmvf+4E{9(GLy;8)T!QApe=TG(MoE(?(-UB)!yE^HqMG<?^Hn
zd^&D8MU53pk%^H*(y(mq&^+UZVnavt8F_ibd8;vGZGKQS{N*j~i4&jMIzeAa$-5|_
zX@(W<f#FoR7j$pdCC>=m&B7{6KNt>^cL8rcXtMs{fDX!}J$R)jTYrq3t4EuBx2!8x
zZ)LR9cz!ozCKQ6g+6+5XMNZzp!6D9-K@5wqdc4IG-SSOlH|KI{bYoR8_w{BG&VQ5z
z#1k#Tkm$FDYL;O~BXm<8WB4Z&>!b$JmH?0H4ek`}q%(S>A?1L=u<#Zq6xh3W`^iS!
z+p!e+wwr-Yy4pX87T?=k>sjfV8}ANEOz4xC-+l-y>i9=`xKov{Lci^E=WgApL}X}-
zkOHpbKA_MnNl*EB+@mW8e$nUXy2Wk~`NRvqz!!bFC#S%;&KTHXiNawSnB_+l?DsKO
zYTbzJktc~sYXg1b;Ss_>q4{wkE{dI?S?pAiP2t$jvL&m*p0Rj;fhBw%7QFT1Il|j$
zJ2qZT#;8$Yt3hBt4e1DqWj*?#TBS|7SMkx@9W9i$!XI`~I`Ao7)Vk1QWf%J8BYp4%
zE;jtQP{d5{KmZ(#O*gx5=uPXvcXibGD!QUwiy7^BnMM&1vi3-X(jRbFh|rZGlXg97
zfqAnb4b$Mjr$f}h)t36wQWT);Lh7w-e$>=pFE1}w^jdxU#@G{0649SPYt$1-Ad|1+
zW<d#T)3i977dnD(2ha=85-UC7O4ZAKH+d>9lQ3KVlow$Il;A$=+{M#%7jOvZA%one
zJFi|THPn=+35?p*stEjWJ%TL`7m+U_oGC7go8jAe1|%u3vV&ydf<z@#XK<a!F)zkN
zH-R&k#H=07SmBD#k&4QLUx7?BddTy7;xCLr$``7T&b3)w_~M_e=Z=(_nYp*WFU6I9
z9T;TZS<95igu=|s4CZuZ8WDc=%<z8rLhQ0+_tn~3{h*-pd1c68EjmiARDIoJwFT~Q
zrmez%9Z7?ZN2lW*Wsl&OfMM&an)~EBLphk&P;Qx?{MHmSks>jX@0{cK6b{1!p#^1h
z_L6G^KSy@uD8kV{H}XA04B{pte!D2&!Fp7u;Z!8jv{S>;zt2n8W`fR{V*Z}*z675D
z05PZOP^Z(ZZU|5n6lVNm>m`?FE21ra$|K6Cz-qhhq?*}|3f`_IYUtT@u^s+ux-Icr
zv?Jd7rFC_6^#j1f!`bpK8=p%eCcRehsn@B8T_+N4$AEF(f%H6AUKeh!!>C|{jnAVt
zfUF_f=p_2Gh*0pkMQmr%me;VESI9G^Z-pP+wr}|YL-YlA+;C7R3{sRKFP^vf0}9|F
zTewtnRcm*9r}XzY?_Of}^gt5u0gz|y%BPgaA$JKw2KNeI!-3N+8t9~CE(XN8WU|i8
zeX+s%Pp>xvf0hn;5IWQPR@(_U$s0HIidKnqZy+lQUJAA_Qgd`#XIP(ZiI`Yfiwmw*
z8))SB9-J$UP{pprZ&S$+^}fN^3M*G(`uFp3DquS+235IG;q1L2vSo)N1<TK#<|yy)
z-+rZ|;!sVHsKo62l8gfNj=N#4`LLoZl7Mroq@!v{ao2|Ybsk|sbBF}t+iXR*uFG<e
z@bkVB+zos|q%&ld;kNaHgx4N6M(_rl<#nUgdTeFWg&=eW6-mO+WplXycg>cZW;5s7
zJYp8-w;i@zYQOBE?+Fnl$El(1yebwk*Dq;c;DI^Uc<OC_oWT~dh_ejF_2;eg=mhO^
zA!lJjuZg+)9|~ND7qupn8_bpZYlaHVkL7T-iVF6^$$u&)frCjwI?-3YZ(T&2^zAYs
z<3uype}jpO1no0_0WU<+A&*^;97GA%R=m*p9flbUi=Fj0U>^$CjZqMymW@S>dN$wF
zc&ZC-)PD$q-d*DS{8))18{&`y@7%#A&n+MT697To`o&u}-|1_6m?rM)$FFl^*kyK%
z6|DqjV{MBaX7OF2{!${-`#{Re&Y^&<!}cC(>>B|*+j~0>FskVX!=B9GH}E2zaAKH(
z!7RGXIC4o$aRJtf1dif_f7;(q+Y!(45&@;jWZkq4u$_A5(=_{mp9lvhC)P_|x67{2
z*R$uNuTP^q=YO!r7Z)S+pAR(d?nh7mjOT_JYSGv?Es-;ni#@R?G$LbLrRjP8z@qvL
zpm1a@s~F=has6<d8e^Jey?z_@5G~y{vJ_#rN#BVhUp}n3CU2{*Cguuq;mSFRPD6zP
zFNE!rd2L-?4*g`HJWbTjj;S$+!Uwdz@!7?YlM_;&=z!lZdH_9wjb0lw9IG=ZH!ec7
z_QV8PN|T#_Z3A`U@+OAC>|bCf_G$7a&GS^~3F0LCoa>H>?dzj}hq=1FhKls#k7meB
zm`x5~9HDbvtPWyidfrC6c>~q)PQH#Hz|UdlcOgfpF>-<V&wMx7wDk125BUaKN!s-~
zBT_!~WY1n+dnYHsh_%`HC7t>)%KR^R&GXek>B2_JTzxocX&hgzEyN1wVJ2hKRZ%}#
ztM=av-WFH3V>DR`%TM-A%DjUP!$W*YEqfYfv)_`@@xI>%zqi0S%E%xH6J6mE1PMQ1
zO*Y=|RIZ(^cU83I==7gxRPSj`lve%@XZ1dhXgu#BI`2ebUAt|66|`?EQ(3g#x5514
zN-Dsrq-&f8zp$|Im-RAfR)ILpM*if<Ca`_ZTnBjl!^6Ya>}<^Q<E_!{$@1JU6BP9d
z9lt0d?jJ2J+D>0kGWczYp$31kdEBrAeU#-he3x%a+l`1c0=naoG}YISCVN&+YgoH%
z%qW{ZN}c_**^&3XWHIwKriPt=kif#;0zfxcQ6HEloJSv9o({^@m9BE=MQ^RXMk~{A
zM`u(o>+pj?=l~lm@@krzSWxLIf^2yV@+aBkfv&00yB~pPv@@iYBH)HhqmU5^G*GI9
z{*HI~&kV^mc6YY4=p+Y!Rs=n&%r9xmv})iF_4Gq>rDN!r+kB&Uh;X7|rqlJb%oBH(
z+#KRQG~jr_uP)Cu86lvP387MeL0(CrN2|0Mw$OO2dXc;iJ71RWkigv5#GkdLW%!9;
z-QC^C=jX$gTU-pgg3&bZFD^A}cHUpz+%#KMc3!xb>MYh9vdJZ`ihcXWA1(ai$|T@K
zVLFl)g@jG>WhjLmoO6i-?d9dg<9bGZbG#S=;FjU_sy^gELr+3UNy$%NMX*akVw}rk
zrgkq(YERy9HfVWw)-A0dNRFimHv4|aY;0)?x@+uVxijD5w{`qxbuVexYs)p>(PD#!
zllM2@v#D`-zI{+gYbw7HYN|YZQ%3m_qOb3<_6T%RYWTa{v(W{n!Om8<OWXAz{LP;c
zED!)6;(jp!)xTv)R1nQDAaEU_r@m{?3p|s-WI<Hp?TW|w5a%dRVv6snILDTj{L_VQ
zc{6^y+QkjOgBEk$C4SmDX|d~7@<uIINsvN@_fsuE%6{zBI4j_8qgO)1{@jA<y0wmQ
z7FFqm>s(KU8C@zAZxOS1b6KSum|xamx!7}ezRB+M;;B>b$-9&7iYygFiZ=LbDYaCH
zdDMj#e5v{sga95}oek-d=Bu{fMi#i)Gn#8Pr$Q$=3RQlicctZ|FPpCd7B+t~qGyjj
z!hZ@q#A}LPrb@W)D1~06Q^IG=z4l=_XG&2_BT>Z1N0<-8X`>rozXRLH9ZWP+Db1Dc
zbgcLBV66RNhX4HcbEY<%*A6>`kVQt?7NNoW6z^&OT)4@rHa{OuZd5m%an<W>fqa&~
z{3mQ4aEjr85P@qpBu{s69o^nby4vKDX36LE+4Z~|-)?UV0?qG_*_p{RFp4Ih#sepp
zlo8PI``QXP0nlmbX(mzC-(N+y1%(nRL031#-H_<x#@Cm}zpHI9nkASMBAO_+)JdJP
z;=o!?a+Q@<hDq687F!Bkoc0dbhRDAaF+5BKDxzW*5A-803j9?7t-U(u|N8Rs+O;Cs
zvK&X1d|0V@3~AzCY+$l-gnM{!_j*tR4f#T@1{uPOBESERm-W$Sft6>3gNI2dl!vHk
zv|;RK`v}n}W}u$f-lmeEgH8EtR)e{+`hPPfua#R-*$osIt~YK*_tuOG29Ukp_0C=N
z;2~-gQfN!n=G4{cYPeVT_+p}`rD^|2>wZ=V5Bz!nFF5x2tz$W_xSg?B3$-$m;r)8S
zLCrMcF;mg?D!fXnDN~yPQibPj3%kvV-B*HfXsG;PoL@G)ZZ)PFOU?Uz^|1*7@{@>>
za@>aVzZ$;mPoSJXEX<xoWWVBkn=KR7w_y!jQ`z2~v)HEl7A@W(pFj1(veOPW<)YCn
z((r1|uJLNZq;ahih27;uz(t*9+V?^*E;?m`;L{1cvXn<xBD?|SS8H?8PY&2C4>t|#
zOZjru7SkV|)^B|}9<D39svR(w;;;!updb)bZ2#2X4>%y~4_@1Sr$K%*^&i3Gd?i(F
z0lJy|GO0-)f(;)c30z+vS7T~MdGQs76$bFu=gqfZJ13_PAzC7Y1(U;8DeY_ThSD4a
zUS4je8xQeaz6^i!K?tN$%lGekhssk@&O{ZIprjXy;k8GV;`4;WHuOC`%h%V4rzD2M
z<vm?sZ5*4-I@`}WH0JW&4KksZN=<i2e&b<9OVvZ7M(p5CmjQIfuCWrkzo6j!9|p`1
zakd{Trr}jX9N1{sY*qv^oMyCsKQLQIz5@pw&+*uAAzHUxd(722gb<>(X1=xCdw!C0
zf92d3%+7lA$gc&ea4!AYl>|XeNeUWVy=Q4X_0llf_#<m=NrT6CiJqq&8|67uuw&Y~
z|95>?be>jUA92e*-!qhbhYR7iZJY>!A3T-&q;>8|wx|Er*>hEsWCr<dyV#I^Qmksw
z5w=)n3^O^~V+!wGM~HAF=jdmDU=lS5hFh%G4QNxGER9$@J&Pv{_ALMW`Lo?Yr=(`p
z8Z~hGbMLwVI*}#Vvc|(DKk1t}OqrkvOzHH3PUs6GMxXHl*$fD2Ms(eUgznZc{z3)E
zu}Bir-O$kLXl)U$H9yiV4NPuNWEUL1o`1~<9|DH(6}k6qOG~xOEsGn1QI)*8tE8U0
zUx`{LZHZuXG2eT6nBGxg(pUGcs1#0{iiM`l)vID36p+*&lPIzPiVk8P=P-}g`9CU@
zx83gOSsxV!q`GG8Gz$}YUzHGGl-od62nXK8<wAmdw5#6r9ZqMZ*XcPuI+Oad^Y}w*
zIe6CpB%IHWjzCVmFNv01P6hXlkD>8J22_Z2IuCvfl=|7r)}ujUYslIn+s-;s0Ga{c
zBu5zt47#0@O2SdVsU^LT+@#B>poSY=V}xZh>~!@!^6?_x&2)kK{8@^w3zxB<T=%PH
z!tH#06alB{MosoJ>hHU5*3Bqp8<5C~VpKDwWyZ*(%CPCQvwW99<6b9<-LccG(L!XZ
zK`?#Pel)X76^_@_#9<ISOtB+;a@##~3a1PD?^pfTp!P~{+~`b6h6KCO%$-hr+KB!z
zNTZ$6c^rm*$mOad#lnI#w3yOYcm`?PJ9_7G?l^X^xSSly%1d;^<{#`B06HA`)hj%;
zDi9%^w^i!CmMDJb*fbjn+)KW^mpc$=wa9fn&=7M?-y?Bs0{w|?-X}cb-W~wB>;SGw
zWs>T;mxB;HXaa$g=9`RcXy43iyrG(<Se~NPK>a<PuQ-qCu6ebM%cjZ~4Z~^DSxu5x
zh67Nwb3Y6(Oe3k7P9<-9ex3%%;n-Nl-6xbfPb(XnUi!ie=-kk8y2v(<+YRpa`zQ{|
zw;r*VtgnUgss5v$J2j0*zqY?xSvg%#eO@NlwS#}8KZ<m3DKh`;Ymma{#P_nE`|8VX
z)U$P5Uo3ZF+V6*p+N#S00J4Vewa}6+P)I@!G@!;C^rn2}k&H{9@N#d;T9^Qpe0E~)
zSJ<ahpH~+qo_ic{0o>vaTNzGc3n4qXfv<xBP|SB%g|9G!Nvyr0GwNS$Zfqs)lvc9k
zpTQ>>0V@1RRys<CFHf82siR)#yO}<IOu1A#+FF)inhAwr*ITvIt}>$?=wPI-DsqF4
z2+QtT(*ZQ1?TT8MV<R@00>h4al3PIwBHlM-FMV~I%~ziJ&Ro@B&$Sv44lu~4r=S<H
zK%CnH!P}K@miScm@tb@5b)BP+JKk+!wIwA6o8(tn-rMVVcelijypye4Rfa8#jFU)K
zuNX4M+8xb~F`q1ueRhN8+5J1+p7jvfbktkrBPiA@V?w8}8^K#YEbZFOq?(oD26z%|
zBa1#FODM9RN{>D*W0DmFO)BXJ-u}LA19f^)9|Wu!>`9}14&F(^^W5tqgItq6(@8~>
z!t|i#W3eqULXm<+o`qqIIYq|7oKsBchBIaJcdtU%r<#p>jvZ{@NyJ|IAQ~rk&HDwT
zM(gGgu_Jkj$m3JZNur0o+Zd$>v`50ca|fwSIN|V8(ZoSS)_2^k*H$(m=J~NTT@92P
zot=}4y%*aye&z#Kqn#v2&u`H?Jvp6D`EuZzTO^Yqc05wG_3K@;dLeGTq#^yE3f4EX
z@5}&k8^XqvqE2Yww+E`&`gl#XrKG9ta8eXSY}=5zz$HBxs;+aNb-NbHITF8^e0Zex
zp;kos6TW6r&}KA0`tkAc#nJMb8b#g8<YYiEnGZ2QBu{1<_iXH(&OO9iMx>!rcnmpS
zwiCG5ras{}b8@v!1M|3W>8hP9QEA($$!-$#pO#*q)_m38)W4#$=}^l0&PNx9+}MwN
z?be_{4!irr)1H=<XVR4Y$d-&`y$w;1fGKQ;-Z(~h3T(qMX$zTj^)Y&S$Dr;t_sRfv
zKt>+Q;Kc?cQo#bn%$*XXe5m=3x$4bxve$F1p;Ug10uw)n{l0FB4sqh?i)=MeBqMfR
zUn$Hy{@M-JeOI2c>TF-t#jmk)E33P)5F!7+t)fhIVRv{~NA$DvH>BX25j}s^W+WXX
zdA06=(V#8^`?f!@$pPOnebZ3)&u&+02;8igL7M7>I*9Ta?~pX~FTGn22W}0H?#|gh
z5zOh7gcEN^P&~FGGq4cXDV`rFM38osJJ@vZRjfeOS!w*p&&NIWTAfaLXHru7a&enT
zt<(qzs~|S`$#(!BefpVL%wO6*;c_(R2k1lhokBdgix^i1`>*udLc*djI((CXx2?Nv
zJg2Rf6lUKFST{<NgSmnoR?B2C0$(ukPohy*4c;Qa-ir|i=Q|f7);2T%*cpa<Z!(qT
z>9<DkXri0twlm-OkakNoIfcpwqto%84nA8;i7#(53(dFd9RUb^vA?tShtOqx<^g9L
z$~4!2483un&LGG5;$*~dI@iyZQWW|@F_uLP5HJ_M6M8vUT5G(&+(zfjpBVeJU3HVV
zvU_m9%ytT00OiXIB5vA5S8jiP9>E4>38TTJKuyZ$cujrve8PT>Oi&b(ygznb8A|K`
zi}Phdftnse_}S3l1CV%}(Ib(-@~1eC9cvxRCfsNRkuAS01k#gVNjPJNw>wZ#bl5WL
zwse?$2DJ^f2#VEJcHPp0b0WK=aV{9h0_;TQ462s-CP#<il1D-+bS3Fp5>#*ZANX$?
z?;Fp4${F;HY~0}bgvNe2sLZgVLk{C&AhHPg2;kb&{bhvSZj3CI_(!(CcFVlwj1{P0
z1Nkka=;&5xW~Dt@&z_#8{R!D+hNY6RRU>$LMjMSJ+aQh;pJ0m>AqT$fd!l`EU33=!
zmdjA`rASu>JMNUTBtgMaf{g^he)OLT*0Nvrv&SX`#7@3xaCVNRrh$mpL1IPA?<de>
zYpiUobKBd=q+@mr@>PH_*XdbvYt1<1cSbPsttBBUFzc>qw6~(%E_-17nirazX9DK=
zy-~iu9!>RCD+-8akwM?360Svu*R<xjib>9`+yPuLi(ubGY(Gz$_erI4IFlIGSQBxu
z3Yc?KOp&vKMzTXxwYM$J4Qy=4f(|QR5uUP-7XkTKUqK?z#inTxmW7AuQ<6Ah6H$l*
zdhZCt0M*0!xO=@TWPR%wn?kT7LxA08Z%(-v4zaY`fq2i>mx5wvD)-S2@YH2Lyh6Te
zpJz^h%m60y1%V|Z#BNK57M*x5Mu!E3mT{A^uD;H&Gcb(p8oA%EOo?J?jM<w%(U48w
zSAhs$-=3b-d(WF#sFAGRs)guFe5;sDt;kr?D;AZM!BV3gjC!7);McGwi)n^i2Leab
zFd*F|I0!hLfJ_W|KdTc^U+?U)uRl~hD7-n_JP2qjW!eqsfTsPYKq1|Bs}Bnd4|HI5
z^9kc2;S*OTokq;fUM1gX6Y6O?Jf7Pxy!RRg*KI0e@b)kY3JP~?2*RNNgXzShv6SZX
z4JszxUKTqYf!#%qb|!%=)P1Y^(mgoW>PGeO__%EJkybt>91aEVZ%^%LwA=J#<iZe_
zY<Z6woXPLJCf%?aOq+ej8E6X{iTfpw*b4!0KfIy+GE>Hkqhft^{U^ELzRWIQ)|I9R
zK=blPz##Bd0n<U5ZVTSy&9P*CI|iWql-H3s?2dH(l{vI(qD8f}`Q-;y?OZ`%sjPav
z(dKK5jt^QXE=Sd_qaG^(i#D$mKRn+N_xhQC=k-K9wZ!VJrvP1D-)u~4sIQO42uEKZ
z&gND&AT;R+6E8|V_QieuMivHuUu4Y)FG4RVKba0logrTxe*up?|GRgHaW>bQZ4Ot(
zfHyG3Z`pJ7%+8djpU>sSteyJ!;D%t3iP+f09JUGDZ_xn;BO1Q0BNAS=8(v!a=P3qJ
zWMT@>j|i|j@AINZ-+4d5W;icUKJAZ(s4h|WX8OLpeg*&t)55%{O$rJY-bu-(sIq|x
zB{Kxw@N}gu$lay<g@|W1c61K3irc~!YrJOk8u?UGTG4rA6#cQrJ5`D;(zgOdq^&C0
zuPX#&^SqY~FrZdrhSRyJ(udtwh6|QVOWQc4qlkkXMzq2iD_h@O?v93-<S#)<q718C
zrC-Daay-%gaKOjWu0Y3Q(Ft`J)kV&ME+GhZeB(Gpe$1PMWaA@X#N)aL%JRHGTJku3
zHMrbSP<d~J_}+kzZ5YS$QBB~YkLs`B^w+5yWNASK7)Xq_hAlt3e8T!^WkrwA^KAKF
z1*a|<(YkhYrvSCW{ZtJsXn{(sJu*fj-G>ynNUGvwoJM2MJ9_E0*@M>j>gREu-2Mb7
z9ZejJsq?@K))N#s-^w;jHP3KA5Nq9Lw&~U~%Z$QeE>{Vn<NR2{nTYW{BFSBS@K=@R
zz5Ua5rP6w$hPqf$s&msG-;N@>uSo9;%w2zsb?;vy|MFW;%O<1C7+QyiXTb?)t_k~a
zrm{C6Mj(>0(i3Cld}I)kr#BQ8e_-RGQB^$cXRZZG-i@~n3E)R3^*M^Un^!vRfCM~J
z1fmr=$klos147zdy%mw3`~BMtr<<m`5T85!6dpTd-zpM)RDTqJ30w9;;X|u41aXcE
zV2=ts!ve=<n|kz0Rl&N2CR73iR=O{BAjQt;`+)SpF17b&u{t&)&=^Y}>7q#m(+cro
z+bLxOF$dZz?{sx!l&0o;i6bIdKBFJ+mrM&k1kK7hl4L|X?DJd?FqWQok-dNbNnTRP
zhIOhBReVvT$?RdHQ))K{#&r+kaXt|-x)DJ3L=N~o!80@JP217m)(yqFD<aexe?FZY
ztpawt>K(l#6-4#&D`)i#Z6U|7>m&ba(9K69NRw|4OcPSq<$($6Lmq3+)icpdTlAuJ
zI|(2rim)UHIh#yUC@Fw_hYgFx$d2X$^p~Az^;}PE?(TYpq5=0?ZDfrE-Fo+|Q23Rg
z;rT3NuEB;CbzAV8X41mL*Y&$kc<Wa+BR5tVaRIgZ`E=Z*V33PJr)Wh3nUD9zC?JSr
z|Hw7Uj<i6@A7O7){nX@@6|m@~c|PHw`TAhNB;>^oxWRn#+3YYhX<Oc&6oQ*1BRO5w
z9<)E~YHOoA7gx?%%Cy^|=6?(AL9j6~hoDkw>m)2ZC=9gB=Xeo90HonxeSp{VK6kS{
zp$p&v1wibq;3hyUjZxwxkLNYnFR;4O7@KLOt1&w}cuiK^)EHfC9ac^3B0ToDDgCHy
zJg!eM7#lZ>-o7U%RKH%qzL>!W()RJj1Rw`Xp6DpEZ0|Q-%er?Bug~<6B;2I;2V77h
z?k@ZcPxZw^HNC`~7*tY`68f)DDM`_hL;_6}(9haKs%2~y!G>Mg^}Zt7+C*EZ{gpMB
zV}>bB?uHm-LXlZnq=~^kA3w?x<i1ZCVHI8#`CuVM16yU>&kN@E_Jru!v?DWtF;9Wn
znCR~qYS0~yd%;^*BEO2VnkI!<*PuuEo}ce#Q+xG+=J)IKtC+^@N5pBr>v^>M7VeTi
zpkd6F&H!5cRwdiDtpuf>&QJKA>zxj7zAQABIM=ZeKuebF^5}USpWaO*w+G^9`Jgvh
zwlBDKPP628Bq=P9U}7#og0BzlE{F9Ym!pET4Sf7u-d?wr=gX(w_#U@Mew%YA*0_t#
zAXD<p{<Y)NR$_HN7`C<m>0slrhp$@dylf~V6paDdFIVVG4{h32W~0{c-IR}+8eL#(
zy}75mI1n941jA{wJ)u`0S6r&U?K*?R+!WI*vX;M5wn+#3p{!kXN3h$RRQoY6<&!}f
zYtdhsJ;n{rH$Kj`_e8J?V4U#Sj#Ai0ZRv3}XF>AZ_kVkwc4xm{(aw+gmCyas70`Zj
zNiYoY{R?9F?RUJ*Ezu=fQ43+ct=xTHlr%0$NGEH6#QEpc`<BQSa@jf4XyW`BkbDYA
z{OpDs62+#QdUP*&@k{aaK#)OB&S8b+C%Jc9gL?O#1A2VuNm;p7`QIo(oT6E{l;|{n
z1V{^?h}-(lZ2ODT(Lx=g(lqv4rQ<NBz>WY6p-}$QR_uB{jD<>$5B~5)Dk}Rpe*+$Q
z6Xu%k%4j-W;DD}e)OZI3ewUL!<qe(~+N-WzBqEM&5}9X5tL<d3r|s6=`Y#vwp3mR(
zyOd5FVRUtMt4N6G2l;)pv#cO?OLmv+uZ{N>Yonv$rD%0+GJJSDfHmsV0hmn@Su0tw
z$5Y*d#TapR#0aeIPaMBru5AoXR|IA9nVT%=Ih6N{r2s@uV&X+eGN)K23pN~!?Q+|;
zHAsX1TOY1_>mjOMI6H*FOtfRu(?K3DyQIW?j&v$n?r)L?P0stMV*Z*dvCi<f$f)o3
z6B6J7!r=Kvo69Eph&;XDn9Y2G+Faj%wlMy~1{^ebR5r(j@%hF;GM-cQC#lgVC4qAZ
zja_1OQza8}gaaz+Xn?%jK>^DD?n%)EtLt|Gho+2D?>^I-JD@lE0(YKR4tr~bj7E+I
z0_;e<!Yp?Nz$&rSz7F%3-aKK+)ZvO~@jiC|=o8mz{<X~|G5GW`liy`Sd-a8e)axpy
zZ|A{qkqa=$f6aTR6y*Cu`cp4{N){SjrLaqqu$UO@(W3(Q<FcId<v)EQh$a^N3EPOh
zVk(N8k){d6KJq5*3+E4}OV5R0FA;Df;~pmll$30g;C(Mgg~^7873>cSbWXohqdKk=
z(}omgdk;*PA5K5}vYjqN!8)HTMQdnOGW^EDaC@n!U@6mSf_{GXvPe7`ZEz*nvet+O
z(j^AdjErha#Sp9vqlr9Ow}gtkqL5CRn?9uZSV2L+qSAFN*eO=q>Q|^BoM|WlyTY?g
zfrI@dBNR0dd;*Ca+S+#PrS3amFxK+%^&O{W+<(}joxrT=3+_Jx#>`pz>XTG={%!QM
z{8>fg&n>GT#vMbcoa`n8I6U>oCv+2Oi0y((r9*mdCU3JI1`|F=es6CnEb<BNdyQ+h
z-mkIU8xu7-i7&~}VF^)XKsyfXYXbB&NM}$XgyR$9rzE%EI4b#n4JPl08h+cYJ*>Kg
z$rkk|Z0Pqg2oVRDy5ps0y>@3EFt<j}4^Da{K>{>J&FHAW*tdDNsZ>-HgGezpKJKTX
z?<HA|*9qT$Cc46w!Y?~u`gndZ$l5i6Cd7lXjWDsi90f3>;$2iNG)^Cc^A~24XC9u0
zznb*b^|geDdS4ZP^U1bU@)mkaKQn=VpnJW(6cba$>I|RZJ!K&$L7s~F9lzEDd=ub@
z4yAMB7pq!y%*W~R0#%KOA#et=TpS^4&1DgNcG}gzDED}F5_mkSIgwYbto<4Ly*sdU
z;UgXpIIue?M#=wSER_AJE?|(v^80vQWg(!G-jO%QkOnC;khpo7XXVTH;fF7x%lD8I
z_bzu@fQPtk<(}<<!?r`rDIG+A+bcieFH#g1MV!KAsTng}s;>r<@J>;RC0*&d=oKCY
zos2h9n#>E9mmkH{wUf3ecw$$Yo4di_#jdxd#pD9cq!!%}j7mcC__w>Rmi+$i7`Sjj
zU*+|v?&#!#mR4AQdo))KGq0ma5Z!kA)Q+MqbMP68*9~whIe!hL+Kzcbag%D*S(e+y
zfA#yp|L7NhFtyr!z5ReF4Ep-bDv|%ICu=R1yS3QyS99y0TJuR5xqi>5(sW?d&&kd0
ziW<h)A{yyDbLlV$F}C<IWLg7c18LWI6eXrZKWIM-)05~NZq<!E-)+XYAc%5PhkU!A
zbm?Dy52R0A&+m639fl9@<N^fKStVC7H;yCE{ZS9DBWB@)4ZoaZH1!#$K}go&iBU`R
z9apzAHY<HR2$z?oAz%$*ju@5nj$;@Qz)yqlvwB~iA3JoXbA9CUSj*}_@{^r_qZun}
z=BY&Tn}Hr4pBTvKNGaJgED)$sA4x+ks29DwAr8TC`PnYKum-f}7cY<PJiq%<`5UAV
z0XZ%KarS_BbDTeFE-?X%mr}U0Wg@~e#6|yoTYMLg35u-=1LRJ09%Z<w0i&MiZXo7|
z4BtV`jJ>e1$nJKL*GhsV>UeLp2pLFZ1e|@MZv<eFDOj_?n&jqW`OrJ-hebFnzE0bk
zuesJloZXS;Y*rpE99)4$UEFqEdwY0AMXrI^2_A!0dcy0M_Lsg}Y!Sr$rFRZHOew*t
z-L9n)%s46O1+}kNM&04b+d0bY#lqLdn`d!dn(f|gr5niNAwpPU1{--{99MzSS)Vt4
zv-N=a_%WcsWxt<GX#{N@nixav*u>Y);>7n(W4L$*J^8m&=Q_i5tXbdqFI}e$U*{G!
z@K3Z|OZ|j{{&aZ!w;iuR0zm#!<X)LcSy>3D?7c(h$7%FRVj3tt;GSrL+>NF!4@3kk
zu^*L{`03m>&c{@C6oIH~GqbZHXhd9hlu|t@{mMTBy@4#?ggJqA$2q}(Zd6=E*`-ru
zWdIRHEj7`HlunYqm|0>POyl$zLP5d;^ZqW|Ei5y*Swe=HQDA%R&elZt?Xn9uS;)*I
zegUD^5Ua&{N`o*vvQT!IV8iBf4=Erj=*XApqCk%b8DE@5=~!gZ_1w|EYkKwCKRu1{
zRBT#NE10%j*Lu*9CVc=gl4wm=%Lx;;kpe?HXze6)9!LNce#Q!#{o2;N^Zk?J4Z-$B
zuF6dCli1%cl!e|n77FLe2P8SF%|=O^%1D*#RQZC<n-M}Eb9I9gX<0TD<IL;ejdcP2
zvh#!1SdE-G!45&nql~vhrytD4kWm|i#)A7C2ff?pN#hYg=bywX6dQc6bKYh?t01Ui
ze9qwSF;;UNG0-nA<Epa)LIt{g+xA&}G}I`|qrl_g&N*v+CUE5M2g^$tz7BuNgtPeQ
z>ik{_2D1**N>@CQ(0)djHFm+lI>Gqet|>m}PvX9cQEJgK3lNV8X6p!qS_kHe*5L2v
zjVHUmOUbV@vR=~JgA)|>eC@D%TD%77As~EKF&4YaSg4jK{!e+o=lu#@Obz7u-$Dtt
z=^9A2>Pr7shSr%=$z}u*e3)Bhu4NH0^*n8*K-S+sqw?;IyP*P%2pvEN7#u?u8>RW^
zX@&q3?dU>5OFS3s`-!^eBah*6&h>u5X>W_3uQ(XmbU;Mz8w$^+FP!Zh+&(+*R<!7k
z_DYPUIK4^HO^36DA|-Mc0XwjT+^=JvHTfbVYOi9X;xC5qAn|bKNn=b~axelXXoSaA
zRmp^{ugi_;p0B2p-1}j`pYJ0XkpT$*<bG-VBC+km=~etM>aw2J6<YFMbW_c>gAO9`
zzFg0r+vfh_CzM8O24Y1o)?)DC24^de3kg6U6qI><e5^JdCcL`3fu*jg$G~BEU09Uf
z$Z#0>xSDJeSv;45ZJ+MLzc0e^!AAPpF=c$zFIq(pieP+Fg#qRGTo5NvP_l{l5tpRE
z+@D{-F@<GFIjEfrbsMa{QNQRP*LXKp)@Hekrl>;~qp`Z;*s~sGJ7k4HfSlPvk4x%+
zZS6~3duJ^~Lmt?|p1US*L?c+Zo^IRC%}hU|0`pzCCyZq9k!<j_)u2UWKX4V>`7Y+6
zpr<A74Krpff;k`x9#*zTkBlh7VtB^ke7N5!FxBxK?><l_v57EM8B;XSOGR#p=6d%z
zDQsqD=I3l;#8t+3|AOKs+2NlFH4bzP-tVDziM`(LB|`nxt$dYB(xFCGqY*}UiBEpC
zD;-DEE8inMS6>kr#I9?@if0^SWQ&+vSR^e*3t}Z?C#%?eB}-W-s}HjPmXbV|frCd8
z{clL}TV)#_+k!c=nMw5KS}kA=#J}BjHDnEbLh3Y(To>tunypf^1kH#=vcpUk4l<WW
z4Jk5zrc+4g!+i)Harc-H8ZAv>4?d}2F|L`fViZ4t1C;rEG15YEc&)l_KkHNR%#bCu
zA6F=Sr?bHnF2kaIDLl-~R3*w>^X&x++2~zP9VjJMu?^cTKvJ^_al}C4Iqs_;Xy;hT
zIfIzgZ42wR)YGW!6#jaV4HfVb7+0^Y<uf^k(Pj@__`(AW+`Vy?yh%SlQwg8)jIFyz
z;%QS_m{tE}581-{Ec=Y$s(>DTLCh#HJ9LfdXs{j$wRzBwL1Lx`GIQE9MXW;}TM_u@
zOTpkmteZlrX-V2FS4xglnmWqTr$j`?8fzb2y%Ao%8<(QX-zZ9gFjG)$L%zp6Knxs}
zMj>r$WL56Ccikj@+hX9IQO^~SNuDuBu(?r3$Z#MQaAmV0^Y&68i&uC{B(Xt04lQ~D
z&$f*G@VKhq-RyMesof*d7deBCoZ*n+I3e43P;x5^Q+{@Jwm?x94^gX>xr!*guI}{m
zLv>0^@L`L+y>YxXSpDr~Fr<7C)rmjulQs{?eSqbh)C#qDI;K8Aexi|WH)40uPiwRh
z7-rq}7LG)Oc?hEDeTr7qyaauL>VLf0P^y{&1b&OfFbv&$7ix<q*>_Wne#9(BswPWX
ziZ383Qn_%$4KloXZ$@z&EGn*9LREUYUjV-*0I-|DEMq@w^r(SR(#qqNMSxX3AuJ4=
zc0Dfvukm@z<89z=+0da)i}SG<kX^lS()iWC&%eIaAR13+tp@%K{BG|<>&`&i=sVO|
zk9hXr=xB6-m%CgyyQnK(sCyea2ZTLGz9=AGQtrCAxDu>7U?1dXo+hbB6a1BP`w4sD
zO0L8xNi%6E;vN<9K-k4LHoY9gz2XX^_r2d1l85oiv!9p1W;Q~6%j?7^%DU^PPUMT9
zEIljEm)HaRLIA<^>$0uAs#F1AjQVUbCM9clIqBN}*Vb8wMb)<Lp6(bxVCW9%?h=ra
zZs`zEx<R@dq(M@o8)+m5qy?0e9=cO<sJ(c<_dAaL?EU=3f5XgL_qx}0pV#j^uimTF
z+P4h@*$#Uy?C%eB@;{OCW4sv`CjRV>vh-3yX7r>x+@p$u?jiW>q9(mAZGN`eaGC2U
zTr|DIVLC!2-)uOUA(P7-Aq=$NvC{*u9{Q!TwYb2bWS9b|_=ySuSvA5OVitZ9rmKSi
zF<(r;e>WV@Xp})OLrL!!{^jxS!911EF3sTzos8t&Mn7tJhy)5(M#Jxgg%~xzb%NH-
z<Tqwn)+XRxS5(P|@m+Xn)Odg?waNDvsOf(6nFHBp<*EM)ePwD&HCt<1i*g@qVq0!)
z`{4rwKyIVc)3-a^zh-2#d6bOWWik@wbil<Dv1>M{`@b;f`4wRvD67XlbZOrKuGFj5
zwZ%SBzv;E%rJk7OcbT^u<#t%OSPwp=1=$lkahHi0cWMN|@9rNzZ(bZ;qHQd{q#=;D
zoF3(D0ScSEkBs0H$oYM*4Ob)Rlx$UH>c{3wEkG*FhUfA~HY$K*a!)XQEiFX_+$Mj+
z+o(yS-(e#0W2VC|zZ*Q+-R-Fje6Rx!1{FQdOT^$&0*qILeL&gf(uXZ*HeYY`?NA86
zR}@7nLklgqKbCl7D*utMrVD0!f7ksa%BYqX2e^n@s!BeTx4uH)?7T=8D=Hacu9}*O
zc*ci`M>&j9;DST7zNXF@cJ4yV-ua43+yg`f0J0s!*=7CK0nNzan)nDTOiqS;vmB&N
zQ)+8)fy;Bh`sRD>NRses%)75Qww+asOF55^gz6p|nfSrB=6!h4!SS<Z0~il>^L&r6
zmsarN6C5@GxxyWh2&S~nS_m6MmWzAef46cip`0tyv<W&1@JPog9)s)HSw86pygE7(
zU5Fkb6UDIWl}_I}$K~$|c%IQPy5H5dU`AI@RrXJvki*~dRQ<@rMnSwp`Fp<e=XAoh
zGm#Rfq#!WA58vaZsZ&pmu-j>+=>rA@1;w%W!h1$9b6-)Fdy!Q?!=S7q?s6|jN5_H1
z)kjYww=w=_2^njur#OS74}jIq9!^$c^h_Sw$<*KEt2TQckpkZd_2`Js_);2lB8DVP
z9k97@P-i))+Ho@(%O!(~oTMjrqdCLEGwAYbVIiWj#)nE(cuQMf7bAgv0)3Y9^GrJW
z?Lu}hJg6dIadE)~wpY3lBG`$p#i*9PLnegddHg51G%tV@&^PcCD34RCOKhe=0KLPN
z=X>=w$GcaNi;aNI>9~*y)Ab9#3S#fJe*Gr7k^d$C&6csGjFVHXt&`fyCicSjwrQtM
zuY9+JkAD;Tu?3f+04&jL_He#+2e-SgKnB$urYivS@yCQs-ZtUiT^~bI%e6Lr^cDQ;
z$L9{*&abD-r%u0p3Pf0K-y%9(X%JO&*e0qTI@Z=}D(~t7o;R1hdaD|rnYE>c7Br9X
z`q_5GIto-ZiCcQ0>D6j^htp&pyc$Y<(F9{+#@bjhsnk*#kS*QUR`-ZDp>g(-n()$-
zbca$0xGx^<iufR*5G2Z<%qJ4ab?1i^pn&&;M>3;-TMn%6+erjvcf&l4+|P=K_?o18
z5+l>4d{K86LHDDsPFv<dBrl6J$Ar#`w4A4Qo(S^qGsw6Ddfx@T1uenxvayLda7$e7
zW!HJ1y#?qhQD-pL?!gfx6n6;|(g01srcrhtr=9_yzg@bgp331e$8fxFQCnMbn~3a#
zx6Z0-yTIRa?)i+ENzT=JL9b(yXb>cfBX79K-0_r!yS9Jr5Bg9^62i+>vV&r7=u>R_
z8ij|~FaHjYd3aINs!&xxcP*#sVF1DMLyq6Rh2P^F(|+Qvd;XljH6C)WN$H<iUI^Ry
zji5K2MiHETdzGzwl1>9l8^mxW$lwxfr$54IOp!K^SM=Y%;{-#3LBa~3^jC-9jmYG<
z0cYj9tgN$|YoqXM;|F-Ymd00ig(5jJTr>xh&eZxial%|ksEwU)SU>Bye2-mjGRU4J
ze`bkNsW@0VU!vCb^HY5%8gnRw_8{?20R$F24x{Uz#{r)X*!mRLniN`jm&HiQW}eaj
z)-9c~GjBZaxG*l&-6l3zJODq;JQ#CZ5guZWhC_f*0t(t-HWi$wqA(BX>+K(1i8+wG
zLg#C04&n7^=F=K9$4C?8?J<XoKzAlXy*}!HGa-&TK(Q5CZ5hhrjk+xhsa?V5J^Vr3
zQwyijrqM>f)Bnm$Y8OK=!97$`<M}{yPBtMaW7_G%f84r(bIT(mA9it3q3q%8!2~Bx
zEuv65rC(<T@A!R>(Qij|^*?(#K=A^te&nFT2%kaZ9oIk+%ZNpEtiB&%=mg)q&w!io
zH-E6D`@x}OPsQmxm+1?D=AX2=?X15sh2e8_-B@HQQPt=P0K_|av(qZhXlm$ZBW$7I
zLbA?PX|$hN{FnfiyW@PjrDt~Eie7WP%BK~?1^t5nVqqrXH81-G_gR@BLG;*r$$e_a
zWsLtsUP~)Q^l4P@8%^zsh0|2x#JhH30F<7$2h_grAk&*(V&hz4KNRD|W@Eyoudic)
zH7xmQV|zmHTVBx^gipnO@jG@PY-&U4%g%&!Y}&KAsTH<=y`hy4<4X|tlwe~;o>Edo
ztb%JbgBm>=s`0fV0*e89|95<F#|eg@Dt1P%U$W)M(RzQ*dK&on_f00ZKaqWQJLP_a
zIc>)1T9Q0ve^Q^kIcdpK8skL*rH*ciZTzqRA-NEs6P@*QJ~9#I`H)VQH;Tv(BV^_*
zIn$WA;qaz;qWZxjrZB1vNIv{!I{Ws?AFEI<K?A#2`#g_b#z*lk3=!$MNoT*(@pinq
zQg|L`&vRzJUpoe_lCtJKo6D3+s{0#4v}j$D@B-254WZVZJYVPgv%zOX8J@QTLc7X4
zPk^C$V&4{02;9q9;{4!nOk#_<8sk6TJ;<K*CH8DVOMsdc@@pjke42p50+=|tT-K44
zv*=rP#{f>nZJY7{M*?v#Hyrd_eL8lW$pIZ1?C!@c&fjx$sDm!RhK;l2wd#LUs^*7J
z?u;F{uuCy34CdvwoqoUMz0nQur=!kK57%qA#Cb9{J2aUkdz5J}^B1H5UlgNqPS|L=
zaYXT(i9x`L0uTQO2iJbMio!Kft?!$|bLWTZVOJh#amzY;bH)%Q=OyWr8rqEKM5_gy
zn*z63B31@fWGVE080Z-Rc7d()asj%Cvqmc&YZP4K2;bVhpmCVx&ctB;)4k387N?ro
z&Uo(b(SgPl3p@l_Q<rp48^vvV9J07_g_9F7@cF%+6DqIrAA!ieExg>9tfBp-`N3q4
zt#~afKCI1-^H}VuU@SmIhJSX!tOVS)r^XL^-f7q2y2<y{PX>YXohOH%U3aknScnto
zcVlk92txrngNdWtX8J@u!kM3?wHU))HkhDQ3~!wGibuKp2e3SRvQ=mLYH105G!e|6
z9{s&9zR4F;u#gx>lp%O9fym_}>H($uKhP=Q90Bxg%2E!avUFFT`=FIhy5FLHVEgP)
zZmsHz&mz4Oy>TQBT>da+wzu_2pdrzy0Zy}vplX|&a_td{pgvE`+Zkg3>K}-dyfBZm
zx9f9gS&jgDPG~f^9f5z(Tg=8gZi6)QhX@r55`QNVlkg@g@vi~WM}G)1ljUkxr+&+$
z2e1^;fmQ=3r?A)x2{?;{%{S~oGcC8N3ssZd$ZJrv`UDB8+4FvjhsSbufthmM@!?4F
zNTgQwSx<hE=>U?h5d51Aj{cLtYqFy1R8~F#r-iuHr{n9J&2GO*@hw&=Cpe_(pt1$K
z{fo~4KWBG(eBDL7*zDB*3_U=lQ0+w{-C5#?H<--FbA&TR97vUUx5j@KS0vNrDvhQz
zDVJjyH11;E?*u+lE%}UkeOuqkSmyoa)*Qe3^ysDUKJXcMa7D0C%27PRgPC45I>lC{
zyZ~%@pR7jHEpM%yAji3)b&d}QyMI=L?Kx1Vcz(~WBz%~%hW^<|kSS4&U|K^kW4WQ4
zu29;z5{8&_q4e?nTAT`PKj|V{Y;lqqAOG6+65BCSMHl~9QdCTtXz&+QWAV_11{>V2
zvoR-VNwy<E=nS^=vIN@9jGA@B`pKZ|O_GZ)6Y<EF01VyUy}bDMM7Vd)n8W9wk_Z&e
z8SQLy1ed5(dYa(X@!aESeYjer3F}!KS6%uDFtcj;_j+;pTqYz0myee{4Q}Q5XS&jp
zD_kGXUnpnskr3wu7O>P-u3X)+4%z(L;Sx<?!U~Dl<uNQh6r~spwlb)zdND5Q^zuS?
z(4xJ((N?{-NO|hV$DRC7kyJh)ptG8Pf-q?L=@BoMC^y1wq8%<s3|}SkXZlsvz18<Z
zMoa`OT@h@pA}+5LmrT)X{g15}J6t_xLtB`Qg4|jIrpvfRKK1C$xhcGXqLH6@t=FdV
zVYo{^2iK>Eyn!i^O_;&PKpSQp=)?k)Fg5^&hWfmhI(nM(WI%Ds=B3t)eK{J^=b)U;
zjX6~^0SD)d#(z^e22$GEynRvD@Ey-j4K8$#ixXjKe62Xcqz54D(SYSqQiA2$7Eq*2
z@X=OCL$bH$;0^zR<<W>&x)6y0u>jH&CRt83VowD2!P(Z+9YdA>vYQ;wX6rGq0Z_C(
zwMepe7k>7_b~{2<K4K18K*n$W%UpHubJATfesA3F$xaz?V}4CagOulejxKfz^{+ds
zIyp2>(o@~rO+P7PU~0VGSsdZn68*VnbDCcYoR)ZVuf!;Zd>30j6-z}M*|%G0gDs)b
z)G5Pe3ymK}Ub35ZrabxGss`s^#*v5;0rKic!=yB>lcT+XBjD)-j?PMV%q^WTtRJ|O
zFqhm&sPw#Gv5T>D`8J*z^d}r@C|wv2(x_NxXhf=W5WGJIsU_n;JlUtf`@z7}0%maN
z2QU}-^g=5T@^Jl#i<E&A;>ttY!r~i<I{s*;9@_Qth)g}gY*z&zB~0L^f<pQH74k)S
z{o~`PpZ_=rLA1rG?~_wEHlVV@GeVsW=i8)ViXndbA!RLPhwwsWwpH#rN5vY*(LEg!
zMis`iX9zSH2^(e`1MxTaJ5If^oSo1-+@Eb5#~HKoa5xd<lwTi-X~b7Y4}@?`OuiwQ
z!p<|kx$UT4i!Qn(j$Lg4jZ%I}pWT8UjR@B)CopUYRXhkeus5&osc`y31lATcv^*Zr
z%wvg7{kQ|akXRJSe|zqtXJs}1HI^-9Wq8mk#{v-Lg0v-9Id*_@Z+2LWc|Pg=Y5YK^
z`4ZDe=yjfs+G@;^E6I>DvF3r#D09(wRM5~?ed|frU7gzw4nvL*0HpyIHfV;|0|Ksu
zvt$@_gd~n8`zS+#bLs3d-lCIp<Pkrx_EasdF^AYJ#B#2N;$~p3JAz`dg|IvY>d5zX
z<pWwUAY1^od$Z$mOtvG8{J8tc1n>p1cp#$gG~;8rrVE~aA_e`Smc(o6=VqihARmNi
zsfmYYcb^j;F0}DZNL6^DQ;4{OByS*r&sL@Iqs{5Vv1~#gPKxUXEOngKOloR4b~NbF
zs&by(b)@7yykWEb*;tm{g)46afQh+#d9glWx}Exdu^x(u2F|M2OCR8I3jBny2F!RO
zW-9eIL|1QdfN#fg#6;`;C%J|r>4{GEJ+U+Hm2058;bzMx-9T<e=Nknk0PkO24@N!K
zG89E7&y&$&M3#c?CiS&GG*hjwp;CoG$vrtD-9^|P3~FA9Q+wYZ9o`N5GQ!`IckP6n
zBJA#^eFY)(0u{oYC*V|B?FTTkR6SRPF4?}{AcR+yDq*1A!^0nArky0F4-0x*M8aNg
z)kjE-`mNWByFmsNZi5tF&{5Mz9?#>2;*p<AC&hKih{FXkk*7yafn-3ELn}`XEoV`f
zwhK~tu+-Vk)D=O&A$~#yCyDMoaNAjd>;8y9cce}imQ!in@D_M;39Atbf_bE<2alKA
zf6vTd`@f5@%7X5<*)K*MZJq+Kjq~3zK}%ry+V&>449aC#2jwT$%jAXWdb8^dn773@
z08*jX@+Ic|&7h>Tnv-B_V%}N=ByrT*oF~|wF&t>sLc5>t?rwnZSBdjGDdbJf``&XB
zvwjw88^XtfaOdz)bA`){9ft`ZX9LCW&TtiYL^{44Z$18?Z9><`r(Y?n%BV*)MYQ5d
zYfxHjKKm7lYcUg(*7^uLa9O$CF@JZbum>jM!JKVy8t}WKH0_>yx~RNI+T;$nrTogK
z)_o#`^K3aZy<b<YGH4o!uP&7La>yLFZcr#@6Y34l9W4NU!0O{{OWkFBb?f@M*MH!}
z%pi#vt#kp?bl(d4`~a<81k7r-^p!~j=ho0ByE#Ch4v0EF=2%TAv=EUuZG&vS(=Q%#
zr=xy9$XxG06hzK;>3~(j(D~aJ=p|22shLAUQj#2PQBd9Pg4D4$KIR_~rXo7poB?~#
zD>bziyV~LTX0bcH+%g*yluW3%!=>%gMcc&sce~oY$zo#a+z;nSjq0RcC4TP4qDcT+
zLYnm5y*yTM$sr3?B-sW-%rPQbY;ov60w6@7%p$^Rp=m`N<tYxHtv9PEYw2xHQZ4=E
zae;OWz+rVB2f9Z7WBfpwAQIM>*3v#3g;|?x?EmT9McskU-Isf97<r(hZ(V2CVU+LJ
z)N**Y!~^lt*#=dC<x@Zt_p1f0R$I>UFGMx*BfgU1-Li<Z#Jo#KyldC5-}>LtuF4I~
z{d&+H5;^P8K*4kGrP5L{=IlLYzL%{P+A8`9=iWUtSI^8qB~n2PTF<uH#_sR`i|7}c
z8&r;yG~ZxD+;tXTyY_f@(%-)N;P{N00krHHZPGTj!K0LyNx-8eYjNHp@0a}`(>&YA
zzIx?nYax(40@V0V5Ys$Agxp-zb1kb|4|=bkXk1_}9q1Gtzzf!x-jf6NyuQ2Dr+{aD
zw_=I0h^ZFmZI5x2rpbkF{+CJE$4=5=>#d}s)tdo9z)xVf^u98k!7JaJg~ixbTmi#t
zE@oI+ZwtOU#u+;`526>jGGxbz;w*|8TE1*3ojcVJ`1hdYrFlQBGK^zxnR2i?F%?!z
zZSDe4WwnHW`^nOAvBV2vnMU7Pfn0)InaT^|e*Ap*r^$oNu@kU9|Ea^vFn#0zUUoRT
zEDZ7U(nt1_UDRgBaQUm^BtS`?umRX9T1>$u#Ut<6c9T@a{!Ztg0=ob{P+wigtwrE)
zWoW88!fE|BzAQl#or@f#@&{!LQ~@?TV}OVhM%_zK0{wJt0X(l2@FuMVvsT?#BO^N9
z{3^ApZj4@9#hIb@0<pkrb>p}_Fuwco^25cIXJ24WY0!nzRX4GwPD%VP1Qc>G+d7Mp
zP>^L`P@)Y#FUmIT{5>Q^5^@SteGHQ^A#vEUaE4Fe=Fj8>kLaINT%ml=_~@x%%>`z}
zBuU56Ybv2J<A!gG{S!u)nrLmC0fz2T5lF4;p>2Id9a>p2={O%@)dvpass_$1E3nxX
zi?j9qOdhM4Yggya@Ci`~4cyioH$vY5S5z9O#g~6?v7E_|L}F$D^0E(CGLG298$MD*
zbSCfoeD~yJ(DVtW*KxIA=lwT(HLe9fDKq_liWMK9eNDH$i{g{rCscprpm&gx@UBC|
zmAIh}_`BHt&1qHQrId<rt7rmtXgOs5VVIcBBsct)6Ac{U>@}=k{sKI;HtetWvK<{t
z!N3xx-pdl}e|NQ(Zs-Wv>Ata2&f`%*C+yr`2ZRIQa8hHo+UP>ibvx#?{;NRd*yby>
z-g1qUssp09`!4nI<7MqB(C^=<-x~do%xg8Gy~{;eAMeriIP~41pW)em$AwkI#_op{
zW?5KzfcALR(hWQq$B+RJJ0sIH&F1U<t`?UKxh229WBMK5+#DuXL~IfpYycxNs&8=I
z_A^556vHbqwUS{zJt0L4o@6H73hjBF1>SG;c^`foe1@fmuqzR96TaU+5`I}yLH0rs
z1C^{Dfu<?<i~rPMOh-%0jtDaIHHur;*<bo@zpmPH<p&RGRf_+W+^~&1Z5|yRF6A_^
z4<SOwW(9>jVgLy%TO%2D)<?F$feZ&QK8pbcTCtzGqPUiWageg#g=U{$3Xg8x;<0Fz
zzku5m{vw<Zy3$1l7??qxhkp`)jSHStw<8WHC=1%#nbd|-7op$p0SMw|rgpQ(<Jm4c
z<`jSl_(NiVR>z2$lP6J$RS0H{b)V*3m8g%`HJ-b>JG39Dc>$U$vf8kPrLbL-N?7=C
zxq+az)}P(1BjV19W)u2;QTTAFO{N;>-cY5O_$Yl0h}c=u=Nd?5VbiHIj0%RB^(0V;
z8VyQRi%fAYXYt#eetx=n@wi6yM67C12Y2M)usdOuq*w~cWmA@+&H!{L&d#v>hfR3^
z7kQIss*ow0*j|OjKV(N^X*sd73=oL{36f8@YWj`4?ndrw{h0y|q`=_{5rqIj8U_D_
z=Zb(eN{_ZkRM(0GxwtEm@6|EHG(UiJqWcuV^JpRZv5T?|kMEt~U$YxMhGvJ2&o+6G
z3O&=lqG2uP-{HjOYadF@Cx1kPg>7G8$;>psVNJpDrn(h7Wu!om5-5dZo>8f>g(h!U
zd1>8mFWoj@laFERZ4#Ixid<<*&(3q9g=N8^TsQ)907FmtaC)!fo$B|{8|9WD*laHy
z_yoN*NTi$#$X3v{ia5?_b|@?_M|bM@hCGiZFAW9((H4Sm<t6-Y|I9PpR@NHy%Kk_f
zvc9_5jUK4tiAgtk<X<_aSS#mH=Hw|-7wP0Kl(&S%?b!z9hV4z2n%}n$zqhlKVNB8B
zwMhU_Dd5=c?&)a(=n=r@5?>vy#<LqX0|_O4%lj3Va|`KEp@hob5mtvV8w>$#OCClQ
z#uNw;D#Z=-nx5@L&&dOT61PM!0~DIy+kNZ2CMXY=ng|w~9s08PYoAeb*B-u1Q4=N0
zhNarP(fJWQTK)XVr(QzWpvmk?!mun7bT}@nFoW)VH0keP0+xCkDd)Qf`b={RSvyvu
z+-5WzPGPb^ayKj>Anf_tRxdVN0JN!on=3;Cxd_s>?{J43ni!{1`8I<6V0wu1!8!>d
zanLUoA&$ghKJ$gfJs@0+$a*3#9x#lU0mu>X<K0keAG-qFsl;OtQE~tC%bPt|uMU@E
zfdx#RJqGKwbIz2L>ZkeYaB_*&x#BOa&_ud}P+d*;oS2X)>_!B%UPAViqWA>`5l0x`
zEeZhP193n@?>S@(z$ANsJShMbqgln9$y@M}k)k>#(C$Ohma~0by5WjWlc;KACW>dh
z-#f~iR-f3gbvu{$dnv;%>6-qeQHqXmwjbl%U9SWy@6;_^`VaMycx5*QKzRagB`C?O
zxUE$tr|n~5f<0xW+q)h@+1pRV`Ra+CqLQ86osHJN?toW(P-~d<EdpeD<0Sj{UTANq
z>IX-R2%6lmIPJX1DkGCooGl?7@^LG7O-3Cyn252i|8cM`Q}`ZgAqLU|7EC=Ks%bo7
zG`Z)#(rK^^?W{BU6v$(&wO|MitxW!Xndu}ov#eCnkJaZs=2Bys@oR(u-qHKAD!vDK
zVgy-p|CF}xlzg<&ClnL@cu2}?()(q;R*k?WFJLy)OY3Wl{-q}<64%ykh_<##(Y&FH
z=I8Jp3^(UNvxJxihr(+0F~V}3hJ3AJp@=1kH4t7@d#?J)IHor8>2mr(=tNea0J&nz
zXMwDw-2O$Lf%Fw}F%h4No&s;dU8Ob+a{Ld<HLKZ>SGBzlwoP9reyrtT_JZG0>s<?@
z5}`q0i6^p+N5hW<D4lNFVtt+x;mxr*3kZiQMj;-WyLF66OT!5}+PhSoF*|S3v6(<i
z^EMZvv_>1ng3h<J>AA0?5b1;JGRl)-FCR=O<lYhwt&%joVl89D*iH&u30n(Hx<{bt
ztwBfW0pX$a*OBNYVZME3>e7;O^N7<GbX;m8L3`RVPE*9zC0vxPS(otep`TyzJXzyI
zY|kpJjSh(Mw_>{~4wNS1hcL@o1%f@`JE!EfwWQH5;nDvx&Qhh;^kFZ15ThejNvUZ2
z7rtskC@^<GOT%k|{84Xoz<PmK^R;g3g-olomDwwb4>t)0HvMdUR(N^psUIRm2Z-6<
zIKRUV(6f4|y8|(7ZwdU6;#bFhxKi)ngM3HR3dTl8I74sS=T%0QR?dBOOcl#iUC{^K
zH@sMdQ?DzezY+5}W~YsdEB?V7!^8Z;e?X@d?o*ch*@2Srm~L#aAx{o-FZHp6#ETPU
zb4i^1V!d`Y#BR>pxtTn3Mo@@t64$z}7DKSu>+kpNyRIUKUh2p^3Y4KlOj)+Ca9)R&
zl6Cfngl3m=0c}Wq1M^}i#3`I8>-OUh$!?rRji{_qsm3&Y$YXHKC?Wedp#yq0(+IP%
z*budji8q`o=pte8T{OX<&(4K!`pXAC>(9JwwlOyJ2ai52K7EE^u8nS5yxFN6AzJxl
zb`0H%L3PmPR1l=EOhzX#Dqfa2MSX;s9czV0clG+iYrIfFIFpY=$FP^A9Y|^>Wkr;H
zbOxs-Z(fTeMBCgrAiI46E3}rno+}JAAV*edx)(mavixG_kKzpnQ78G>T2Tbw#c@MF
z{y9*;gzYJuL~8Ij-(_df29?9IfTsNv<87)pO!>Ea?|weE$@f;&hoP6RjcC%-oy>jK
z9yn^mHWVtcHUtpV)>LseJ~l_7Im!bu$J#jmm<gdl7!2a)P-H*z#lhiBHbYbtLa+X+
z3A4+2@bT_q>Pz`?%%eoRMe4ZTRjaQ6eIE_0QM(Z}dE1$G?VQ&sUZ7d<s%&68&igCf
zbTd|HDOJWRQF2WZJRr>Vzp>01|4lv3ng=C=C@q9`qe3sMI%OW#m@AHwNLLolwuPj6
zqLWq7H4wV+WPhfvzccBdYqAJd_n%l6n!283F*yc(8bktvSvh2e3y3XPWWK!zyX+9W
z+}K|=_NaYFo9a_ryRSC-^<U%XK@A%7Cu5mN;#_MosTNJNwkqF#?Z{q61>RRk;%}9U
zy@=<U#?D1L8CIGktKpRE<XMVaxYQhXCE4Gh`?myLg-q-MKPBOFpZDVG;UL02_)&h2
z`VKm%|Mhk*9tkhH=P|oMV~AyTWY;H<tY(xBwJcSme*9O=$oz6q(4~Fjxl&CyKIVhK
z#fqzpT876QD1r#LU5qpSJp2{=os#(VltB-;ayKrrXhtx%Tp74qKQR9HZiShvby9uO
zKiOikMZEm%tU%4jtdTHZm;t1)N@CZKGUtDRyl2LiQsfa}C}(>GB*~XeFT{4NnDO(h
z;95&1B%91EmW<di$cO(Udi^WBj$HUC$CK?hh~8FT81%gRg-!j92;6IW3ar3vEUn1y
zx|%FAQe|o+irNTsRB|Gug|ycmLdrLbe-dvd%B*Rg9R2j6UdhpHpk#4OjC2*uP@40A
z_-KR3ZB-Mp9n4Fy4Kw|ejAYl4JP+@1da8hw#`_PpTMl|-S4{s5C$Hl9y0Jx?U(~`a
zJc+lJSQL<Q5s!v#t<6Z9f8S7$0<*xA6`!m_pz-^nFs@vXHDu$oX;ZCpb0PK8Rz1pg
z^X<`28NL5G3YEdoKhnHOWvz;4=v;+&NgQpp$!Qr;)P1)EKeCgjMI)^1Y3cePv1^cG
z(}MWY?xMAJ-iWY4FAOSx1naM0empcq3bzAeu(rWtfzPATxY|`SNO!lwh~{!dui~|N
zQ|g>*THZ%;roQs(;eY%~TUro)J$@BQ|2TZj<!z71QxV%t3f7E<M**xF`#%#5%J46(
z{of~^&fQ|Y7FsKsk)IqPkR!LMirk6oJ;nHFEa5>F)79IM90|Mq5dME>lUrQLFk7RM
zE?B8e%KX%o)2HA?iwZGFut>N2L5eX*#nALS^l2tR?&Gz^-$Wcr*7*HT$!QmdG%m`R
zwR7*>GY#ac*u<ZDPbZ|EA0nSB-dnvA8-y|BioI3eW}QM4NHo}y1SxVDGK8r}hCTLr
zspOoPb3K&(>qG*qB<unWER_J#v(KbtDDcNDZgw+{(@s(JQ)X+m42Yff@i(-L51*5v
zM)dpcdK#09L<){1Demqzol^fcC*s!^fw18BXoY!p;MZa}EulKE!#`@bkIVSCy!}jB
zP*H{8u_AB5V2fH-RX9C!JN%lGU;iH7RAbFJKed#SR&8rv+z}ruUFM@?XzkyqUL1WD
z+nEn^GdfUw;V-D1Bum76s#9*s3Bgr4avu|<NBoKVrdg52+2}t!iRLsi!}mD?R~ZqH
zoSf9+wIT@be`E83Cxx53k%u~hz=IRi!QdZ{$@7lSb9Y-vhi|Kh&=VIO*`gKHAeG3e
zTG%D2NCMu6AU2rDygm@y7-^?msF=md*ttlVwyC)zMEI>wfBBjwY7LGgEn1d3jQP*k
zc_Bjq^sf@Yya0L}0|t<+L)pmZ5$PY7ny5BWeCpatf2u^e5$i-&G<PkfUmuO==$SM`
zOI@>8G%%;Of21AB5<atG8GK!QVl%%2@sQw}4jp8hvZ1ikdo*9rmEyr#2u@9u{DleE
zM4Z_)zB-|vR=m`ZTqyl-*Io*t;8-DHmd{b2PSPkeDK28tFwM@K>P_M;t?rQ4N3`fc
zbpw+fDvUzCei{e?^$WlNs+^p}hgIu`kS3swpVw5+Qx`MPMlTi!{?F>B{(lnFJ+?D-
zE2k<WXiW=p{Db_Cs>H6i=T)t;Mml{%QE7ZV)&r<2+Ho+^DLcG&Kjci!%0dP41ixMB
zYIKE{)*wl@O~b<Dasp3z;JKoH<hC1#OSAS|+iVT|ECPAuS9wr<THt8nEPcm3ipNlE
z>rI`JLS7yRq(lFIBap)05on+bWwuzei;F~tfiEF4I%=15l$W|IYh!g>EOVhP4u|yB
zV(`h%o;)eh+C~X6BOrVWF&F=GIr`xs3AP2<$V5&VwqF?k_qc=qW<#gG1D;EDQjuIE
z_lXIvi5XZJD*05*?fxvWM7Q$xBj;uXeBLw_SjX8EZro4uB*gEa`@BNwMs!x_L`!&c
zEbGCz48=d1@IwT=NntXOZcZ*CFt=V^c_JvT4-=!?qW)cbFsUx^tJV0hw^u2-+d~{Z
zFc1qU3th_~Bm<YT*1(VOR@AKuvapISO#NrrG$AIEt8O`tcCCy&xrcFJf;Ex`5Jn#b
zV^YL02`QtUIo|i!DmNlc%l&BJa?H=Aty_sTL)&#e(_C$*$lnP#ebj5j&vFzc__W#8
zbd3oF|Cy_fSRQv#-<;rq3Q7Ce^bl-YjgBVpR{tX{{|*#)-9+PzJO2zccb1h_%&XqX
zFhSxllt6!ZIl6G2T2LH}B>kWT^_mf4l0z{IGJ}7mJ`DHbvg;kT^YE9<7nEHdR#M`f
zS4xgUUR*g~v9!v!hQ(x<cH*~{Lulk@4XuAUw-RDxbauj{IY7Z%X*44ah(9?}>MRt9
z&Z@rJ8rQmX##a3y=HB^?^d1;qg1P_jnjxwnC~o9OT{!tL8ZDIp4e0U{9Fh{RP%;-a
zi}?`Nk_;AlSlBQ9W!tis{?1N~#Gj)g*H&0Zh|m;$3igLXU8sS{CDe+iU8>S6O~+1(
zCrpZ8l0}sEw<QMjX9NTPn@#@T;aaKHJQaD7?-C(X#OP-d$hJ=Q=VWhEG?`>Or{FZ;
zl)hxC2}6ejGfTUe1KxtS#864n2>MR1aH_E?+Rvi{rgxpcEL<T59$`G~)zJ+4N2V2K
z^#b!L645r51H8MV2sO46d*a_P$fzd0s01hY4n_US@9hhdSL=qJfP$&JN1mqR&v`(E
zd^G>aqVKOGLUYGC{w3p~iiK=-%^hrB-AOSEOaqIeeiutJo@%dMQ<79VOZnw8y(OQ%
z`AuP3fl=~tK~BD-=7W2Ry!iF7#Xna+Ul^5ivRE2xL4_(4A$Y|0$Um3QR)=b4)C+8=
z!Ah;<D_b#7D}mNTT`%<o@&y)!rt=d)ylUFByj1s{@>6Yq;+3zKL-$-k={l^Yw~)xU
zHdNk?5z?0Yk7)oQ|1${U%d5DNzRz+3HzV?POFMM?p>hF(A=AZDU>xkJ_tSRSY4(k^
zQ#)~?J{}<UR>7~;op_5`|N1$q4rrGunIW#HeVU)|x(DdLuO)QYMteK^W})3Lo2BAo
zbRY$*SH91>UDY{^%0!X@{f%5uhyR0YhE;E7X$JBTqE4skpJjF*Ljmb9(|@gIr5~P9
zKN+;*>2`9idviM>TC>^ulX=UGts{F5?q6%+Ff=3)n+)ox0>+mc32ZV)qwrXT#&Ry;
z&}1_xnQPx7Xp7jo_00gQw05@7DN3zpo}zFoAKw2=Uby=2j`Kf%UT`mhk}EIcMZ>CB
z!TioyKz1W1vQ3#Bs}}hLXjb}cj|0<KqOS@bfsIe^L4ReY1G-Yc=p(vgnvdkGCDFhC
z?P}qGrn~`Tg1yF*q_AWpNTD{2Pb;>gyHK6C(DmFTb06=j$iBxZvJ8Y6KEmAMf8J3S
ztMLxR(#qLJ5C@~Pmm&+eG;Fk)br!OSdyU&hu||q_V?5H3^lvkfrVA_$3UeB=jW!C4
zh_(oN8zjAN<-g;Zv7H3a=2#q&Ui^t44azGLKu@QAx#fEBO;$$kPXy|9L%m9n;^{IY
xu&3MN{QK7aJc{7or`!GaGW~bfRnHUd)a|d=K9`bhz$`yF#n-B`HPU7w{|8Q(6j1;G

literal 0
HcmV?d00001

diff --git a/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
new file mode 100644
index 00000000000000..b90396003f4f20
--- /dev/null
+++ b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
@@ -0,0 +1,663 @@
+import { expect, type Locator, type Page } from "@playwright/test";
+import path from "node:path";
+
+import type { PrismaClient } from "@calcom/prisma";
+import type { OAuthClientType } from "@calcom/prisma/enums";
+
+import { test } from "../lib/fixtures";
+
+async function loginAsSeededAdminAndGoToOAuthSettings(page: Page) {
+  await page.goto("/auth/login");
+
+  // Seeded admin user from scripts/seed.ts
+  await page.getByTestId("login-form").locator("#email").fill("admin@example.com");
+  await page.getByTestId("login-form").locator("#password").fill("ADMINadmin2022!");
+
+  const responsePromise = page.waitForResponse(/\/api\/auth\/callback\/credentials/);
+  await page.getByTestId("login-form").locator('[type="submit"]').click();
+  await responsePromise;
+
+  await page.goto("/settings/developer/oauth");
+}
+
+type CreateOAuthClientInput = {
+  name: string;
+  purpose: string;
+  redirectUri: string;
+  websiteUrl?: string;
+  enablePkce: boolean;
+  logoFileName?: string;
+};
+
+type CreateOAuthClientResult = {
+  clientId: string;
+  clientSecret: string | null;
+};
+
+type UpdateOAuthClientInput = {
+  clientId: string;
+  name: string;
+  purpose: string;
+  redirectUri: string;
+  websiteUrl: string;
+  logoFileName?: string;
+};
+
+type ExpectedOAuthClientDetails = {
+  clientId: string;
+  name: string;
+  purpose: string;
+  redirectUri: string;
+  websiteUrl: string;
+  pkceEnabled: boolean;
+  hasLogo: boolean;
+};
+
+type TruthyExpectation = { kind: "truthy" };
+const TRUTHY: TruthyExpectation = { kind: "truthy" };
+
+type OAuthClientDbExpectations = {
+  name?: string;
+  purpose?: string;
+  redirectUri?: string;
+  websiteUrl?: string | null;
+  approvalStatus?: string;
+  clientType?: OAuthClientType;
+  clientSecret?: string | null | TruthyExpectation;
+  logo?: string | null | TruthyExpectation;
+};
+
+const oAuthClientSelect = {
+  clientId: true,
+  name: true,
+  purpose: true,
+  redirectUri: true,
+  websiteUrl: true,
+  approvalStatus: true,
+  clientType: true,
+  clientSecret: true,
+  logo: true,
+} as const;
+
+async function createOAuthClient(page: Page, input: CreateOAuthClientInput): Promise<CreateOAuthClientResult> {
+  await goToOAuthSettings(page);
+
+  await page.getByTestId("open-oauth-client-create-dialog").click();
+
+  const form = getOAuthClientCreateForm(page);
+  await getOAuthClientCreateNameInput(form).fill(input.name);
+  await getOAuthClientCreatePurposeInput(form).fill(input.purpose);
+  await getOAuthClientCreateRedirectUriInput(form).fill(input.redirectUri);
+  if (input.websiteUrl) {
+    await getOAuthClientCreateWebsiteUrlInput(form).fill(input.websiteUrl);
+  }
+
+  if (input.logoFileName) {
+    await uploadOAuthClientLogo(page, input.logoFileName);
+  }
+
+  const pkceToggle = getOAuthClientPkceToggle(page);
+  if (input.enablePkce) {
+    await pkceToggle.click();
+    await expect(pkceToggle).toHaveAttribute("data-state", "checked");
+  } else {
+    await expect(pkceToggle).toHaveAttribute("data-state", "unchecked");
+  }
+
+  await page.getByTestId("oauth-client-create-submit").click();
+
+  const submitted = getOAuthClientSubmittedModal(page);
+  await expect(submitted).toBeVisible();
+  await expect(page.getByTestId("dialog-title")).toHaveText("OAuth Client Submitted");
+  await expect(submitted.getByText(input.name)).toBeVisible();
+
+  const clientId = ((await page.getByTestId("oauth-client-submitted-client-id").textContent()) ?? "").trim();
+  expect(clientId.length).toBeGreaterThan(1);
+
+  const secretLocator = page.getByTestId("oauth-client-submitted-client-secret");
+  const clientSecret = input.enablePkce
+    ? null
+    : ((await secretLocator.textContent()) ?? "").trim();
+
+  if (input.enablePkce) {
+    await expect(secretLocator).toHaveCount(0);
+  } else {
+    expect(clientSecret?.length).toBeGreaterThan(1);
+  }
+
+  await page.getByTestId("oauth-client-submitted-done").click();
+
+  await expectOAuthClientInList(page, { clientId, name: input.name });
+
+  return { clientId, clientSecret };
+}
+
+async function updateOAuthClient(page: Page, input: UpdateOAuthClientInput): Promise<void> {
+  await goToOAuthSettings(page);
+
+  const details = await openOAuthClientDetails(page, input.clientId);
+  await getOAuthClientDetailsNameInput(details).fill(input.name);
+  await getOAuthClientDetailsPurposeInput(details).fill(input.purpose);
+  await getOAuthClientDetailsRedirectUriInput(details).fill(input.redirectUri);
+  await getOAuthClientDetailsWebsiteUrlInput(details).fill(input.websiteUrl);
+
+  if (input.logoFileName) {
+    await uploadOAuthClientLogo(page, input.logoFileName);
+  }
+
+  const updateResponsePromise = page.waitForResponse((res) => res.url().includes("/api/trpc/oAuth/updateClient"));
+  await page.getByTestId("oauth-client-details-save").click();
+  const updateResponse = await updateResponsePromise;
+  expect(updateResponse.ok()).toBe(true);
+
+  await closeOAuthClientDetails(page);
+
+  await expectOAuthClientInList(page, { clientId: input.clientId, name: input.name });
+}
+
+async function deleteOAuthClient(page: Page, clientId: string, expectedNameToDisappear: string): Promise<void> {
+  await goToOAuthSettings(page);
+
+  await openOAuthClientDetails(page, clientId);
+  await page.getByTestId("oauth-client-details-delete-trigger").click();
+  await expect(page.getByTestId("oauth-client-details-delete-confirm")).toBeVisible();
+
+  const deleteResponsePromise = page.waitForResponse((res) => res.url().includes("/api/trpc/oAuth/deleteClient"));
+  await page.getByTestId("oauth-client-details-delete-confirm").click();
+  const deleteResponse = await deleteResponsePromise;
+  expect(deleteResponse.ok()).toBe(true);
+
+  await expect(getOAuthClientDetailsForm(page)).toHaveCount(0);
+  await expect(getOAuthClientList(page).getByText(expectedNameToDisappear)).toHaveCount(0);
+  await expect(getOAuthClientListItem(page, clientId)).toHaveCount(0);
+}
+
+async function closeOAuthClientDetails(page: Page): Promise<void> {
+  const details = getOAuthClientDetailsForm(page);
+  if (!(await details.isVisible())) return;
+  await page.getByTestId("oauth-client-details-close").click();
+  await expect(details).toHaveCount(0);
+}
+
+async function openOAuthClientDetails(page: Page, clientId: string): Promise<Locator> {
+  const details = getOAuthClientDetailsForm(page);
+  if (await details.isVisible()) {
+    const visibleClientId = ((await details.getByTestId("oauth-client-details-client-id").textContent()) ?? "").trim();
+    if (visibleClientId === clientId) return details;
+
+    await closeOAuthClientDetails(page);
+  }
+
+  await getOAuthClientListItem(page, clientId).click();
+  await expect(details).toBeVisible();
+  await expect(details.getByTestId("oauth-client-details-client-id")).toHaveText(clientId);
+  return details;
+}
+
+async function expectOAuthClientDeletedInDb(prisma: PrismaClient, clientId: string): Promise<void> {
+  const dbClientAfterDelete = await prisma.oAuthClient.findUnique({ where: { clientId }, select: { clientId: true } });
+  expect(dbClientAfterDelete).toBeNull();
+}
+
+async function expectOAuthClientInDb(
+  prisma: PrismaClient,
+  clientId: string,
+  expected: OAuthClientDbExpectations
+): Promise<void> {
+  const dbClient = await prisma.oAuthClient.findUniqueOrThrow({ where: { clientId }, select: oAuthClientSelect });
+
+  if (expected.name !== undefined) expect(dbClient.name).toBe(expected.name);
+  if (expected.purpose !== undefined) expect(dbClient.purpose).toBe(expected.purpose);
+  if (expected.redirectUri !== undefined) expect(dbClient.redirectUri).toBe(expected.redirectUri);
+  if (expected.websiteUrl !== undefined) expect(dbClient.websiteUrl).toBe(expected.websiteUrl);
+  if (expected.approvalStatus !== undefined) expect(dbClient.approvalStatus).toBe(expected.approvalStatus);
+  if (expected.clientType !== undefined) expect(dbClient.clientType as OAuthClientType).toBe(expected.clientType);
+
+  if (expected.clientSecret !== undefined) {
+    if (typeof expected.clientSecret === "object" && expected.clientSecret?.kind === "truthy") {
+      expect(dbClient.clientSecret).toBeTruthy();
+    } else {
+      expect(dbClient.clientSecret).toBe(expected.clientSecret);
+    }
+  }
+
+  if (expected.logo !== undefined) {
+    if (typeof expected.logo === "object" && expected.logo?.kind === "truthy") {
+      expect(dbClient.logo).toBeTruthy();
+    } else {
+      expect(dbClient.logo).toBe(expected.logo);
+    }
+  }
+}
+
+async function expectOAuthClientDetails(details: Locator, expected: ExpectedOAuthClientDetails): Promise<void> {
+  await expect(details.getByTestId("oauth-client-details-client-id")).toHaveText(expected.clientId);
+  await expect(getOAuthClientDetailsNameInput(details)).toHaveValue(expected.name);
+  await expect(getOAuthClientDetailsPurposeInput(details)).toHaveValue(expected.purpose);
+  await expect(getOAuthClientDetailsRedirectUriInput(details)).toHaveValue(expected.redirectUri);
+  await expect(getOAuthClientDetailsWebsiteUrlInput(details)).toHaveValue(expected.websiteUrl);
+
+  const pkceToggle = details.page().getByTestId("oauth-client-pkce-toggle");
+  await expect(pkceToggle).toHaveAttribute("data-state", expected.pkceEnabled ? "checked" : "unchecked");
+
+  await expect(details.locator('img[alt="Logo"][src]')).toHaveCount(expected.hasLogo ? 1 : 0);
+}
+
+async function expectOAuthClientInList(page: Page, input: { clientId: string; name: string }): Promise<void> {
+  const row = getOAuthClientListItem(page, input.clientId);
+  await expect(row).toBeVisible();
+  await expect(row.getByText(input.name)).toBeVisible();
+  await expect(row.getByText("Pending")).toBeVisible();
+}
+
+async function goToOAuthSettings(page: Page): Promise<void> {
+  if (page.url().includes("/settings/developer/oauth")) return;
+  await page.goto("/settings/developer/oauth");
+}
+
+async function uploadOAuthClientLogo(page: Page, fileName: string): Promise<void> {
+  await page.getByTestId("open-upload-oauth-client-logo-dialog").click();
+  const [fileChooser] = await Promise.all([
+    page.waitForEvent("filechooser"),
+    page.getByTestId("open-upload-oauth-client-logo-filechooser").click(),
+  ]);
+  await fileChooser.setFiles(getFixturePath(fileName));
+  await page.getByTestId("upload-oauth-client-logo").click();
+}
+
+test.describe.configure({ mode: "parallel" });
+
+test.describe("OAuth client creation", () => {
+  test.afterEach(async ({ users, prisma }, testInfo) => {
+    const testPrefix = `e2e-oauth-client-creation-${testInfo.testId}-`;
+
+    // Clean up any clients created by the e2e tests (by naming convention)
+    await prisma.oAuthClient.deleteMany({
+      where: {
+        name: {
+          startsWith: testPrefix,
+        },
+      },
+    });
+
+    await users.deleteAll();
+  });
+
+  test("cannot be created without required fields (name, purpose, redirect uri)", async ({ page }) => {
+    await loginAsSeededAdminAndGoToOAuthSettings(page);
+
+    await page.getByTestId("open-oauth-client-create-dialog").click();
+
+    const form = page.getByTestId("oauth-client-create-form");
+    await expect(form).toBeVisible();
+
+    // Submit immediately - should trigger native browser required field validation
+    await page.getByTestId("oauth-client-create-submit").click();
+
+    // Playwright can assert native validation message via validationMessage.
+    // This matches Chrome's default: "Please fill out this field."
+    const nameInput = form.locator("#name");
+    const purposeInput = form.locator("#purpose");
+    const redirectUriInput = form.locator("#redirectUri");
+
+    await expect(nameInput).toHaveJSProperty("validationMessage", "Please fill out this field.");
+
+    // Fill name, submit -> purpose should be flagged
+    await nameInput.fill("Test OAuth Client");
+    await page.getByTestId("oauth-client-create-submit").click();
+    await expect(purposeInput).toHaveJSProperty("validationMessage", "Please fill out this field.");
+
+    // Fill purpose, submit -> redirect URI should be flagged
+    await purposeInput.fill("Test purpose");
+    await page.getByTestId("oauth-client-create-submit").click();
+    await expect(redirectUriInput).toHaveJSProperty("validationMessage", "Please fill out this field.");
+  });
+
+  test("creates a private (confidential) OAuth client with minimal fields; submitted modal shows id+secret; list/details/DB reflect values", async ({ page, prisma }, testInfo) => {
+    await loginAsSeededAdminAndGoToOAuthSettings(page);
+
+    const testPrefix = `e2e-oauth-client-creation-${testInfo.testId}-`;
+    const clientName = `${testPrefix}private-minimal-${Date.now()}`;
+    const purpose = "Used for E2E testing (minimal)";
+    const redirectUri = "https://example.com/callback";
+
+    // Ensure PKCE is off (private/confidential)
+    const { clientId, clientSecret } = await createOAuthClient(page, {
+      name: clientName,
+      purpose,
+      redirectUri,
+      enablePkce: false,
+    });
+    expect(clientSecret?.length).toBeGreaterThan(1);
+
+    const details = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(details, {
+      clientId,
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl: "",
+      pkceEnabled: false,
+      hasLogo: false,
+    });
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl: null,
+      approvalStatus: "PENDING",
+      clientType: "CONFIDENTIAL",
+      clientSecret: TRUTHY,
+      logo: null,
+    });
+
+    const editedName = `${testPrefix}private-minimal-edited-${Date.now()}`;
+    const editedPurpose = "Updated purpose (minimal)";
+    const editedRedirectUri = "https://example.com/updated-callback";
+    const editedWebsiteUrl = "https://updated.example.com";
+
+    await updateOAuthClient(page, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      logoFileName: "cal2.png",
+    });
+
+    const editedDetails = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(editedDetails, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      pkceEnabled: false,
+      hasLogo: true,
+    });
+    await closeOAuthClientDetails(page);
+
+    await page.reload();
+    const editedDetailsAfterReload = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(editedDetailsAfterReload, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      pkceEnabled: false,
+      hasLogo: true,
+    });
+    await closeOAuthClientDetails(page);
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      approvalStatus: "PENDING",
+      clientType: "CONFIDENTIAL",
+      clientSecret: TRUTHY,
+      logo: TRUTHY,
+    });
+
+    await deleteOAuthClient(page, clientId, editedName);
+
+    await expectOAuthClientDeletedInDb(prisma, clientId);
+  });
+
+  test("creates a private (confidential) OAuth client; submitted modal shows id+secret; list/details/DB reflect values", async ({ page, prisma }, testInfo) => {
+    await loginAsSeededAdminAndGoToOAuthSettings(page);
+
+    const testPrefix = `e2e-oauth-client-creation-${testInfo.testId}-`;
+    const clientName = `${testPrefix}private-${Date.now()}`;
+    const purpose = "Used for E2E testing";
+    const redirectUri = "https://example.com/callback";
+    const websiteUrl = "https://example.com";
+
+    // Upload logo using ImageUploader testIds
+    // Ensure PKCE is off (private/confidential)
+    const { clientId, clientSecret } = await createOAuthClient(page, {
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl,
+      enablePkce: false,
+      logoFileName: "cal.png",
+    });
+    expect(clientSecret?.length).toBeGreaterThan(1);
+
+    const details = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(details, {
+      clientId,
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl,
+      pkceEnabled: false,
+      hasLogo: true,
+    });
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl,
+      approvalStatus: "PENDING",
+      clientType: "CONFIDENTIAL",
+      clientSecret: TRUTHY,
+      logo: TRUTHY,
+    });
+
+    const editedName = `${testPrefix}private-edited-${Date.now()}`;
+    const editedPurpose = "Updated purpose (full private)";
+    const editedRedirectUri = "https://example.com/full-private-updated";
+    const editedWebsiteUrl = "https://full-private.example.com";
+
+    await updateOAuthClient(page, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      logoFileName: "cal2.png",
+    });
+
+    const editedDetails = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(editedDetails, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      pkceEnabled: false,
+      hasLogo: true,
+    });
+    await closeOAuthClientDetails(page);
+
+    await page.reload();
+    const editedDetailsAfterReload = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(editedDetailsAfterReload, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      pkceEnabled: false,
+      hasLogo: true,
+    });
+    await closeOAuthClientDetails(page);
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      approvalStatus: "PENDING",
+      clientType: "CONFIDENTIAL",
+      clientSecret: TRUTHY,
+      logo: TRUTHY,
+    });
+
+    await deleteOAuthClient(page, clientId, editedName);
+
+    await expectOAuthClientDeletedInDb(prisma, clientId);
+  });
+
+  test("creates a public (PKCE) OAuth client; submitted modal shows id but no secret; list/details/DB reflect values", async ({ page, prisma }, testInfo) => {
+    await loginAsSeededAdminAndGoToOAuthSettings(page);
+
+    const testPrefix = `e2e-oauth-client-creation-${testInfo.testId}-`;
+    const clientName = `${testPrefix}public-${Date.now()}`;
+    const purpose = "Used for E2E testing (public)";
+    const redirectUri = "https://example.com/callback";
+    const websiteUrl = "https://example.com";
+
+    // Enable PKCE
+    // For public (PKCE) clients we should not show a client secret
+    const { clientId } = await createOAuthClient(page, {
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl,
+      enablePkce: true,
+    });
+
+    const details = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(details, {
+      clientId,
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl,
+      pkceEnabled: true,
+      hasLogo: false,
+    });
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      name: clientName,
+      purpose,
+      redirectUri,
+      websiteUrl,
+      approvalStatus: "PENDING",
+      clientType: "PUBLIC",
+      clientSecret: null,
+      logo: null,
+    });
+
+    const editedName = `${testPrefix}public-edited-${Date.now()}`;
+    const editedPurpose = "Updated purpose (public)";
+    const editedRedirectUri = "https://example.com/public-updated";
+    const editedWebsiteUrl = "https://public-updated.example.com";
+
+    await updateOAuthClient(page, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      logoFileName: "cal2.png",
+    });
+
+    const editedDetails = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(editedDetails, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      pkceEnabled: true,
+      hasLogo: true,
+    });
+    await closeOAuthClientDetails(page);
+
+    await page.reload();
+    const editedDetailsAfterReload = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(editedDetailsAfterReload, {
+      clientId,
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      pkceEnabled: true,
+      hasLogo: true,
+    });
+    await closeOAuthClientDetails(page);
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      name: editedName,
+      purpose: editedPurpose,
+      redirectUri: editedRedirectUri,
+      websiteUrl: editedWebsiteUrl,
+      approvalStatus: "PENDING",
+      clientType: "PUBLIC",
+      clientSecret: null,
+      logo: TRUTHY,
+    });
+
+    await deleteOAuthClient(page, clientId, editedName);
+
+    await expectOAuthClientDeletedInDb(prisma, clientId);
+  });
+});
+
+function getFixturePath(fileName: string): string {
+  return path.join(path.dirname(__filename), "..", "fixtures", fileName);
+}
+
+function getOAuthClientCreateForm(page: Page): Locator {
+  return page.getByTestId("oauth-client-create-form");
+}
+
+function getOAuthClientSubmittedModal(page: Page): Locator {
+  return page.getByTestId("oauth-client-submitted-modal");
+}
+
+function getOAuthClientList(page: Page): Locator {
+  return page.getByTestId("oauth-clients-list");
+}
+
+function getOAuthClientListItem(page: Page, clientId: string): Locator {
+  return page.getByTestId(`oauth-client-list-item-${clientId}`);
+}
+
+function getOAuthClientDetailsForm(page: Page): Locator {
+  return page.getByTestId("oauth-client-details-form");
+}
+
+function getOAuthClientPkceToggle(page: Page): Locator {
+  return page.getByTestId("oauth-client-pkce-toggle");
+}
+
+function getOAuthClientCreateNameInput(form: Locator): Locator {
+  return form.locator("#name");
+}
+
+function getOAuthClientCreatePurposeInput(form: Locator): Locator {
+  return form.locator("#purpose");
+}
+
+function getOAuthClientCreateRedirectUriInput(form: Locator): Locator {
+  return form.locator("#redirectUri");
+}
+
+function getOAuthClientCreateWebsiteUrlInput(form: Locator): Locator {
+  return form.locator("#websiteUrl");
+}
+
+function getOAuthClientDetailsNameInput(details: Locator): Locator {
+  return details.locator("#name");
+}
+
+function getOAuthClientDetailsPurposeInput(details: Locator): Locator {
+  return details.locator("#purpose");
+}
+
+function getOAuthClientDetailsRedirectUriInput(details: Locator): Locator {
+  return details.locator("#redirectUri");
+}
+
+function getOAuthClientDetailsWebsiteUrlInput(details: Locator): Locator {
+  return details.locator("#websiteUrl");
+}
diff --git a/packages/emails/templates/admin-oauth-client-notification.test.ts b/packages/emails/templates/admin-oauth-client-notification.test.ts
new file mode 100644
index 00000000000000..5ea94d07f0e377
--- /dev/null
+++ b/packages/emails/templates/admin-oauth-client-notification.test.ts
@@ -0,0 +1,88 @@
+import { describe, expect, it } from "vitest";
+
+import type { TFunction } from "i18next";
+
+import AdminOAuthClientNotification from "./admin-oauth-client-notification";
+
+class TestAdminOAuthClientNotification extends AdminOAuthClientNotification {
+  public async getPayload() {
+    return await this.getNodeMailerPayload();
+  }
+}
+
+describe("AdminOAuthClientNotification", () => {
+  it("renders a node mailer payload containing the submitted client information", async () => {
+    const t = ((key: string, vars?: Record<string, unknown>) => {
+      if (key === "admin_oauth_notification_email_subject") {
+        return `New OAuth Client: ${String(vars?.clientName ?? "")}`;
+      }
+
+      if (key === "admin_oauth_notification_email_title") {
+        return `New OAuth Client: ${String(vars?.clientName ?? "")}`;
+      }
+
+      if (key === "hi_admin") return "Hi Administrator";
+
+      if (key === "admin_oauth_notification_email_body") {
+        return `A new OAuth client has been submitted by ${String(vars?.submitterEmail ?? "")} and is awaiting your review.`;
+      }
+
+      if (key === "admin_oauth_notification_email_cta") return "Review OAuth Clients";
+      if (key === "admin_oauth_notification_email_footer") {
+        return "Please review this submission and approve or reject it in the admin dashboard.";
+      }
+
+      if (key === "client_name") return "Name";
+      if (key === "purpose") return "Purpose";
+      if (key === "client_id") return "Client ID";
+      if (key === "redirect_uri") return "Redirect URI";
+      if (key === "submitted_by") return "Submitted By";
+
+      return key;
+    }) as unknown as TFunction;
+
+    const input = {
+      t,
+      clientName: "My Client",
+      purpose: "My Purpose",
+      clientId: "client_123",
+      redirectUri: "https://example.com/callback",
+      submitterEmail: "submitter@example.com",
+      submitterName: "Submitter Name",
+    };
+
+    const email = new TestAdminOAuthClientNotification(input);
+    const payload = await email.getPayload();
+
+    expect(payload).toEqual(
+      expect.objectContaining({
+        to: "team@cal.com",
+        subject: `New OAuth Client: ${input.clientName}`,
+      })
+    );
+
+    const html = "html" in payload ? (payload.html as string) : "";
+    expect(html).toContain(`New OAuth Client: ${input.clientName}`);
+    expect(html).toContain("Hi Administrator!");
+    expect(html).toContain(
+      `A new OAuth client has been submitted by ${input.submitterEmail} and is awaiting your review.`
+    );
+    expect(html).toContain("Review OAuth Clients");
+    expect(html).toContain("Please review this submission and approve or reject it in the admin dashboard.");
+
+    expect(html).toContain(">Name<");
+    expect(html).toContain(input.clientName);
+
+    expect(html).toContain(">Purpose<");
+    expect(html).toContain(input.purpose);
+
+    expect(html).toContain(">Client ID<");
+    expect(html).toContain(input.clientId);
+
+    expect(html).toContain(">Redirect URI<");
+    expect(html).toContain(input.redirectUri);
+
+    expect(html).toContain(">Submitted By<");
+    expect(html).toContain(`${input.submitterName} (${input.submitterEmail})`);
+  });
+});
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.test.ts
new file mode 100644
index 00000000000000..33db6342e18fee
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.test.ts
@@ -0,0 +1,115 @@
+import { describe, expect, it, vi, beforeEach } from "vitest";
+
+import type { TFunction } from "i18next";
+
+import type { PrismaClient } from "@calcom/prisma";
+
+import { submitClientHandler } from "./submitClient.handler";
+
+const mocks = vi.hoisted(() => {
+  return {
+    createOAuthClient: vi.fn(),
+    sendAdminOAuthClientNotification: vi.fn(),
+    getTranslation: vi.fn(),
+  };
+});
+
+vi.mock("@calcom/features/oauth/repositories/OAuthClientRepository", () => ({
+  OAuthClientRepository: class {
+    constructor() {}
+    create = mocks.createOAuthClient;
+  },
+}));
+
+vi.mock("@calcom/emails/oauth-email-service", () => ({
+  sendAdminOAuthClientNotification: mocks.sendAdminOAuthClientNotification,
+}));
+
+vi.mock("@calcom/lib/server/i18n", () => ({
+  getTranslation: mocks.getTranslation,
+}));
+
+describe("submitClientHandler", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("creates an OAuth client and sends the admin notification email with expected parameters", async () => {
+    const t = ((key: string, vars?: Record<string, unknown>) => {
+      if (key === "admin_oauth_notification_email_subject") {
+        return `admin_oauth_notification_email_subject:${String(vars?.clientName ?? "")}`;
+      }
+      return key;
+    }) as unknown as TFunction;
+
+    mocks.getTranslation.mockResolvedValue(t);
+
+    const createdClient = {
+      clientId: "client_123",
+      name: "My Test Client",
+      purpose: "My test purpose",
+      redirectUri: "https://example.com/callback",
+      logo: "https://example.com/logo.png",
+      clientType: "CONFIDENTIAL",
+      clientSecret: "plain-secret",
+      isPkceEnabled: false,
+      approvalStatus: "PENDING",
+    };
+
+    mocks.createOAuthClient.mockResolvedValue(createdClient);
+    mocks.sendAdminOAuthClientNotification.mockResolvedValue({});
+
+    const ctx = {
+      user: {
+        id: 42,
+        email: "submitter@example.com",
+        name: "Submitter Name",
+      },
+      prisma: {} as unknown as PrismaClient,
+    };
+
+    const input = {
+      name: createdClient.name,
+      purpose: createdClient.purpose,
+      redirectUri: createdClient.redirectUri,
+      logo: createdClient.logo,
+      websiteUrl: "https://example.com",
+      enablePkce: false,
+    };
+
+    const result = await submitClientHandler({ ctx, input });
+
+    expect(mocks.createOAuthClient).toHaveBeenCalledWith({
+      name: input.name,
+      purpose: input.purpose,
+      redirectUri: input.redirectUri,
+      logo: input.logo,
+      websiteUrl: input.websiteUrl,
+      enablePkce: input.enablePkce,
+      userId: ctx.user.id,
+      approvalStatus: "PENDING",
+    });
+
+    expect(mocks.sendAdminOAuthClientNotification).toHaveBeenCalledWith({
+      t,
+      clientName: createdClient.name,
+      purpose: createdClient.purpose,
+      clientId: createdClient.clientId,
+      redirectUri: createdClient.redirectUri,
+      submitterEmail: ctx.user.email,
+      submitterName: ctx.user.name,
+    });
+
+    expect(result).toEqual({
+      clientId: createdClient.clientId,
+      name: createdClient.name,
+      purpose: createdClient.purpose,
+      clientSecret: createdClient.clientSecret,
+      redirectUri: createdClient.redirectUri,
+      logo: createdClient.logo,
+      clientType: createdClient.clientType,
+      approvalStatus: createdClient.approvalStatus,
+      isPkceEnabled: input.enablePkce,
+    });
+  });
+});

From a8d168858137e56678d19b021d533b2eec1f2ba9 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Mon, 12 Jan 2026 20:28:32 +0100
Subject: [PATCH 38/72] test: admin OAuth approval / rejection

---
 .../admin/oauth-clients-admin-view.tsx        |   7 +-
 .../oauth/OAuthClientDetailsDialog.tsx        |   6 +-
 .../settings/oauth/OAuthClientFormFields.tsx  |   2 +-
 .../oauth/oauth-client-admin.e2e.ts           | 146 ++++++
 .../playwright/oauth/oauth-client-helpers.ts  | 131 ++++++
 ...oauth-client-approved-notification.test.ts |  78 ++++
 ...oauth-client-rejected-notification.test.ts |  84 ++++
 .../routers/viewer/oAuth/addClient.schema.ts  |   5 +-
 .../oAuth/updateClientStatus.handler.test.ts  | 431 ++++++++++++++++++
 9 files changed, 884 insertions(+), 6 deletions(-)
 create mode 100644 apps/web/playwright/oauth/oauth-client-admin.e2e.ts
 create mode 100644 apps/web/playwright/oauth/oauth-client-helpers.ts
 create mode 100644 packages/emails/templates/oauth-client-approved-notification.test.ts
 create mode 100644 packages/emails/templates/oauth-client-rejected-notification.test.ts
 create mode 100644 packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.test.ts

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 1174db109e73b6..cf526790169af4 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -131,6 +131,7 @@ export default function OAuthClientsAdminView() {
       StartIcon="plus"
       size="sm"
       variant="fab"
+      data-testid="open-admin-oauth-client-create-dialog"
       onClick={() => setShowAddDialog(true)}>
       {t("new")}
     </Button>
@@ -148,7 +149,7 @@ export default function OAuthClientsAdminView() {
       CTA={newOAuthClientButton}>
       {hasClients ? (
         <div className="space-y-10">
-          <div className="space-y-3">
+          <div className="space-y-3" data-testid="oauth-client-admin-pending-section">
             <h2 className="text-emphasis text-base font-semibold">{t("pending")}</h2>
             <OAuthClientsList
               clients={(pendingClients ?? []).map(toClientDetails)}
@@ -157,7 +158,7 @@ export default function OAuthClientsAdminView() {
             />
           </div>
 
-          <div className="space-y-3">
+          <div className="space-y-3" data-testid="oauth-client-admin-rejected-section">
             <h2 className="text-emphasis text-base font-semibold">{t("rejected")}</h2>
             <OAuthClientsList
               clients={(rejectedClients ?? []).map(toClientDetails)}
@@ -166,7 +167,7 @@ export default function OAuthClientsAdminView() {
             />
           </div>
 
-          <div className="space-y-3">
+          <div className="space-y-3" data-testid="oauth-client-admin-approved-section">
             <h2 className="text-emphasis text-base font-semibold">{t("approved")}</h2>
             <OAuthClientsList
               clients={(approvedClients ?? []).map(toClientDetails)}
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
index eaed9b16defdbf..f330217a25f361 100644
--- a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
@@ -306,7 +306,7 @@ export const OAuthClientDetailsDialog = ({
             ) : null}
 
             {approvalStatus === "REJECTED" && client.rejectionReason ? (
-              <div className="text-subtle text-sm">
+              <div className="text-subtle text-sm" data-testid="oauth-client-details-rejection-reason-display">
                 <span className="font-medium">{t("oauth_client_rejection_reason")}:</span> {client.rejectionReason}
               </div>
             ) : null}
@@ -392,6 +392,7 @@ export const OAuthClientDetailsDialog = ({
                       type="button"
                       color="primary"
                       StartIcon="x"
+                      data-testid="oauth-client-details-reject-trigger"
                       loading={isStatusChangePending}
                       className="not-disabled:hover:!bg-error not-disabled:hover:!text-white not-disabled:hover:!border-semantic-error"
                       onClick={() => {
@@ -407,6 +408,7 @@ export const OAuthClientDetailsDialog = ({
                       type="button"
                       color="primary"
                       StartIcon="check"
+                      data-testid="oauth-client-details-approve-trigger"
                       loading={isStatusChangePending}
                       className="not-disabled:hover:!bg-cal-success not-disabled:hover:!text-white not-disabled:hover:!border-cal-success"
                       onClick={() => onApprove?.(client.clientId)}>
@@ -438,6 +440,7 @@ export const OAuthClientDetailsDialog = ({
                     type="button"
                     color="primary"
                     StartIcon="x"
+                    data-testid="oauth-client-details-reject-confirm"
                     loading={isStatusChangePending}
                     className="not-disabled:hover:!bg-error not-disabled:hover:!text-white not-disabled:hover:!border-semantic-error"
                     onClick={handleConfirmReject}>
@@ -448,6 +451,7 @@ export const OAuthClientDetailsDialog = ({
                   <Label htmlFor="oauth-rejection-reason">{t("reason_for_rejection")}</Label>
                   <TextArea
                     id="oauth-rejection-reason"
+                    data-testid="oauth-client-details-rejection-reason"
                     value={rejectionReason}
                     onChange={(e) => {
                       setRejectionReason(e.target.value);
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
index 113b1d3ec25aa5..c6a3d679106429 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -117,7 +117,7 @@ export const OAuthClientFormFields = ({
         }
         type="url"
         id="websiteUrl"
-        placeholder="https://example.com"
+        placeholder={isFormDisabled ? undefined : "https://example.com"}
         disabled={isFormDisabled}
       />
 
diff --git a/apps/web/playwright/oauth/oauth-client-admin.e2e.ts b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
new file mode 100644
index 00000000000000..45dfd7fc44d488
--- /dev/null
+++ b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
@@ -0,0 +1,146 @@
+import { expect, type Page } from "@playwright/test";
+
+import type { PrismaClient } from "@calcom/prisma";
+
+import { test } from "../lib/fixtures";
+import {
+  closeOAuthClientDetails,
+  createApprovedOAuthClientAsAdmin,
+  createPendingOAuthClient,
+  goToAdminOAuthSettings,
+  loginAsSeededAdmin,
+  openOAuthClientDetailsFromList,
+} from "./oauth-client-helpers";
+
+async function expectClientStatusInDb(
+  prisma: PrismaClient,
+  clientId: string,
+  status: "PENDING" | "APPROVED" | "REJECTED"
+) {
+  await expect
+    .poll(async () => {
+      const row = await prisma.oAuthClient.findUnique({
+        where: { clientId },
+        select: { approvalStatus: true },
+      });
+
+      return row?.approvalStatus ?? null;
+    })
+    .toBe(status);
+}
+
+async function expectClientInAdminSection(page: Page, sectionTestId: string, clientId: string): Promise<void> {
+  const section = page.getByTestId(sectionTestId);
+  await expect(section).toBeVisible();
+  await expect(section.getByTestId(`oauth-client-list-item-${clientId}`)).toBeVisible();
+}
+
+async function expectClientNotInAdminSection(page: Page, sectionTestId: string, clientId: string): Promise<void> {
+  const section = page.getByTestId(sectionTestId);
+  await expect(section).toBeVisible();
+  await expect(section.getByTestId(`oauth-client-list-item-${clientId}`)).toHaveCount(0);
+}
+
+test.describe.configure({ mode: "parallel" });
+
+test.describe("OAuth clients admin", () => {
+  test.afterEach(async ({ users, prisma }, testInfo) => {
+    const testPrefix = `e2e-oauth-client-admin-${testInfo.testId}-`;
+
+    await prisma.oAuthClient.deleteMany({
+      where: {
+        name: {
+          startsWith: testPrefix,
+        },
+      },
+    });
+
+    await users.deleteAll();
+  });
+
+  test("can manage pending/approved/rejected clients and can create approved clients as admin", async ({ page, prisma }, testInfo) => {
+    await loginAsSeededAdmin(page);
+
+    const testPrefix = `e2e-oauth-client-admin-${testInfo.testId}-`;
+
+    const makeClientInput = (name: string) => ({
+      name,
+      purpose: "Used for E2E testing (admin)",
+      redirectUri: "https://example.com/callback",
+      websiteUrl: "https://example.com",
+      logoFileName: "cal.png",
+    });
+
+    const pending1Name = `${testPrefix}pending-1-${Date.now()}`;
+    const pending2Name = `${testPrefix}pending-2-${Date.now()}`;
+    const pending3Name = `${testPrefix}pending-3-${Date.now()}`;
+
+    const toBeApproved = await createPendingOAuthClient(page, makeClientInput(pending1Name));
+    const toBeRejected = await createPendingOAuthClient(page, makeClientInput(pending2Name));
+    const staysPending = await createPendingOAuthClient(page, makeClientInput(pending3Name));
+
+    await goToAdminOAuthSettings(page);
+
+    await expectClientInAdminSection(page, "oauth-client-admin-pending-section", toBeApproved.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-pending-section", toBeRejected.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-pending-section", staysPending.clientId);
+
+    // Preview a pending client (readonly)
+    const pendingDetails = await openOAuthClientDetailsFromList(page, toBeApproved.clientId);
+
+    await expect(pendingDetails.locator("#name")).toBeDisabled();
+    await expect(pendingDetails.locator("#purpose")).toBeDisabled();
+    await expect(pendingDetails.locator("#redirectUri")).toBeDisabled();
+    await expect(pendingDetails.locator("#websiteUrl")).toBeDisabled();
+
+    // Upload/delete actions should be hidden for admin view
+    await expect(page.getByTestId("open-upload-oauth-client-logo-dialog")).toHaveCount(0);
+    await expect(page.getByTestId("oauth-client-details-delete-trigger")).toHaveCount(0);
+
+    // Approve pending1
+    await page.getByTestId("oauth-client-details-approve-trigger").click();
+    await closeOAuthClientDetails(page);
+
+    await expectClientStatusInDb(prisma, toBeApproved.clientId, "APPROVED");
+
+    await expectClientNotInAdminSection(page, "oauth-client-admin-pending-section", toBeApproved.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-approved-section", toBeApproved.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-pending-section", staysPending.clientId);
+
+    // Reject pending2
+    const rejectionReason = `Not acceptable (${testPrefix}reason-${Date.now()})`;
+    await openOAuthClientDetailsFromList(page, toBeRejected.clientId);
+    await page.getByTestId("oauth-client-details-reject-trigger").click();
+    await page.getByTestId("oauth-client-details-rejection-reason").fill(rejectionReason);
+    await page.getByTestId("oauth-client-details-reject-confirm").click();
+    await closeOAuthClientDetails(page);
+
+    await expectClientStatusInDb(prisma, toBeRejected.clientId, "REJECTED");
+
+    const rejectedDetails = await openOAuthClientDetailsFromList(page, toBeRejected.clientId);
+    await expect(rejectedDetails.getByTestId("oauth-client-details-rejection-reason-display")).toContainText(
+      rejectionReason
+    );
+    await closeOAuthClientDetails(page);
+
+    await expectClientNotInAdminSection(page, "oauth-client-admin-pending-section", toBeRejected.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-rejected-section", toBeRejected.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-pending-section", staysPending.clientId);
+
+    // Reload to ensure list queries show consistent counts
+    await page.reload();
+
+    await expectClientInAdminSection(page, "oauth-client-admin-approved-section", toBeApproved.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-rejected-section", toBeRejected.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-pending-section", staysPending.clientId);
+
+    // Admin can create an approved client from admin page
+    const adminCreatedName = `${testPrefix}admin-created-${Date.now()}`;
+    const adminCreated = await createApprovedOAuthClientAsAdmin(page, makeClientInput(adminCreatedName));
+
+    await expectClientStatusInDb(prisma, adminCreated.clientId, "APPROVED");
+
+    // Should now be in approved list
+    await expect(page.getByTestId(`oauth-client-list-item-${adminCreated.clientId}`)).toBeVisible();
+  });
+});
diff --git a/apps/web/playwright/oauth/oauth-client-helpers.ts b/apps/web/playwright/oauth/oauth-client-helpers.ts
new file mode 100644
index 00000000000000..12298acd164e9b
--- /dev/null
+++ b/apps/web/playwright/oauth/oauth-client-helpers.ts
@@ -0,0 +1,131 @@
+import { expect, type Locator, type Page } from "@playwright/test";
+import path from "node:path";
+
+export async function loginAsSeededAdmin(page: Page) {
+  await page.goto("/auth/login");
+  await page.getByTestId("login-form").locator("#email").fill("admin@example.com");
+  await page.getByTestId("login-form").locator("#password").fill("ADMINadmin2022!");
+
+  const responsePromise = page.waitForResponse(/\/api\/auth\/callback\/credentials/);
+  await page.getByTestId("login-form").locator('[type="submit"]').click();
+  await responsePromise;
+}
+
+export async function goToDeveloperOAuthSettings(page: Page): Promise<void> {
+  if (page.url().includes("/settings/developer/oauth")) return;
+  await page.goto("/settings/developer/oauth");
+}
+
+export async function goToAdminOAuthSettings(page: Page): Promise<void> {
+  if (page.url().includes("/settings/admin/oauth")) return;
+  await page.goto("/settings/admin/oauth");
+}
+
+type CreateOAuthClientInput = {
+  name: string;
+  purpose: string;
+  redirectUri: string;
+  websiteUrl: string;
+  logoFileName: string;
+};
+
+type CreateOAuthClientResult = {
+  clientId: string;
+  clientSecret: string;
+};
+
+export async function createPendingOAuthClient(page: Page, input: CreateOAuthClientInput): Promise<CreateOAuthClientResult> {
+  await goToDeveloperOAuthSettings(page);
+
+  await page.getByTestId("open-oauth-client-create-dialog").click();
+
+  const form = page.getByTestId("oauth-client-create-form");
+  await form.locator("#name").fill(input.name);
+  await form.locator("#purpose").fill(input.purpose);
+  await form.locator("#redirectUri").fill(input.redirectUri);
+  await form.locator("#websiteUrl").fill(input.websiteUrl);
+
+  await uploadOAuthClientLogo(page, input.logoFileName);
+
+  const pkceToggle = page.getByTestId("oauth-client-pkce-toggle");
+  await expect(pkceToggle).toHaveAttribute("data-state", "unchecked");
+
+  await page.getByTestId("oauth-client-create-submit").click();
+
+  const submitted = page.getByTestId("oauth-client-submitted-modal");
+  await expect(submitted).toBeVisible();
+
+  const clientId = ((await page.getByTestId("oauth-client-submitted-client-id").textContent()) ?? "").trim();
+  expect(clientId.length).toBeGreaterThan(1);
+
+  const clientSecret = ((await page.getByTestId("oauth-client-submitted-client-secret").textContent()) ?? "").trim();
+  expect(clientSecret.length).toBeGreaterThan(1);
+
+  await page.getByTestId("oauth-client-submitted-done").click();
+
+  return { clientId, clientSecret };
+}
+
+export async function createApprovedOAuthClientAsAdmin(
+  page: Page,
+  input: CreateOAuthClientInput
+): Promise<CreateOAuthClientResult> {
+  await goToAdminOAuthSettings(page);
+
+  await page.getByTestId("open-admin-oauth-client-create-dialog").click();
+
+  const form = page.getByTestId("oauth-client-create-form");
+  await form.locator("#name").fill(input.name);
+  await form.locator("#purpose").fill(input.purpose);
+  await form.locator("#redirectUri").fill(input.redirectUri);
+  await form.locator("#websiteUrl").fill(input.websiteUrl);
+
+  await uploadOAuthClientLogo(page, input.logoFileName);
+
+  const pkceToggle = page.getByTestId("oauth-client-pkce-toggle");
+  await expect(pkceToggle).toHaveAttribute("data-state", "unchecked");
+
+  await page.getByTestId("oauth-client-create-submit").click();
+
+  const submitted = page.getByTestId("oauth-client-submitted-modal");
+  await expect(submitted).toBeVisible();
+
+  const clientId = ((await page.getByTestId("oauth-client-submitted-client-id").textContent()) ?? "").trim();
+  expect(clientId.length).toBeGreaterThan(1);
+
+  const clientSecret = ((await page.getByTestId("oauth-client-submitted-client-secret").textContent()) ?? "").trim();
+  expect(clientSecret.length).toBeGreaterThan(1);
+
+  await page.getByTestId("oauth-client-submitted-done").click();
+
+  return { clientId, clientSecret };
+}
+
+export async function openOAuthClientDetailsFromList(page: Page, clientId: string): Promise<Locator> {
+  const details = page.getByTestId("oauth-client-details-form");
+  await page.getByTestId(`oauth-client-list-item-${clientId}`).click();
+  await expect(details).toBeVisible();
+  await expect(details.getByTestId("oauth-client-details-client-id")).toHaveText(clientId);
+  return details;
+}
+
+export async function closeOAuthClientDetails(page: Page): Promise<void> {
+  const details = page.getByTestId("oauth-client-details-form");
+  if (!(await details.isVisible())) return;
+  await page.getByTestId("oauth-client-details-close").click();
+  await expect(details).toHaveCount(0);
+}
+
+async function uploadOAuthClientLogo(page: Page, fileName: string): Promise<void> {
+  await page.getByTestId("open-upload-oauth-client-logo-dialog").click();
+  const [fileChooser] = await Promise.all([
+    page.waitForEvent("filechooser"),
+    page.getByTestId("open-upload-oauth-client-logo-filechooser").click(),
+  ]);
+  await fileChooser.setFiles(getFixturePath(fileName));
+  await page.getByTestId("upload-oauth-client-logo").click();
+}
+
+function getFixturePath(fileName: string): string {
+  return path.join(path.dirname(__filename), "..", "fixtures", fileName);
+}
diff --git a/packages/emails/templates/oauth-client-approved-notification.test.ts b/packages/emails/templates/oauth-client-approved-notification.test.ts
new file mode 100644
index 00000000000000..46b2200c8c008c
--- /dev/null
+++ b/packages/emails/templates/oauth-client-approved-notification.test.ts
@@ -0,0 +1,78 @@
+import { describe, expect, it } from "vitest";
+
+import type { TFunction } from "i18next";
+
+import OAuthClientApprovedEmail from "./oauth-client-approved-notification";
+
+class TestOAuthClientApprovedEmail extends OAuthClientApprovedEmail {
+  public async getPayload() {
+    return await this.getNodeMailerPayload();
+  }
+}
+
+describe("OAuthClientApprovedEmail", () => {
+  it("renders a node mailer payload containing the approved client information", async () => {
+    const t = ((key: string, vars?: Record<string, unknown>) => {
+      if (key === "oauth_client_approved_email_subject") {
+        return `OAuth Client Approved: ${String(vars?.clientName ?? "")}`;
+      }
+
+      if (key === "oauth_client_approved_email_title") {
+        return `OAuth Client Approved: ${String(vars?.clientName ?? "")}`;
+      }
+
+      if (key === "hi_user") return `Hi ${String(vars?.name ?? "")}`;
+      if (key === "there") return "there";
+
+      if (key === "oauth_client_approved_email_body") {
+        return "Great news! Your OAuth client has been approved and is now ready to use.";
+      }
+
+      if (key === "oauth_client_approved_email_footer") {
+        return "You can now use your client ID and secret to integrate with Cal.com.";
+      }
+
+      if (key === "oauth_client_approved_email_cta") return "View Your OAuth Clients";
+
+      if (key === "client_name") return "Name";
+      if (key === "client_id") return "Client ID";
+
+      return key;
+    }) as unknown as TFunction;
+
+    const input = {
+      t,
+      userEmail: "admin@example.com",
+      userName: "Admin Example",
+      clientName: "pkce",
+      clientId: "client_123",
+    };
+
+    const email = new TestOAuthClientApprovedEmail(input);
+    const payload = await email.getPayload();
+
+    expect(payload).toEqual(
+      expect.objectContaining({
+        to: input.userEmail,
+        subject: `OAuth Client Approved: ${input.clientName}`,
+      })
+    );
+
+    const html = "html" in payload ? (payload.html as string) : "";
+
+    expect(html).toContain(`OAuth Client Approved: ${input.clientName}`);
+    expect(html).toContain("Hi Admin Example!");
+    expect(html).toContain("Great news! Your OAuth client has been approved and is now ready to use.");
+
+    expect(html).toContain(">Name<");
+    expect(html).toContain(input.clientName);
+
+    expect(html).toContain(">Client ID<");
+    expect(html).toContain(input.clientId);
+
+    expect(html).toContain("View Your OAuth Clients");
+    expect(html).toContain("/settings/developer/oauth");
+
+    expect(html).toContain("You can now use your client ID and secret to integrate with Cal.com.");
+  });
+});
diff --git a/packages/emails/templates/oauth-client-rejected-notification.test.ts b/packages/emails/templates/oauth-client-rejected-notification.test.ts
new file mode 100644
index 00000000000000..55a5f05123c06d
--- /dev/null
+++ b/packages/emails/templates/oauth-client-rejected-notification.test.ts
@@ -0,0 +1,84 @@
+import { describe, expect, it } from "vitest";
+
+import type { TFunction } from "i18next";
+
+import OAuthClientRejectedEmail from "./oauth-client-rejected-notification";
+
+class TestOAuthClientRejectedEmail extends OAuthClientRejectedEmail {
+  public async getPayload() {
+    return await this.getNodeMailerPayload();
+  }
+}
+
+describe("OAuthClientRejectedEmail", () => {
+  it("renders a node mailer payload containing the rejected client information and rejection reason", async () => {
+    const t = ((key: string, vars?: Record<string, unknown>) => {
+      if (key === "oauth_client_rejected_email_subject") {
+        return `OAuth Client Rejected: ${String(vars?.clientName ?? "")}`;
+      }
+
+      if (key === "oauth_client_rejected_email_title") {
+        return `OAuth Client Rejected: ${String(vars?.clientName ?? "")}`;
+      }
+
+      if (key === "hi_user") return `Hi ${String(vars?.name ?? "")}`;
+      if (key === "there") return "there";
+
+      if (key === "oauth_client_rejected_email_body") {
+        return "Unfortunately, your OAuth client submission was rejected.";
+      }
+
+      if (key === "oauth_client_rejected_email_reason_label") return "Reason for rejection";
+
+      if (key === "oauth_client_rejected_email_footer") {
+        return "You can update your OAuth client submission and resubmit it for review.";
+      }
+
+      if (key === "oauth_client_rejected_email_cta") return "View Your OAuth Clients";
+
+      if (key === "client_name") return "Name";
+      if (key === "client_id") return "Client ID";
+
+      return key;
+    }) as unknown as TFunction;
+
+    const input = {
+      t,
+      userEmail: "admin@example.com",
+      userName: "Admin Example",
+      clientName: "pkce",
+      clientId: "client_123",
+      rejectionReason: "we dont support your usecase",
+    };
+
+    const email = new TestOAuthClientRejectedEmail(input);
+    const payload = await email.getPayload();
+
+    expect(payload).toEqual(
+      expect.objectContaining({
+        to: input.userEmail,
+        subject: `OAuth Client Rejected: ${input.clientName}`,
+      })
+    );
+
+    const html = "html" in payload ? (payload.html as string) : "";
+
+    expect(html).toContain(`OAuth Client Rejected: ${input.clientName}`);
+    expect(html).toContain("Hi Admin Example!");
+    expect(html).toContain("Unfortunately, your OAuth client submission was rejected.");
+
+    expect(html).toContain(">Name<");
+    expect(html).toContain(input.clientName);
+
+    expect(html).toContain(">Client ID<");
+    expect(html).toContain(input.clientId);
+
+    expect(html).toContain("Reason for rejection");
+    expect(html).toContain(input.rejectionReason);
+
+    expect(html).toContain("View Your OAuth Clients");
+    expect(html).toContain("/settings/developer/oauth");
+
+    expect(html).toContain("You can update your OAuth client submission and resubmit it for review.");
+  });
+});
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
index 0b0fa9781479f8..6cbf9a195c83c9 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
@@ -23,6 +23,9 @@ export const ZAddClientInputSchema: z.ZodType<TAddClientInputSchema, z.ZodTypeDe
   purpose: z.string().min(1),
   redirectUri: z.string(),
   logo: z.string(),
-  websiteUrl: z.string().url().optional(),
+  websiteUrl: z
+    .union([z.literal(""), z.string().url("Must be a valid URL")])
+    .optional()
+    .transform((value) => (value === "" ? undefined : value)),
   enablePkce: z.boolean().optional().default(false),
 });
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.test.ts
new file mode 100644
index 00000000000000..1ebe20e9be4036
--- /dev/null
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.test.ts
@@ -0,0 +1,431 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+import type { TFunction } from "i18next";
+
+import type { PrismaClient } from "@calcom/prisma";
+import { OAuthClientApprovalStatus, UserPermissionRole } from "@calcom/prisma/enums";
+
+import { updateClientStatusHandler } from "./updateClientStatus.handler";
+
+const mocks = vi.hoisted(() => {
+  return {
+    findByClientId: vi.fn(),
+    findByClientIdIncludeUser: vi.fn(),
+    sendOAuthClientApprovedNotification: vi.fn(),
+    sendOAuthClientRejectedNotification: vi.fn(),
+    getTranslation: vi.fn(),
+  };
+});
+
+const CLIENT_ID = "client_123";
+const OWNER_USER_ID = 42;
+
+const USER_EMAIL = "admin@example.com";
+const USER_NAME = "Admin Example";
+
+const CLIENT_NAME = "My Client";
+const CLIENT_PURPOSE = "My purpose";
+const REDIRECT_URI = "https://example.com/callback";
+
+const REJECTION_REASON_TRIMMED = "we dont support your usecase";
+const REJECTION_REASON_RAW = "  we dont support your usecase ";
+
+vi.mock("@calcom/features/oauth/repositories/OAuthClientRepository", () => ({
+  OAuthClientRepository: class {
+    constructor() {}
+    findByClientId = mocks.findByClientId;
+    findByClientIdIncludeUser = mocks.findByClientIdIncludeUser;
+  },
+}));
+
+vi.mock("@calcom/emails/oauth-email-service", () => ({
+  sendOAuthClientApprovedNotification: mocks.sendOAuthClientApprovedNotification,
+  sendOAuthClientRejectedNotification: mocks.sendOAuthClientRejectedNotification,
+}));
+
+vi.mock("@calcom/lib/server/i18n", () => ({
+  getTranslation: mocks.getTranslation,
+}));
+
+describe("updateClientStatusHandler", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("updates status to APPROVED (admin) and sends approved notification email with expected parameters", async () => {
+    const t = ((key: string, vars?: Record<string, unknown>) => {
+      if (key === "oauth_client_approved_email_subject") {
+        return `OAuth Client Approved: ${String(vars?.clientName ?? "")}`;
+      }
+      return key;
+    }) as unknown as TFunction;
+
+    mocks.getTranslation.mockResolvedValue(t);
+
+    mocks.findByClientId.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      approvalStatus: "PENDING",
+    });
+
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
+      clientId: CLIENT_ID,
+      user: {
+        email: USER_EMAIL,
+        name: USER_NAME,
+      },
+    });
+
+    const prismaUpdate = vi.fn().mockResolvedValue({
+      clientId: CLIENT_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      approvalStatus: "APPROVED",
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      rejectionReason: null,
+    });
+
+    const ctx = {
+      user: {
+        id: 1,
+        role: UserPermissionRole.ADMIN,
+      },
+      prisma: {
+        oAuthClient: {
+          update: prismaUpdate,
+        },
+      } as unknown as PrismaClient,
+    };
+
+    const input = {
+      clientId: CLIENT_ID,
+      status: OAuthClientApprovalStatus.APPROVED,
+    };
+
+    const result = await updateClientStatusHandler({ ctx, input });
+
+    expect(prismaUpdate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { clientId: input.clientId },
+        data: {
+          approvalStatus: "APPROVED",
+          rejectionReason: null,
+        },
+      })
+    );
+
+    expect(mocks.getTranslation).toHaveBeenCalledWith("en", "common");
+
+    expect(mocks.sendOAuthClientApprovedNotification).toHaveBeenCalledWith({
+      t,
+      userEmail: USER_EMAIL,
+      userName: USER_NAME,
+      clientName: CLIENT_NAME,
+      clientId: CLIENT_ID,
+    });
+
+    expect(result).toEqual({
+      clientId: CLIENT_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      approvalStatus: "APPROVED",
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      rejectionReason: null,
+    });
+  });
+
+  it("updates status to REJECTED (admin) and sends rejected notification email with trimmed rejection reason", async () => {
+    const t = ((key: string, vars?: Record<string, unknown>) => {
+      if (key === "oauth_client_rejected_email_subject") {
+        return `OAuth Client Rejected: ${String(vars?.clientName ?? "")}`;
+      }
+      return key;
+    }) as unknown as TFunction;
+
+    mocks.getTranslation.mockResolvedValue(t);
+
+    mocks.findByClientId.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      approvalStatus: "PENDING",
+    });
+
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
+      clientId: CLIENT_ID,
+      user: {
+        email: USER_EMAIL,
+        name: USER_NAME,
+      },
+    });
+
+    const prismaUpdate = vi.fn().mockResolvedValue({
+      clientId: CLIENT_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      approvalStatus: "REJECTED",
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      rejectionReason: REJECTION_REASON_TRIMMED,
+    });
+
+    const ctx = {
+      user: {
+        id: 1,
+        role: UserPermissionRole.ADMIN,
+      },
+      prisma: {
+        oAuthClient: {
+          update: prismaUpdate,
+        },
+      } as unknown as PrismaClient,
+    };
+
+    const input = {
+      clientId: CLIENT_ID,
+      status: OAuthClientApprovalStatus.REJECTED,
+      rejectionReason: REJECTION_REASON_RAW,
+    };
+
+    await updateClientStatusHandler({ ctx, input });
+
+    expect(prismaUpdate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { clientId: input.clientId },
+        data: {
+          approvalStatus: "REJECTED",
+          rejectionReason: REJECTION_REASON_TRIMMED,
+        },
+      })
+    );
+
+    expect(mocks.getTranslation).toHaveBeenCalledWith("en", "common");
+
+    expect(mocks.sendOAuthClientRejectedNotification).toHaveBeenCalledWith({
+      t,
+      userEmail: USER_EMAIL,
+      userName: USER_NAME,
+      clientName: CLIENT_NAME,
+      clientId: CLIENT_ID,
+      rejectionReason: REJECTION_REASON_TRIMMED,
+    });
+  });
+
+  it("throws FORBIDDEN when a non-admin attempts to set rejectionReason", async () => {
+    mocks.findByClientId.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      approvalStatus: "PENDING",
+    });
+
+    const ctx = {
+      user: {
+        id: 2,
+        role: UserPermissionRole.USER,
+      },
+      prisma: {
+        oAuthClient: {
+          update: vi.fn(),
+        },
+      } as unknown as PrismaClient,
+    };
+
+    const input = {
+      clientId: CLIENT_ID,
+      rejectionReason: "nope",
+    };
+
+    await expect(updateClientStatusHandler({ ctx, input })).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "Only admins can set a rejection reason",
+    });
+  });
+
+  it("throws BAD_REQUEST when rejecting without a non-empty rejectionReason", async () => {
+    mocks.findByClientId.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      approvalStatus: "PENDING",
+    });
+
+    const ctx = {
+      user: {
+        id: 1,
+        role: UserPermissionRole.ADMIN,
+      },
+      prisma: {
+        oAuthClient: {
+          update: vi.fn(),
+        },
+      } as unknown as PrismaClient,
+    };
+
+    await expect(
+      updateClientStatusHandler({
+        ctx,
+        input: {
+          clientId: CLIENT_ID,
+          status: OAuthClientApprovalStatus.REJECTED,
+          rejectionReason: " ",
+        },
+      })
+    ).rejects.toMatchObject({
+      code: "BAD_REQUEST",
+      message: "Rejection reason is required",
+    });
+  });
+
+  it("throws FORBIDDEN when a non-admin attempts to update status", async () => {
+    mocks.findByClientId.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      approvalStatus: "PENDING",
+    });
+
+    const ctx = {
+      user: {
+        id: 2,
+        role: UserPermissionRole.USER,
+      },
+      prisma: {
+        oAuthClient: {
+          update: vi.fn(),
+        },
+      } as unknown as PrismaClient,
+    };
+
+    await expect(
+      updateClientStatusHandler({
+        ctx,
+        input: {
+          clientId: CLIENT_ID,
+          status: OAuthClientApprovalStatus.APPROVED,
+        },
+      })
+    ).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "Only admins can update OAuth client status",
+    });
+  });
+
+  it("throws FORBIDDEN when a non-owner, non-admin attempts to update client fields", async () => {
+    mocks.findByClientId.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      approvalStatus: "PENDING",
+    });
+
+    const ctx = {
+      user: {
+        id: 999,
+        role: UserPermissionRole.USER,
+      },
+      prisma: {
+        oAuthClient: {
+          update: vi.fn(),
+        },
+      } as unknown as PrismaClient,
+    };
+
+    await expect(
+      updateClientStatusHandler({
+        ctx,
+        input: {
+          clientId: CLIENT_ID,
+          name: "New Name",
+        },
+      })
+    ).rejects.toMatchObject({
+      code: "FORBIDDEN",
+      message: "You do not have permission to update this OAuth client",
+    });
+  });
+
+  it("sets approvalStatus to PENDING when an owner edits a previously approved client (reapproval flow)", async () => {
+    mocks.findByClientId.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      approvalStatus: "APPROVED",
+    });
+
+    const prismaUpdate = vi.fn().mockResolvedValue({
+      clientId: CLIENT_ID,
+      name: "My Client v2",
+      purpose: CLIENT_PURPOSE,
+      approvalStatus: "PENDING",
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      rejectionReason: null,
+    });
+
+    const ctx = {
+      user: {
+        id: 42,
+        role: UserPermissionRole.USER,
+      },
+      prisma: {
+        oAuthClient: {
+          update: prismaUpdate,
+        },
+      } as unknown as PrismaClient,
+    };
+
+    await updateClientStatusHandler({
+      ctx,
+      input: {
+        clientId: CLIENT_ID,
+        name: "My Client v2",
+      },
+    });
+
+    expect(prismaUpdate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { clientId: CLIENT_ID },
+        data: {
+          name: "My Client v2",
+          approvalStatus: "PENDING",
+          rejectionReason: null,
+        },
+      })
+    );
+
+    expect(mocks.sendOAuthClientApprovedNotification).not.toHaveBeenCalled();
+    expect(mocks.sendOAuthClientRejectedNotification).not.toHaveBeenCalled();
+  });
+});

From 44dbc67cebe9d72561974a380dc497caac5bd06d Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 12 Jan 2026 20:00:20 +0000
Subject: [PATCH 39/72] fix: address Cubic AI review feedback (confidence 9/10
 issues)

- schema.prisma: Remove @default("") from purpose field to make it required
- schema.prisma: Use UTC-aware timezone expression for createdAt default
- OAuthClientFormFields.tsx: Localize redirect URI placeholder using t()
- common.json: Add redirect_uri_placeholder translation key

Co-Authored-By: unknown <>
---
 apps/web/modules/settings/oauth/OAuthClientFormFields.tsx | 2 +-
 apps/web/public/static/locales/en/common.json             | 1 +
 packages/prisma/schema.prisma                             | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
index c6a3d679106429..ed766119208706 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -98,7 +98,7 @@ export const OAuthClientFormFields = ({
         label={t("redirect_uri")}
         type="url"
         id="redirectUri"
-        placeholder="https://example.com/callback"
+        placeholder={t("redirect_uri_placeholder")}
         required
         disabled={isFormDisabled}
       />
diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index adc2a130a20ccd..593d10c9500bda 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1046,6 +1046,7 @@
   "purpose_placeholder": "Explain what this OAuth client is for and how it will be used",
   "purpose_tooltip": "Please explain how and what this OAuth client will be used for. This helps us review and approve your request.",
   "redirect_uri": "Redirect URI",
+  "redirect_uri_placeholder": "https://example.com/callback",
   "website_url": "Website URL",
   "website_url_tooltip": "For development, you can use a localhost URL (e.g. http://localhost:3000).",
   "authentication_mode": "Authentication Mode",
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 2f0e979f387764..ebce4ffd25a567 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1782,7 +1782,7 @@ model OAuthClient {
   clientSecret    String?
   clientType      OAuthClientType           @default(CONFIDENTIAL)
   name            String
-  purpose         String                    @default("")
+  purpose         String
   logo            String?
   websiteUrl      String?
   rejectionReason String?
@@ -1791,7 +1791,7 @@ model OAuthClient {
   approvalStatus  OAuthClientApprovalStatus @default(APPROVED)
   userId          Int?
   user            User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
-  createdAt       DateTime                  @default(now())
+  createdAt       DateTime                  @default(dbgenerated("timezone('UTC', now())"))
 
   @@index([userId])
 }

From fe44f1f05fbe93dc456ded9273a63be36136d16a Mon Sep 17 00:00:00 2001
From: "cubic-dev-ai[bot]" <1082092+cubic-dev-ai[bot]@users.noreply.github.com>
Date: Tue, 13 Jan 2026 10:30:54 +0000
Subject: [PATCH 40/72] cubic changes

---
 packages/prisma/schema.prisma | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index ebce4ffd25a567..bc1951d0790964 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1791,7 +1791,7 @@ model OAuthClient {
   approvalStatus  OAuthClientApprovalStatus @default(APPROVED)
   userId          Int?
   user            User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
-  createdAt       DateTime                  @default(dbgenerated("timezone('UTC', now())"))
+  createdAt       DateTime                  @default(now())
 
   @@index([userId])
 }

From ddaa1118baaf02644c35f0da94c3bb00c9806b84 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 12:02:41 +0100
Subject: [PATCH 41/72] refactor: dont log sensitive info and rethrow error

---
 packages/emails/oauth-email-service.ts | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/packages/emails/oauth-email-service.ts b/packages/emails/oauth-email-service.ts
index 9403e9d7ee0e6a..51663b2eb94d65 100644
--- a/packages/emails/oauth-email-service.ts
+++ b/packages/emails/oauth-email-service.ts
@@ -7,15 +7,17 @@ import OAuthClientApprovedEmail from "./templates/oauth-client-approved-notifica
 import type { OAuthClientRejectedNotification } from "./templates/oauth-client-rejected-notification";
 import OAuthClientRejectedEmail from "./templates/oauth-client-rejected-notification";
 
-const sendEmail = (prepare: () => BaseEmail) => {
-  return new Promise((resolve, reject) => {
-    try {
-      const email = prepare();
-      resolve(email.sendEmail());
-    } catch (e) {
-      reject(console.error(`${prepare.constructor.name}.sendEmail failed`, e));
-    }
-  });
+const sendEmail = async (prepare: () => BaseEmail) => {
+  let email: BaseEmail | undefined;
+
+  try {
+    email = prepare();
+    return await email.sendEmail();
+  } catch (e) {
+    const errorName = e instanceof Error ? e.name : "UnknownError";
+    console.error(`${email?.constructor?.name ?? "Email"}.sendEmail oauth-email-service failed (${errorName})`);
+    throw e;
+  }
 };
 
 export const sendAdminOAuthClientNotification = async (input: OAuthClientNotification) => {

From 91f1f1cb350e68422f2d9ed749ff467f0606ac07 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 12:09:05 +0100
Subject: [PATCH 42/72] cubic feedback

---
 apps/web/public/static/locales/en/common.json | 1 -
 packages/emails/oauth-email-service.ts        | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 593d10c9500bda..4c04c7407d878e 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1413,7 +1413,6 @@
   "success_api_key_created": "API key created successfully",
   "success_api_key_edited": "API key updated successfully",
   "create": "Create",
-  "create_oauth_client": "Create OAuth client",
   "success_api_key_created_bold_tagline": "Save this API key somewhere safe.",
   "you_will_only_view_it_once": "You will not be able to view it again once you close this modal.",
   "copy_to_clipboard": "Copy to clipboard",
diff --git a/packages/emails/oauth-email-service.ts b/packages/emails/oauth-email-service.ts
index 51663b2eb94d65..ef94c2ce34935a 100644
--- a/packages/emails/oauth-email-service.ts
+++ b/packages/emails/oauth-email-service.ts
@@ -15,7 +15,7 @@ const sendEmail = async (prepare: () => BaseEmail) => {
     return await email.sendEmail();
   } catch (e) {
     const errorName = e instanceof Error ? e.name : "UnknownError";
-    console.error(`${email?.constructor?.name ?? "Email"}.sendEmail oauth-email-service failed (${errorName})`);
+    console.error(`${email?.constructor?.name ?? "Email"}.sendEmail oauth-email-service failed (${errorName})`, e);
     throw e;
   }
 };

From 60fd4db9c04d205cab633395e6ab3649641e05ef Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 12:54:55 +0100
Subject: [PATCH 43/72] refactor: make oauth client purpose optional

---
 .../migration.sql                                               | 2 +-
 packages/prisma/schema.prisma                                   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 rename packages/prisma/migrations/{20260112104713_new_oauth_client_properties => 20260113115410_new_oauth_client_properties}/migration.sql (93%)

diff --git a/packages/prisma/migrations/20260112104713_new_oauth_client_properties/migration.sql b/packages/prisma/migrations/20260113115410_new_oauth_client_properties/migration.sql
similarity index 93%
rename from packages/prisma/migrations/20260112104713_new_oauth_client_properties/migration.sql
rename to packages/prisma/migrations/20260113115410_new_oauth_client_properties/migration.sql
index 3b711d4886c620..0049c6b31f322f 100644
--- a/packages/prisma/migrations/20260112104713_new_oauth_client_properties/migration.sql
+++ b/packages/prisma/migrations/20260113115410_new_oauth_client_properties/migration.sql
@@ -4,7 +4,7 @@ CREATE TYPE "public"."OAuthClientApprovalStatus" AS ENUM ('pending', 'approved',
 -- AlterTable
 ALTER TABLE "public"."OAuthClient" ADD COLUMN     "approvalStatus" "public"."OAuthClientApprovalStatus" NOT NULL DEFAULT 'approved',
 ADD COLUMN     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
-ADD COLUMN     "purpose" TEXT NOT NULL DEFAULT '',
+ADD COLUMN     "purpose" TEXT,
 ADD COLUMN     "rejectionReason" TEXT,
 ADD COLUMN     "userId" INTEGER,
 ADD COLUMN     "websiteUrl" TEXT;
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index bc1951d0790964..dd7ce374dc2851 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1782,7 +1782,7 @@ model OAuthClient {
   clientSecret    String?
   clientType      OAuthClientType           @default(CONFIDENTIAL)
   name            String
-  purpose         String
+  purpose         String?
   logo            String?
   websiteUrl      String?
   rejectionReason String?

From 6691d50925154bdff60891f5cc90c3a1a2845eec Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 18:03:51 +0100
Subject: [PATCH 44/72] refactor: admin/oauth not allowed if not logged in

---
 .../(admin-layout)/admin/oAuth/page.tsx       | 22 ++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
index 931c84d14e452b..28bc8c212f3a7b 100644
--- a/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
+++ b/apps/web/app/(use-page-wrapper)/settings/(admin-layout)/admin/oAuth/page.tsx
@@ -1,7 +1,24 @@
 import { _generateMetadata, getTranslate } from "app/_utils";
+import { cookies, headers } from "next/headers";
+import { redirect } from "next/navigation";
+
+import { getServerSession } from "@calcom/features/auth/lib/getServerSession";
+
+import { buildLegacyRequest } from "@lib/buildLegacyCtx";
 
 import OAuthClientsAdminView from "~/settings/admin/oauth-clients-admin-view";
 
+const Page = async () => {
+  const session = await getServerSession({ req: buildLegacyRequest(await headers(), await cookies()) });
+  await getTranslate();
+
+  if (!session) {
+    redirect("/auth/login?callbackUrl=/settings/admin/oauth");
+  }
+
+  return <OAuthClientsAdminView />;
+};
+
 export const generateMetadata = async () =>
   await _generateMetadata(
     (t) => t("oauth_clients_admin"),
@@ -11,9 +28,4 @@ export const generateMetadata = async () =>
     "/settings/admin/oauth"
   );
 
-const Page = async () => {
-  const t = await getTranslate();
-  return <OAuthClientsAdminView />;
-};
-
 export default Page;

From 1a7453e38eef06abf277c17fa3ba03c4b341d744 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 18:11:37 +0100
Subject: [PATCH 45/72] refactor: admin view skeleton

---
 .../admin/oauth-clients-admin-skeleton.tsx    | 76 +++++++------------
 1 file changed, 29 insertions(+), 47 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx
index 5dba0972d6421a..c3e028851b0df5 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-skeleton.tsx
@@ -5,55 +5,37 @@ import { SkeletonText, SkeletonContainer } from "@calcom/ui/components/skeleton"
 export const OAuthClientsAdminSkeleton = () => {
   return (
     <SkeletonContainer>
-      <div className="mb-4 flex justify-end">
-        <div className="bg-emphasis h-9 w-36 rounded-md" />
+      <div className="mb-8">
+        <SkeletonText className="h-7 w-64" />
+        <div className="mt-2 flex items-start justify-between gap-4">
+          <SkeletonText className="h-4 w-full max-w-xl" />
+          <div className="bg-emphasis h-9 w-20 rounded-md" />
+        </div>
       </div>
-      <div className="border-subtle overflow-hidden rounded-lg border">
-        <table className="w-full">
-          <thead className="bg-subtle">
-            <tr>
-              <th className="px-4 py-3 text-left">
-                <SkeletonText className="h-4 w-20" />
-              </th>
-              <th className="px-4 py-3 text-left">
-                <SkeletonText className="h-4 w-20" />
-              </th>
-              <th className="px-4 py-3 text-left">
-                <SkeletonText className="h-4 w-20" />
-              </th>
-              <th className="px-4 py-3 text-left">
-                <SkeletonText className="h-4 w-16" />
-              </th>
-              <th className="px-4 py-3 text-left">
-                <SkeletonText className="h-4 w-16" />
-              </th>
-            </tr>
-          </thead>
-          <tbody className="divide-subtle divide-y">
-            {[1, 2, 3].map((i) => (
-              <tr key={i}>
-                <td className="px-4 py-3">
-                  <div className="flex items-center gap-3">
-                    <div className="bg-emphasis h-8 w-8 rounded-full" />
-                    <SkeletonText className="h-4 w-24" />
+
+      <div className="space-y-10">
+        {[1, 2, 3].map((section) => (
+          <div key={section} className="space-y-3">
+            <SkeletonText className="h-5 w-24" />
+            <div className="border-subtle rounded-lg border">
+              {[1, 2, 3].map((row) => (
+                <div
+                  // eslint-disable-next-line react/no-array-index-key
+                  key={`${section}-${row}`}
+                  className={`flex items-center justify-between p-4 ${row !== 3 ? "border-subtle border-b" : ""}`}>
+                  <div className="flex items-center gap-4">
+                    <div className="bg-emphasis h-10 w-10 rounded-full" />
+                    <SkeletonText className="h-4 w-40" />
+                  </div>
+                  <div className="flex items-center gap-4">
+                    <SkeletonText className="h-5 w-20 rounded-full" />
+                    <div className="bg-emphasis h-5 w-5 rounded" />
                   </div>
-                </td>
-                <td className="px-4 py-3">
-                  <SkeletonText className="h-4 w-40" />
-                </td>
-                <td className="px-4 py-3">
-                  <SkeletonText className="h-4 w-24" />
-                </td>
-                <td className="px-4 py-3">
-                  <SkeletonText className="h-5 w-16 rounded-full" />
-                </td>
-                <td className="px-4 py-3">
-                  <div className="bg-emphasis h-8 w-8 rounded" />
-                </td>
-              </tr>
-            ))}
-          </tbody>
-        </table>
+                </div>
+              ))}
+            </div>
+          </div>
+        ))}
       </div>
     </SkeletonContainer>
   );

From 279528621564981850be4a37496dd4eea5168ea5 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 18:18:51 +0100
Subject: [PATCH 46/72] refactor: rename state

---
 .../settings/admin/oauth-clients-admin-view.tsx        | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index cf526790169af4..3e8125b8663345 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -24,7 +24,7 @@ type OAuthClientRow = RouterOutputs["viewer"]["oAuth"]["listClients"][number];
 export default function OAuthClientsAdminView() {
   const { t } = useLocale();
   const utils = trpc.useUtils();
-  const [showAddDialog, setShowAddDialog] = useState(false);
+  const [showCreateDialog, setShowCreateDialog] = useState(false);
   const [createdClient, setCreatedClient] = useState<OAuthClientDetails | null>(null);
   const [selectedClient, setSelectedClient] = useState<OAuthClientDetails | null>(null);
 
@@ -93,7 +93,7 @@ export default function OAuthClientsAdminView() {
   };
 
   const handleCloseDialog = () => {
-    setShowAddDialog(false);
+    setShowCreateDialog(false);
     setCreatedClient(null);
   };
 
@@ -132,7 +132,7 @@ export default function OAuthClientsAdminView() {
       size="sm"
       variant="fab"
       data-testid="open-admin-oauth-client-create-dialog"
-      onClick={() => setShowAddDialog(true)}>
+      onClick={() => setShowCreateDialog(true)}>
       {t("new")}
     </Button>
   );
@@ -186,8 +186,8 @@ export default function OAuthClientsAdminView() {
       )}
 
       <OAuthClientCreateDialog
-        open={showAddDialog}
-        onOpenChange={setShowAddDialog}
+        open={showCreateDialog}
+        onOpenChange={setShowCreateDialog}
         title={t("create_oauth_client")}
         submitLabel={t("create")}
         isSubmitting={addMutation.isPending}

From 32d61ba6719b811b6b8f2a82353c07aa82eb0bdd Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 18:27:23 +0100
Subject: [PATCH 47/72] refactor: get rid of redundant mapping

---
 .../admin/oauth-clients-admin-view.tsx        | 21 +++----------------
 .../oauth/OAuthClientDetailsDialog.tsx        |  2 +-
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 3e8125b8663345..31c8c8c07cb967 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -4,7 +4,6 @@ import { useState } from "react";
 
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
-import type { RouterOutputs } from "@calcom/trpc/react";
 
 import { OAuthClientsAdminSkeleton } from "./oauth-clients-admin-skeleton";
 import { Button } from "@calcom/ui/components/button";
@@ -19,8 +18,6 @@ import {
 import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
 
-type OAuthClientRow = RouterOutputs["viewer"]["oAuth"]["listClients"][number];
-
 export default function OAuthClientsAdminView() {
   const { t } = useLocale();
   const utils = trpc.useUtils();
@@ -113,18 +110,6 @@ export default function OAuthClientsAdminView() {
     return <OAuthClientsAdminSkeleton />;
   }
 
-  const toClientDetails = (client: OAuthClientRow): OAuthClientDetails => ({
-    clientId: client.clientId,
-    name: client.name,
-    purpose: client.purpose,
-    redirectUri: client.redirectUri,
-    websiteUrl: client.websiteUrl,
-    logo: client.logo,
-    approvalStatus: client.approvalStatus,
-    rejectionReason: client.rejectionReason,
-    clientType: client.clientType,
-  });
-
   const newOAuthClientButton = (
     <Button
       color="secondary"
@@ -152,7 +137,7 @@ export default function OAuthClientsAdminView() {
           <div className="space-y-3" data-testid="oauth-client-admin-pending-section">
             <h2 className="text-emphasis text-base font-semibold">{t("pending")}</h2>
             <OAuthClientsList
-              clients={(pendingClients ?? []).map(toClientDetails)}
+              clients={pendingClients ?? []}
               onSelectClient={(client) => setSelectedClient(client)}
               showStatus
             />
@@ -161,7 +146,7 @@ export default function OAuthClientsAdminView() {
           <div className="space-y-3" data-testid="oauth-client-admin-rejected-section">
             <h2 className="text-emphasis text-base font-semibold">{t("rejected")}</h2>
             <OAuthClientsList
-              clients={(rejectedClients ?? []).map(toClientDetails)}
+              clients={rejectedClients ?? []}
               onSelectClient={(client) => setSelectedClient(client)}
               showStatus
             />
@@ -170,7 +155,7 @@ export default function OAuthClientsAdminView() {
           <div className="space-y-3" data-testid="oauth-client-admin-approved-section">
             <h2 className="text-emphasis text-base font-semibold">{t("approved")}</h2>
             <OAuthClientsList
-              clients={(approvedClients ?? []).map(toClientDetails)}
+              clients={approvedClients ?? []}
               onSelectClient={(client) => setSelectedClient(client)}
               showStatus
             />
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
index f330217a25f361..d570398eeb1eb8 100644
--- a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
@@ -23,7 +23,7 @@ import { OAuthClientFormFields } from "./OAuthClientFormFields";
 export type OAuthClientDetails = {
   clientId: string;
   name: string;
-  purpose?: string;
+  purpose?: string | null;
   redirectUri?: string;
   websiteUrl?: string | null;
   logo?: string | null;

From d8ba093317424fad3a8ff5c0359a2116893bc4e3 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 18:33:22 +0100
Subject: [PATCH 48/72] refactor: remove redundant handler

---
 apps/web/modules/settings/developer/oauth-clients-view.tsx | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 44e1b7c223bbec..bbfca250a1112d 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -108,10 +108,6 @@ const OAuthClientsView = () => {
     setSubmittedClient(null);
   };
 
-  const handleCloseClientDialog = () => {
-    setSelectedClient(null);
-  };
-
   if (isLoading) {
     return <OAuthClientsSkeleton />;
   }
@@ -174,7 +170,7 @@ const OAuthClientsView = () => {
 
       <OAuthClientDetailsDialog
         open={Boolean(selectedClient)}
-        onOpenChange={(open) => !open && handleCloseClientDialog()}
+        onOpenChange={(open) => !open && setSelectedClient(null)}
         client={selectedClient}
         onUpdate={(values) => {
           updateClientMutation.mutate({

From 14d5d921d25601d9c43ded0645a4b5541ecfd757 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 18:35:10 +0100
Subject: [PATCH 49/72] refactor: remove redundant handler

---
 .../modules/settings/developer/oauth-clients-view.tsx  | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index bbfca250a1112d..a13efe7b09f835 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -103,11 +103,15 @@ const OAuthClientsView = () => {
     });
   };
 
-  const handleCloseDialog = () => {
+  const handleCloseCreateDialog = () => {
     setShowDialog(false);
     setSubmittedClient(null);
   };
 
+  const handleCloseDetailsDialog = () => {
+    setSelectedClient(null);
+  };
+
   if (isLoading) {
     return <OAuthClientsSkeleton />;
   }
@@ -165,12 +169,12 @@ const OAuthClientsView = () => {
         resultClient={submittedClient}
         resultTitle={t("oauth_client_submitted")}
         resultDescription={t("oauth_client_submitted_description")}
-        onClose={handleCloseDialog}
+        onClose={handleCloseCreateDialog}
       />
 
       <OAuthClientDetailsDialog
         open={Boolean(selectedClient)}
-        onOpenChange={(open) => !open && setSelectedClient(null)}
+        onOpenChange={(open) => !open && handleCloseDetailsDialog()}
         client={selectedClient}
         onUpdate={(values) => {
           updateClientMutation.mutate({

From bc146ab390c794fe2298ddfe747878167a81cd22 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 18:46:40 +0100
Subject: [PATCH 50/72] refactor: re-usable new oauth client button

---
 .../admin/oauth-clients-admin-view.tsx        | 15 +++++---------
 .../settings/developer/oauth-clients-view.tsx | 20 +++++--------------
 .../settings/oauth/NewOAuthClientButton.tsx   | 20 +++++++++++++++++++
 3 files changed, 30 insertions(+), 25 deletions(-)
 create mode 100644 apps/web/modules/settings/oauth/NewOAuthClientButton.tsx

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 31c8c8c07cb967..e26c149b622e99 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -6,7 +6,6 @@ import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
 
 import { OAuthClientsAdminSkeleton } from "./oauth-clients-admin-skeleton";
-import { Button } from "@calcom/ui/components/button";
 import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
@@ -17,6 +16,7 @@ import {
 } from "../oauth/OAuthClientCreateDialog";
 import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
+import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
 
 export default function OAuthClientsAdminView() {
   const { t } = useLocale();
@@ -111,15 +111,10 @@ export default function OAuthClientsAdminView() {
   }
 
   const newOAuthClientButton = (
-    <Button
-      color="secondary"
-      StartIcon="plus"
-      size="sm"
-      variant="fab"
-      data-testid="open-admin-oauth-client-create-dialog"
-      onClick={() => setShowCreateDialog(true)}>
-      {t("new")}
-    </Button>
+    <NewOAuthClientButton
+      dataTestId="open-admin-oauth-client-create-dialog"
+      onClick={() => setShowCreateDialog(true)}
+    />
   );
 
   const hasClients =
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index a13efe7b09f835..82c3576edc3f39 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -3,7 +3,6 @@
 import { useState } from "react";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 import { trpc } from "@calcom/trpc/react";
-import { Button } from "@calcom/ui/components/button";
 import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
@@ -14,6 +13,7 @@ import {
 } from "../oauth/OAuthClientCreateDialog";
 import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
+import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
 
 import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 
@@ -116,23 +116,15 @@ const OAuthClientsView = () => {
     return <OAuthClientsSkeleton />;
   }
 
-  const NewOAuthClientButton = () => (
-    <Button
-      color="secondary"
-      StartIcon="plus"
-      size="sm"
-      variant="fab"
-      data-testid="open-oauth-client-create-dialog"
-      onClick={() => setShowDialog(true)}>
-      {t("new")}
-    </Button>
+  const newOAuthClientButton = (
+    <NewOAuthClientButton dataTestId="open-oauth-client-create-dialog" onClick={() => setShowDialog(true)} />
   );
 
   return (
     <SettingsHeader
       title={t("oauth_clients")}
       description={t("oauth_clients_description")}
-      CTA={<NewOAuthClientButton />}>
+      CTA={newOAuthClientButton}>
       {oAuthClients && oAuthClients.length > 0 ? (
         <OAuthClientsList
           clients={oAuthClients.map((client) => ({
@@ -153,9 +145,7 @@ const OAuthClientsView = () => {
           Icon="key"
           headline={t("no_oauth_clients")}
           description={t("no_oauth_clients_description")}
-          buttonRaw={
-            <NewOAuthClientButton />
-          }
+          buttonRaw={newOAuthClientButton}
         />
       )}
 
diff --git a/apps/web/modules/settings/oauth/NewOAuthClientButton.tsx b/apps/web/modules/settings/oauth/NewOAuthClientButton.tsx
new file mode 100644
index 00000000000000..bd59bced70ae45
--- /dev/null
+++ b/apps/web/modules/settings/oauth/NewOAuthClientButton.tsx
@@ -0,0 +1,20 @@
+"use client";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+import { Button } from "@calcom/ui/components/button";
+
+export const NewOAuthClientButton = ({
+  onClick,
+  dataTestId,
+}: {
+  onClick: () => void;
+  dataTestId: string;
+}) => {
+  const { t } = useLocale();
+
+  return (
+    <Button color="secondary" StartIcon="plus" size="sm" variant="fab" data-testid={dataTestId} onClick={onClick}>
+      {t("new")}
+    </Button>
+  );
+};

From e9e0018b421091a4968ed273591bdfc2560c1dc8 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Tue, 13 Jan 2026 20:18:35 +0100
Subject: [PATCH 51/72] refactor: dialogs

---
 .../admin/oauth-clients-admin-view.tsx        |  12 +-
 .../settings/developer/oauth-clients-view.tsx |  10 +-
 .../oauth/AdminOAuthClientCreateDialog.tsx    |  51 ++++
 .../oauth/OAuthClientCreateDialog.tsx         | 228 +++++++-----------
 .../oauth/OAuthClientResultDialog.tsx         | 150 ++++++++++++
 5 files changed, 297 insertions(+), 154 deletions(-)
 create mode 100644 apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx
 create mode 100644 apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index e26c149b622e99..0216f7bec95a81 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -10,10 +10,8 @@ import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import {
-  OAuthClientCreateDialog,
-  type OAuthClientCreateFormValues,
-} from "../oauth/OAuthClientCreateDialog";
+import { AdminOAuthClientCreateDialog } from "../oauth/AdminOAuthClientCreateDialog";
+import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateDialog";
 import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
 import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
@@ -165,16 +163,12 @@ export default function OAuthClientsAdminView() {
         />
       )}
 
-      <OAuthClientCreateDialog
+      <AdminOAuthClientCreateDialog
         open={showCreateDialog}
         onOpenChange={setShowCreateDialog}
-        title={t("create_oauth_client")}
-        submitLabel={t("create")}
         isSubmitting={addMutation.isPending}
         onSubmit={handleAddClient}
         resultClient={createdClient}
-        resultTitle={t("oauth_client_created")}
-        resultDescription={t("oauth_client_created_description")}
         clientSecretInfoKey="copy_client_secret_info"
         onClose={handleCloseDialog}
       />
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 82c3576edc3f39..df0ae3914d8f74 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -7,10 +7,8 @@ import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import {
-  OAuthClientCreateDialog,
-  type OAuthClientCreateFormValues,
-} from "../oauth/OAuthClientCreateDialog";
+import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateDialog";
+import { OAuthClientCreateDialog } from "../oauth/OAuthClientCreateDialog";
 import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
 import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
@@ -152,13 +150,9 @@ const OAuthClientsView = () => {
       <OAuthClientCreateDialog
         open={showDialog}
         onOpenChange={setShowDialog}
-        title={t("create_oauth_client")}
-        submitLabel={t("create")}
         isSubmitting={submitMutation.isPending}
         onSubmit={handleSubmit}
         resultClient={submittedClient}
-        resultTitle={t("oauth_client_submitted")}
-        resultDescription={t("oauth_client_submitted_description")}
         onClose={handleCloseCreateDialog}
       />
 
diff --git a/apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx
new file mode 100644
index 00000000000000..a49c2d6df7a16e
--- /dev/null
+++ b/apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx
@@ -0,0 +1,51 @@
+"use client";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+import { OAuthClientResultDialog } from "./OAuthClientResultDialog";
+import type { OAuthClientCreateFormValues } from "./OAuthClientCreateDialog";
+import { OAuthClientCreateDialogContent } from "./OAuthClientCreateDialog";
+
+type AdminOAuthClientCreateDialogProps = {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  isSubmitting: boolean;
+  onSubmit: (values: OAuthClientCreateFormValues) => void;
+  resultClient: OAuthClientDetails | null;
+  clientSecretInfoKey?: string;
+  onClose: () => void;
+};
+
+export function AdminOAuthClientCreateDialog(
+  {
+    resultClient,
+    clientSecretInfoKey,
+    ...rest
+  }: AdminOAuthClientCreateDialogProps
+) {
+  const { t } = useLocale();
+
+  if (resultClient) {
+    return (
+      <OAuthClientResultDialog
+        open={rest.open}
+        onOpenChange={rest.onOpenChange}
+        title={t("oauth_client_created")}
+        description={t("oauth_client_created_description")}
+        resultClient={resultClient}
+        clientSecretInfoKey={clientSecretInfoKey}
+        onClose={rest.onClose}
+      />
+    );
+  }
+
+  return (
+    <OAuthClientCreateDialogContent
+      {...rest}
+      title={t("create_oauth_client")}
+      description={t("create_oauth_client_description")}
+      submitLabel={t("create")}
+    />
+  );
+}
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
index 140c0c380feb0e..5f554b573dc5fb 100644
--- a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
@@ -3,20 +3,16 @@
 import { useState } from "react";
 import { useForm } from "react-hook-form";
 
-import { Dialog } from "@calcom/features/components/controlled-dialog";
-import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 
-import { Alert } from "@calcom/ui/components/alert";
-import { Badge } from "@calcom/ui/components/badge";
+import { OAuthClientResultDialog } from "./OAuthClientResultDialog";
+import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+import { OAuthClientFormFields } from "./OAuthClientFormFields";
+
+import { Dialog } from "@calcom/features/components/controlled-dialog";
 import { Button } from "@calcom/ui/components/button";
 import { DialogClose, DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
 import { Form } from "@calcom/ui/components/form";
-import { showToast } from "@calcom/ui/components/toast";
-import { Tooltip } from "@calcom/ui/components/tooltip";
-
-import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
-import { OAuthClientFormFields } from "./OAuthClientFormFields";
 
 export type OAuthClientCreateFormValues = {
   name: string;
@@ -27,35 +23,77 @@ export type OAuthClientCreateFormValues = {
   enablePkce: boolean;
 };
 
-export const OAuthClientCreateDialog = ({
-  open,
-  onOpenChange,
-  title,
-  description,
-  submitLabel,
-  isSubmitting,
-  onSubmit,
-  resultClient,
-  resultTitle,
-  resultDescription,
-  clientSecretInfoKey,
-  onClose,
-}: {
+type BaseOAuthClientCreateDialogContentProps = {
   open: boolean;
   onOpenChange: (open: boolean) => void;
+  isSubmitting: boolean;
+  onSubmit: (values: OAuthClientCreateFormValues) => void;
+  onClose: () => void;
   title: string;
-  description?: string;
+  description: string;
   submitLabel: string;
+};
+
+export type OAuthClientCreateDialogProps = {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
   isSubmitting: boolean;
   onSubmit: (values: OAuthClientCreateFormValues) => void;
   resultClient: OAuthClientDetails | null;
-  resultTitle: string;
-  resultDescription?: string;
   clientSecretInfoKey?: string;
   onClose: () => void;
-}) => {
+};
+
+export function OAuthClientCreateDialog({
+  open,
+  onOpenChange,
+  isSubmitting,
+  onSubmit,
+  resultClient,
+  clientSecretInfoKey,
+  onClose,
+}: OAuthClientCreateDialogProps) {
+  const { t } = useLocale();
+
+  if (resultClient) {
+    return (
+      <OAuthClientResultDialog
+        open={open}
+        onOpenChange={onOpenChange}
+        title={t("oauth_client_submitted")}
+        description={t("oauth_client_submitted_description")}
+        resultClient={resultClient}
+        clientSecretInfoKey={clientSecretInfoKey}
+        onClose={onClose}
+      />
+    );
+  }
+
+  return (
+    <OAuthClientCreateDialogContent
+      open={open}
+      onOpenChange={onOpenChange}
+      isSubmitting={isSubmitting}
+      onSubmit={onSubmit}
+      onClose={onClose}
+      title={t("create_oauth_client")}
+      description={t("create_oauth_client_description")}
+      submitLabel={t("create")}
+    />
+  );
+}
+
+export function OAuthClientCreateDialogContent({
+  open,
+  onOpenChange,
+  isSubmitting,
+  onSubmit,
+  onClose,
+  title,
+  description,
+  submitLabel,
+}: BaseOAuthClientCreateDialogContentProps) {
   const { t } = useLocale();
-  const { copyToClipboard } = useCopy();
   const [logo, setLogo] = useState("");
 
   const form = useForm<OAuthClientCreateFormValues>({
@@ -85,115 +123,31 @@ export const OAuthClientCreateDialog = ({
 
   return (
     <Dialog open={open} onOpenChange={handleOpenChange}>
-      <DialogContent
-        enableOverflow
-        type="creation"
-        title={resultClient ? resultTitle : title}
-        description={resultClient ? resultDescription : description}>
-        {!resultClient ? (
-          <Form
-            form={form}
-            handleSubmit={(values) => {
-              onSubmit({
-                name: values.name.trim() || "",
-                purpose: values.purpose.trim() || "",
-                redirectUri: values.redirectUri.trim() || "",
-                websiteUrl: values.websiteUrl.trim() || "",
-                logo: values.logo,
-                enablePkce: values.enablePkce,
-              });
-            }}
-            className="space-y-4"
-            data-testid="oauth-client-create-form">
-            <OAuthClientFormFields form={form} logo={logo} setLogo={setLogo} />
-
-            <DialogFooter>
-              <DialogClose>{t("close")}</DialogClose>
-              <Button type="submit" loading={isSubmitting} data-testid="oauth-client-create-submit">
-                {submitLabel}
-              </Button>
-            </DialogFooter>
-          </Form>
-        ) : (
-          <>
-            <div className="space-y-4" data-testid="oauth-client-submitted-modal">
-              {resultClient.approvalStatus === "PENDING" ? (
-                <div className="flex items-center justify-start">
-                  <Badge variant="orange">{t("pending")}</Badge>
-                </div>
-              ) : null}
-              <div>
-                <div className="text-subtle mb-1 text-sm">{t("client_name")}</div>
-                <div className="text-emphasis font-medium">{resultClient.name}</div>
-              </div>
-
-              <div>
-                <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
-                <div className="flex">
-                  <code
-                    data-testid="oauth-client-submitted-client-id"
-                    className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                    {resultClient.clientId}
-                  </code>
-                  <Tooltip side="top" content={t("copy_to_clipboard")}>
-                    <Button
-                      onClick={() => {
-                        copyToClipboard(resultClient.clientId, {
-                          onSuccess: () => showToast(t("client_id_copied"), "success"),
-                          onFailure: () => showToast(t("error"), "error"),
-                        });
-                      }}
-                      type="button"
-                      size="sm"
-                      className="rounded-l-none"
-                      StartIcon="clipboard">
-                      {t("copy")}
-                    </Button>
-                  </Tooltip>
-                </div>
-              </div>
-
-              {resultClient.clientSecret ? (
-                <div>
-                  <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
-                  <div className="flex">
-                    <code
-                      data-testid="oauth-client-submitted-client-secret"
-                      className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                      {resultClient.clientSecret}
-                    </code>
-                    <Tooltip side="top" content={t("copy_to_clipboard")}>
-                      <Button
-                        onClick={() => {
-                          copyToClipboard(resultClient.clientSecret ?? "", {
-                            onSuccess: () => showToast(t("client_secret_copied"), "success"),
-                            onFailure: () => showToast(t("error"), "error"),
-                          });
-                        }}
-                        type="button"
-                        size="sm"
-                        className="rounded-l-none"
-                        StartIcon="clipboard">
-                        {t("copy")}
-                      </Button>
-                    </Tooltip>
-                  </div>
-                  <Alert
-                    severity="warning"
-                    message={t(clientSecretInfoKey ?? "oauth_client_client_secret_one_time_warning")}
-                    className="mt-3"
-                  />
-                </div>
-              ) : null}
-            </div>
-            <DialogFooter className="mt-6">
-              <Button type="button" onClick={handleClose} data-testid="oauth-client-submitted-done">
-                {t("done")}
-              </Button>
-            </DialogFooter>
-          </>
-        )}
+      <DialogContent enableOverflow type="creation" title={title} description={description}>
+        <Form
+          form={form}
+          handleSubmit={(values) => {
+            onSubmit({
+              name: values.name.trim() || "",
+              purpose: values.purpose.trim() || "",
+              redirectUri: values.redirectUri.trim() || "",
+              websiteUrl: values.websiteUrl.trim() || "",
+              logo: values.logo,
+              enablePkce: values.enablePkce,
+            });
+          }}
+          className="space-y-4"
+          data-testid="oauth-client-create-form">
+          <OAuthClientFormFields form={form} logo={logo} setLogo={setLogo} />
+
+          <DialogFooter>
+            <DialogClose>{t("close")}</DialogClose>
+            <Button type="submit" loading={isSubmitting} data-testid="oauth-client-create-submit">
+              {submitLabel}
+            </Button>
+          </DialogFooter>
+        </Form>
       </DialogContent>
     </Dialog>
   );
-};
+}
diff --git a/apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx
new file mode 100644
index 00000000000000..c80b0f10f40cb8
--- /dev/null
+++ b/apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx
@@ -0,0 +1,150 @@
+"use client";
+
+import { useCopy } from "@calcom/lib/hooks/useCopy";
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { Dialog } from "@calcom/features/components/controlled-dialog";
+
+import { Alert } from "@calcom/ui/components/alert";
+import { Badge } from "@calcom/ui/components/badge";
+import { Button } from "@calcom/ui/components/button";
+import { DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
+import { showToast } from "@calcom/ui/components/toast";
+import { Tooltip } from "@calcom/ui/components/tooltip";
+
+import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+
+export function OAuthClientResultDialog({
+  open,
+  onOpenChange,
+  title,
+  description,
+  resultClient,
+  clientSecretInfoKey,
+  onClose,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  title: string;
+  description: string;
+  resultClient: OAuthClientDetails;
+  clientSecretInfoKey?: string;
+  onClose: () => void;
+}) {
+  const handleOpenChange = (nextOpen: boolean) => {
+    if (!nextOpen) {
+      onClose();
+      return;
+    }
+    onOpenChange(nextOpen);
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={handleOpenChange}>
+      <DialogContent enableOverflow type="creation" title={title} description={description}>
+        <OAuthClientCreateDialogResult
+          resultClient={resultClient}
+          clientSecretInfoKey={clientSecretInfoKey}
+          onDone={onClose}
+        />
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+function OAuthClientCreateDialogResult({
+  resultClient,
+  clientSecretInfoKey,
+  onDone,
+}: {
+  resultClient: OAuthClientDetails;
+  clientSecretInfoKey?: string;
+  onDone: () => void;
+}) {
+  const { t } = useLocale();
+  const { copyToClipboard } = useCopy();
+
+  const showPendingBadge = resultClient.approvalStatus === "PENDING";
+
+  return (
+    <>
+      <div className="space-y-4" data-testid="oauth-client-submitted-modal">
+        {showPendingBadge ? (
+          <div className="flex items-center justify-start">
+            <Badge variant="orange">{t("pending")}</Badge>
+          </div>
+        ) : null}
+
+        <div>
+          <div className="text-subtle mb-1 text-sm">{t("client_name")}</div>
+          <div className="text-emphasis font-medium">{resultClient.name}</div>
+        </div>
+
+        <div>
+          <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
+          <div className="flex">
+            <code
+              data-testid="oauth-client-submitted-client-id"
+              className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+              {resultClient.clientId}
+            </code>
+            <Tooltip side="top" content={t("copy_to_clipboard")}>
+              <Button
+                onClick={() => {
+                  copyToClipboard(resultClient.clientId, {
+                    onSuccess: () => showToast(t("client_id_copied"), "success"),
+                    onFailure: () => showToast(t("error"), "error"),
+                  });
+                }}
+                type="button"
+                size="sm"
+                className="rounded-l-none"
+                StartIcon="clipboard">
+                {t("copy")}
+              </Button>
+            </Tooltip>
+          </div>
+        </div>
+
+        {resultClient.clientSecret ? (
+          <div>
+            <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
+            <div className="flex">
+              <code
+                data-testid="oauth-client-submitted-client-secret"
+                className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                {resultClient.clientSecret}
+              </code>
+              <Tooltip side="top" content={t("copy_to_clipboard")}>
+                <Button
+                  onClick={() => {
+                    copyToClipboard(resultClient.clientSecret ?? "", {
+                      onSuccess: () => showToast(t("client_secret_copied"), "success"),
+                      onFailure: () => showToast(t("error"), "error"),
+                    });
+                  }}
+                  type="button"
+                  size="sm"
+                  className="rounded-l-none"
+                  StartIcon="clipboard">
+                  {t("copy")}
+                </Button>
+              </Tooltip>
+            </div>
+            <Alert
+              severity="warning"
+              message={t(clientSecretInfoKey ?? "oauth_client_client_secret_one_time_warning")}
+              className="mt-3"
+            />
+          </div>
+        ) : null}
+      </div>
+
+      <DialogFooter className="mt-6">
+        <Button type="button" onClick={onDone} data-testid="oauth-client-submitted-done">
+          {t("done")}
+        </Button>
+      </DialogFooter>
+    </>
+  );
+}

From 100e0a11c6a6f901e89c7355c8051cb0bbeb43bf Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 12:21:33 +0100
Subject: [PATCH 52/72] refactor: modals

---
 .../admin/oauth-clients-admin-view.tsx        |   9 +-
 .../settings/developer/oauth-clients-view.tsx |   8 +-
 .../oauth/AdminOAuthClientCreateDialog.tsx    |  51 ------
 .../oauth/AdminOAuthClientCreateFlow.tsx      |  35 ++++
 .../settings/oauth/OAuthClientCreateFlow.tsx  |  45 +++++
 ...eDialog.tsx => OAuthClientCreateModal.tsx} |  67 +-------
 .../oauth/OAuthClientDetailsDialog.tsx        | 162 ++----------------
 .../settings/oauth/OAuthClientFormFields.tsx  |   2 +-
 .../oauth/OAuthClientPreviewDialog.tsx        | 130 ++++++++++++++
 .../oauth/OAuthClientResultDialog.tsx         | 150 ----------------
 10 files changed, 240 insertions(+), 419 deletions(-)
 delete mode 100644 apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx
 create mode 100644 apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx
 create mode 100644 apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx
 rename apps/web/modules/settings/oauth/{OAuthClientCreateDialog.tsx => OAuthClientCreateModal.tsx} (61%)
 create mode 100644 apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
 delete mode 100644 apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 0216f7bec95a81..fb947fd7a24c4b 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -10,8 +10,8 @@ import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import { AdminOAuthClientCreateDialog } from "../oauth/AdminOAuthClientCreateDialog";
-import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateDialog";
+import { AdminOAuthClientCreateFlow } from "../oauth/AdminOAuthClientCreateFlow";
+import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateModal";
 import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
 import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
@@ -163,13 +163,12 @@ export default function OAuthClientsAdminView() {
         />
       )}
 
-      <AdminOAuthClientCreateDialog
+      <AdminOAuthClientCreateFlow
         open={showCreateDialog}
         onOpenChange={setShowCreateDialog}
         isSubmitting={addMutation.isPending}
         onSubmit={handleAddClient}
-        resultClient={createdClient}
-        clientSecretInfoKey="copy_client_secret_info"
+        createdClient={createdClient}
         onClose={handleCloseDialog}
       />
 
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index df0ae3914d8f74..7d21136b29155b 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -7,8 +7,8 @@ import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateDialog";
-import { OAuthClientCreateDialog } from "../oauth/OAuthClientCreateDialog";
+import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateModal";
+import { OAuthClientCreateFlow } from "../oauth/OAuthClientCreateFlow";
 import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
 import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
@@ -147,12 +147,12 @@ const OAuthClientsView = () => {
         />
       )}
 
-      <OAuthClientCreateDialog
+      <OAuthClientCreateFlow
         open={showDialog}
         onOpenChange={setShowDialog}
         isSubmitting={submitMutation.isPending}
         onSubmit={handleSubmit}
-        resultClient={submittedClient}
+        createdClient={submittedClient}
         onClose={handleCloseCreateDialog}
       />
 
diff --git a/apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx
deleted file mode 100644
index a49c2d6df7a16e..00000000000000
--- a/apps/web/modules/settings/oauth/AdminOAuthClientCreateDialog.tsx
+++ /dev/null
@@ -1,51 +0,0 @@
-"use client";
-
-import { useLocale } from "@calcom/lib/hooks/useLocale";
-
-import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
-import { OAuthClientResultDialog } from "./OAuthClientResultDialog";
-import type { OAuthClientCreateFormValues } from "./OAuthClientCreateDialog";
-import { OAuthClientCreateDialogContent } from "./OAuthClientCreateDialog";
-
-type AdminOAuthClientCreateDialogProps = {
-  open: boolean;
-  onOpenChange: (open: boolean) => void;
-  isSubmitting: boolean;
-  onSubmit: (values: OAuthClientCreateFormValues) => void;
-  resultClient: OAuthClientDetails | null;
-  clientSecretInfoKey?: string;
-  onClose: () => void;
-};
-
-export function AdminOAuthClientCreateDialog(
-  {
-    resultClient,
-    clientSecretInfoKey,
-    ...rest
-  }: AdminOAuthClientCreateDialogProps
-) {
-  const { t } = useLocale();
-
-  if (resultClient) {
-    return (
-      <OAuthClientResultDialog
-        open={rest.open}
-        onOpenChange={rest.onOpenChange}
-        title={t("oauth_client_created")}
-        description={t("oauth_client_created_description")}
-        resultClient={resultClient}
-        clientSecretInfoKey={clientSecretInfoKey}
-        onClose={rest.onClose}
-      />
-    );
-  }
-
-  return (
-    <OAuthClientCreateDialogContent
-      {...rest}
-      title={t("create_oauth_client")}
-      description={t("create_oauth_client_description")}
-      submitLabel={t("create")}
-    />
-  );
-}
diff --git a/apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx b/apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx
new file mode 100644
index 00000000000000..e027264b8df656
--- /dev/null
+++ b/apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx
@@ -0,0 +1,35 @@
+"use client";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { OAuthClientPreviewDialog } from "./OAuthClientPreviewDialog";
+import { OAuthClientCreateDialog } from "./OAuthClientCreateModal";
+import type { OAuthClientCreateFlowProps } from "./OAuthClientCreateFlow";
+
+export function AdminOAuthClientCreateFlow(
+  {
+    createdClient,
+    ...rest
+  }: OAuthClientCreateFlowProps
+) {
+  const { t } = useLocale();
+
+  if (createdClient) {
+    return (
+      <OAuthClientPreviewDialog
+        open={rest.open}
+        onOpenChange={rest.onOpenChange}
+        title={t("oauth_client_created")}
+        description={t("oauth_client_created_description")}
+        client={createdClient}
+        onClose={rest.onClose}
+      />
+    );
+  }
+
+  return (
+    <OAuthClientCreateDialog
+      {...rest}
+    />
+  );
+}
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx
new file mode 100644
index 00000000000000..83f1363530ff11
--- /dev/null
+++ b/apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx
@@ -0,0 +1,45 @@
+"use client";
+
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { OAuthClientPreviewDialog } from "./OAuthClientPreviewDialog";
+import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+import { OAuthClientCreateDialog, type OAuthClientCreateDialogProps } from "./OAuthClientCreateModal";
+
+export type OAuthClientCreateFlowProps = OAuthClientCreateDialogProps & {
+  createdClient: OAuthClientDetails | null;
+};
+
+export function OAuthClientCreateFlow({
+  open,
+  onOpenChange,
+  isSubmitting,
+  onSubmit,
+  createdClient,
+  onClose,
+}: OAuthClientCreateFlowProps) {
+  const { t } = useLocale();
+
+  if (createdClient) {
+    return (
+      <OAuthClientPreviewDialog
+        open={open}
+        onOpenChange={onOpenChange}
+        title={t("oauth_client_submitted")}
+        description={t("oauth_client_submitted_description")}
+        client={createdClient}
+        onClose={onClose}
+      />
+    );
+  }
+
+  return (
+    <OAuthClientCreateDialog
+      open={open}
+      onOpenChange={onOpenChange}
+      isSubmitting={isSubmitting}
+      onSubmit={onSubmit}
+      onClose={onClose}
+    />
+  );
+}
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateModal.tsx
similarity index 61%
rename from apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
rename to apps/web/modules/settings/oauth/OAuthClientCreateModal.tsx
index 5f554b573dc5fb..1c3dfe7568dfee 100644
--- a/apps/web/modules/settings/oauth/OAuthClientCreateDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientCreateModal.tsx
@@ -1,3 +1,4 @@
+
 "use client";
 
 import { useState } from "react";
@@ -5,8 +6,6 @@ import { useForm } from "react-hook-form";
 
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 
-import { OAuthClientResultDialog } from "./OAuthClientResultDialog";
-import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
 import { OAuthClientFormFields } from "./OAuthClientFormFields";
 
 import { Dialog } from "@calcom/features/components/controlled-dialog";
@@ -23,24 +22,11 @@ export type OAuthClientCreateFormValues = {
   enablePkce: boolean;
 };
 
-type BaseOAuthClientCreateDialogContentProps = {
-  open: boolean;
-  onOpenChange: (open: boolean) => void;
-  isSubmitting: boolean;
-  onSubmit: (values: OAuthClientCreateFormValues) => void;
-  onClose: () => void;
-  title: string;
-  description: string;
-  submitLabel: string;
-};
-
 export type OAuthClientCreateDialogProps = {
   open: boolean;
   onOpenChange: (open: boolean) => void;
   isSubmitting: boolean;
   onSubmit: (values: OAuthClientCreateFormValues) => void;
-  resultClient: OAuthClientDetails | null;
-  clientSecretInfoKey?: string;
   onClose: () => void;
 };
 
@@ -49,51 +35,9 @@ export function OAuthClientCreateDialog({
   onOpenChange,
   isSubmitting,
   onSubmit,
-  resultClient,
-  clientSecretInfoKey,
   onClose,
 }: OAuthClientCreateDialogProps) {
   const { t } = useLocale();
-
-  if (resultClient) {
-    return (
-      <OAuthClientResultDialog
-        open={open}
-        onOpenChange={onOpenChange}
-        title={t("oauth_client_submitted")}
-        description={t("oauth_client_submitted_description")}
-        resultClient={resultClient}
-        clientSecretInfoKey={clientSecretInfoKey}
-        onClose={onClose}
-      />
-    );
-  }
-
-  return (
-    <OAuthClientCreateDialogContent
-      open={open}
-      onOpenChange={onOpenChange}
-      isSubmitting={isSubmitting}
-      onSubmit={onSubmit}
-      onClose={onClose}
-      title={t("create_oauth_client")}
-      description={t("create_oauth_client_description")}
-      submitLabel={t("create")}
-    />
-  );
-}
-
-export function OAuthClientCreateDialogContent({
-  open,
-  onOpenChange,
-  isSubmitting,
-  onSubmit,
-  onClose,
-  title,
-  description,
-  submitLabel,
-}: BaseOAuthClientCreateDialogContentProps) {
-  const { t } = useLocale();
   const [logo, setLogo] = useState("");
 
   const form = useForm<OAuthClientCreateFormValues>({
@@ -123,7 +67,11 @@ export function OAuthClientCreateDialogContent({
 
   return (
     <Dialog open={open} onOpenChange={handleOpenChange}>
-      <DialogContent enableOverflow type="creation" title={title} description={description}>
+      <DialogContent
+        enableOverflow
+        type="creation"
+        title={t("create_oauth_client")}
+        description={t("create_oauth_client_description")}>
         <Form
           form={form}
           handleSubmit={(values) => {
@@ -143,7 +91,7 @@ export function OAuthClientCreateDialogContent({
           <DialogFooter>
             <DialogClose>{t("close")}</DialogClose>
             <Button type="submit" loading={isSubmitting} data-testid="oauth-client-create-submit">
-              {submitLabel}
+              {t("create")}
             </Button>
           </DialogFooter>
         </Form>
@@ -151,3 +99,4 @@ export function OAuthClientCreateDialogContent({
     </Dialog>
   );
 }
+
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
index d570398eeb1eb8..e0b8bdc61ac04a 100644
--- a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
@@ -7,17 +7,14 @@ import { Dialog } from "@calcom/features/components/controlled-dialog";
 import { useCopy } from "@calcom/lib/hooks/useCopy";
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 
-import { Avatar } from "@calcom/ui/components/avatar";
-import { Alert } from "@calcom/ui/components/alert";
 import { Badge } from "@calcom/ui/components/badge";
 import { Button } from "@calcom/ui/components/button";
 import { ConfirmationDialogContent, DialogClose, DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
-import { Icon } from "@calcom/ui/components/icon";
 import { showToast } from "@calcom/ui/components/toast";
 import { Tooltip } from "@calcom/ui/components/tooltip";
 import { Label, TextArea } from "@calcom/ui/components/form";
 
-import type { OAuthClientCreateFormValues } from "./OAuthClientCreateDialog";
+import type { OAuthClientCreateFormValues } from "./OAuthClientCreateModal";
 import { OAuthClientFormFields } from "./OAuthClientFormFields";
 
 export type OAuthClientDetails = {
@@ -34,151 +31,6 @@ export type OAuthClientDetails = {
   clientType?: string;
 };
 
-const getStatusBadgeVariant = (status: string) => {
-  switch (status) {
-    case "APPROVED":
-      return { variant: "success" as const, labelKey: "approved" as const };
-    case "REJECTED":
-      return { variant: "red" as const, labelKey: "rejected" as const };
-    case "PENDING":
-    default:
-      return { variant: "orange" as const, labelKey: "pending" as const };
-  }
-};
-
-export const OAuthClientDetailsContent = ({
-  client,
-  showRedirectUri = true,
-  showStatusBadge = true,
-  showStatusBadgeTopLeft = false,
-  showStatusNote = true,
-  clientSecretInfoKey = "oauth_client_client_secret_one_time_warning",
-}: {
-  client: OAuthClientDetails;
-  showRedirectUri?: boolean;
-  showStatusBadge?: boolean;
-  showStatusBadgeTopLeft?: boolean;
-  showStatusNote?: boolean;
-  clientSecretInfoKey?: string;
-}) => {
-  const { t } = useLocale();
-  const { copyToClipboard } = useCopy();
-
-  const approvalStatus = client.approvalStatus;
-
-  return (
-    <div className="space-y-4">
-      {showStatusBadge && showStatusBadgeTopLeft && approvalStatus ? (
-        <div className="flex items-center justify-start">
-          <Badge variant={getStatusBadgeVariant(approvalStatus).variant}>
-            {t(getStatusBadgeVariant(approvalStatus).labelKey)}
-          </Badge>
-        </div>
-      ) : null}
-      <div className="flex items-center gap-4">
-        <Avatar
-          alt={client.name}
-          imageSrc={client.logo || undefined}
-          fallback={<Icon name="key" className="text-subtle h-6 w-6" />}
-          size="lg"
-        />
-        <div>
-          <div className="text-emphasis font-medium">{client.name}</div>
-          {showRedirectUri ? (
-            <div className="text-subtle mt-1 space-y-1 text-sm">
-              {client.redirectUri ? (
-                <div>
-                  <span className="font-medium">{t("redirect_uri")}:</span> {client.redirectUri}
-                </div>
-              ) : null}
-              {client.websiteUrl ? (
-                <div>
-                  <span className="font-medium">{t("website_url")}:</span> {client.websiteUrl}
-                </div>
-              ) : null}
-            </div>
-          ) : null}
-          {showStatusBadge && !showStatusBadgeTopLeft && approvalStatus ? (
-            <Badge variant={getStatusBadgeVariant(approvalStatus).variant}>
-              {t(getStatusBadgeVariant(approvalStatus).labelKey)}
-            </Badge>
-          ) : null}
-        </div>
-      </div>
-
-      <div>
-        <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
-        <div className="flex">
-          <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-            {client.clientId}
-          </code>
-          <Tooltip side="top" content={t("copy_to_clipboard")}>
-            <Button
-              onClick={() => {
-                copyToClipboard(client.clientId, {
-                  onSuccess: () => showToast(t("client_id_copied"), "success"),
-                  onFailure: () => showToast(t("error"), "error"),
-                });
-              }}
-              type="button"
-              size="sm"
-              className="rounded-l-none"
-              StartIcon="clipboard">
-              {t("copy")}
-            </Button>
-          </Tooltip>
-        </div>
-      </div>
-
-      {client.clientSecret ? (
-        <div>
-          <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
-          <div className="flex">
-            <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-              {client.clientSecret}
-            </code>
-            <Tooltip side="top" content={t("copy_to_clipboard")}>
-              <Button
-                onClick={() => {
-                  copyToClipboard(client.clientSecret ?? "", {
-                    onSuccess: () => showToast(t("client_secret_copied"), "success"),
-                    onFailure: () => showToast(t("error"), "error"),
-                  });
-                }}
-                type="button"
-                size="sm"
-                className="rounded-l-none"
-                StartIcon="clipboard">
-                {t("copy")}
-              </Button>
-            </Tooltip>
-          </div>
-          <Alert severity="warning" message={t(clientSecretInfoKey)} className="mt-3" />
-        </div>
-      ) : null}
-
-      {showStatusNote && approvalStatus === "APPROVED" ? (
-        <p className="text-subtle text-sm">{t("oauth_client_approved_note")}</p>
-      ) : null}
-
-      {showStatusNote && approvalStatus === "PENDING" ? (
-        <p className="text-subtle text-sm">{t("oauth_client_pending_approval")}</p>
-      ) : null}
-
-      {showStatusNote && approvalStatus === "REJECTED" ? (
-        <div className="space-y-2">
-          <p className="text-error text-sm">{t("oauth_client_rejected")}</p>
-          {client.rejectionReason ? (
-            <p className="text-subtle text-sm">
-              <span className="font-medium">{t("oauth_client_rejection_reason")}:</span> {client.rejectionReason}
-            </p>
-          ) : null}
-        </div>
-      ) : null}
-    </div>
-  );
-};
-
 export const OAuthClientDetailsDialog = ({
   open,
   onOpenChange,
@@ -473,3 +325,15 @@ export const OAuthClientDetailsDialog = ({
     </Dialog>
   );
 };
+
+function getStatusBadgeVariant (status: string) {
+  switch (status) {
+    case "APPROVED":
+      return { variant: "success" as const, labelKey: "approved" as const };
+    case "REJECTED":
+      return { variant: "red" as const, labelKey: "rejected" as const };
+    case "PENDING":
+    default:
+      return { variant: "orange" as const, labelKey: "pending" as const };
+  }
+};
\ No newline at end of file
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
index ed766119208706..9aa12d335bb4c6 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -13,7 +13,7 @@ import { Icon } from "@calcom/ui/components/icon";
 import { ImageUploader } from "@calcom/ui/components/image-uploader";
 import { Tooltip } from "@calcom/ui/components/tooltip";
 
-import type { OAuthClientCreateFormValues } from "./OAuthClientCreateDialog";
+import type { OAuthClientCreateFormValues } from "./OAuthClientCreateModal";
 
 export const OAuthClientFormFields = ({
   form,
diff --git a/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
new file mode 100644
index 00000000000000..a7f0e9f3330fb4
--- /dev/null
+++ b/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
@@ -0,0 +1,130 @@
+"use client";
+
+import { useCopy } from "@calcom/lib/hooks/useCopy";
+import { useLocale } from "@calcom/lib/hooks/useLocale";
+
+import { Dialog } from "@calcom/features/components/controlled-dialog";
+
+import { Alert } from "@calcom/ui/components/alert";
+import { Badge } from "@calcom/ui/components/badge";
+import { Button } from "@calcom/ui/components/button";
+import { DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
+import { showToast } from "@calcom/ui/components/toast";
+import { Tooltip } from "@calcom/ui/components/tooltip";
+
+import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+
+export function OAuthClientPreviewDialog({
+  open,
+  onOpenChange,
+  title,
+  description,
+  client,
+  onClose,
+}: {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  title: string;
+  description: string;
+  client: OAuthClientDetails;
+  onClose: () => void;
+}) {
+  const { t } = useLocale();
+  const { copyToClipboard } = useCopy();
+
+  const handleOpenChange = (nextOpen: boolean) => {
+    if (!nextOpen) {
+      onClose();
+      return;
+    }
+    onOpenChange(nextOpen);
+  };
+
+  const showPendingBadge = client.approvalStatus === "PENDING";
+
+  return (
+    <Dialog open={open} onOpenChange={handleOpenChange}>
+      <DialogContent enableOverflow type="creation" title={title} description={description}>
+        <>
+          <div className="space-y-4" data-testid="oauth-client-submitted-modal">
+            {showPendingBadge ? (
+              <div className="flex items-center justify-start">
+                <Badge variant="orange">{t("pending")}</Badge>
+              </div>
+            ) : null}
+
+            <div>
+              <div className="text-subtle mb-1 text-sm">{t("client_name")}</div>
+              <div className="text-emphasis font-medium">{client.name}</div>
+            </div>
+
+            <div>
+              <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
+              <div className="flex">
+                <code
+                  data-testid="oauth-client-submitted-client-id"
+                  className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                  {client.clientId}
+                </code>
+                <Tooltip side="top" content={t("copy_to_clipboard")}>
+                  <Button
+                    onClick={() => {
+                      copyToClipboard(client.clientId, {
+                        onSuccess: () => showToast(t("client_id_copied"), "success"),
+                        onFailure: () => showToast(t("error"), "error"),
+                      });
+                    }}
+                    type="button"
+                    size="sm"
+                    className="rounded-l-none"
+                    StartIcon="clipboard">
+                    {t("copy")}
+                  </Button>
+                </Tooltip>
+              </div>
+            </div>
+
+            {client.clientSecret ? (
+              <div>
+                <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
+                <div className="flex">
+                  <code
+                    data-testid="oauth-client-submitted-client-secret"
+                    className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
+                    {client.clientSecret}
+                  </code>
+                  <Tooltip side="top" content={t("copy_to_clipboard")}>
+                    <Button
+                      onClick={() => {
+                        copyToClipboard(client.clientSecret ?? "", {
+                          onSuccess: () => showToast(t("client_secret_copied"), "success"),
+                          onFailure: () => showToast(t("error"), "error"),
+                        });
+                      }}
+                      type="button"
+                      size="sm"
+                      className="rounded-l-none"
+                      StartIcon="clipboard">
+                      {t("copy")}
+                    </Button>
+                  </Tooltip>
+                </div>
+                <Alert
+                  severity="warning"
+                  message={t("oauth_client_client_secret_one_time_warning")}
+                  className="mt-3"
+                />
+              </div>
+            ) : null}
+          </div>
+
+          <DialogFooter className="mt-6">
+            <Button type="button" onClick={onClose} data-testid="oauth-client-submitted-done">
+              {t("done")}
+            </Button>
+          </DialogFooter>
+        </>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx
deleted file mode 100644
index c80b0f10f40cb8..00000000000000
--- a/apps/web/modules/settings/oauth/OAuthClientResultDialog.tsx
+++ /dev/null
@@ -1,150 +0,0 @@
-"use client";
-
-import { useCopy } from "@calcom/lib/hooks/useCopy";
-import { useLocale } from "@calcom/lib/hooks/useLocale";
-
-import { Dialog } from "@calcom/features/components/controlled-dialog";
-
-import { Alert } from "@calcom/ui/components/alert";
-import { Badge } from "@calcom/ui/components/badge";
-import { Button } from "@calcom/ui/components/button";
-import { DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
-import { showToast } from "@calcom/ui/components/toast";
-import { Tooltip } from "@calcom/ui/components/tooltip";
-
-import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
-
-export function OAuthClientResultDialog({
-  open,
-  onOpenChange,
-  title,
-  description,
-  resultClient,
-  clientSecretInfoKey,
-  onClose,
-}: {
-  open: boolean;
-  onOpenChange: (open: boolean) => void;
-  title: string;
-  description: string;
-  resultClient: OAuthClientDetails;
-  clientSecretInfoKey?: string;
-  onClose: () => void;
-}) {
-  const handleOpenChange = (nextOpen: boolean) => {
-    if (!nextOpen) {
-      onClose();
-      return;
-    }
-    onOpenChange(nextOpen);
-  };
-
-  return (
-    <Dialog open={open} onOpenChange={handleOpenChange}>
-      <DialogContent enableOverflow type="creation" title={title} description={description}>
-        <OAuthClientCreateDialogResult
-          resultClient={resultClient}
-          clientSecretInfoKey={clientSecretInfoKey}
-          onDone={onClose}
-        />
-      </DialogContent>
-    </Dialog>
-  );
-}
-
-function OAuthClientCreateDialogResult({
-  resultClient,
-  clientSecretInfoKey,
-  onDone,
-}: {
-  resultClient: OAuthClientDetails;
-  clientSecretInfoKey?: string;
-  onDone: () => void;
-}) {
-  const { t } = useLocale();
-  const { copyToClipboard } = useCopy();
-
-  const showPendingBadge = resultClient.approvalStatus === "PENDING";
-
-  return (
-    <>
-      <div className="space-y-4" data-testid="oauth-client-submitted-modal">
-        {showPendingBadge ? (
-          <div className="flex items-center justify-start">
-            <Badge variant="orange">{t("pending")}</Badge>
-          </div>
-        ) : null}
-
-        <div>
-          <div className="text-subtle mb-1 text-sm">{t("client_name")}</div>
-          <div className="text-emphasis font-medium">{resultClient.name}</div>
-        </div>
-
-        <div>
-          <div className="text-subtle mb-1 text-sm">{t("client_id")}</div>
-          <div className="flex">
-            <code
-              data-testid="oauth-client-submitted-client-id"
-              className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-              {resultClient.clientId}
-            </code>
-            <Tooltip side="top" content={t("copy_to_clipboard")}>
-              <Button
-                onClick={() => {
-                  copyToClipboard(resultClient.clientId, {
-                    onSuccess: () => showToast(t("client_id_copied"), "success"),
-                    onFailure: () => showToast(t("error"), "error"),
-                  });
-                }}
-                type="button"
-                size="sm"
-                className="rounded-l-none"
-                StartIcon="clipboard">
-                {t("copy")}
-              </Button>
-            </Tooltip>
-          </div>
-        </div>
-
-        {resultClient.clientSecret ? (
-          <div>
-            <div className="text-subtle mb-1 text-sm">{t("client_secret")}</div>
-            <div className="flex">
-              <code
-                data-testid="oauth-client-submitted-client-secret"
-                className="bg-subtle text-default w-full truncate rounded-md rounded-r-none px-2 py-1 align-middle font-mono text-sm">
-                {resultClient.clientSecret}
-              </code>
-              <Tooltip side="top" content={t("copy_to_clipboard")}>
-                <Button
-                  onClick={() => {
-                    copyToClipboard(resultClient.clientSecret ?? "", {
-                      onSuccess: () => showToast(t("client_secret_copied"), "success"),
-                      onFailure: () => showToast(t("error"), "error"),
-                    });
-                  }}
-                  type="button"
-                  size="sm"
-                  className="rounded-l-none"
-                  StartIcon="clipboard">
-                  {t("copy")}
-                </Button>
-              </Tooltip>
-            </div>
-            <Alert
-              severity="warning"
-              message={t(clientSecretInfoKey ?? "oauth_client_client_secret_one_time_warning")}
-              className="mt-3"
-            />
-          </div>
-        ) : null}
-      </div>
-
-      <DialogFooter className="mt-6">
-        <Button type="button" onClick={onDone} data-testid="oauth-client-submitted-done">
-          {t("done")}
-        </Button>
-      </DialogFooter>
-    </>
-  );
-}

From 44a0f67653d87d918fad4ecc3bc2d74efcc998db Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 12:51:27 +0100
Subject: [PATCH 53/72] refactor: handler names, dialog, skeleton

---
 .../admin/oauth-clients-admin-view.tsx        |   2 +-
 .../developer/oauth-clients-skeleton.tsx      |  21 +-
 .../oauth/OAuthClientDetailsDialog.tsx        | 189 ++++++++++--------
 .../settings/oauth/OAuthClientFormFields.tsx  |  14 +-
 .../server/routers/viewer/oAuth/_router.tsx   |  24 +--
 ...ent.handler.ts => createClient.handler.ts} |   4 +-
 ...lient.schema.ts => createClient.schema.ts} |   6 +-
 ...r.test.ts => updateClient.handler.test.ts} |   2 +-
 ...tus.handler.ts => updateClient.handler.ts} |   2 +-
 ...tatus.schema.ts => updateClient.schema.ts} |  10 +-
 10 files changed, 135 insertions(+), 139 deletions(-)
 rename packages/trpc/server/routers/viewer/oAuth/{addClient.handler.ts => createClient.handler.ts} (89%)
 rename packages/trpc/server/routers/viewer/oAuth/{addClient.schema.ts => createClient.schema.ts} (72%)
 rename packages/trpc/server/routers/viewer/oAuth/{updateClientStatus.handler.test.ts => updateClient.handler.test.ts} (99%)
 rename packages/trpc/server/routers/viewer/oAuth/{updateClientStatus.handler.ts => updateClient.handler.ts} (98%)
 rename packages/trpc/server/routers/viewer/oAuth/{updateClientStatus.schema.ts => updateClient.schema.ts} (78%)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index fb947fd7a24c4b..ac27488e14fae5 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -52,7 +52,7 @@ export default function OAuthClientsAdminView() {
     },
   });
 
-  const updateStatusMutation = trpc.viewer.oAuth.updateClientStatus.useMutation({
+  const updateStatusMutation = trpc.viewer.oAuth.updateClient.useMutation({
     onSuccess: async (data) => {
       showToast(
         t("oauth_client_status_updated", { name: data.name, status: data.approvalStatus }),
diff --git a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
index 22e4eef89c590a..6697e907d1c1f5 100644
--- a/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-skeleton.tsx
@@ -7,8 +7,12 @@ const skeletonItems = Array(3).fill(undefined);
 export const OAuthClientsSkeleton = () => {
   return (
     <SkeletonContainer>
-      <div className="mb-4 flex justify-end">
-        <div className="bg-emphasis h-9 w-36 rounded-md" />
+      <div className="mb-8">
+        <SkeletonText className="h-7 w-64" />
+        <div className="mt-2 flex items-start justify-between gap-4">
+          <SkeletonText className="h-4 w-full max-w-xl" />
+          <div className="bg-emphasis h-9 w-20 rounded-md" />
+        </div>
       </div>
       <div className="border-subtle rounded-lg border">
         {skeletonItems.map((i, index) => (
@@ -17,16 +21,13 @@ export const OAuthClientsSkeleton = () => {
             className={`flex items-center justify-between p-4 ${
               index !== skeletonItems.length - 1 ? "border-subtle border-b" : ""
             }`}>
-            <div className="mb-0.5 flex items-center gap-4">
-              <div className="bg-emphasis h-8 w-8 rounded-full" />
-              <div className="mt-0.5 flex flex-col">
-                <SkeletonText className="h-4 w-32" />
-                <SkeletonText className="mt-2 h-4 w-48" />
-              </div>
+            <div className="flex items-center gap-4">
+              <div className="bg-emphasis h-10 w-10 rounded-full" />
+              <SkeletonText className="h-4 w-40" />
             </div>
             <div className="flex items-center gap-4">
-              <SkeletonText className="h-5 w-16 rounded-full" />
-              <div className="bg-emphasis h-5 w-5 rounded-full" />
+              <SkeletonText className="h-5 w-20 rounded-full" />
+              <div className="bg-emphasis h-5 w-5 rounded" />
             </div>
           </div>
         ))}
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
index e0b8bdc61ac04a..c41025fcdfe097 100644
--- a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
@@ -113,9 +113,6 @@ export const OAuthClientDetailsDialog = ({
   const canEdit = Boolean(onUpdate) && !isFormDisabled;
   const canDelete = Boolean(onDelete) && !showAdminActions;
 
-  const showApprove = Boolean(onApprove) && (approvalStatus === "PENDING" || approvalStatus === "REJECTED");
-  const showReject = Boolean(onReject) && (approvalStatus === "PENDING" || approvalStatus === "APPROVED");
-
   const handleConfirmReject = () => {
     if (!client) return;
 
@@ -131,6 +128,71 @@ export const OAuthClientDetailsDialog = ({
     setShowRejectionReasonError(false);
   };
 
+  const clientId = client?.clientId;
+
+  const footerActions = (() => {
+    const closeButton = (
+      <DialogClose color="minimal" data-testid="oauth-client-details-close">
+        {t("close")}
+      </DialogClose>
+    );
+
+    if (showAdminActions) {
+      const canReject = Boolean(onReject) && (approvalStatus === "PENDING" || approvalStatus === "APPROVED");
+      const canApprove = Boolean(onApprove) && (approvalStatus === "PENDING" || approvalStatus === "REJECTED");
+
+      return (
+        <div className="flex w-full items-center justify-end gap-2">
+          {closeButton}
+          {canReject ? (
+            <Button
+              type="button"
+              color="primary"
+              StartIcon="x"
+              data-testid="oauth-client-details-reject-trigger"
+              loading={isStatusChangePending}
+              className="not-disabled:hover:!bg-error not-disabled:hover:!text-white not-disabled:hover:!border-semantic-error"
+              onClick={() => {
+                setIsRejectConfirmOpen(true);
+                setRejectionReason("");
+                setShowRejectionReasonError(false);
+              }}>
+              {t("reject")}
+            </Button>
+          ) : null}
+          {canApprove ? (
+            <Button
+              type="button"
+              color="primary"
+              StartIcon="check"
+              data-testid="oauth-client-details-approve-trigger"
+              loading={isStatusChangePending}
+              className="not-disabled:hover:!bg-cal-success not-disabled:hover:!text-white not-disabled:hover:!border-cal-success"
+              onClick={() => {
+                if (!clientId) return;
+                onApprove?.(clientId);
+              }}>
+              {t("approve")}
+            </Button>
+          ) : null}
+        </div>
+      );
+    }
+
+    if (canEdit) {
+      return (
+        <div className="flex w-full items-center justify-end gap-2">
+          {closeButton}
+          <Button type="submit" loading={isUpdatePending} data-testid="oauth-client-details-save">
+            {t("save")}
+          </Button>
+        </div>
+      );
+    }
+
+    return <div className="flex w-full items-center justify-end">{closeButton}</div>;
+  })();
+
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
       <DialogContent enableOverflow type="creation"> 
@@ -193,93 +255,48 @@ export const OAuthClientDetailsDialog = ({
               form={form}
               logo={logo}
               setLogo={setLogo}
-              isFormDisabled={isFormDisabled}
+              isClientReadOnly={isFormDisabled}
               isPkceLocked
-              showLogoActions={!showAdminActions}
-              logoFooter={
-                canDelete ? (
-                  <>
-                    <Button
-                      type="button"
-                      color="destructive"
-                      StartIcon="trash"
-                      data-testid="oauth-client-details-delete-trigger"
-                      loading={isDeletePending}
-                      className="w-auto"
-                      onClick={() => setIsDeleteConfirmOpen(true)}>
-                      {t("delete_oauth_client")}
-                    </Button>
-                    <Dialog open={isDeleteConfirmOpen} onOpenChange={setIsDeleteConfirmOpen}>
-                      <ConfirmationDialogContent
-                        variety="danger"
-                        title={t("delete_oauth_client")}
-                        cancelBtnText={t("cancel")}
-                        isPending={isDeletePending}
-                        confirmBtn={
-                          <DialogClose
-                            data-testid="oauth-client-details-delete-confirm"
-                            color="primary"
-                            loading={isDeletePending}
-                            onClick={() => {
-                              if (!client) return;
-                              onDelete?.(client.clientId);
-                            }}>
-                            {isDeletePending ? t("deleting") : t("delete")}
-                          </DialogClose>
-                        }>
-                        <p className="mb-4">{t("confirm_delete_oauth_client")}</p>
-                      </ConfirmationDialogContent>
-                    </Dialog>
-                  </>
-                ) : null
-              }
             />
 
+            {canDelete ? (
+              <div className="pt-2">
+                <Button
+                  type="button"
+                  color="destructive"
+                  StartIcon="trash"
+                  data-testid="oauth-client-details-delete-trigger"
+                  loading={isDeletePending}
+                  className="w-auto"
+                  onClick={() => setIsDeleteConfirmOpen(true)}>
+                  {t("delete_oauth_client")}
+                </Button>
+                <Dialog open={isDeleteConfirmOpen} onOpenChange={setIsDeleteConfirmOpen}>
+                  <ConfirmationDialogContent
+                    variety="danger"
+                    title={t("delete_oauth_client")}
+                    cancelBtnText={t("cancel")}
+                    isPending={isDeletePending}
+                    confirmBtn={
+                      <DialogClose
+                        data-testid="oauth-client-details-delete-confirm"
+                        color="primary"
+                        loading={isDeletePending}
+                        onClick={() => {
+                          if (!client) return;
+                          onDelete?.(client.clientId);
+                        }}>
+                        {isDeletePending ? t("deleting") : t("delete")}
+                      </DialogClose>
+                    }>
+                    <p className="mb-4">{t("confirm_delete_oauth_client")}</p>
+                  </ConfirmationDialogContent>
+                </Dialog>
+              </div>
+            ) : null}
+
             <DialogFooter className="mt-6">
-              {showAdminActions ? (
-                <div className="flex w-full items-center justify-end gap-2">
-                  <DialogClose color="minimal" data-testid="oauth-client-details-close">{t("close")}</DialogClose>
-                  {showReject ? (
-                    <Button
-                      type="button"
-                      color="primary"
-                      StartIcon="x"
-                      data-testid="oauth-client-details-reject-trigger"
-                      loading={isStatusChangePending}
-                      className="not-disabled:hover:!bg-error not-disabled:hover:!text-white not-disabled:hover:!border-semantic-error"
-                      onClick={() => {
-                        setIsRejectConfirmOpen(true);
-                        setRejectionReason("");
-                        setShowRejectionReasonError(false);
-                      }}>
-                      {t("reject")}
-                    </Button>
-                  ) : null}
-                  {showApprove ? (
-                    <Button
-                      type="button"
-                      color="primary"
-                      StartIcon="check"
-                      data-testid="oauth-client-details-approve-trigger"
-                      loading={isStatusChangePending}
-                      className="not-disabled:hover:!bg-cal-success not-disabled:hover:!text-white not-disabled:hover:!border-cal-success"
-                      onClick={() => onApprove?.(client.clientId)}>
-                      {t("approve")}
-                    </Button>
-                  ) : null}
-                </div>
-              ) : canEdit ? (
-                <div className="flex w-full items-center justify-end gap-2">
-                  <DialogClose color="minimal" data-testid="oauth-client-details-close">{t("close")}</DialogClose>
-                  <Button type="submit" loading={isUpdatePending} data-testid="oauth-client-details-save">
-                    {t("save")}
-                  </Button>
-                </div>
-              ) : (
-                <div className="flex w-full items-center justify-end">
-                  <DialogClose color="minimal" data-testid="oauth-client-details-close">{t("close")}</DialogClose>
-                </div>
-              )}
+              {footerActions}
             </DialogFooter>
 
             <Dialog open={isRejectConfirmOpen} onOpenChange={setIsRejectConfirmOpen}>
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
index 9aa12d335bb4c6..a67498235b0832 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
@@ -1,7 +1,6 @@
 "use client";
 
 import { useMemo } from "react";
-import type { ReactNode } from "react";
 import type { Dispatch, SetStateAction } from "react";
 import type { RegisterOptions, UseFormReturn } from "react-hook-form";
 
@@ -19,20 +18,18 @@ export const OAuthClientFormFields = ({
   form,
   logo,
   setLogo,
-  logoFooter,
-  isFormDisabled,
+  isClientReadOnly,
   isPkceLocked,
-  showLogoActions = true,
 }: {
   form: UseFormReturn<OAuthClientCreateFormValues>;
   logo: string;
   setLogo: Dispatch<SetStateAction<string>>;
-  logoFooter?: ReactNode;
-  isFormDisabled?: boolean;
+  isClientReadOnly?: boolean;
   isPkceLocked?: boolean;
-  showLogoActions?: boolean;
 }) => {
   const { t } = useLocale();
+  const isFormDisabled = Boolean(isClientReadOnly);
+  const allowUploadingLogo = !isFormDisabled;
 
   const redirectUriValidation: RegisterOptions<OAuthClientCreateFormValues, "redirectUri"> = useMemo(
     () => ({
@@ -144,7 +141,7 @@ export const OAuthClientFormFields = ({
               imageSrc={logo}
               size="lg"
             />
-            {showLogoActions ? (
+            {allowUploadingLogo ? (
               <ImageUploader
                 target="avatar"
                 id="avatar-upload"
@@ -159,7 +156,6 @@ export const OAuthClientFormFields = ({
               />
             ) : null}
           </div>
-          {showLogoActions && logoFooter ? <div className="pt-2">{logoFooter}</div> : null}
         </div>
       </div>
     </>
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index 399e90dc8da7a8..91aa44f5eacf0b 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -1,23 +1,22 @@
 import authedProcedure, { authedAdminProcedure } from "@calcom/trpc/server/procedures/authedProcedure";
 
 import { router } from "../../../trpc";
-import { ZAddClientInputSchema } from "./addClient.schema";
+import { ZCreateClientInputSchema } from "./createClient.schema";
 import { ZGenerateAuthCodeInputSchema } from "./generateAuthCode.schema";
 import { ZGetClientInputSchema } from "./getClient.schema";
 import { ZListClientsInputSchema } from "./listClients.schema";
 import { ZSubmitClientInputSchema, ZSubmitClientOutputSchema } from "./submitClient.schema";
-import { ZUpdateClientInputSchema, ZUpdateClientStatusInputSchema } from "./updateClientStatus.schema";
+import { ZUpdateClientInputSchema } from "./updateClient.schema";
 import { ZDeleteClientInputSchema } from "./deleteClient.schema";
 
 type _OAuthRouterHandlerCache = {
   getClient?: typeof import("./getClient.handler").getClientHandler;
-  addClient?: typeof import("./addClient.handler").addClientHandler;
+  addClient?: typeof import("./createClient.handler").addClientHandler;
   generateAuthCode?: typeof import("./generateAuthCode.handler").generateAuthCodeHandler;
   submitClient?: typeof import("./submitClient.handler").submitClientHandler;
   listClients?: typeof import("./listClients.handler").listClientsHandler;
   listUserClients?: typeof import("./listUserClients.handler").listUserClientsHandler;
-  updateClient?: typeof import("./updateClientStatus.handler").updateClientStatusHandler;
-  updateClientStatus?: typeof import("./updateClientStatus.handler").updateClientStatusHandler;
+  updateClient?: typeof import("./updateClient.handler").updateClientStatusHandler;
   deleteClient?: typeof import("./deleteClient.handler").deleteClientHandler;
 };
 
@@ -30,8 +29,8 @@ export const oAuthRouter = router({
     });
   }),
 
-  addClient: authedAdminProcedure.input(ZAddClientInputSchema).mutation(async ({ ctx, input }) => {
-    const { addClientHandler } = await import("./addClient.handler");
+  addClient: authedAdminProcedure.input(ZCreateClientInputSchema).mutation(async ({ ctx, input }) => {
+    const { addClientHandler } = await import("./createClient.handler");
 
     return addClientHandler({
       ctx,
@@ -78,16 +77,7 @@ export const oAuthRouter = router({
   }),
 
   updateClient: authedProcedure.input(ZUpdateClientInputSchema).mutation(async ({ ctx, input }) => {
-    const { updateClientStatusHandler } = await import("./updateClientStatus.handler");
-
-    return updateClientStatusHandler({
-      ctx,
-      input,
-    });
-  }),
-
-  updateClientStatus: authedAdminProcedure.input(ZUpdateClientStatusInputSchema).mutation(async ({ ctx, input }) => {
-    const { updateClientStatusHandler } = await import("./updateClientStatus.handler");
+    const { updateClientStatusHandler } = await import("./updateClient.handler");
 
     return updateClientStatusHandler({
       ctx,
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
similarity index 89%
rename from packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
rename to packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
index c2aa6fc6655b84..035d98800e1b4b 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
@@ -1,13 +1,13 @@
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 import type { PrismaClient } from "@calcom/prisma";
 
-import type { TAddClientInputSchema } from "./addClient.schema";
+import type { TCreateClientInputSchema } from "./createClient.schema";
 
 type AddClientOptions = {
   ctx: {
     prisma: PrismaClient;
   };
-  input: TAddClientInputSchema;
+  input: TCreateClientInputSchema;
 };
 
 export const addClientHandler = async ({ ctx, input }: AddClientOptions) => {
diff --git a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/createClient.schema.ts
similarity index 72%
rename from packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
rename to packages/trpc/server/routers/viewer/oAuth/createClient.schema.ts
index 6cbf9a195c83c9..02a0c61af28099 100644
--- a/packages/trpc/server/routers/viewer/oAuth/addClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/createClient.schema.ts
@@ -1,6 +1,6 @@
 import { z } from "zod";
 
-export type TAddClientInputSchemaInput = {
+export type TCreateClientInputSchemaInput = {
   name: string;
   purpose: string;
   redirectUri: string;
@@ -9,7 +9,7 @@ export type TAddClientInputSchemaInput = {
   enablePkce?: boolean;
 };
 
-export type TAddClientInputSchema = {
+export type TCreateClientInputSchema = {
   name: string;
   purpose: string;
   redirectUri: string;
@@ -18,7 +18,7 @@ export type TAddClientInputSchema = {
   enablePkce: boolean;
 };
 
-export const ZAddClientInputSchema: z.ZodType<TAddClientInputSchema, z.ZodTypeDef, TAddClientInputSchemaInput> = z.object({
+export const ZCreateClientInputSchema: z.ZodType<TCreateClientInputSchema, z.ZodTypeDef, TCreateClientInputSchemaInput> = z.object({
   name: z.string(),
   purpose: z.string().min(1),
   redirectUri: z.string(),
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
similarity index 99%
rename from packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.test.ts
rename to packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
index 1ebe20e9be4036..c1bd753817ff80 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.test.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
@@ -5,7 +5,7 @@ import type { TFunction } from "i18next";
 import type { PrismaClient } from "@calcom/prisma";
 import { OAuthClientApprovalStatus, UserPermissionRole } from "@calcom/prisma/enums";
 
-import { updateClientStatusHandler } from "./updateClientStatus.handler";
+import { updateClientStatusHandler } from "./updateClient.handler";
 
 const mocks = vi.hoisted(() => {
   return {
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
similarity index 98%
rename from packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
rename to packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
index 9f0567a4e7005f..5d9c1f23b11e1e 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
@@ -7,7 +7,7 @@ import type { PrismaClient } from "@calcom/prisma";
 import { UserPermissionRole } from "@calcom/prisma/enums";
 import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
-import type { TUpdateClientInputSchema } from "./updateClientStatus.schema";
+import type { TUpdateClientInputSchema } from "./updateClient.schema";
 
 type UpdateClientStatusOptions = {
   ctx: {
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.schema.ts
similarity index 78%
rename from packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts
rename to packages/trpc/server/routers/viewer/oAuth/updateClient.schema.ts
index 16a6c2f98e2dd5..2e329b9bac0701 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClientStatus.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.schema.ts
@@ -17,14 +17,6 @@ export const ZUpdateClientInputSchema = z.object({
     (value) => (typeof value === "string" && value.trim() === "" ? null : value),
     z.string().url().nullable().optional()
   ),
-});
-
-export type TUpdateClientInputSchema = z.infer<typeof ZUpdateClientInputSchema>;
-
-export const ZUpdateClientStatusInputSchema = z.object({
-  clientId: z.string(),
-  status: z.nativeEnum(OAuthClientApprovalStatus),
-  rejectionReason: z.string().min(1).optional(),
 }).superRefine((val, ctx) => {
   if (val.status === OAuthClientApprovalStatus.REJECTED && !val.rejectionReason) {
     ctx.addIssue({
@@ -35,4 +27,4 @@ export const ZUpdateClientStatusInputSchema = z.object({
   }
 });
 
-export type TUpdateClientStatusInputSchema = z.infer<typeof ZUpdateClientStatusInputSchema>;
+export type TUpdateClientInputSchema = z.infer<typeof ZUpdateClientInputSchema>;

From 350799d9b99124266f249a1d5fd2f0f3e8fe26fc Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 13:06:40 +0100
Subject: [PATCH 54/72] fix: purpose being null

---
 .../src/templates/AdminOAuthClientNotificationEmail.tsx       | 4 ++--
 packages/emails/templates/admin-oauth-client-notification.ts  | 4 ++--
 .../trpc/server/routers/viewer/oAuth/submitClient.schema.ts   | 2 +-
 .../trpc/server/routers/viewer/oAuth/updateClient.handler.ts  | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
index 06a5901cd7e984..5916c897f00863 100644
--- a/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
+++ b/packages/emails/src/templates/AdminOAuthClientNotificationEmail.tsx
@@ -7,7 +7,7 @@ import { BaseEmailHtml, CallToAction } from "../components";
 type AdminOAuthClientNotification = {
   language: TFunction;
   clientName: string;
-  purpose: string;
+  purpose: string | null;
   clientId: string;
   redirectUri: string;
   submitterEmail: string;
@@ -82,7 +82,7 @@ export const AdminOAuthClientNotificationEmail = ({
               }}>
               {language("purpose")}
             </td>
-            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{purpose}</td>
+            <td style={{ padding: "12px", borderBottom: "1px solid #e5e7eb" }}>{purpose ?? ""}</td>
           </tr>
           <tr style={{ lineHeight: "24px" }}>
             <td
diff --git a/packages/emails/templates/admin-oauth-client-notification.ts b/packages/emails/templates/admin-oauth-client-notification.ts
index 26b3ca6d3e7e9e..81ac94f41eecf8 100644
--- a/packages/emails/templates/admin-oauth-client-notification.ts
+++ b/packages/emails/templates/admin-oauth-client-notification.ts
@@ -8,7 +8,7 @@ import BaseEmail from "./_base-email";
 export type OAuthClientNotification = {
   t: TFunction;
   clientName: string;
-  purpose: string;
+  purpose: string | null;
   clientId: string;
   redirectUri: string;
   submitterEmail: string;
@@ -45,6 +45,6 @@ export default class AdminOAuthClientNotification extends BaseEmail {
   protected getTextBody(): string {
     return `${this.input.t("hi_admin")}, ${this.input.t("admin_oauth_notification_email_title", { clientName: this.input.clientName })}
     ${this.input.t("admin_oauth_notification_email_body", { submitterEmail: this.input.submitterEmail })}
-    ${this.input.t("purpose")}: ${this.input.purpose}`.trim();
+    ${this.input.t("purpose")}: ${this.input.purpose ?? ""}`.trim();
   }
 }
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
index 7b2de5213e97fc..5f6b3adcf2d343 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
@@ -18,7 +18,7 @@ export const ZSubmitClientInputSchema = z.object({
 export const ZSubmitClientOutputSchema = z.object({
   clientId: z.string(),
   name: z.string(),
-  purpose: z.string(),
+  purpose: z.string().nullable(),
   clientSecret: z.string().optional(),
   redirectUri: z.string(),
   logo: z.string().nullable(),
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
index 5d9c1f23b11e1e..945c20ae07a016 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
@@ -23,7 +23,7 @@ type UpdateClientStatusOptions = {
 type UpdateClientStatusOutput = {
   clientId: string;
   name: string;
-  purpose: string;
+  purpose: string | null;
   approvalStatus: OAuthClientApprovalStatus;
   redirectUri: string;
   websiteUrl: string | null;

From 44ce7bdd5d393be15d61b1c99f5716b6735e7ac9 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 13:28:26 +0100
Subject: [PATCH 55/72] refactor: rename handler and delete old oauth admin
 page

---
 .../admin/oauth-clients-admin-view.tsx        |   2 +-
 .../web/modules/settings/admin/oauth-view.tsx | 191 ------------------
 .../server/routers/viewer/oAuth/_router.tsx   |  17 +-
 .../viewer/oAuth/createClient.handler.ts      |   2 +-
 4 files changed, 5 insertions(+), 207 deletions(-)
 delete mode 100644 apps/web/modules/settings/admin/oauth-view.tsx

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index ac27488e14fae5..879c7286295837 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -33,7 +33,7 @@ export default function OAuthClientsAdminView() {
     status: "APPROVED",
   });
 
-  const addMutation = trpc.viewer.oAuth.addClient.useMutation({
+  const addMutation = trpc.viewer.oAuth.createClient.useMutation({
     onSuccess: async (data) => {
       setCreatedClient({
         clientId: data.clientId,
diff --git a/apps/web/modules/settings/admin/oauth-view.tsx b/apps/web/modules/settings/admin/oauth-view.tsx
deleted file mode 100644
index c6262963f7958e..00000000000000
--- a/apps/web/modules/settings/admin/oauth-view.tsx
+++ /dev/null
@@ -1,191 +0,0 @@
-"use client";
-
-import { useState } from "react";
-import { useForm } from "react-hook-form";
-
-import { useLocale } from "@calcom/lib/hooks/useLocale";
-import { trpc } from "@calcom/trpc/react";
-import { Avatar } from "@calcom/ui/components/avatar";
-import { Button } from "@calcom/ui/components/button";
-import { Form } from "@calcom/ui/components/form";
-import { Label } from "@calcom/ui/components/form";
-import { Switch } from "@calcom/ui/components/form";
-import { TextArea } from "@calcom/ui/components/form";
-import { TextField } from "@calcom/ui/components/form";
-import { Icon } from "@calcom/ui/components/icon";
-import { ImageUploader } from "@calcom/ui/components/image-uploader";
-import { showToast } from "@calcom/ui/components/toast";
-import { Tooltip } from "@calcom/ui/components/tooltip";
-
-type FormValues = {
-  name: string;
-  purpose: string;
-  redirectUri: string;
-  logo: string;
-  enablePkce: boolean;
-};
-
-export default function OAuthView() {
-  const oAuthForm = useForm<FormValues>({
-    defaultValues: {
-      purpose: "",
-      logo: "",
-      enablePkce: false,
-    },
-  });
-  const [clientSecret, setClientSecret] = useState("");
-  const [clientId, setClientId] = useState("");
-  const [logo, setLogo] = useState("");
-  const { t } = useLocale();
-
-  const mutation = trpc.viewer.oAuth.addClient.useMutation({
-    onSuccess: async (data) => {
-      setClientSecret(data.clientSecret || "");
-      setClientId(data.clientId);
-      showToast(`Successfully added ${data.name} as new client`, "success");
-    },
-    onError: (error) => {
-      showToast(`Adding client failed: ${error.message}`, "error");
-    },
-  });
-
-  return (
-    <div>
-      {!clientId ? (
-        <Form
-          form={oAuthForm}
-          handleSubmit={(values) => {
-            mutation.mutate({
-              name: values.name,
-              purpose: values.purpose,
-              redirectUri: values.redirectUri,
-              logo: values.logo,
-              enablePkce: values.enablePkce,
-            });
-          }}>
-          <div className="">
-            <TextField
-              {...oAuthForm.register("name")}
-              label="Client name"
-              type="text"
-              id="name"
-              placeholder=""
-              className="mb-3"
-              required
-            />
-
-            <div className="mb-3">
-              <Label htmlFor="purpose" className="text-emphasis mb-2 block text-sm font-medium">
-                Purpose
-              </Label>
-              <TextArea {...oAuthForm.register("purpose")} id="purpose" placeholder="" required />
-            </div>
-            <TextField
-              {...oAuthForm.register("redirectUri")}
-              label="Redirect URI"
-              type="text"
-              id="redirectUri"
-              placeholder=""
-              required
-            />
-
-            <div className="mb-5 mt-5">
-              <Label className="text-emphasis mb-2 block text-sm font-medium">Authentication Mode</Label>
-              <div className="flex items-center space-x-3">
-                <Switch 
-                  checked={oAuthForm.watch("enablePkce")}
-                  onCheckedChange={(checked) => oAuthForm.setValue("enablePkce", checked)}
-                />
-                <span className="text-default text-sm">
-                  Use PKCE (recommended for mobile/SPA applications)
-                </span>
-              </div>
-            </div>
-
-            <div className="mb-5 mt-5 flex items-center">
-              <Avatar
-                alt=""
-                fallback={<Icon name="plus" className="text-subtle h-6 w-6" />}
-                className="mr-5 items-center"
-                imageSrc={logo}
-                size="lg"
-              />
-              <ImageUploader
-                target="avatar"
-                id="avatar-upload"
-                buttonMsg="Upload Logo"
-                handleAvatarChange={(newLogo: string) => {
-                  setLogo(newLogo);
-                  oAuthForm.setValue("logo", newLogo);
-                }}
-                imageSrc={logo}
-              />
-            </div>
-          </div>
-          <Button type="submit" className="mt-3">
-            {t("add_client")}
-          </Button>
-        </Form>
-      ) : (
-        <div>
-          <div className="text-emphasis mb-5 text-xl font-semibold">{oAuthForm.getValues("name")}</div>
-          <div className="mb-2 font-medium">{t("client_id")}</div>
-          <div className="flex">
-            <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
-              {clientId}
-            </code>
-            <Tooltip side="top" content="Copy to Clipboard">
-              <Button
-                onClick={() => {
-                  navigator.clipboard.writeText(clientId);
-                  showToast(t("client_id_copied"), "success");
-                }}
-                type="button"
-                className="rounded-l-none text-base"
-                StartIcon="clipboard">
-                {t("copy")}
-              </Button>
-            </Tooltip>
-          </div>
-          {clientSecret ? (
-            <>
-              <div className="mb-2 mt-4 font-medium">{t("client_secret")}</div>
-              <div className="flex">
-                <code className="bg-subtle text-default w-full truncate rounded-md rounded-r-none py-[6px] pl-2 pr-2 align-middle font-mono">
-                  {clientSecret}
-                </code>
-                <Tooltip side="top" content="Copy to Clipboard">
-                  <Button
-                    onClick={() => {
-                      navigator.clipboard.writeText(clientSecret);
-                      setClientSecret("");
-                      showToast(t("client_secret_copied"), "success");
-                    }}
-                    type="button"
-                    className="rounded-l-none text-base"
-                    StartIcon="clipboard">
-                    {t("copy")}
-                  </Button>
-                </Tooltip>
-              </div>
-              <div className="text-subtle text-sm">{t("copy_client_secret_info")}</div>
-            </>
-          ) : (
-            <div className="text-subtle mt-4 text-sm">
-              This client uses PKCE authentication (no client secret required).
-            </div>
-          )}
-          <Button
-            onClick={() => {
-              setClientId("");
-              setLogo("");
-              oAuthForm.reset();
-            }}
-            className="mt-5">
-            {t("add_new_client")}
-          </Button>
-        </div>
-      )}
-    </div>
-  );
-}
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index 91aa44f5eacf0b..0bd31ca631e6bd 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -9,17 +9,6 @@ import { ZSubmitClientInputSchema, ZSubmitClientOutputSchema } from "./submitCli
 import { ZUpdateClientInputSchema } from "./updateClient.schema";
 import { ZDeleteClientInputSchema } from "./deleteClient.schema";
 
-type _OAuthRouterHandlerCache = {
-  getClient?: typeof import("./getClient.handler").getClientHandler;
-  addClient?: typeof import("./createClient.handler").addClientHandler;
-  generateAuthCode?: typeof import("./generateAuthCode.handler").generateAuthCodeHandler;
-  submitClient?: typeof import("./submitClient.handler").submitClientHandler;
-  listClients?: typeof import("./listClients.handler").listClientsHandler;
-  listUserClients?: typeof import("./listUserClients.handler").listUserClientsHandler;
-  updateClient?: typeof import("./updateClient.handler").updateClientStatusHandler;
-  deleteClient?: typeof import("./deleteClient.handler").deleteClientHandler;
-};
-
 export const oAuthRouter = router({
   getClient: authedProcedure.input(ZGetClientInputSchema).query(async ({ input }) => {
     const { getClientHandler } = await import("./getClient.handler");
@@ -29,10 +18,10 @@ export const oAuthRouter = router({
     });
   }),
 
-  addClient: authedAdminProcedure.input(ZCreateClientInputSchema).mutation(async ({ ctx, input }) => {
-    const { addClientHandler } = await import("./createClient.handler");
+  createClient: authedAdminProcedure.input(ZCreateClientInputSchema).mutation(async ({ ctx, input }) => {
+    const { createClientHandler } = await import("./createClient.handler");
 
-    return addClientHandler({
+    return createClientHandler({
       ctx,
       input,
     });
diff --git a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
index 035d98800e1b4b..42ee564354e60e 100644
--- a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
@@ -10,7 +10,7 @@ type AddClientOptions = {
   input: TCreateClientInputSchema;
 };
 
-export const addClientHandler = async ({ ctx, input }: AddClientOptions) => {
+export const createClientHandler = async ({ ctx, input }: AddClientOptions) => {
   const { name, purpose, redirectUri, logo, websiteUrl, enablePkce } = input;
 
   const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);

From c958f964c95012d6e634ed2a1818b145c9d4ad61 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 13:35:27 +0100
Subject: [PATCH 56/72] fix: purpose in submission

---
 apps/web/modules/settings/admin/oauth-clients-admin-view.tsx | 2 +-
 apps/web/modules/settings/developer/oauth-clients-view.tsx   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 879c7286295837..644494d23e89a3 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -39,7 +39,7 @@ export default function OAuthClientsAdminView() {
         clientId: data.clientId,
         clientSecret: data.clientSecret,
         name: data.name,
-        purpose: data.purpose,
+        purpose: data.purpose ?? "",
         approvalStatus: "APPROVED",
         redirectUri: data.redirectUri,
         logo: data.logo || null,
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 7d21136b29155b..6daf968e889d11 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -40,7 +40,7 @@ const OAuthClientsView = () => {
       setSubmittedClient({
         clientId: data.clientId,
         name: data.name,
-        purpose: data.purpose,
+        purpose: data.purpose ?? "",
         clientSecret: data.clientSecret,
         approvalStatus: data.approvalStatus ?? "PENDING",
         isPkceEnabled: data.isPkceEnabled,

From 54ec8b909b7c7160e7441c3f47f96ac10e198c00 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 12:52:46 +0000
Subject: [PATCH 57/72] refactor: handler names

---
 .../admin/oauth-clients-admin-view.tsx         |  2 +-
 .../settings/developer/oauth-clients-view.tsx  | 17 +++--------------
 .../server/routers/viewer/oAuth/_router.tsx    | 12 ++++++------
 .../viewer/oAuth/createClient.handler.ts       |  1 +
 ...s => submitClientForReview.handler.test.ts} |  0
 ...ler.ts => submitClientForReview.handler.ts} |  5 ++---
 ...hema.ts => submitClientForReview.schema.ts} |  0
 .../viewer/oAuth/updateClient.handler.test.ts  | 18 +++++++++---------
 .../viewer/oAuth/updateClient.handler.ts       |  8 ++++----
 9 files changed, 26 insertions(+), 37 deletions(-)
 rename packages/trpc/server/routers/viewer/oAuth/{submitClient.handler.test.ts => submitClientForReview.handler.test.ts} (100%)
 rename packages/trpc/server/routers/viewer/oAuth/{submitClient.handler.ts => submitClientForReview.handler.ts} (88%)
 rename packages/trpc/server/routers/viewer/oAuth/{submitClient.schema.ts => submitClientForReview.schema.ts} (100%)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 644494d23e89a3..a6b3937d721c56 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -40,7 +40,7 @@ export default function OAuthClientsAdminView() {
         clientSecret: data.clientSecret,
         name: data.name,
         purpose: data.purpose ?? "",
-        approvalStatus: "APPROVED",
+        approvalStatus: data.approvalStatus ?? "APPROVED",
         redirectUri: data.redirectUri,
         logo: data.logo || null,
       });
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 6daf968e889d11..0d3efc1d6c8dc7 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -15,17 +15,6 @@ import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
 
 import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 
-type SubmitClientMutationResult = {
-  clientId: string;
-  name: string;
-  purpose: string;
-  isPkceEnabled?: boolean;
-  clientSecret?: string;
-  redirectUri?: string;
-  logo?: string | null;
-  approvalStatus?: string;
-};
-
 const OAuthClientsView = () => {
   const { t } = useLocale();
   const utils = trpc.useUtils();
@@ -35,14 +24,14 @@ const OAuthClientsView = () => {
 
   const { data: oAuthClients, isLoading } = trpc.viewer.oAuth.listUserClients.useQuery();
 
-  const submitMutation = trpc.viewer.oAuth.submitClient.useMutation({
-    onSuccess: async (data: SubmitClientMutationResult) => {
+  const submitMutation = trpc.viewer.oAuth.submitClientForReview.useMutation({
+    onSuccess: async (data) => {
       setSubmittedClient({
         clientId: data.clientId,
         name: data.name,
         purpose: data.purpose ?? "",
         clientSecret: data.clientSecret,
-        approvalStatus: data.approvalStatus ?? "PENDING",
+        approvalStatus: data.approvalStatus ?? "APPROVED",
         isPkceEnabled: data.isPkceEnabled,
       });
       showToast(t("oauth_client_submitted"), "success");
diff --git a/packages/trpc/server/routers/viewer/oAuth/_router.tsx b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
index 0bd31ca631e6bd..2e565eaa93156c 100644
--- a/packages/trpc/server/routers/viewer/oAuth/_router.tsx
+++ b/packages/trpc/server/routers/viewer/oAuth/_router.tsx
@@ -5,7 +5,7 @@ import { ZCreateClientInputSchema } from "./createClient.schema";
 import { ZGenerateAuthCodeInputSchema } from "./generateAuthCode.schema";
 import { ZGetClientInputSchema } from "./getClient.schema";
 import { ZListClientsInputSchema } from "./listClients.schema";
-import { ZSubmitClientInputSchema, ZSubmitClientOutputSchema } from "./submitClient.schema";
+import { ZSubmitClientInputSchema, ZSubmitClientOutputSchema } from "./submitClientForReview.schema";
 import { ZUpdateClientInputSchema } from "./updateClient.schema";
 import { ZDeleteClientInputSchema } from "./deleteClient.schema";
 
@@ -36,13 +36,13 @@ export const oAuthRouter = router({
     });
   }),
 
-  submitClient: authedProcedure
+  submitClientForReview: authedProcedure
     .input(ZSubmitClientInputSchema)
     .output(ZSubmitClientOutputSchema)
     .mutation(async ({ ctx, input }) => {
-      const { submitClientHandler } = await import("./submitClient.handler");
+      const { submitClientForReviewHandler } = await import("./submitClientForReview.handler");
 
-      return submitClientHandler({
+      return submitClientForReviewHandler({
         ctx,
         input,
       });
@@ -66,9 +66,9 @@ export const oAuthRouter = router({
   }),
 
   updateClient: authedProcedure.input(ZUpdateClientInputSchema).mutation(async ({ ctx, input }) => {
-    const { updateClientStatusHandler } = await import("./updateClient.handler");
+    const { updateClientHandler } = await import("./updateClient.handler");
 
-    return updateClientStatusHandler({
+    return updateClientHandler({
       ctx,
       input,
     });
diff --git a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
index 42ee564354e60e..0a5b2831385f81 100644
--- a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
@@ -34,5 +34,6 @@ export const createClientHandler = async ({ ctx, input }: AddClientOptions) => {
     clientType: client.clientType,
     clientSecret: client.clientSecret,
     isPkceEnabled: enablePkce,
+    approvalStatus: client.approvalStatus,
   };
 };
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.test.ts
similarity index 100%
rename from packages/trpc/server/routers/viewer/oAuth/submitClient.handler.test.ts
rename to packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.test.ts
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
similarity index 88%
rename from packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
rename to packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
index 28c725084d2186..a72759ab3bac19 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
@@ -4,7 +4,7 @@ import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuth
 
 import type { PrismaClient } from "@calcom/prisma";
 
-import type { TSubmitClientInputSchema } from "./submitClient.schema";
+import type { TSubmitClientInputSchema } from "./submitClientForReview.schema";
 
 type SubmitClientOptions = {
   ctx: {
@@ -18,7 +18,7 @@ type SubmitClientOptions = {
   input: TSubmitClientInputSchema;
 };
 
-export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) => {
+export const submitClientForReviewHandler = async ({ ctx, input }: SubmitClientOptions) => {
   const { name, purpose, redirectUri, logo, websiteUrl, enablePkce } = input;
   const userId = ctx.user.id;
 
@@ -35,7 +35,6 @@ export const submitClientHandler = async ({ ctx, input }: SubmitClientOptions) =
     approvalStatus: "PENDING",
   });
 
-  // Send email notification to team@cal.com
   const t = await getTranslation("en", "common");
   await sendAdminOAuthClientNotification({
     t,
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.schema.ts
similarity index 100%
rename from packages/trpc/server/routers/viewer/oAuth/submitClient.schema.ts
rename to packages/trpc/server/routers/viewer/oAuth/submitClientForReview.schema.ts
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
index c1bd753817ff80..686fcbfbd9dd59 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
@@ -5,7 +5,7 @@ import type { TFunction } from "i18next";
 import type { PrismaClient } from "@calcom/prisma";
 import { OAuthClientApprovalStatus, UserPermissionRole } from "@calcom/prisma/enums";
 
-import { updateClientStatusHandler } from "./updateClient.handler";
+import { updateClientHandler } from "./updateClient.handler";
 
 const mocks = vi.hoisted(() => {
   return {
@@ -47,7 +47,7 @@ vi.mock("@calcom/lib/server/i18n", () => ({
   getTranslation: mocks.getTranslation,
 }));
 
-describe("updateClientStatusHandler", () => {
+describe("updateClientHandler", () => {
   beforeEach(() => {
     vi.clearAllMocks();
   });
@@ -109,7 +109,7 @@ describe("updateClientStatusHandler", () => {
       status: OAuthClientApprovalStatus.APPROVED,
     };
 
-    const result = await updateClientStatusHandler({ ctx, input });
+    const result = await updateClientHandler({ ctx, input });
 
     expect(prismaUpdate).toHaveBeenCalledWith(
       expect.objectContaining({
@@ -201,7 +201,7 @@ describe("updateClientStatusHandler", () => {
       rejectionReason: REJECTION_REASON_RAW,
     };
 
-    await updateClientStatusHandler({ ctx, input });
+    await updateClientHandler({ ctx, input });
 
     expect(prismaUpdate).toHaveBeenCalledWith(
       expect.objectContaining({
@@ -253,7 +253,7 @@ describe("updateClientStatusHandler", () => {
       rejectionReason: "nope",
     };
 
-    await expect(updateClientStatusHandler({ ctx, input })).rejects.toMatchObject({
+    await expect(updateClientHandler({ ctx, input })).rejects.toMatchObject({
       code: "FORBIDDEN",
       message: "Only admins can set a rejection reason",
     });
@@ -283,7 +283,7 @@ describe("updateClientStatusHandler", () => {
     };
 
     await expect(
-      updateClientStatusHandler({
+      updateClientHandler({
         ctx,
         input: {
           clientId: CLIENT_ID,
@@ -321,7 +321,7 @@ describe("updateClientStatusHandler", () => {
     };
 
     await expect(
-      updateClientStatusHandler({
+      updateClientHandler({
         ctx,
         input: {
           clientId: CLIENT_ID,
@@ -358,7 +358,7 @@ describe("updateClientStatusHandler", () => {
     };
 
     await expect(
-      updateClientStatusHandler({
+      updateClientHandler({
         ctx,
         input: {
           clientId: CLIENT_ID,
@@ -406,7 +406,7 @@ describe("updateClientStatusHandler", () => {
       } as unknown as PrismaClient,
     };
 
-    await updateClientStatusHandler({
+    await updateClientHandler({
       ctx,
       input: {
         clientId: CLIENT_ID,
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
index 945c20ae07a016..43241a8dae95b7 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
@@ -9,7 +9,7 @@ import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
 
 import type { TUpdateClientInputSchema } from "./updateClient.schema";
 
-type UpdateClientStatusOptions = {
+type UpdateClientOptions = {
   ctx: {
     user: {
       id: number;
@@ -20,7 +20,7 @@ type UpdateClientStatusOptions = {
   input: TUpdateClientInputSchema;
 };
 
-type UpdateClientStatusOutput = {
+type UpdateClientOutput = {
   clientId: string;
   name: string;
   purpose: string | null;
@@ -31,10 +31,10 @@ type UpdateClientStatusOutput = {
   rejectionReason: string | null;
 };
 
-export const updateClientStatusHandler = async ({
+export const updateClientHandler = async ({
   ctx,
   input,
-}: UpdateClientStatusOptions): Promise<UpdateClientStatusOutput> => {
+}: UpdateClientOptions): Promise<UpdateClientOutput> => {
   const { clientId, status, rejectionReason, name, purpose, redirectUri, websiteUrl, logo } = input;
 
   const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);

From 1c6f03941ab079653000c8f1b89f3344715cb901 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 12:54:25 +0000
Subject: [PATCH 58/72] refactor: rename

---
 .../web/modules/settings/admin/oauth-clients-admin-view.tsx | 6 +++---
 apps/web/modules/settings/developer/oauth-clients-view.tsx  | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index a6b3937d721c56..987d46c00022c3 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -33,7 +33,7 @@ export default function OAuthClientsAdminView() {
     status: "APPROVED",
   });
 
-  const addMutation = trpc.viewer.oAuth.createClient.useMutation({
+  const createMutation = trpc.viewer.oAuth.createClient.useMutation({
     onSuccess: async (data) => {
       setCreatedClient({
         clientId: data.clientId,
@@ -77,7 +77,7 @@ export default function OAuthClientsAdminView() {
   });
 
   const handleAddClient = (values: OAuthClientCreateFormValues) => {
-    addMutation.mutate({
+    createMutation.mutate({
       name: values.name,
       purpose: values.purpose,
       redirectUri: values.redirectUri,
@@ -166,7 +166,7 @@ export default function OAuthClientsAdminView() {
       <AdminOAuthClientCreateFlow
         open={showCreateDialog}
         onOpenChange={setShowCreateDialog}
-        isSubmitting={addMutation.isPending}
+        isSubmitting={createMutation.isPending}
         onSubmit={handleAddClient}
         createdClient={createdClient}
         onClose={handleCloseDialog}
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 0d3efc1d6c8dc7..579877f3d4e11c 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -24,7 +24,7 @@ const OAuthClientsView = () => {
 
   const { data: oAuthClients, isLoading } = trpc.viewer.oAuth.listUserClients.useQuery();
 
-  const submitMutation = trpc.viewer.oAuth.submitClientForReview.useMutation({
+  const submitForReviewMutation = trpc.viewer.oAuth.submitClientForReview.useMutation({
     onSuccess: async (data) => {
       setSubmittedClient({
         clientId: data.clientId,
@@ -80,7 +80,7 @@ const OAuthClientsView = () => {
   });
 
   const handleSubmit = (values: OAuthClientCreateFormValues) => {
-    submitMutation.mutate({
+    submitForReviewMutation.mutate({
       name: values.name,
       purpose: values.purpose,
       redirectUri: values.redirectUri,
@@ -139,7 +139,7 @@ const OAuthClientsView = () => {
       <OAuthClientCreateFlow
         open={showDialog}
         onOpenChange={setShowDialog}
-        isSubmitting={submitMutation.isPending}
+        isSubmitting={submitForReviewMutation.isPending}
         onSubmit={handleSubmit}
         createdClient={submittedClient}
         onClose={handleCloseCreateDialog}

From b6ebb1512223723bd23cbcbca046e993e8376433 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 13:32:35 +0000
Subject: [PATCH 59/72] refactor: update handler

---
 .../viewer/oAuth/updateClient.handler.ts      | 281 +++++++++++++-----
 1 file changed, 209 insertions(+), 72 deletions(-)

diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
index 43241a8dae95b7..63900900fc8ca8 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
@@ -35,29 +35,37 @@ export const updateClientHandler = async ({
   ctx,
   input,
 }: UpdateClientOptions): Promise<UpdateClientOutput> => {
-  const { clientId, status, rejectionReason, name, purpose, redirectUri, websiteUrl, logo } = input;
+  const {
+    clientId,
+    status: requestedApprovalStatus,
+    rejectionReason,
+    name,
+    purpose,
+    redirectUri,
+    websiteUrl,
+    logo,
+  } = input;
 
   const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
-  const existingClient = await oAuthClientRepository.findByClientId(clientId);
-  if (!existingClient) {
+  const isAdmin = ctx.user.role === UserPermissionRole.ADMIN;
+
+  const clientWithUser = await oAuthClientRepository.findByClientIdIncludeUser(clientId);
+  if (!clientWithUser) {
     throw new TRPCError({ code: "NOT_FOUND", message: "OAuth Client not found" });
   }
-
-  const isAdmin = ctx.user.role === UserPermissionRole.ADMIN;
-  const isOwner = existingClient.userId != null && existingClient.userId === ctx.user.id;
+  const isOwner = clientWithUser.userId != null && clientWithUser.userId === ctx.user.id;
 
   if (rejectionReason !== undefined && !isAdmin) {
     throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can set a rejection reason" });
   }
 
-  if (status === "REJECTED" && (!rejectionReason || rejectionReason.trim().length === 0)) {
+  if (requestedApprovalStatus === "REJECTED" && (!rejectionReason || rejectionReason.trim().length === 0)) {
     throw new TRPCError({ code: "BAD_REQUEST", message: "Rejection reason is required" });
   }
 
-  const isUpdatingFields =
-    name !== undefined || purpose !== undefined || redirectUri !== undefined || websiteUrl !== undefined || logo !== undefined;
-  const isUpdatingStatus = status !== undefined;
+  const isUpdatingFields = hasAnyFieldsChanged({ name, purpose, redirectUri, websiteUrl, logo });
+  const isUpdatingStatus = requestedApprovalStatus !== undefined;
 
   if (isUpdatingStatus && !isAdmin) {
     throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can update OAuth client status" });
@@ -67,46 +75,40 @@ export const updateClientHandler = async ({
     throw new TRPCError({ code: "FORBIDDEN", message: "You do not have permission to update this OAuth client" });
   }
 
-  const triggersReapprovalForOwnerEdit =
-    isOwner &&
-    ((name !== undefined && name !== existingClient.name) ||
-      (logo !== undefined && (logo ?? null) !== (existingClient.logo ?? null)) ||
-      (websiteUrl !== undefined && (websiteUrl ?? null) !== (existingClient.websiteUrl ?? null)) ||
-      (redirectUri !== undefined && redirectUri !== existingClient.redirectUri));
-
-  const nextApprovalStatus: OAuthClientApprovalStatus =
-    status ?? (triggersReapprovalForOwnerEdit ? "PENDING" : existingClient.approvalStatus);
-
-  // Get client with user info before updating if we might need to send an email
-  const clientWithUser =
-    isAdmin && (status === "APPROVED" || status === "REJECTED")
-      ? await oAuthClientRepository.findByClientIdIncludeUser(clientId)
-      : null;
-
-  const updateData: {
-    name?: string;
-    purpose?: string;
-    redirectUri?: string;
-    logo?: string | null;
-    websiteUrl?: string | null;
-    approvalStatus?: OAuthClientApprovalStatus;
-    rejectionReason?: string | null;
-  } = {};
+  const shouldTriggerReapprovalForOwnerEdit = triggersReapprovalForOwnerEdit({
+    isAdmin,
+    isOwner,
+    currentClient: {
+      name: clientWithUser.name,
+      logo: clientWithUser.logo,
+      websiteUrl: clientWithUser.websiteUrl,
+      redirectUri: clientWithUser.redirectUri,
+    },
+    proposedUpdates: {
+      name,
+      logo,
+      websiteUrl,
+      redirectUri,
+    },
+  });
 
-  if (name !== undefined) updateData.name = name;
-  if (purpose !== undefined) updateData.purpose = purpose;
-  if (redirectUri !== undefined) updateData.redirectUri = redirectUri;
-  if (logo !== undefined) updateData.logo = logo;
-  if (websiteUrl !== undefined) updateData.websiteUrl = websiteUrl;
-  if (nextApprovalStatus !== existingClient.approvalStatus) updateData.approvalStatus = nextApprovalStatus;
+  const nextApprovalStatus = computeNextApprovalStatus({
+    requestedApprovalStatus: requestedApprovalStatus,
+    triggersReapprovalForOwnerEdit: shouldTriggerReapprovalForOwnerEdit,
+    existingApprovalStatus: clientWithUser.approvalStatus,
+  });
 
-  if (status === "REJECTED") {
-    updateData.rejectionReason = rejectionReason?.trim() ?? null;
-  } else if (status !== undefined) {
-    updateData.rejectionReason = null;
-  } else if (nextApprovalStatus !== existingClient.approvalStatus && nextApprovalStatus !== "REJECTED") {
-    updateData.rejectionReason = null;
-  }
+  const updateData = buildUpdateClientUpdateData({
+    name,
+    purpose,
+    redirectUri,
+    logo,
+    websiteUrl,
+    requestedApprovalStatus,
+    rejectionReason,
+    nextApprovalStatus,
+    existingApprovalStatus: clientWithUser.approvalStatus,
+  });
 
   const updatedClient = await ctx.prisma.oAuthClient.update({
     where: { clientId },
@@ -123,31 +125,16 @@ export const updateClientHandler = async ({
     },
   });
 
-  // Send approval notification email to user if approved
-  if (status === "APPROVED" && clientWithUser?.user) {
-    const t = await getTranslation("en", "common");
-
-    await sendOAuthClientApprovedNotification({
-      t,
-      userEmail: clientWithUser.user.email,
-      userName: clientWithUser.user.name,
-      clientName: updatedClient.name,
-      clientId: updatedClient.clientId,
-    });
-  }
-
-  if (status === "REJECTED" && clientWithUser?.user) {
-    const t = await getTranslation("en", "common");
-
-    await sendOAuthClientRejectedNotification({
-      t,
-      userEmail: clientWithUser.user.email,
-      userName: clientWithUser.user.name,
-      clientName: updatedClient.name,
+  await notifyOwnerAboutAdminReview({
+    isAdmin,
+    requestedApprovalStatus,
+    clientWithUser,
+    updatedClient: {
       clientId: updatedClient.clientId,
-      rejectionReason: rejectionReason?.trim() ?? "",
-    });
-  }
+      name: updatedClient.name,
+    },
+    rejectionReason,
+  });
 
   return {
     clientId: updatedClient.clientId,
@@ -160,3 +147,153 @@ export const updateClientHandler = async ({
     rejectionReason: updatedClient.rejectionReason,
   };
 };
+
+function toNullableString(value: string | null | undefined) {
+  return value ?? null;
+}
+
+function hasAnyFieldsChanged(fields: Record<string, unknown>) {
+  return Object.values(fields).some((value) => value !== undefined);
+}
+
+type ClientFieldsForReapprovalCheck = {
+  name: string;
+  logo: string | null;
+  websiteUrl: string | null;
+  redirectUri: string;
+};
+
+function triggersReapprovalForOwnerEdit(params: {
+  isAdmin: boolean;
+  isOwner: boolean;
+  currentClient: ClientFieldsForReapprovalCheck;
+  proposedUpdates: Partial<{
+    name: string;
+    logo: string | null;
+    websiteUrl: string | null;
+    redirectUri: string;
+  }>;
+}) {
+  const { isAdmin, isOwner, currentClient, proposedUpdates } = params;
+  if (isAdmin) return false;
+  if (!isOwner) return false;
+
+  if (proposedUpdates.name !== undefined && proposedUpdates.name !== currentClient.name) return true;
+  if (
+    proposedUpdates.logo !== undefined &&
+    toNullableString(proposedUpdates.logo) !== toNullableString(currentClient.logo)
+  )
+    return true;
+  if (
+    proposedUpdates.websiteUrl !== undefined &&
+    toNullableString(proposedUpdates.websiteUrl) !== toNullableString(currentClient.websiteUrl)
+  )
+    return true;
+  if (proposedUpdates.redirectUri !== undefined && proposedUpdates.redirectUri !== currentClient.redirectUri) return true;
+
+  return false;
+}
+
+function computeNextApprovalStatus(params: {
+  requestedApprovalStatus: OAuthClientApprovalStatus | undefined;
+  triggersReapprovalForOwnerEdit: boolean;
+  existingApprovalStatus: OAuthClientApprovalStatus;
+}): OAuthClientApprovalStatus {
+  const { requestedApprovalStatus, triggersReapprovalForOwnerEdit, existingApprovalStatus } = params;
+  if (requestedApprovalStatus !== undefined) return requestedApprovalStatus;
+  if (triggersReapprovalForOwnerEdit) return "PENDING";
+  return existingApprovalStatus;
+}
+
+type NotifyOwnerAboutAdminReviewParams = {
+  isAdmin: boolean;
+  requestedApprovalStatus: OAuthClientApprovalStatus | undefined;
+  clientWithUser: Awaited<ReturnType<OAuthClientRepository["findByClientIdIncludeUser"]>> | null;
+  updatedClient: {
+    clientId: string;
+    name: string;
+  };
+  rejectionReason: string | undefined;
+};
+
+async function notifyOwnerAboutAdminReview(params: NotifyOwnerAboutAdminReviewParams) {
+  const { isAdmin, requestedApprovalStatus, clientWithUser, updatedClient, rejectionReason } = params;
+  if (!isAdmin) return;
+  if (requestedApprovalStatus !== "APPROVED" && requestedApprovalStatus !== "REJECTED") return;
+  if (!clientWithUser?.user) return;
+
+  const t = await getTranslation("en", "common");
+
+  if (requestedApprovalStatus === "APPROVED") {
+    await sendOAuthClientApprovedNotification({
+      t,
+      userEmail: clientWithUser.user.email,
+      userName: clientWithUser.user.name,
+      clientName: updatedClient.name,
+      clientId: updatedClient.clientId,
+    });
+    return;
+  }
+
+  await sendOAuthClientRejectedNotification({
+    t,
+    userEmail: clientWithUser.user.email,
+    userName: clientWithUser.user.name,
+    clientName: updatedClient.name,
+    clientId: updatedClient.clientId,
+    rejectionReason: rejectionReason?.trim() ?? "",
+  });
+}
+
+type UpdateOAuthClientData = {
+  name?: string;
+  purpose?: string;
+  redirectUri?: string;
+  logo?: string | null;
+  websiteUrl?: string | null;
+  approvalStatus?: OAuthClientApprovalStatus;
+  rejectionReason?: string | null;
+};
+
+function buildUpdateClientUpdateData(params: {
+  name: string | undefined;
+  purpose: string | undefined;
+  redirectUri: string | undefined;
+  logo: string | null | undefined;
+  websiteUrl: string | null | undefined;
+  requestedApprovalStatus: OAuthClientApprovalStatus | undefined;
+  rejectionReason: string | undefined;
+  nextApprovalStatus: OAuthClientApprovalStatus;
+  existingApprovalStatus: OAuthClientApprovalStatus;
+}): UpdateOAuthClientData {
+  const {
+    name,
+    purpose,
+    redirectUri,
+    logo,
+    websiteUrl,
+    requestedApprovalStatus,
+    rejectionReason,
+    nextApprovalStatus,
+    existingApprovalStatus,
+  } = params;
+
+  const updateData: UpdateOAuthClientData = {};
+
+  if (name !== undefined) updateData.name = name;
+  if (purpose !== undefined) updateData.purpose = purpose;
+  if (redirectUri !== undefined) updateData.redirectUri = redirectUri;
+  if (logo !== undefined) updateData.logo = logo;
+  if (websiteUrl !== undefined) updateData.websiteUrl = websiteUrl;
+  if (nextApprovalStatus !== existingApprovalStatus) updateData.approvalStatus = nextApprovalStatus;
+
+  if (requestedApprovalStatus === "REJECTED") {
+    updateData.rejectionReason = rejectionReason?.trim() ?? null;
+  } else if (requestedApprovalStatus !== undefined) {
+    updateData.rejectionReason = null;
+  } else if (nextApprovalStatus !== existingApprovalStatus && nextApprovalStatus !== "REJECTED") {
+    updateData.rejectionReason = null;
+  }
+
+  return updateData;
+}

From 52dc3844b12ee4c31875ea68382a3c238e555bda Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 16:13:58 +0000
Subject: [PATCH 60/72] refactor: rename approvalStatus -> status

---
 .../admin/oauth-clients-admin-view.tsx        |  6 +-
 .../settings/developer/oauth-clients-view.tsx |  6 +-
 .../oauth/OAuthClientDetailsDialog.tsx        | 16 ++---
 .../oauth/OAuthClientPreviewDialog.tsx        |  2 +-
 .../settings/oauth/OAuthClientsList.tsx       |  2 +-
 .../oauth/oauth-client-admin.e2e.ts           |  4 +-
 .../oauth/oauth-client-owner-crud.e2e.ts      | 18 ++---
 .../repositories/OAuthClientRepository.ts     | 32 ++++-----
 .../migration.sql                             |  9 ++-
 packages/prisma/schema.prisma                 | 14 ++--
 .../viewer/oAuth/createClient.handler.ts      |  4 +-
 .../viewer/oAuth/listClients.schema.ts        |  4 +-
 .../submitClientForReview.handler.test.ts     | 10 +--
 .../oAuth/submitClientForReview.handler.ts    |  4 +-
 .../oAuth/submitClientForReview.schema.ts     |  2 +-
 .../viewer/oAuth/updateClient.handler.test.ts | 71 +++++++++---------
 .../viewer/oAuth/updateClient.handler.ts      | 72 +++++++++----------
 .../viewer/oAuth/updateClient.schema.ts       |  6 +-
 18 files changed, 143 insertions(+), 139 deletions(-)
 rename packages/prisma/migrations/{20260113115410_new_oauth_client_properties => 20260114154054_add_oauth_client_properties}/migration.sql (52%)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 987d46c00022c3..6e8916b29aa0c8 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -40,7 +40,7 @@ export default function OAuthClientsAdminView() {
         clientSecret: data.clientSecret,
         name: data.name,
         purpose: data.purpose ?? "",
-        approvalStatus: data.approvalStatus ?? "APPROVED",
+        status: data.status ?? "APPROVED",
         redirectUri: data.redirectUri,
         logo: data.logo || null,
       });
@@ -55,7 +55,7 @@ export default function OAuthClientsAdminView() {
   const updateStatusMutation = trpc.viewer.oAuth.updateClient.useMutation({
     onSuccess: async (data) => {
       showToast(
-        t("oauth_client_status_updated", { name: data.name, status: data.approvalStatus }),
+        t("oauth_client_status_updated", { name: data.name, status: data.status }),
         "success"
       );
 
@@ -64,7 +64,7 @@ export default function OAuthClientsAdminView() {
         if (prev.clientId !== data.clientId) return prev;
         return {
           ...prev,
-          approvalStatus: data.approvalStatus,
+          status: data.status,
           rejectionReason: data.rejectionReason,
         };
       });
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 579877f3d4e11c..8811e570dfc178 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -31,7 +31,7 @@ const OAuthClientsView = () => {
         name: data.name,
         purpose: data.purpose ?? "",
         clientSecret: data.clientSecret,
-        approvalStatus: data.approvalStatus ?? "APPROVED",
+        status: data.status ?? "APPROVED",
         isPkceEnabled: data.isPkceEnabled,
       });
       showToast(t("oauth_client_submitted"), "success");
@@ -67,7 +67,7 @@ const OAuthClientsView = () => {
           redirectUri: data.redirectUri,
           websiteUrl: data.websiteUrl,
           logo: data.logo,
-          approvalStatus: data.approvalStatus,
+          status: data.status,
           rejectionReason: data.rejectionReason,
         };
       });
@@ -121,7 +121,7 @@ const OAuthClientsView = () => {
             redirectUri: client.redirectUri,
             websiteUrl: client.websiteUrl,
             logo: client.logo,
-            approvalStatus: client.approvalStatus,
+            status: client.status,
             rejectionReason: client.rejectionReason,
             clientType: client.clientType,
           }))}
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
index c41025fcdfe097..4fca2892d6b8b0 100644
--- a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
@@ -24,7 +24,7 @@ export type OAuthClientDetails = {
   redirectUri?: string;
   websiteUrl?: string | null;
   logo?: string | null;
-  approvalStatus?: string;
+  status?: string;
   rejectionReason?: string | null;
   clientSecret?: string;
   isPkceEnabled?: boolean;
@@ -106,7 +106,7 @@ export const OAuthClientDetailsDialog = ({
     });
   }, [client, form]);
 
-  const approvalStatus = client?.approvalStatus;
+  const status = client?.status;
 
   const showAdminActions = Boolean(onApprove) || Boolean(onReject);
   const isFormDisabled = showAdminActions;
@@ -138,8 +138,8 @@ export const OAuthClientDetailsDialog = ({
     );
 
     if (showAdminActions) {
-      const canReject = Boolean(onReject) && (approvalStatus === "PENDING" || approvalStatus === "APPROVED");
-      const canApprove = Boolean(onApprove) && (approvalStatus === "PENDING" || approvalStatus === "REJECTED");
+      const canReject = Boolean(onReject) && (status === "PENDING" || status === "APPROVED");
+      const canApprove = Boolean(onApprove) && (status === "PENDING" || status === "REJECTED");
 
       return (
         <div className="flex w-full items-center justify-end gap-2">
@@ -211,15 +211,15 @@ export const OAuthClientDetailsDialog = ({
                 logo: values.logo,
               });
             })}>
-            {approvalStatus ? (
+            {status ? (
               <div className="flex items-center justify-start">
-                <Badge variant={getStatusBadgeVariant(approvalStatus).variant}>
-                  {t(getStatusBadgeVariant(approvalStatus).labelKey)}
+                <Badge variant={getStatusBadgeVariant(status).variant}>
+                  {t(getStatusBadgeVariant(status).labelKey)}
                 </Badge>
               </div>
             ) : null}
 
-            {approvalStatus === "REJECTED" && client.rejectionReason ? (
+            {status === "REJECTED" && client.rejectionReason ? (
               <div className="text-subtle text-sm" data-testid="oauth-client-details-rejection-reason-display">
                 <span className="font-medium">{t("oauth_client_rejection_reason")}:</span> {client.rejectionReason}
               </div>
diff --git a/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx b/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
index a7f0e9f3330fb4..1d695053ae5ac9 100644
--- a/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
@@ -40,7 +40,7 @@ export function OAuthClientPreviewDialog({
     onOpenChange(nextOpen);
   };
 
-  const showPendingBadge = client.approvalStatus === "PENDING";
+  const showPendingBadge = client.status === "PENDING";
 
   return (
     <Dialog open={open} onOpenChange={handleOpenChange}>
diff --git a/apps/web/modules/settings/oauth/OAuthClientsList.tsx b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
index d3a4d366f5becb..ee723d73d69839 100644
--- a/apps/web/modules/settings/oauth/OAuthClientsList.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
@@ -63,7 +63,7 @@ export const OAuthClientsList = ({
             </div>
           </div>
           <div className="flex items-center gap-4">
-            {showStatus && client.approvalStatus ? getStatusBadge(client.approvalStatus, t) : null}
+            {showStatus && client.status ? getStatusBadge(client.status, t) : null}
             <Icon name="chevron-right" className="text-subtle h-5 w-5" />
           </div>
         </div>
diff --git a/apps/web/playwright/oauth/oauth-client-admin.e2e.ts b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
index 45dfd7fc44d488..235f3527068dee 100644
--- a/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
+++ b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
@@ -21,10 +21,10 @@ async function expectClientStatusInDb(
     .poll(async () => {
       const row = await prisma.oAuthClient.findUnique({
         where: { clientId },
-        select: { approvalStatus: true },
+        select: { status: true },
       });
 
-      return row?.approvalStatus ?? null;
+      return row?.status ?? null;
     })
     .toBe(status);
 }
diff --git a/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
index b90396003f4f20..989468844261aa 100644
--- a/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
+++ b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
@@ -61,7 +61,7 @@ type OAuthClientDbExpectations = {
   purpose?: string;
   redirectUri?: string;
   websiteUrl?: string | null;
-  approvalStatus?: string;
+  status?: string;
   clientType?: OAuthClientType;
   clientSecret?: string | null | TruthyExpectation;
   logo?: string | null | TruthyExpectation;
@@ -73,7 +73,7 @@ const oAuthClientSelect = {
   purpose: true,
   redirectUri: true,
   websiteUrl: true,
-  approvalStatus: true,
+  status: true,
   clientType: true,
   clientSecret: true,
   logo: true,
@@ -210,7 +210,7 @@ async function expectOAuthClientInDb(
   if (expected.purpose !== undefined) expect(dbClient.purpose).toBe(expected.purpose);
   if (expected.redirectUri !== undefined) expect(dbClient.redirectUri).toBe(expected.redirectUri);
   if (expected.websiteUrl !== undefined) expect(dbClient.websiteUrl).toBe(expected.websiteUrl);
-  if (expected.approvalStatus !== undefined) expect(dbClient.approvalStatus).toBe(expected.approvalStatus);
+  if (expected.status !== undefined) expect(dbClient.status).toBe(expected.status);
   if (expected.clientType !== undefined) expect(dbClient.clientType as OAuthClientType).toBe(expected.clientType);
 
   if (expected.clientSecret !== undefined) {
@@ -346,7 +346,7 @@ test.describe("OAuth client creation", () => {
       purpose,
       redirectUri,
       websiteUrl: null,
-      approvalStatus: "PENDING",
+      status: "PENDING",
       clientType: "CONFIDENTIAL",
       clientSecret: TRUTHY,
       logo: null,
@@ -396,7 +396,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
-      approvalStatus: "PENDING",
+      status: "PENDING",
       clientType: "CONFIDENTIAL",
       clientSecret: TRUTHY,
       logo: TRUTHY,
@@ -444,7 +444,7 @@ test.describe("OAuth client creation", () => {
       purpose,
       redirectUri,
       websiteUrl,
-      approvalStatus: "PENDING",
+      status: "PENDING",
       clientType: "CONFIDENTIAL",
       clientSecret: TRUTHY,
       logo: TRUTHY,
@@ -494,7 +494,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
-      approvalStatus: "PENDING",
+      status: "PENDING",
       clientType: "CONFIDENTIAL",
       clientSecret: TRUTHY,
       logo: TRUTHY,
@@ -540,7 +540,7 @@ test.describe("OAuth client creation", () => {
       purpose,
       redirectUri,
       websiteUrl,
-      approvalStatus: "PENDING",
+      status: "PENDING",
       clientType: "PUBLIC",
       clientSecret: null,
       logo: null,
@@ -590,7 +590,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
-      approvalStatus: "PENDING",
+      status: "PENDING",
       clientType: "PUBLIC",
       clientSecret: null,
       logo: TRUTHY,
diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index e768dba9050f6c..eb02d17cd194df 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -2,7 +2,7 @@ import { randomBytes } from "node:crypto";
 
 import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
 import type { PrismaClient } from "@calcom/prisma";
-import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
+import type { OAuthClientStatus } from "@calcom/prisma/enums";
 
 export class OAuthClientRepository {
   constructor(private readonly prisma: PrismaClient) {}
@@ -22,7 +22,7 @@ export class OAuthClientRepository {
         isTrusted: true,
         websiteUrl: true,
         rejectionReason: true,
-        approvalStatus: true,
+        status: true,
         userId: true,
         createdAt: true,
       },
@@ -54,7 +54,7 @@ export class OAuthClientRepository {
         websiteUrl: true,
         rejectionReason: true,
         isTrusted: true,
-        approvalStatus: true,
+        status: true,
         userId: true,
         createdAt: true,
         user: {
@@ -80,7 +80,7 @@ export class OAuthClientRepository {
         websiteUrl: true,
         rejectionReason: true,
         clientType: true,
-        approvalStatus: true,
+        status: true,
         userId: true,
         createdAt: true,
       },
@@ -88,9 +88,9 @@ export class OAuthClientRepository {
     });
   }
 
-  async findByUserIdAndStatus(userId: number, approvalStatus: OAuthClientApprovalStatus) {
+  async findByUserIdAndStatus(userId: number, status: OAuthClientStatus) {
     return this.prisma.oAuthClient.findMany({
-      where: { userId, approvalStatus },
+      where: { userId, status },
       orderBy: { createdAt: "desc" },
     });
   }
@@ -106,7 +106,7 @@ export class OAuthClientRepository {
         websiteUrl: true,
         rejectionReason: true,
         clientType: true,
-        approvalStatus: true,
+        status: true,
         userId: true,
         createdAt: true,
         user: {
@@ -121,9 +121,9 @@ export class OAuthClientRepository {
     });
   }
 
-  async findByStatus(approvalStatus: OAuthClientApprovalStatus) {
+  async findByStatus(status: OAuthClientStatus) {
     return this.prisma.oAuthClient.findMany({
-      where: { approvalStatus },
+      where: { status },
       select: {
         clientId: true,
         redirectUri: true,
@@ -133,7 +133,7 @@ export class OAuthClientRepository {
         websiteUrl: true,
         rejectionReason: true,
         clientType: true,
-        approvalStatus: true,
+        status: true,
         userId: true,
         createdAt: true,
         user: {
@@ -156,9 +156,9 @@ export class OAuthClientRepository {
     websiteUrl?: string;
     enablePkce?: boolean;
     userId?: number;
-    approvalStatus: OAuthClientApprovalStatus;
+    status: OAuthClientStatus;
   }) {
-    const { name, purpose, redirectUri, logo, websiteUrl, enablePkce, userId, approvalStatus } = data;
+    const { name, purpose, redirectUri, logo, websiteUrl, enablePkce, userId, status } = data;
 
     const clientId = randomBytes(32).toString("hex");
 
@@ -179,7 +179,7 @@ export class OAuthClientRepository {
         clientType: enablePkce ? "PUBLIC" : "CONFIDENTIAL",
         logo,
         websiteUrl,
-        approvalStatus: approvalStatus,
+        status,
         clientSecret: hashedSecret,
         ...(userId && {
           user: {
@@ -198,14 +198,14 @@ export class OAuthClientRepository {
       clientType: client.clientType,
       clientSecret,
       isPkceEnabled: enablePkce,
-      approvalStatus: client.approvalStatus,
+      status: client.status,
     };
   }
 
-  async updateStatus(clientId: string, approvalStatus: OAuthClientApprovalStatus) {
+  async updateStatus(clientId: string, status: OAuthClientStatus) {
     return this.prisma.oAuthClient.update({
       where: { clientId },
-      data: { approvalStatus },
+      data: { status },
     });
   }
 
diff --git a/packages/prisma/migrations/20260113115410_new_oauth_client_properties/migration.sql b/packages/prisma/migrations/20260114154054_add_oauth_client_properties/migration.sql
similarity index 52%
rename from packages/prisma/migrations/20260113115410_new_oauth_client_properties/migration.sql
rename to packages/prisma/migrations/20260114154054_add_oauth_client_properties/migration.sql
index 0049c6b31f322f..4607d82e6a8d66 100644
--- a/packages/prisma/migrations/20260113115410_new_oauth_client_properties/migration.sql
+++ b/packages/prisma/migrations/20260114154054_add_oauth_client_properties/migration.sql
@@ -1,14 +1,17 @@
 -- CreateEnum
-CREATE TYPE "public"."OAuthClientApprovalStatus" AS ENUM ('pending', 'approved', 'rejected');
+CREATE TYPE "public"."OAuthClientStatus" AS ENUM ('pending', 'approved', 'rejected');
 
 -- AlterTable
-ALTER TABLE "public"."OAuthClient" ADD COLUMN     "approvalStatus" "public"."OAuthClientApprovalStatus" NOT NULL DEFAULT 'approved',
-ADD COLUMN     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+ALTER TABLE "public"."OAuthClient" ADD COLUMN     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
 ADD COLUMN     "purpose" TEXT,
 ADD COLUMN     "rejectionReason" TEXT,
+ADD COLUMN     "status" "public"."OAuthClientStatus" NOT NULL DEFAULT 'approved',
 ADD COLUMN     "userId" INTEGER,
 ADD COLUMN     "websiteUrl" TEXT;
 
+-- CreateIndex
+CREATE INDEX "IntegrationAttributeSync_credentialId_idx" ON "public"."IntegrationAttributeSync"("credentialId");
+
 -- CreateIndex
 CREATE INDEX "OAuthClient_userId_idx" ON "public"."OAuthClient"("userId");
 
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index 3e4d920cb75586..099522ef0c3d7d 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -1773,28 +1773,28 @@ enum OAuthClientType {
   PUBLIC       @map("public")
 }
 
-enum OAuthClientApprovalStatus {
+enum OAuthClientStatus {
   PENDING  @map("pending")
   APPROVED @map("approved")
   REJECTED @map("rejected")
 }
 
 model OAuthClient {
-  clientId        String                    @id @unique
+  clientId        String            @id @unique
   redirectUri     String
   clientSecret    String?
-  clientType      OAuthClientType           @default(CONFIDENTIAL)
+  clientType      OAuthClientType   @default(CONFIDENTIAL)
   name            String
   purpose         String?
   logo            String?
   websiteUrl      String?
   rejectionReason String?
-  isTrusted       Boolean                   @default(false)
+  isTrusted       Boolean           @default(false)
   accessCodes     AccessCode[]
-  approvalStatus  OAuthClientApprovalStatus @default(APPROVED)
+  status          OAuthClientStatus @default(APPROVED)
   userId          Int?
-  user            User?                     @relation(fields: [userId], references: [id], onDelete: SetNull)
-  createdAt       DateTime                  @default(now())
+  user            User?             @relation(fields: [userId], references: [id], onDelete: SetNull)
+  createdAt       DateTime          @default(now())
 
   @@index([userId])
 }
diff --git a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
index 0a5b2831385f81..eb1fe551ba901f 100644
--- a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
@@ -22,7 +22,7 @@ export const createClientHandler = async ({ ctx, input }: AddClientOptions) => {
     logo,
     websiteUrl,
     enablePkce,
-    approvalStatus: "APPROVED",
+    status: "APPROVED",
   });
 
   return {
@@ -34,6 +34,6 @@ export const createClientHandler = async ({ ctx, input }: AddClientOptions) => {
     clientType: client.clientType,
     clientSecret: client.clientSecret,
     isPkceEnabled: enablePkce,
-    approvalStatus: client.approvalStatus,
+    status: client.status,
   };
 };
diff --git a/packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts b/packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts
index 2499674889cda3..ee5b72245c819a 100644
--- a/packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/listClients.schema.ts
@@ -1,9 +1,9 @@
 import { z } from "zod";
 
-import { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
+import { OAuthClientStatus } from "@calcom/prisma/enums";
 
 export const ZListClientsInputSchema = z.object({
-  status: z.nativeEnum(OAuthClientApprovalStatus).optional(),
+  status: z.nativeEnum(OAuthClientStatus).optional(),
 });
 
 export type TListClientsInputSchema = z.infer<typeof ZListClientsInputSchema>;
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.test.ts
index 33db6342e18fee..aaf737fbf94320 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.test.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.test.ts
@@ -4,7 +4,7 @@ import type { TFunction } from "i18next";
 
 import type { PrismaClient } from "@calcom/prisma";
 
-import { submitClientHandler } from "./submitClient.handler";
+import { submitClientForReviewHandler } from "./submitClientForReview.handler";
 
 const mocks = vi.hoisted(() => {
   return {
@@ -53,7 +53,7 @@ describe("submitClientHandler", () => {
       clientType: "CONFIDENTIAL",
       clientSecret: "plain-secret",
       isPkceEnabled: false,
-      approvalStatus: "PENDING",
+      status: "PENDING",
     };
 
     mocks.createOAuthClient.mockResolvedValue(createdClient);
@@ -77,7 +77,7 @@ describe("submitClientHandler", () => {
       enablePkce: false,
     };
 
-    const result = await submitClientHandler({ ctx, input });
+    const result = await submitClientForReviewHandler({ ctx, input });
 
     expect(mocks.createOAuthClient).toHaveBeenCalledWith({
       name: input.name,
@@ -87,7 +87,7 @@ describe("submitClientHandler", () => {
       websiteUrl: input.websiteUrl,
       enablePkce: input.enablePkce,
       userId: ctx.user.id,
-      approvalStatus: "PENDING",
+      status: "PENDING",
     });
 
     expect(mocks.sendAdminOAuthClientNotification).toHaveBeenCalledWith({
@@ -108,7 +108,7 @@ describe("submitClientHandler", () => {
       redirectUri: createdClient.redirectUri,
       logo: createdClient.logo,
       clientType: createdClient.clientType,
-      approvalStatus: createdClient.approvalStatus,
+      status: createdClient.status,
       isPkceEnabled: input.enablePkce,
     });
   });
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
index a72759ab3bac19..e99c28277e1f99 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
@@ -32,7 +32,7 @@ export const submitClientForReviewHandler = async ({ ctx, input }: SubmitClientO
     websiteUrl,
     enablePkce,
     userId,
-    approvalStatus: "PENDING",
+    status: "PENDING",
   });
 
   const t = await getTranslation("en", "common");
@@ -54,7 +54,7 @@ export const submitClientForReviewHandler = async ({ ctx, input }: SubmitClientO
     redirectUri: client.redirectUri,
     logo: client.logo,
     clientType: client.clientType,
-    approvalStatus: client.approvalStatus,
+    status: client.status,
     isPkceEnabled: enablePkce,
   };
 };
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.schema.ts b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.schema.ts
index 5f6b3adcf2d343..22274317efc928 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.schema.ts
@@ -23,7 +23,7 @@ export const ZSubmitClientOutputSchema = z.object({
   redirectUri: z.string(),
   logo: z.string().nullable(),
   clientType: z.string(),
-  approvalStatus: z.string(),
+  status: z.string(),
   isPkceEnabled: z.boolean().optional(),
 });
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
index 686fcbfbd9dd59..e23862b603570b 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
@@ -3,7 +3,7 @@ import { beforeEach, describe, expect, it, vi } from "vitest";
 import type { TFunction } from "i18next";
 
 import type { PrismaClient } from "@calcom/prisma";
-import { OAuthClientApprovalStatus, UserPermissionRole } from "@calcom/prisma/enums";
+import { OAuthClientStatus, UserPermissionRole } from "@calcom/prisma/enums";
 
 import { updateClientHandler } from "./updateClient.handler";
 
@@ -62,7 +62,7 @@ describe("updateClientHandler", () => {
 
     mocks.getTranslation.mockResolvedValue(t);
 
-    mocks.findByClientId.mockResolvedValue({
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
       name: CLIENT_NAME,
@@ -70,11 +70,7 @@ describe("updateClientHandler", () => {
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
-      approvalStatus: "PENDING",
-    });
-
-    mocks.findByClientIdIncludeUser.mockResolvedValue({
-      clientId: CLIENT_ID,
+      status: "PENDING",
       user: {
         email: USER_EMAIL,
         name: USER_NAME,
@@ -85,7 +81,7 @@ describe("updateClientHandler", () => {
       clientId: CLIENT_ID,
       name: CLIENT_NAME,
       purpose: CLIENT_PURPOSE,
-      approvalStatus: "APPROVED",
+      status: "APPROVED",
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
@@ -106,7 +102,7 @@ describe("updateClientHandler", () => {
 
     const input = {
       clientId: CLIENT_ID,
-      status: OAuthClientApprovalStatus.APPROVED,
+      status: OAuthClientStatus.APPROVED,
     };
 
     const result = await updateClientHandler({ ctx, input });
@@ -115,7 +111,7 @@ describe("updateClientHandler", () => {
       expect.objectContaining({
         where: { clientId: input.clientId },
         data: {
-          approvalStatus: "APPROVED",
+          status: "APPROVED",
           rejectionReason: null,
         },
       })
@@ -135,7 +131,7 @@ describe("updateClientHandler", () => {
       clientId: CLIENT_ID,
       name: CLIENT_NAME,
       purpose: CLIENT_PURPOSE,
-      approvalStatus: "APPROVED",
+      status: "APPROVED",
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
@@ -153,7 +149,7 @@ describe("updateClientHandler", () => {
 
     mocks.getTranslation.mockResolvedValue(t);
 
-    mocks.findByClientId.mockResolvedValue({
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
       name: CLIENT_NAME,
@@ -161,11 +157,7 @@ describe("updateClientHandler", () => {
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
-      approvalStatus: "PENDING",
-    });
-
-    mocks.findByClientIdIncludeUser.mockResolvedValue({
-      clientId: CLIENT_ID,
+      status: "PENDING",
       user: {
         email: USER_EMAIL,
         name: USER_NAME,
@@ -176,7 +168,7 @@ describe("updateClientHandler", () => {
       clientId: CLIENT_ID,
       name: CLIENT_NAME,
       purpose: CLIENT_PURPOSE,
-      approvalStatus: "REJECTED",
+      status: "REJECTED",
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
@@ -197,7 +189,7 @@ describe("updateClientHandler", () => {
 
     const input = {
       clientId: CLIENT_ID,
-      status: OAuthClientApprovalStatus.REJECTED,
+      status: OAuthClientStatus.REJECTED,
       rejectionReason: REJECTION_REASON_RAW,
     };
 
@@ -207,7 +199,7 @@ describe("updateClientHandler", () => {
       expect.objectContaining({
         where: { clientId: input.clientId },
         data: {
-          approvalStatus: "REJECTED",
+          status: "REJECTED",
           rejectionReason: REJECTION_REASON_TRIMMED,
         },
       })
@@ -226,14 +218,16 @@ describe("updateClientHandler", () => {
   });
 
   it("throws FORBIDDEN when a non-admin attempts to set rejectionReason", async () => {
-    mocks.findByClientId.mockResolvedValue({
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
       name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
-      approvalStatus: "PENDING",
+      status: "PENDING",
+      user: null,
     });
 
     const ctx = {
@@ -260,14 +254,16 @@ describe("updateClientHandler", () => {
   });
 
   it("throws BAD_REQUEST when rejecting without a non-empty rejectionReason", async () => {
-    mocks.findByClientId.mockResolvedValue({
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
       name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
-      approvalStatus: "PENDING",
+      status: "PENDING",
+      user: null,
     });
 
     const ctx = {
@@ -287,7 +283,7 @@ describe("updateClientHandler", () => {
         ctx,
         input: {
           clientId: CLIENT_ID,
-          status: OAuthClientApprovalStatus.REJECTED,
+          status: OAuthClientStatus.REJECTED,
           rejectionReason: " ",
         },
       })
@@ -298,14 +294,16 @@ describe("updateClientHandler", () => {
   });
 
   it("throws FORBIDDEN when a non-admin attempts to update status", async () => {
-    mocks.findByClientId.mockResolvedValue({
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
       name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
-      approvalStatus: "PENDING",
+      status: "PENDING",
+      user: null,
     });
 
     const ctx = {
@@ -325,7 +323,7 @@ describe("updateClientHandler", () => {
         ctx,
         input: {
           clientId: CLIENT_ID,
-          status: OAuthClientApprovalStatus.APPROVED,
+          status: OAuthClientStatus.APPROVED,
         },
       })
     ).rejects.toMatchObject({
@@ -335,14 +333,16 @@ describe("updateClientHandler", () => {
   });
 
   it("throws FORBIDDEN when a non-owner, non-admin attempts to update client fields", async () => {
-    mocks.findByClientId.mockResolvedValue({
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
       name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
-      approvalStatus: "PENDING",
+      status: "PENDING",
+      user: null,
     });
 
     const ctx = {
@@ -371,8 +371,8 @@ describe("updateClientHandler", () => {
     });
   });
 
-  it("sets approvalStatus to PENDING when an owner edits a previously approved client (reapproval flow)", async () => {
-    mocks.findByClientId.mockResolvedValue({
+  it("sets status to PENDING when an owner edits a previously approved client (reapproval flow)", async () => {
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
       name: CLIENT_NAME,
@@ -380,14 +380,15 @@ describe("updateClientHandler", () => {
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
-      approvalStatus: "APPROVED",
+      status: "APPROVED",
+      user: null,
     });
 
     const prismaUpdate = vi.fn().mockResolvedValue({
       clientId: CLIENT_ID,
       name: "My Client v2",
       purpose: CLIENT_PURPOSE,
-      approvalStatus: "PENDING",
+      status: "PENDING",
       redirectUri: REDIRECT_URI,
       websiteUrl: null,
       logo: null,
@@ -419,7 +420,7 @@ describe("updateClientHandler", () => {
         where: { clientId: CLIENT_ID },
         data: {
           name: "My Client v2",
-          approvalStatus: "PENDING",
+          status: "PENDING",
           rejectionReason: null,
         },
       })
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
index 63900900fc8ca8..43bc001ebcc232 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
@@ -5,7 +5,7 @@ import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 import type { PrismaClient } from "@calcom/prisma";
 import { UserPermissionRole } from "@calcom/prisma/enums";
-import type { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
+import type { OAuthClientStatus } from "@calcom/prisma/enums";
 
 import type { TUpdateClientInputSchema } from "./updateClient.schema";
 
@@ -24,7 +24,7 @@ type UpdateClientOutput = {
   clientId: string;
   name: string;
   purpose: string | null;
-  approvalStatus: OAuthClientApprovalStatus;
+  status: OAuthClientStatus;
   redirectUri: string;
   websiteUrl: string | null;
   logo: string | null;
@@ -37,7 +37,7 @@ export const updateClientHandler = async ({
 }: UpdateClientOptions): Promise<UpdateClientOutput> => {
   const {
     clientId,
-    status: requestedApprovalStatus,
+    status: requestedStatus,
     rejectionReason,
     name,
     purpose,
@@ -60,12 +60,12 @@ export const updateClientHandler = async ({
     throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can set a rejection reason" });
   }
 
-  if (requestedApprovalStatus === "REJECTED" && (!rejectionReason || rejectionReason.trim().length === 0)) {
+  if (requestedStatus === "REJECTED" && (!rejectionReason || rejectionReason.trim().length === 0)) {
     throw new TRPCError({ code: "BAD_REQUEST", message: "Rejection reason is required" });
   }
 
   const isUpdatingFields = hasAnyFieldsChanged({ name, purpose, redirectUri, websiteUrl, logo });
-  const isUpdatingStatus = requestedApprovalStatus !== undefined;
+  const isUpdatingStatus = requestedStatus !== undefined;
 
   if (isUpdatingStatus && !isAdmin) {
     throw new TRPCError({ code: "FORBIDDEN", message: "Only admins can update OAuth client status" });
@@ -92,10 +92,10 @@ export const updateClientHandler = async ({
     },
   });
 
-  const nextApprovalStatus = computeNextApprovalStatus({
-    requestedApprovalStatus: requestedApprovalStatus,
+  const nextStatus = computeNextStatus({
+    requestedStatus,
     triggersReapprovalForOwnerEdit: shouldTriggerReapprovalForOwnerEdit,
-    existingApprovalStatus: clientWithUser.approvalStatus,
+    currentStatus: clientWithUser.status,
   });
 
   const updateData = buildUpdateClientUpdateData({
@@ -104,10 +104,10 @@ export const updateClientHandler = async ({
     redirectUri,
     logo,
     websiteUrl,
-    requestedApprovalStatus,
+    requestedStatus,
     rejectionReason,
-    nextApprovalStatus,
-    existingApprovalStatus: clientWithUser.approvalStatus,
+    nextStatus,
+    currentStatus: clientWithUser.status,
   });
 
   const updatedClient = await ctx.prisma.oAuthClient.update({
@@ -117,7 +117,7 @@ export const updateClientHandler = async ({
       clientId: true,
       name: true,
       purpose: true,
-      approvalStatus: true,
+      status: true,
       redirectUri: true,
       websiteUrl: true,
       logo: true,
@@ -127,7 +127,7 @@ export const updateClientHandler = async ({
 
   await notifyOwnerAboutAdminReview({
     isAdmin,
-    requestedApprovalStatus,
+    requestedStatus,
     clientWithUser,
     updatedClient: {
       clientId: updatedClient.clientId,
@@ -140,7 +140,7 @@ export const updateClientHandler = async ({
     clientId: updatedClient.clientId,
     name: updatedClient.name,
     purpose: updatedClient.purpose,
-    approvalStatus: updatedClient.approvalStatus,
+    status: updatedClient.status,
     redirectUri: updatedClient.redirectUri,
     websiteUrl: updatedClient.websiteUrl,
     logo: updatedClient.logo,
@@ -194,20 +194,20 @@ function triggersReapprovalForOwnerEdit(params: {
   return false;
 }
 
-function computeNextApprovalStatus(params: {
-  requestedApprovalStatus: OAuthClientApprovalStatus | undefined;
+function computeNextStatus(params: {
+  requestedStatus: OAuthClientStatus | undefined;
   triggersReapprovalForOwnerEdit: boolean;
-  existingApprovalStatus: OAuthClientApprovalStatus;
-}): OAuthClientApprovalStatus {
-  const { requestedApprovalStatus, triggersReapprovalForOwnerEdit, existingApprovalStatus } = params;
-  if (requestedApprovalStatus !== undefined) return requestedApprovalStatus;
+  currentStatus: OAuthClientStatus;
+}): OAuthClientStatus {
+  const { requestedStatus, triggersReapprovalForOwnerEdit, currentStatus } = params;
+  if (requestedStatus !== undefined) return requestedStatus;
   if (triggersReapprovalForOwnerEdit) return "PENDING";
-  return existingApprovalStatus;
+  return currentStatus;
 }
 
 type NotifyOwnerAboutAdminReviewParams = {
   isAdmin: boolean;
-  requestedApprovalStatus: OAuthClientApprovalStatus | undefined;
+  requestedStatus: OAuthClientStatus | undefined;
   clientWithUser: Awaited<ReturnType<OAuthClientRepository["findByClientIdIncludeUser"]>> | null;
   updatedClient: {
     clientId: string;
@@ -217,14 +217,14 @@ type NotifyOwnerAboutAdminReviewParams = {
 };
 
 async function notifyOwnerAboutAdminReview(params: NotifyOwnerAboutAdminReviewParams) {
-  const { isAdmin, requestedApprovalStatus, clientWithUser, updatedClient, rejectionReason } = params;
+  const { isAdmin, requestedStatus, clientWithUser, updatedClient, rejectionReason } = params;
   if (!isAdmin) return;
-  if (requestedApprovalStatus !== "APPROVED" && requestedApprovalStatus !== "REJECTED") return;
+  if (requestedStatus !== "APPROVED" && requestedStatus !== "REJECTED") return;
   if (!clientWithUser?.user) return;
 
   const t = await getTranslation("en", "common");
 
-  if (requestedApprovalStatus === "APPROVED") {
+  if (requestedStatus === "APPROVED") {
     await sendOAuthClientApprovedNotification({
       t,
       userEmail: clientWithUser.user.email,
@@ -251,7 +251,7 @@ type UpdateOAuthClientData = {
   redirectUri?: string;
   logo?: string | null;
   websiteUrl?: string | null;
-  approvalStatus?: OAuthClientApprovalStatus;
+  status?: OAuthClientStatus;
   rejectionReason?: string | null;
 };
 
@@ -261,10 +261,10 @@ function buildUpdateClientUpdateData(params: {
   redirectUri: string | undefined;
   logo: string | null | undefined;
   websiteUrl: string | null | undefined;
-  requestedApprovalStatus: OAuthClientApprovalStatus | undefined;
+  requestedStatus: OAuthClientStatus | undefined;
   rejectionReason: string | undefined;
-  nextApprovalStatus: OAuthClientApprovalStatus;
-  existingApprovalStatus: OAuthClientApprovalStatus;
+  nextStatus: OAuthClientStatus;
+  currentStatus: OAuthClientStatus;
 }): UpdateOAuthClientData {
   const {
     name,
@@ -272,10 +272,10 @@ function buildUpdateClientUpdateData(params: {
     redirectUri,
     logo,
     websiteUrl,
-    requestedApprovalStatus,
+    requestedStatus,
     rejectionReason,
-    nextApprovalStatus,
-    existingApprovalStatus,
+    nextStatus,
+    currentStatus,
   } = params;
 
   const updateData: UpdateOAuthClientData = {};
@@ -285,13 +285,13 @@ function buildUpdateClientUpdateData(params: {
   if (redirectUri !== undefined) updateData.redirectUri = redirectUri;
   if (logo !== undefined) updateData.logo = logo;
   if (websiteUrl !== undefined) updateData.websiteUrl = websiteUrl;
-  if (nextApprovalStatus !== existingApprovalStatus) updateData.approvalStatus = nextApprovalStatus;
+  if (nextStatus !== currentStatus) updateData.status = nextStatus;
 
-  if (requestedApprovalStatus === "REJECTED") {
+  if (requestedStatus === "REJECTED") {
     updateData.rejectionReason = rejectionReason?.trim() ?? null;
-  } else if (requestedApprovalStatus !== undefined) {
+  } else if (requestedStatus !== undefined) {
     updateData.rejectionReason = null;
-  } else if (nextApprovalStatus !== existingApprovalStatus && nextApprovalStatus !== "REJECTED") {
+  } else if (nextStatus !== currentStatus && nextStatus !== "REJECTED") {
     updateData.rejectionReason = null;
   }
 
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.schema.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.schema.ts
index 2e329b9bac0701..7e8fc5635352ae 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.schema.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.schema.ts
@@ -1,10 +1,10 @@
 import { z } from "zod";
 
-import { OAuthClientApprovalStatus } from "@calcom/prisma/enums";
+import { OAuthClientStatus } from "@calcom/prisma/enums";
 
 export const ZUpdateClientInputSchema = z.object({
   clientId: z.string(),
-  status: z.nativeEnum(OAuthClientApprovalStatus).optional(),
+  status: z.nativeEnum(OAuthClientStatus).optional(),
   rejectionReason: z.string().min(1).optional(),
   name: z.string().min(1).optional(),
   purpose: z.string().min(1).optional(),
@@ -18,7 +18,7 @@ export const ZUpdateClientInputSchema = z.object({
     z.string().url().nullable().optional()
   ),
 }).superRefine((val, ctx) => {
-  if (val.status === OAuthClientApprovalStatus.REJECTED && !val.rejectionReason) {
+  if (val.status === OAuthClientStatus.REJECTED && !val.rejectionReason) {
     ctx.addIssue({
       code: z.ZodIssueCode.custom,
       path: ["rejectionReason"],

From 47723a891d92212d3ff419731089a305630a26bf Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 16:25:38 +0000
Subject: [PATCH 61/72] refactor: simplify modal

---
 .../admin/oauth-clients-admin-view.tsx        | 35 ++++++++++-----
 .../settings/developer/oauth-clients-view.tsx | 35 ++++++++++-----
 .../oauth/AdminOAuthClientCreateFlow.tsx      | 35 ---------------
 .../settings/oauth/OAuthClientCreateFlow.tsx  | 45 -------------------
 .../settings/oauth/OAuthClientsList.tsx       |  2 +-
 .../{ => create}/NewOAuthClientButton.tsx     |  0
 .../{ => create}/OAuthClientCreateModal.tsx   |  2 +-
 .../{ => create}/OAuthClientPreviewDialog.tsx |  2 +-
 .../{ => view}/OAuthClientDetailsDialog.tsx   |  2 +-
 .../{ => view}/OAuthClientFormFields.tsx      |  2 +-
 10 files changed, 51 insertions(+), 109 deletions(-)
 delete mode 100644 apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx
 delete mode 100644 apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx
 rename apps/web/modules/settings/oauth/{ => create}/NewOAuthClientButton.tsx (100%)
 rename apps/web/modules/settings/oauth/{ => create}/OAuthClientCreateModal.tsx (97%)
 rename apps/web/modules/settings/oauth/{ => create}/OAuthClientPreviewDialog.tsx (98%)
 rename apps/web/modules/settings/oauth/{ => view}/OAuthClientDetailsDialog.tsx (99%)
 rename apps/web/modules/settings/oauth/{ => view}/OAuthClientFormFields.tsx (98%)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 6e8916b29aa0c8..056d3863d840e8 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -10,11 +10,12 @@ import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import { AdminOAuthClientCreateFlow } from "../oauth/AdminOAuthClientCreateFlow";
-import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateModal";
-import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
+import type { OAuthClientCreateFormValues } from "../oauth/create/OAuthClientCreateModal";
+import { OAuthClientCreateDialog } from "../oauth/create/OAuthClientCreateModal";
+import { OAuthClientPreviewDialog } from "../oauth/create/OAuthClientPreviewDialog";
+import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/view/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
-import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
+import { NewOAuthClientButton } from "../oauth/create/NewOAuthClientButton";
 
 export default function OAuthClientsAdminView() {
   const { t } = useLocale();
@@ -163,14 +164,24 @@ export default function OAuthClientsAdminView() {
         />
       )}
 
-      <AdminOAuthClientCreateFlow
-        open={showCreateDialog}
-        onOpenChange={setShowCreateDialog}
-        isSubmitting={createMutation.isPending}
-        onSubmit={handleAddClient}
-        createdClient={createdClient}
-        onClose={handleCloseDialog}
-      />
+      {createdClient ? (
+        <OAuthClientPreviewDialog
+          open={showCreateDialog}
+          onOpenChange={setShowCreateDialog}
+          title={t("oauth_client_created")}
+          description={t("oauth_client_created_description")}
+          client={createdClient}
+          onClose={handleCloseDialog}
+        />
+      ) : (
+        <OAuthClientCreateDialog
+          open={showCreateDialog}
+          onOpenChange={setShowCreateDialog}
+          isSubmitting={createMutation.isPending}
+          onSubmit={handleAddClient}
+          onClose={handleCloseDialog}
+        />
+      )}
 
       <OAuthClientDetailsDialog
         open={Boolean(selectedClient)}
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 8811e570dfc178..1f9b1c3381ab83 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -7,11 +7,12 @@ import { EmptyScreen } from "@calcom/ui/components/empty-screen";
 import { showToast } from "@calcom/ui/components/toast";
 import SettingsHeader from "@calcom/features/settings/appDir/SettingsHeader";
 
-import type { OAuthClientCreateFormValues } from "../oauth/OAuthClientCreateModal";
-import { OAuthClientCreateFlow } from "../oauth/OAuthClientCreateFlow";
-import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/OAuthClientDetailsDialog";
+import type { OAuthClientCreateFormValues } from "../oauth/create/OAuthClientCreateModal";
+import { OAuthClientCreateDialog } from "../oauth/create/OAuthClientCreateModal";
+import { OAuthClientPreviewDialog } from "../oauth/create/OAuthClientPreviewDialog";
+import { OAuthClientDetailsDialog, type OAuthClientDetails } from "../oauth/view/OAuthClientDetailsDialog";
 import { OAuthClientsList } from "../oauth/OAuthClientsList";
-import { NewOAuthClientButton } from "../oauth/NewOAuthClientButton";
+import { NewOAuthClientButton } from "../oauth/create/NewOAuthClientButton";
 
 import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 
@@ -136,14 +137,24 @@ const OAuthClientsView = () => {
         />
       )}
 
-      <OAuthClientCreateFlow
-        open={showDialog}
-        onOpenChange={setShowDialog}
-        isSubmitting={submitForReviewMutation.isPending}
-        onSubmit={handleSubmit}
-        createdClient={submittedClient}
-        onClose={handleCloseCreateDialog}
-      />
+      {submittedClient ? (
+        <OAuthClientPreviewDialog
+          open={showDialog}
+          onOpenChange={setShowDialog}
+          title={t("oauth_client_submitted")}
+          description={t("oauth_client_submitted_description")}
+          client={submittedClient}
+          onClose={handleCloseCreateDialog}
+        />
+      ) : (
+        <OAuthClientCreateDialog
+          open={showDialog}
+          onOpenChange={setShowDialog}
+          isSubmitting={submitForReviewMutation.isPending}
+          onSubmit={handleSubmit}
+          onClose={handleCloseCreateDialog}
+        />
+      )}
 
       <OAuthClientDetailsDialog
         open={Boolean(selectedClient)}
diff --git a/apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx b/apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx
deleted file mode 100644
index e027264b8df656..00000000000000
--- a/apps/web/modules/settings/oauth/AdminOAuthClientCreateFlow.tsx
+++ /dev/null
@@ -1,35 +0,0 @@
-"use client";
-
-import { useLocale } from "@calcom/lib/hooks/useLocale";
-
-import { OAuthClientPreviewDialog } from "./OAuthClientPreviewDialog";
-import { OAuthClientCreateDialog } from "./OAuthClientCreateModal";
-import type { OAuthClientCreateFlowProps } from "./OAuthClientCreateFlow";
-
-export function AdminOAuthClientCreateFlow(
-  {
-    createdClient,
-    ...rest
-  }: OAuthClientCreateFlowProps
-) {
-  const { t } = useLocale();
-
-  if (createdClient) {
-    return (
-      <OAuthClientPreviewDialog
-        open={rest.open}
-        onOpenChange={rest.onOpenChange}
-        title={t("oauth_client_created")}
-        description={t("oauth_client_created_description")}
-        client={createdClient}
-        onClose={rest.onClose}
-      />
-    );
-  }
-
-  return (
-    <OAuthClientCreateDialog
-      {...rest}
-    />
-  );
-}
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx b/apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx
deleted file mode 100644
index 83f1363530ff11..00000000000000
--- a/apps/web/modules/settings/oauth/OAuthClientCreateFlow.tsx
+++ /dev/null
@@ -1,45 +0,0 @@
-"use client";
-
-import { useLocale } from "@calcom/lib/hooks/useLocale";
-
-import { OAuthClientPreviewDialog } from "./OAuthClientPreviewDialog";
-import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
-import { OAuthClientCreateDialog, type OAuthClientCreateDialogProps } from "./OAuthClientCreateModal";
-
-export type OAuthClientCreateFlowProps = OAuthClientCreateDialogProps & {
-  createdClient: OAuthClientDetails | null;
-};
-
-export function OAuthClientCreateFlow({
-  open,
-  onOpenChange,
-  isSubmitting,
-  onSubmit,
-  createdClient,
-  onClose,
-}: OAuthClientCreateFlowProps) {
-  const { t } = useLocale();
-
-  if (createdClient) {
-    return (
-      <OAuthClientPreviewDialog
-        open={open}
-        onOpenChange={onOpenChange}
-        title={t("oauth_client_submitted")}
-        description={t("oauth_client_submitted_description")}
-        client={createdClient}
-        onClose={onClose}
-      />
-    );
-  }
-
-  return (
-    <OAuthClientCreateDialog
-      open={open}
-      onOpenChange={onOpenChange}
-      isSubmitting={isSubmitting}
-      onSubmit={onSubmit}
-      onClose={onClose}
-    />
-  );
-}
diff --git a/apps/web/modules/settings/oauth/OAuthClientsList.tsx b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
index ee723d73d69839..932266c0adac11 100644
--- a/apps/web/modules/settings/oauth/OAuthClientsList.tsx
+++ b/apps/web/modules/settings/oauth/OAuthClientsList.tsx
@@ -8,7 +8,7 @@ import { Avatar } from "@calcom/ui/components/avatar";
 import { Badge } from "@calcom/ui/components/badge";
 import { Icon } from "@calcom/ui/components/icon";
 
-import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+import type { OAuthClientDetails } from "./view/OAuthClientDetailsDialog";
 
 const getStatusBadge = (status: string, t: (key: string) => string): ReactNode => {
   switch (status) {
diff --git a/apps/web/modules/settings/oauth/NewOAuthClientButton.tsx b/apps/web/modules/settings/oauth/create/NewOAuthClientButton.tsx
similarity index 100%
rename from apps/web/modules/settings/oauth/NewOAuthClientButton.tsx
rename to apps/web/modules/settings/oauth/create/NewOAuthClientButton.tsx
diff --git a/apps/web/modules/settings/oauth/OAuthClientCreateModal.tsx b/apps/web/modules/settings/oauth/create/OAuthClientCreateModal.tsx
similarity index 97%
rename from apps/web/modules/settings/oauth/OAuthClientCreateModal.tsx
rename to apps/web/modules/settings/oauth/create/OAuthClientCreateModal.tsx
index 1c3dfe7568dfee..bc4627cbf8920f 100644
--- a/apps/web/modules/settings/oauth/OAuthClientCreateModal.tsx
+++ b/apps/web/modules/settings/oauth/create/OAuthClientCreateModal.tsx
@@ -6,7 +6,7 @@ import { useForm } from "react-hook-form";
 
 import { useLocale } from "@calcom/lib/hooks/useLocale";
 
-import { OAuthClientFormFields } from "./OAuthClientFormFields";
+import { OAuthClientFormFields } from "../view/OAuthClientFormFields";
 
 import { Dialog } from "@calcom/features/components/controlled-dialog";
 import { Button } from "@calcom/ui/components/button";
diff --git a/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx b/apps/web/modules/settings/oauth/create/OAuthClientPreviewDialog.tsx
similarity index 98%
rename from apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
rename to apps/web/modules/settings/oauth/create/OAuthClientPreviewDialog.tsx
index 1d695053ae5ac9..51b0a6e35fc109 100644
--- a/apps/web/modules/settings/oauth/OAuthClientPreviewDialog.tsx
+++ b/apps/web/modules/settings/oauth/create/OAuthClientPreviewDialog.tsx
@@ -12,7 +12,7 @@ import { DialogContent, DialogFooter } from "@calcom/ui/components/dialog";
 import { showToast } from "@calcom/ui/components/toast";
 import { Tooltip } from "@calcom/ui/components/tooltip";
 
-import type { OAuthClientDetails } from "./OAuthClientDetailsDialog";
+import type { OAuthClientDetails } from "../view/OAuthClientDetailsDialog";
 
 export function OAuthClientPreviewDialog({
   open,
diff --git a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/view/OAuthClientDetailsDialog.tsx
similarity index 99%
rename from apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
rename to apps/web/modules/settings/oauth/view/OAuthClientDetailsDialog.tsx
index 4fca2892d6b8b0..f6224633291b97 100644
--- a/apps/web/modules/settings/oauth/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/view/OAuthClientDetailsDialog.tsx
@@ -14,7 +14,7 @@ import { showToast } from "@calcom/ui/components/toast";
 import { Tooltip } from "@calcom/ui/components/tooltip";
 import { Label, TextArea } from "@calcom/ui/components/form";
 
-import type { OAuthClientCreateFormValues } from "./OAuthClientCreateModal";
+import type { OAuthClientCreateFormValues } from "../create/OAuthClientCreateModal";
 import { OAuthClientFormFields } from "./OAuthClientFormFields";
 
 export type OAuthClientDetails = {
diff --git a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx b/apps/web/modules/settings/oauth/view/OAuthClientFormFields.tsx
similarity index 98%
rename from apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
rename to apps/web/modules/settings/oauth/view/OAuthClientFormFields.tsx
index a67498235b0832..fdc1833272d579 100644
--- a/apps/web/modules/settings/oauth/OAuthClientFormFields.tsx
+++ b/apps/web/modules/settings/oauth/view/OAuthClientFormFields.tsx
@@ -12,7 +12,7 @@ import { Icon } from "@calcom/ui/components/icon";
 import { ImageUploader } from "@calcom/ui/components/image-uploader";
 import { Tooltip } from "@calcom/ui/components/tooltip";
 
-import type { OAuthClientCreateFormValues } from "./OAuthClientCreateModal";
+import type { OAuthClientCreateFormValues } from "../create/OAuthClientCreateModal";
 
 export const OAuthClientFormFields = ({
   form,

From df18f3c96fe1ccf63270431d83b31d8926f4a740 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 16:33:50 +0000
Subject: [PATCH 62/72] refactor: name

---
 .../settings/admin/oauth-clients-admin-view.tsx    | 14 +++++++-------
 .../settings/developer/oauth-clients-view.tsx      | 14 +++++++-------
 2 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
index 056d3863d840e8..427f63e251106c 100644
--- a/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
+++ b/apps/web/modules/settings/admin/oauth-clients-admin-view.tsx
@@ -20,7 +20,7 @@ import { NewOAuthClientButton } from "../oauth/create/NewOAuthClientButton";
 export default function OAuthClientsAdminView() {
   const { t } = useLocale();
   const utils = trpc.useUtils();
-  const [showCreateDialog, setShowCreateDialog] = useState(false);
+  const [isCreatingClient, setIsCreatingClient] = useState(false);
   const [createdClient, setCreatedClient] = useState<OAuthClientDetails | null>(null);
   const [selectedClient, setSelectedClient] = useState<OAuthClientDetails | null>(null);
 
@@ -89,7 +89,7 @@ export default function OAuthClientsAdminView() {
   };
 
   const handleCloseDialog = () => {
-    setShowCreateDialog(false);
+    setIsCreatingClient(false);
     setCreatedClient(null);
   };
 
@@ -112,7 +112,7 @@ export default function OAuthClientsAdminView() {
   const newOAuthClientButton = (
     <NewOAuthClientButton
       dataTestId="open-admin-oauth-client-create-dialog"
-      onClick={() => setShowCreateDialog(true)}
+      onClick={() => setIsCreatingClient(true)}
     />
   );
 
@@ -166,8 +166,8 @@ export default function OAuthClientsAdminView() {
 
       {createdClient ? (
         <OAuthClientPreviewDialog
-          open={showCreateDialog}
-          onOpenChange={setShowCreateDialog}
+          open={isCreatingClient}
+          onOpenChange={setIsCreatingClient}
           title={t("oauth_client_created")}
           description={t("oauth_client_created_description")}
           client={createdClient}
@@ -175,8 +175,8 @@ export default function OAuthClientsAdminView() {
         />
       ) : (
         <OAuthClientCreateDialog
-          open={showCreateDialog}
-          onOpenChange={setShowCreateDialog}
+          open={isCreatingClient}
+          onOpenChange={setIsCreatingClient}
           isSubmitting={createMutation.isPending}
           onSubmit={handleAddClient}
           onClose={handleCloseDialog}
diff --git a/apps/web/modules/settings/developer/oauth-clients-view.tsx b/apps/web/modules/settings/developer/oauth-clients-view.tsx
index 1f9b1c3381ab83..bf7a4694438045 100644
--- a/apps/web/modules/settings/developer/oauth-clients-view.tsx
+++ b/apps/web/modules/settings/developer/oauth-clients-view.tsx
@@ -19,7 +19,7 @@ import { OAuthClientsSkeleton } from "./oauth-clients-skeleton";
 const OAuthClientsView = () => {
   const { t } = useLocale();
   const utils = trpc.useUtils();
-  const [showDialog, setShowDialog] = useState(false);
+  const [isCreatingClient, setIsCreatingClient] = useState(false);
   const [submittedClient, setSubmittedClient] = useState<OAuthClientDetails | null>(null);
   const [selectedClient, setSelectedClient] = useState<OAuthClientDetails | null>(null);
 
@@ -92,7 +92,7 @@ const OAuthClientsView = () => {
   };
 
   const handleCloseCreateDialog = () => {
-    setShowDialog(false);
+    setIsCreatingClient(false);
     setSubmittedClient(null);
   };
 
@@ -105,7 +105,7 @@ const OAuthClientsView = () => {
   }
 
   const newOAuthClientButton = (
-    <NewOAuthClientButton dataTestId="open-oauth-client-create-dialog" onClick={() => setShowDialog(true)} />
+    <NewOAuthClientButton dataTestId="open-oauth-client-create-dialog" onClick={() => setIsCreatingClient(true)} />
   );
 
   return (
@@ -139,8 +139,8 @@ const OAuthClientsView = () => {
 
       {submittedClient ? (
         <OAuthClientPreviewDialog
-          open={showDialog}
-          onOpenChange={setShowDialog}
+          open={isCreatingClient}
+          onOpenChange={setIsCreatingClient}
           title={t("oauth_client_submitted")}
           description={t("oauth_client_submitted_description")}
           client={submittedClient}
@@ -148,8 +148,8 @@ const OAuthClientsView = () => {
         />
       ) : (
         <OAuthClientCreateDialog
-          open={showDialog}
-          onOpenChange={setShowDialog}
+          open={isCreatingClient}
+          onOpenChange={setIsCreatingClient}
           isSubmitting={submitForReviewMutation.isPending}
           onSubmit={handleSubmit}
           onClose={handleCloseCreateDialog}

From ec1953403452d692320018401b57452d2f898b83 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Wed, 14 Jan 2026 16:48:15 +0000
Subject: [PATCH 63/72] dont require repproval if redirectUri changes

---
 .../viewer/oAuth/updateClient.handler.test.ts | 56 +++++++++++++++++++
 .../viewer/oAuth/updateClient.handler.ts      | 13 +++--
 2 files changed, 65 insertions(+), 4 deletions(-)

diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
index e23862b603570b..07b45fd31759fc 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
@@ -429,4 +429,60 @@ describe("updateClientHandler", () => {
     expect(mocks.sendOAuthClientApprovedNotification).not.toHaveBeenCalled();
     expect(mocks.sendOAuthClientRejectedNotification).not.toHaveBeenCalled();
   });
+
+  it("does not set status to PENDING when an owner updates redirectUri", async () => {
+    mocks.findByClientIdIncludeUser.mockResolvedValue({
+      clientId: CLIENT_ID,
+      userId: OWNER_USER_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      redirectUri: REDIRECT_URI,
+      websiteUrl: null,
+      logo: null,
+      status: "APPROVED",
+      user: null,
+    });
+
+    const updatedRedirectUri = "https://example.com/new-callback";
+
+    const prismaUpdate = vi.fn().mockResolvedValue({
+      clientId: CLIENT_ID,
+      name: CLIENT_NAME,
+      purpose: CLIENT_PURPOSE,
+      status: "APPROVED",
+      redirectUri: updatedRedirectUri,
+      websiteUrl: null,
+      logo: null,
+      rejectionReason: null,
+    });
+
+    const ctx = {
+      user: {
+        id: OWNER_USER_ID,
+        role: UserPermissionRole.USER,
+      },
+      prisma: {
+        oAuthClient: {
+          update: prismaUpdate,
+        },
+      } as unknown as PrismaClient,
+    };
+
+    await updateClientHandler({
+      ctx,
+      input: {
+        clientId: CLIENT_ID,
+        redirectUri: updatedRedirectUri,
+      },
+    });
+
+    expect(prismaUpdate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        where: { clientId: CLIENT_ID },
+        data: {
+          redirectUri: updatedRedirectUri,
+        },
+      })
+    );
+  });
 });
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
index 43bc001ebcc232..5717d3abe51194 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
@@ -178,18 +178,23 @@ function triggersReapprovalForOwnerEdit(params: {
   if (isAdmin) return false;
   if (!isOwner) return false;
 
-  if (proposedUpdates.name !== undefined && proposedUpdates.name !== currentClient.name) return true;
+  if (proposedUpdates.name !== undefined && proposedUpdates.name !== currentClient.name) {
+    return true;
+  }
+
   if (
     proposedUpdates.logo !== undefined &&
     toNullableString(proposedUpdates.logo) !== toNullableString(currentClient.logo)
-  )
+  ) {
     return true;
+  }
+  
   if (
     proposedUpdates.websiteUrl !== undefined &&
     toNullableString(proposedUpdates.websiteUrl) !== toNullableString(currentClient.websiteUrl)
-  )
+  ) {
     return true;
-  if (proposedUpdates.redirectUri !== undefined && proposedUpdates.redirectUri !== currentClient.redirectUri) return true;
+  }
 
   return false;
 }

From 6cc78d4be4e59078b275e847419fc358ac70663b Mon Sep 17 00:00:00 2001
From: Lauris Skraucis <lauris.skraucis@gmail.com>
Date: Thu, 15 Jan 2026 15:49:44 +0000
Subject: [PATCH 64/72] fix: remove integration sync index creation

---
 .../20260114154054_add_oauth_client_properties/migration.sql   | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/packages/prisma/migrations/20260114154054_add_oauth_client_properties/migration.sql b/packages/prisma/migrations/20260114154054_add_oauth_client_properties/migration.sql
index 4607d82e6a8d66..20d0dd409a17e3 100644
--- a/packages/prisma/migrations/20260114154054_add_oauth_client_properties/migration.sql
+++ b/packages/prisma/migrations/20260114154054_add_oauth_client_properties/migration.sql
@@ -9,9 +9,6 @@ ADD COLUMN     "status" "public"."OAuthClientStatus" NOT NULL DEFAULT 'approved'
 ADD COLUMN     "userId" INTEGER,
 ADD COLUMN     "websiteUrl" TEXT;
 
--- CreateIndex
-CREATE INDEX "IntegrationAttributeSync_credentialId_idx" ON "public"."IntegrationAttributeSync"("credentialId");
-
 -- CreateIndex
 CREATE INDEX "OAuthClient_userId_idx" ON "public"."OAuthClient"("userId");
 

From a5c38beb2bd660ae09c29d505840ce07d8c37aa5 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 15 Jan 2026 16:30:16 +0000
Subject: [PATCH 65/72] refactor: require re-approval if redirectUri updated

---
 .../oauth/view/OAuthClientDetailsDialog.tsx   | 13 ++-
 .../oauth/oauth-client-owner-crud.e2e.ts      | 91 ++++++++++++++++++-
 .../viewer/oAuth/updateClient.handler.test.ts |  6 +-
 .../viewer/oAuth/updateClient.handler.ts      |  8 +-
 4 files changed, 109 insertions(+), 9 deletions(-)

diff --git a/apps/web/modules/settings/oauth/view/OAuthClientDetailsDialog.tsx b/apps/web/modules/settings/oauth/view/OAuthClientDetailsDialog.tsx
index f6224633291b97..941c0800dbe7da 100644
--- a/apps/web/modules/settings/oauth/view/OAuthClientDetailsDialog.tsx
+++ b/apps/web/modules/settings/oauth/view/OAuthClientDetailsDialog.tsx
@@ -17,7 +17,7 @@ import { Label, TextArea } from "@calcom/ui/components/form";
 import type { OAuthClientCreateFormValues } from "../create/OAuthClientCreateModal";
 import { OAuthClientFormFields } from "./OAuthClientFormFields";
 
-export type OAuthClientDetails = {
+type OAuthClientDetails = {
   clientId: string;
   name: string;
   purpose?: string | null;
@@ -31,7 +31,7 @@ export type OAuthClientDetails = {
   clientType?: string;
 };
 
-export const OAuthClientDetailsDialog = ({
+const OAuthClientDetailsDialog = ({
   open,
   onOpenChange,
   client,
@@ -213,7 +213,7 @@ export const OAuthClientDetailsDialog = ({
             })}>
             {status ? (
               <div className="flex items-center justify-start">
-                <Badge variant={getStatusBadgeVariant(status).variant}>
+                <Badge data-testid="oauth-client-details-status-badge" variant={getStatusBadgeVariant(status).variant}>
                   {t(getStatusBadgeVariant(status).labelKey)}
                 </Badge>
               </div>
@@ -343,7 +343,7 @@ export const OAuthClientDetailsDialog = ({
   );
 };
 
-function getStatusBadgeVariant (status: string) {
+function getStatusBadgeVariant(status: string) {
   switch (status) {
     case "APPROVED":
       return { variant: "success" as const, labelKey: "approved" as const };
@@ -353,4 +353,7 @@ function getStatusBadgeVariant (status: string) {
     default:
       return { variant: "orange" as const, labelKey: "pending" as const };
   }
-};
\ No newline at end of file
+};
+
+export type { OAuthClientDetails };
+export { OAuthClientDetailsDialog };
\ No newline at end of file
diff --git a/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
index 989468844261aa..5b0b72c7aa8b15 100644
--- a/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
+++ b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
@@ -49,6 +49,7 @@ type ExpectedOAuthClientDetails = {
   purpose: string;
   redirectUri: string;
   websiteUrl: string;
+  statusLabel: "Approved" | "Rejected" | "Pending";
   pkceEnabled: boolean;
   hasLogo: boolean;
 };
@@ -231,6 +232,7 @@ async function expectOAuthClientInDb(
 }
 
 async function expectOAuthClientDetails(details: Locator, expected: ExpectedOAuthClientDetails): Promise<void> {
+  await expect(details.getByTestId("oauth-client-details-status-badge")).toHaveText(expected.statusLabel);
   await expect(details.getByTestId("oauth-client-details-client-id")).toHaveText(expected.clientId);
   await expect(getOAuthClientDetailsNameInput(details)).toHaveValue(expected.name);
   await expect(getOAuthClientDetailsPurposeInput(details)).toHaveValue(expected.purpose);
@@ -247,7 +249,6 @@ async function expectOAuthClientInList(page: Page, input: { clientId: string; na
   const row = getOAuthClientListItem(page, input.clientId);
   await expect(row).toBeVisible();
   await expect(row.getByText(input.name)).toBeVisible();
-  await expect(row.getByText("Pending")).toBeVisible();
 }
 
 async function goToOAuthSettings(page: Page): Promise<void> {
@@ -337,6 +338,7 @@ test.describe("OAuth client creation", () => {
       purpose,
       redirectUri,
       websiteUrl: "",
+      statusLabel: "Pending",
       pkceEnabled: false,
       hasLogo: false,
     });
@@ -373,6 +375,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: false,
       hasLogo: true,
     });
@@ -386,6 +389,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: false,
       hasLogo: true,
     });
@@ -407,6 +411,85 @@ test.describe("OAuth client creation", () => {
     await expectOAuthClientDeletedInDb(prisma, clientId);
   });
 
+  test("editing redirect uri of an approved client triggers reapproval (status becomes PENDING)", async ({ page, prisma, users }, testInfo) => {
+    const testPrefix = `e2e-oauth-client-creation-${testInfo.testId}-`;
+
+    const user = await users.create();
+    await user.apiLogin("/settings/developer/oauth");
+
+    const clientName = `${testPrefix}approved-client-${Date.now()}`;
+    const clientId = `${testPrefix.replaceAll("-", "")}approved${Date.now()}`;
+
+    const initialRedirectUri = "https://example.com/approved-callback";
+
+    await prisma.oAuthClient.create({
+      data: {
+        clientId,
+        name: clientName,
+        purpose: "Approved client for redirectUri reapproval test",
+        redirectUri: initialRedirectUri,
+        websiteUrl: null,
+        logo: null,
+        clientType: "PUBLIC",
+        clientSecret: null,
+        status: "APPROVED",
+        userId: user.id,
+      },
+    });
+
+    await page.reload();
+
+    const detailsBeforeUpdate = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(detailsBeforeUpdate, {
+      clientId,
+      name: clientName,
+      purpose: "Approved client for redirectUri reapproval test",
+      redirectUri: initialRedirectUri,
+      websiteUrl: "",
+      statusLabel: "Approved",
+      pkceEnabled: true,
+      hasLogo: false,
+    });
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      status: "APPROVED",
+      redirectUri: initialRedirectUri,
+      clientType: "PUBLIC",
+      clientSecret: null,
+    });
+
+    const updatedRedirectUri = `https://example.com/approved-updated-${Date.now()}`;
+
+    await getOAuthClientDetailsRedirectUriInput(detailsBeforeUpdate).fill(updatedRedirectUri);
+
+    const updateResponsePromise = page.waitForResponse((res) => res.url().includes("/api/trpc/oAuth/updateClient"));
+    await page.getByTestId("oauth-client-details-save").click();
+    const updateResponse = await updateResponsePromise;
+    expect(updateResponse.ok()).toBe(true);
+
+    await closeOAuthClientDetails(page);
+
+    const detailsAfterUpdate = await openOAuthClientDetails(page, clientId);
+    await expectOAuthClientDetails(detailsAfterUpdate, {
+      clientId,
+      name: clientName,
+      purpose: "Approved client for redirectUri reapproval test",
+      redirectUri: updatedRedirectUri,
+      websiteUrl: "",
+      statusLabel: "Pending",
+      pkceEnabled: true,
+      hasLogo: false,
+    });
+    await closeOAuthClientDetails(page);
+
+    await expectOAuthClientInDb(prisma, clientId, {
+      status: "PENDING",
+      redirectUri: updatedRedirectUri,
+      clientType: "PUBLIC",
+      clientSecret: null,
+    });
+  });
+
   test("creates a private (confidential) OAuth client; submitted modal shows id+secret; list/details/DB reflect values", async ({ page, prisma }, testInfo) => {
     await loginAsSeededAdminAndGoToOAuthSettings(page);
 
@@ -435,6 +518,7 @@ test.describe("OAuth client creation", () => {
       purpose,
       redirectUri,
       websiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: false,
       hasLogo: true,
     });
@@ -471,6 +555,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: false,
       hasLogo: true,
     });
@@ -484,6 +569,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: false,
       hasLogo: true,
     });
@@ -531,6 +617,7 @@ test.describe("OAuth client creation", () => {
       purpose,
       redirectUri,
       websiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: true,
       hasLogo: false,
     });
@@ -567,6 +654,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: true,
       hasLogo: true,
     });
@@ -580,6 +668,7 @@ test.describe("OAuth client creation", () => {
       purpose: editedPurpose,
       redirectUri: editedRedirectUri,
       websiteUrl: editedWebsiteUrl,
+      statusLabel: "Pending",
       pkceEnabled: true,
       hasLogo: true,
     });
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
index 07b45fd31759fc..8b34f12ebad248 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.test.ts
@@ -430,7 +430,7 @@ describe("updateClientHandler", () => {
     expect(mocks.sendOAuthClientRejectedNotification).not.toHaveBeenCalled();
   });
 
-  it("does not set status to PENDING when an owner updates redirectUri", async () => {
+  it("sets status to PENDING when an owner updates redirectUri (reapproval flow)", async () => {
     mocks.findByClientIdIncludeUser.mockResolvedValue({
       clientId: CLIENT_ID,
       userId: OWNER_USER_ID,
@@ -449,7 +449,7 @@ describe("updateClientHandler", () => {
       clientId: CLIENT_ID,
       name: CLIENT_NAME,
       purpose: CLIENT_PURPOSE,
-      status: "APPROVED",
+      status: "PENDING",
       redirectUri: updatedRedirectUri,
       websiteUrl: null,
       logo: null,
@@ -481,6 +481,8 @@ describe("updateClientHandler", () => {
         where: { clientId: CLIENT_ID },
         data: {
           redirectUri: updatedRedirectUri,
+          status: "PENDING",
+          rejectionReason: null,
         },
       })
     );
diff --git a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
index 5717d3abe51194..759a74aef8ef3b 100644
--- a/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/updateClient.handler.ts
@@ -31,7 +31,7 @@ type UpdateClientOutput = {
   rejectionReason: string | null;
 };
 
-export const updateClientHandler = async ({
+const updateClientHandler = async ({
   ctx,
   input,
 }: UpdateClientOptions): Promise<UpdateClientOutput> => {
@@ -196,6 +196,10 @@ function triggersReapprovalForOwnerEdit(params: {
     return true;
   }
 
+  if (proposedUpdates.redirectUri !== undefined && proposedUpdates.redirectUri !== currentClient.redirectUri) {
+    return true;
+  }
+
   return false;
 }
 
@@ -302,3 +306,5 @@ function buildUpdateClientUpdateData(params: {
 
   return updateData;
 }
+
+export { updateClientHandler };

From 154eee10b68485dad2508e77010d9c6a44805ba1 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 15 Jan 2026 16:37:24 +0000
Subject: [PATCH 66/72] fix: flaky e2e test

---
 apps/web/playwright/oauth/oauth-client-helpers.ts        | 2 +-
 apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/web/playwright/oauth/oauth-client-helpers.ts b/apps/web/playwright/oauth/oauth-client-helpers.ts
index 12298acd164e9b..a356dbcebcde61 100644
--- a/apps/web/playwright/oauth/oauth-client-helpers.ts
+++ b/apps/web/playwright/oauth/oauth-client-helpers.ts
@@ -37,7 +37,7 @@ type CreateOAuthClientResult = {
 export async function createPendingOAuthClient(page: Page, input: CreateOAuthClientInput): Promise<CreateOAuthClientResult> {
   await goToDeveloperOAuthSettings(page);
 
-  await page.getByTestId("open-oauth-client-create-dialog").click();
+  await page.locator("header").getByTestId("open-oauth-client-create-dialog").click();
 
   const form = page.getByTestId("oauth-client-create-form");
   await form.locator("#name").fill(input.name);
diff --git a/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
index 5b0b72c7aa8b15..3675ef06e7f50b 100644
--- a/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
+++ b/apps/web/playwright/oauth/oauth-client-owner-crud.e2e.ts
@@ -83,7 +83,7 @@ const oAuthClientSelect = {
 async function createOAuthClient(page: Page, input: CreateOAuthClientInput): Promise<CreateOAuthClientResult> {
   await goToOAuthSettings(page);
 
-  await page.getByTestId("open-oauth-client-create-dialog").click();
+  await page.locator("header").getByTestId("open-oauth-client-create-dialog").click();
 
   const form = getOAuthClientCreateForm(page);
   await getOAuthClientCreateNameInput(form).fill(input.name);
@@ -287,7 +287,7 @@ test.describe("OAuth client creation", () => {
   test("cannot be created without required fields (name, purpose, redirect uri)", async ({ page }) => {
     await loginAsSeededAdminAndGoToOAuthSettings(page);
 
-    await page.getByTestId("open-oauth-client-create-dialog").click();
+    await page.locator("header").getByTestId("open-oauth-client-create-dialog").click();
 
     const form = page.getByTestId("oauth-client-create-form");
     await expect(form).toBeVisible();

From 83eccde84d1898a763634efbf8629ef228987e47 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Thu, 15 Jan 2026 17:07:06 +0000
Subject: [PATCH 67/72] fix: flaky e2e test

---
 .../oauth/oauth-client-admin.e2e.ts           | 42 +++++++++++++++----
 1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/apps/web/playwright/oauth/oauth-client-admin.e2e.ts b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
index 235f3527068dee..38c98aaa45732c 100644
--- a/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
+++ b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
@@ -29,15 +29,37 @@ async function expectClientStatusInDb(
     .toBe(status);
 }
 
-async function expectClientInAdminSection(page: Page, sectionTestId: string, clientId: string): Promise<void> {
+async function waitForAdminSection(page: Page, sectionTestId: string) {
+  await expect
+    .poll(
+      async () => {
+        return await page.getByTestId(sectionTestId).count();
+      },
+      { timeout: 30_000 }
+    )
+    .toBe(1);
+
   const section = page.getByTestId(sectionTestId);
   await expect(section).toBeVisible();
+  return section;
+}
+
+async function expectClientInAdminSection(page: Page, sectionTestId: string, clientId: string): Promise<void> {
+  const section = await waitForAdminSection(page, sectionTestId);
+
+  await expect
+    .poll(
+      async () => {
+        return await section.getByTestId(`oauth-client-list-item-${clientId}`).count();
+      },
+      { timeout: 30_000 }
+    )
+    .toBe(1);
   await expect(section.getByTestId(`oauth-client-list-item-${clientId}`)).toBeVisible();
 }
 
 async function expectClientNotInAdminSection(page: Page, sectionTestId: string, clientId: string): Promise<void> {
-  const section = page.getByTestId(sectionTestId);
-  await expect(section).toBeVisible();
+  const section = await waitForAdminSection(page, sectionTestId);
   await expect(section.getByTestId(`oauth-client-list-item-${clientId}`)).toHaveCount(0);
 }
 
@@ -117,14 +139,20 @@ test.describe("OAuth clients admin", () => {
 
     await expectClientStatusInDb(prisma, toBeRejected.clientId, "REJECTED");
 
-    const rejectedDetails = await openOAuthClientDetailsFromList(page, toBeRejected.clientId);
+    await expectClientNotInAdminSection(page, "oauth-client-admin-pending-section", toBeRejected.clientId);
+    await expectClientInAdminSection(page, "oauth-client-admin-rejected-section", toBeRejected.clientId);
+
+    await page
+      .getByTestId("oauth-client-admin-rejected-section")
+      .getByTestId(`oauth-client-list-item-${toBeRejected.clientId}`)
+      .click();
+
+    const rejectedDetails = page.getByTestId("oauth-client-details-form");
+    await expect(rejectedDetails).toBeVisible();
     await expect(rejectedDetails.getByTestId("oauth-client-details-rejection-reason-display")).toContainText(
       rejectionReason
     );
     await closeOAuthClientDetails(page);
-
-    await expectClientNotInAdminSection(page, "oauth-client-admin-pending-section", toBeRejected.clientId);
-    await expectClientInAdminSection(page, "oauth-client-admin-rejected-section", toBeRejected.clientId);
     await expectClientInAdminSection(page, "oauth-client-admin-pending-section", staysPending.clientId);
 
     // Reload to ensure list queries show consistent counts

From b2888f4f5ad1e20696bcc129b4ea3b5d45d290e2 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Fri, 16 Jan 2026 09:21:29 +0000
Subject: [PATCH 68/72] fix: flaky e2e test

---
 apps/web/playwright/oauth/oauth-client-admin.e2e.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/web/playwright/oauth/oauth-client-admin.e2e.ts b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
index 38c98aaa45732c..57bbc38b685305 100644
--- a/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
+++ b/apps/web/playwright/oauth/oauth-client-admin.e2e.ts
@@ -8,7 +8,6 @@ import {
   createApprovedOAuthClientAsAdmin,
   createPendingOAuthClient,
   goToAdminOAuthSettings,
-  loginAsSeededAdmin,
   openOAuthClientDetailsFromList,
 } from "./oauth-client-helpers";
 
@@ -80,8 +79,9 @@ test.describe("OAuth clients admin", () => {
     await users.deleteAll();
   });
 
-  test("can manage pending/approved/rejected clients and can create approved clients as admin", async ({ page, prisma }, testInfo) => {
-    await loginAsSeededAdmin(page);
+  test("can manage pending/approved/rejected clients and can create approved clients as admin", async ({ page, prisma, users }, testInfo) => {
+    const adminUser = await users.create({ role: "ADMIN" });
+    await adminUser.apiLogin();
 
     const testPrefix = `e2e-oauth-client-admin-${testInfo.testId}-`;
 

From ce0fb75f964e8b137919072c2b9a461aef42e51f Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Fri, 16 Jan 2026 14:39:07 +0000
Subject: [PATCH 69/72] fix: remove duplicate common.json keys

---
 apps/web/public/static/locales/en/common.json | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/apps/web/public/static/locales/en/common.json b/apps/web/public/static/locales/en/common.json
index 0d439ddf6ca6b2..80023c90a41ba6 100644
--- a/apps/web/public/static/locales/en/common.json
+++ b/apps/web/public/static/locales/en/common.json
@@ -1089,7 +1089,6 @@
   "approve": "Approve",
   "approved": "Approved",
   "rejected": "Rejected",
-  "pending": "Pending",
   "hi_user": "Hi {{name}}",
   "admin_oauth_notification_email_subject": "New OAuth Client Submission: {{clientName}}",
   "admin_oauth_notification_email_title": "New OAuth Client: {{clientName}}",
@@ -1158,7 +1157,6 @@
   "copy_times_to": "Copy times to",
   "copy_times_to_tooltip": "Copy times to …",
   "change_weekly_schedule": "Change your weekly schedule",
-  "logo": "Logo",
   "error": "Error",
   "at_least_characters_one": "Please enter at least one character",
   "at_least_characters_other": "Please enter at least {{count}} characters",
@@ -3683,7 +3681,6 @@
   "invalid_link": "Invalid link",
   "currently_subscribed_to_plan": "You are currently subscribed to {{planFirstLetter}}{{planRest}} plan",
   "user_team": "User/Team",
-  "client_id_copied": "Client ID copied!",
   "client_secret_copied": "Client secret copied!",
   "maintenance_message": "The Cal.com team are performing scheduled maintenance. If you have any questions, please contact support.",
   "your_payment_failed": "Your payment failed",

From 4a80d675c59d17011655f5bcee3dd21b06a4c1d7 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Fri, 16 Jan 2026 14:53:49 +0000
Subject: [PATCH 70/72] refactor: replace team@cal.com with
 SUPPORT_MAIL_ADDRESS

---
 .../emails/templates/admin-oauth-client-notification.test.ts  | 3 ++-
 packages/emails/templates/admin-oauth-client-notification.ts  | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/packages/emails/templates/admin-oauth-client-notification.test.ts b/packages/emails/templates/admin-oauth-client-notification.test.ts
index 5ea94d07f0e377..d547c93b607a7c 100644
--- a/packages/emails/templates/admin-oauth-client-notification.test.ts
+++ b/packages/emails/templates/admin-oauth-client-notification.test.ts
@@ -1,6 +1,7 @@
 import { describe, expect, it } from "vitest";
 
 import type { TFunction } from "i18next";
+import { SUPPORT_MAIL_ADDRESS } from "@calcom/lib/constants";
 
 import AdminOAuthClientNotification from "./admin-oauth-client-notification";
 
@@ -56,7 +57,7 @@ describe("AdminOAuthClientNotification", () => {
 
     expect(payload).toEqual(
       expect.objectContaining({
-        to: "team@cal.com",
+        to: SUPPORT_MAIL_ADDRESS,
         subject: `New OAuth Client: ${input.clientName}`,
       })
     );
diff --git a/packages/emails/templates/admin-oauth-client-notification.ts b/packages/emails/templates/admin-oauth-client-notification.ts
index 81ac94f41eecf8..ec28a97518c9e6 100644
--- a/packages/emails/templates/admin-oauth-client-notification.ts
+++ b/packages/emails/templates/admin-oauth-client-notification.ts
@@ -1,6 +1,6 @@
 import type { TFunction } from "i18next";
 
-import { EMAIL_FROM_NAME } from "@calcom/lib/constants";
+import { EMAIL_FROM_NAME, SUPPORT_MAIL_ADDRESS } from "@calcom/lib/constants";
 
 import renderEmail from "../src/renderEmail";
 import BaseEmail from "./_base-email";
@@ -27,7 +27,7 @@ export default class AdminOAuthClientNotification extends BaseEmail {
   protected async getNodeMailerPayload(): Promise<Record<string, unknown>> {
     return {
       from: `${EMAIL_FROM_NAME} <${this.getMailerOptions().from}>`,
-      to: "team@cal.com",
+      to: SUPPORT_MAIL_ADDRESS,
       subject: `${this.input.t("admin_oauth_notification_email_subject", { clientName: this.input.clientName })}`,
       html: await renderEmail("AdminOAuthClientNotificationEmail", {
         clientName: this.input.clientName,

From 1e5854b6b8f619dcf60f8f0b7b163acc8f93c3d2 Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Fri, 16 Jan 2026 15:21:30 +0000
Subject: [PATCH 71/72] refactor: generate client secret on handler level

---
 .../oauth/repositories/OAuthClientRepository.ts | 17 +++++------------
 .../viewer/oAuth/createClient.handler.ts        | 13 +++++++++++--
 .../oAuth/submitClientForReview.handler.ts      | 13 +++++++++++--
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index eb02d17cd194df..7ed00ddcb8ace0 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -1,6 +1,6 @@
 import { randomBytes } from "node:crypto";
 
-import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
+
 import type { PrismaClient } from "@calcom/prisma";
 import type { OAuthClientStatus } from "@calcom/prisma/enums";
 
@@ -152,24 +152,17 @@ export class OAuthClientRepository {
     name: string;
     purpose: string;
     redirectUri: string;
+    clientSecret?: string;
     logo?: string;
     websiteUrl?: string;
     enablePkce?: boolean;
     userId?: number;
     status: OAuthClientStatus;
   }) {
-    const { name, purpose, redirectUri, logo, websiteUrl, enablePkce, userId, status } = data;
+    const { name, purpose, redirectUri, clientSecret, logo, websiteUrl, enablePkce, userId, status } = data;
 
     const clientId = randomBytes(32).toString("hex");
 
-    let clientSecret: string | undefined;
-    let hashedSecret: string | undefined;
-    if (!enablePkce) {
-      const [hashed, plain] = generateSecret();
-      hashedSecret = hashed;
-      clientSecret = plain;
-    }
-
     const client = await this.prisma.oAuthClient.create({
       data: {
         name,
@@ -180,7 +173,7 @@ export class OAuthClientRepository {
         logo,
         websiteUrl,
         status,
-        clientSecret: hashedSecret,
+        clientSecret,
         ...(userId && {
           user: {
             connect: { id: userId },
@@ -196,7 +189,7 @@ export class OAuthClientRepository {
       redirectUri: client.redirectUri,
       logo: client.logo,
       clientType: client.clientType,
-      clientSecret,
+      clientSecret: client.clientSecret,
       isPkceEnabled: enablePkce,
       status: client.status,
     };
diff --git a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
index eb1fe551ba901f..c61550c18d00d0 100644
--- a/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/createClient.handler.ts
@@ -1,6 +1,6 @@
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
 import type { PrismaClient } from "@calcom/prisma";
-
+import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
 import type { TCreateClientInputSchema } from "./createClient.schema";
 
 type AddClientOptions = {
@@ -15,10 +15,19 @@ export const createClientHandler = async ({ ctx, input }: AddClientOptions) => {
 
   const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
+  let plainSecret: string | undefined;
+  let hashedSecret: string | undefined;
+  if (!enablePkce) {
+    const [hashed, plain] = generateSecret();
+    hashedSecret = hashed;
+    plainSecret = plain;
+  }
+
   const client = await oAuthClientRepository.create({
     name,
     purpose,
     redirectUri,
+    clientSecret: hashedSecret,
     logo,
     websiteUrl,
     enablePkce,
@@ -32,7 +41,7 @@ export const createClientHandler = async ({ ctx, input }: AddClientOptions) => {
     redirectUri: client.redirectUri,
     logo: client.logo,
     clientType: client.clientType,
-    clientSecret: client.clientSecret,
+    clientSecret: plainSecret,
     isPkceEnabled: enablePkce,
     status: client.status,
   };
diff --git a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
index e99c28277e1f99..e370f52701efd6 100644
--- a/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
+++ b/packages/trpc/server/routers/viewer/oAuth/submitClientForReview.handler.ts
@@ -1,7 +1,7 @@
 import { sendAdminOAuthClientNotification } from "@calcom/emails/oauth-email-service";
 import { getTranslation } from "@calcom/lib/server/i18n";
 import { OAuthClientRepository } from "@calcom/features/oauth/repositories/OAuthClientRepository";
-
+import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
 import type { PrismaClient } from "@calcom/prisma";
 
 import type { TSubmitClientInputSchema } from "./submitClientForReview.schema";
@@ -24,10 +24,19 @@ export const submitClientForReviewHandler = async ({ ctx, input }: SubmitClientO
 
   const oAuthClientRepository = new OAuthClientRepository(ctx.prisma);
 
+  let plainSecret: string | undefined;
+  let hashedSecret: string | undefined;
+  if (!enablePkce) {
+    const [hashed, plain] = generateSecret();
+    hashedSecret = hashed;
+    plainSecret = plain;
+  }
+
   const client = await oAuthClientRepository.create({
     name,
     purpose,
     redirectUri,
+    clientSecret: hashedSecret,
     logo,
     websiteUrl,
     enablePkce,
@@ -50,7 +59,7 @@ export const submitClientForReviewHandler = async ({ ctx, input }: SubmitClientO
     clientId: client.clientId,
     name: client.name,
     purpose: client.purpose,
-    clientSecret: client.clientSecret,
+    clientSecret: plainSecret,
     redirectUri: client.redirectUri,
     logo: client.logo,
     clientType: client.clientType,

From e8b809d0a5fe205c2b6a628b595aabfde67e6fdc Mon Sep 17 00:00:00 2001
From: supalarry <laurisskraucis@gmail.com>
Date: Fri, 16 Jan 2026 16:55:23 +0000
Subject: [PATCH 72/72] fix: authorization code only available to approved
 clients

---
 .../auth/oauth/token/__tests__/route.test.ts  |   4 +
 .../oauth-authorize-approval-status.e2e.ts    | 140 ++++++++++++++++++
 .../repositories/OAuthClientRepository.ts     |   1 +
 .../features/oauth/services/OAuthService.ts   |  16 +-
 4 files changed, 159 insertions(+), 2 deletions(-)
 create mode 100644 apps/web/playwright/oauth/oauth-authorize-approval-status.e2e.ts

diff --git a/apps/web/app/api/auth/oauth/token/__tests__/route.test.ts b/apps/web/app/api/auth/oauth/token/__tests__/route.test.ts
index 3edd45fff184b8..11b6c220923f26 100644
--- a/apps/web/app/api/auth/oauth/token/__tests__/route.test.ts
+++ b/apps/web/app/api/auth/oauth/token/__tests__/route.test.ts
@@ -149,6 +149,7 @@ describe("POST /api/auth/oauth/token", () => {
       redirectUri: "https://app.example.com/callback",
       clientSecret: null,
       clientType: "PUBLIC" as const,
+      status: "APPROVED" as const,
     } as const;
 
     const mockAccessCode = {
@@ -279,6 +280,7 @@ describe("POST /api/auth/oauth/token", () => {
       redirectUri: "https://app.example.com/callback",
       clientSecret: "hashed_secret",
       clientType: "CONFIDENTIAL" as const,
+      status: "APPROVED" as const,
     } as const;
 
     const mockAccessCode = {
@@ -494,6 +496,7 @@ describe("POST /api/auth/oauth/token", () => {
         redirectUri: "https://app.example.com/callback",
         clientSecret: null,
         clientType: "PUBLIC" as const,
+        status: "APPROVED" as const,
       } as Awaited<ReturnType<typeof prismaMock.oAuthClient.findUnique>>);
 
       const tokenRequest = createTokenRequest({
@@ -517,6 +520,7 @@ describe("POST /api/auth/oauth/token", () => {
         redirectUri: "https://app.example.com/callback",
         clientSecret: null,
         clientType: "PUBLIC" as const,
+        status: "APPROVED" as const,
       } as Awaited<ReturnType<typeof prismaMock.oAuthClient.findUnique>>);
       prismaMock.accessCode.findFirst.mockResolvedValue(null);
 
diff --git a/apps/web/playwright/oauth/oauth-authorize-approval-status.e2e.ts b/apps/web/playwright/oauth/oauth-authorize-approval-status.e2e.ts
new file mode 100644
index 00000000000000..bdbc408097f0ae
--- /dev/null
+++ b/apps/web/playwright/oauth/oauth-authorize-approval-status.e2e.ts
@@ -0,0 +1,140 @@
+import { expect } from "@playwright/test";
+import { randomBytes } from "node:crypto";
+
+import { OAUTH_ERROR_REASONS } from "@calcom/features/oauth/services/OAuthService";
+import type { PrismaClient } from "@calcom/prisma";
+
+import { test } from "../lib/fixtures";
+
+test.describe("OAuth authorize - client approval status", () => {
+  test.afterEach(async ({ prisma, users }, testInfo) => {
+    const testPrefix = `e2e-oauth-authorize-status-${testInfo.testId}-`;
+
+    await prisma.oAuthClient.deleteMany({
+      where: {
+        name: {
+          startsWith: testPrefix,
+        },
+      },
+    });
+
+    await users.deleteAll();
+  });
+
+  async function createOAuthClient({
+    prisma,
+    name,
+    status,
+  }: {
+    prisma: PrismaClient;
+    name: string;
+    status: "PENDING" | "APPROVED" | "REJECTED";
+  }) {
+    const clientId = randomBytes(32).toString("hex");
+
+    const client = await prisma.oAuthClient.create({
+      data: {
+        clientId,
+        name,
+        redirectUri: "https://example.com",
+        clientSecret: null,
+        clientType: "CONFIDENTIAL",
+        status,
+      },
+    });
+
+    return client;
+  }
+
+  test("PENDING client redirects to redirectUri with unauthorized_client error", async ({ page, users, prisma }, testInfo) => {
+    const user = await users.create({ username: "oauth-authorize-pending" });
+    await user.apiLogin();
+
+    const testPrefix = `e2e-oauth-authorize-status-${testInfo.testId}-`;
+    const client = await createOAuthClient({
+      prisma,
+      name: `${testPrefix}pending-${Date.now()}`,
+      status: "PENDING",
+    });
+
+    await page.goto(
+      `auth/oauth2/authorize?client_id=${client.clientId}&redirect_uri=${client.redirectUri}&state=1234`
+    );
+
+    await page.waitForSelector('[data-testid="allow-button"]');
+    await page.getByTestId("allow-button").click();
+
+    await page.waitForFunction(() => {
+      return window.location.href.startsWith("https://example.com");
+    });
+
+    await expect(page).toHaveURL(/^https:\/\/example\.com/);
+
+    const url = new URL(page.url());
+    expect(url.searchParams.get("error")).toBe("unauthorized_client");
+    expect(url.searchParams.get("error_description")).toBe(OAUTH_ERROR_REASONS["client_not_approved"]);
+    expect(url.searchParams.get("state")).toBe("1234");
+    expect(url.searchParams.get("code")).toBeNull();
+  });
+
+  test("REJECTED client redirects to redirectUri with unauthorized_client error", async ({ page, users, prisma }, testInfo) => {
+    const user = await users.create({ username: "oauth-authorize-rejected" });
+    await user.apiLogin();
+
+    const testPrefix = `e2e-oauth-authorize-status-${testInfo.testId}-`;
+    const client = await createOAuthClient({
+      prisma,
+      name: `${testPrefix}rejected-${Date.now()}`,
+      status: "REJECTED",
+    });
+
+    await page.goto(
+      `auth/oauth2/authorize?client_id=${client.clientId}&redirect_uri=${client.redirectUri}&state=1234`
+    );
+
+    await page.waitForSelector('[data-testid="allow-button"]');
+    await page.getByTestId("allow-button").click();
+
+    await page.waitForFunction(() => {
+      return window.location.href.startsWith("https://example.com");
+    });
+
+    await expect(page).toHaveURL(/^https:\/\/example\.com/);
+
+    const url = new URL(page.url());
+    expect(url.searchParams.get("error")).toBe("unauthorized_client");
+    expect(url.searchParams.get("error_description")).toBe(OAUTH_ERROR_REASONS["client_not_approved"]);
+    expect(url.searchParams.get("state")).toBe("1234");
+    expect(url.searchParams.get("code")).toBeNull();
+  });
+
+  test("APPROVED client redirects to redirectUri with code", async ({ page, users, prisma }, testInfo) => {
+    const user = await users.create({ username: "oauth-authorize-approved" });
+    await user.apiLogin();
+
+    const testPrefix = `e2e-oauth-authorize-status-${testInfo.testId}-`;
+    const client = await createOAuthClient({
+      prisma,
+      name: `${testPrefix}approved-${Date.now()}`,
+      status: "APPROVED",
+    });
+
+    await page.goto(
+      `auth/oauth2/authorize?client_id=${client.clientId}&redirect_uri=${client.redirectUri}&state=1234`
+    );
+
+    await page.waitForSelector('[data-testid="allow-button"]');
+    await page.getByTestId("allow-button").click();
+
+    await page.waitForFunction(() => {
+      return window.location.href.startsWith("https://example.com");
+    });
+
+    await expect(page).toHaveURL(/^https:\/\/example\.com/);
+
+    const url = new URL(page.url());
+    expect(url.searchParams.get("code")).toBeTruthy();
+    expect(url.searchParams.get("state")).toBe("1234");
+    expect(url.searchParams.get("error")).toBeNull();
+  });
+});
diff --git a/packages/features/oauth/repositories/OAuthClientRepository.ts b/packages/features/oauth/repositories/OAuthClientRepository.ts
index 7ed00ddcb8ace0..e29118c1ac40a7 100644
--- a/packages/features/oauth/repositories/OAuthClientRepository.ts
+++ b/packages/features/oauth/repositories/OAuthClientRepository.ts
@@ -37,6 +37,7 @@ export class OAuthClientRepository {
         redirectUri: true,
         clientSecret: true,
         clientType: true,
+        status: true,
       },
     });
   }
diff --git a/packages/features/oauth/services/OAuthService.ts b/packages/features/oauth/services/OAuthService.ts
index cce38157beeaec..5304b97583afe8 100644
--- a/packages/features/oauth/services/OAuthService.ts
+++ b/packages/features/oauth/services/OAuthService.ts
@@ -1,4 +1,4 @@
-import { randomBytes } from "crypto";
+import { randomBytes } from "node:crypto";
 import jwt from "jsonwebtoken";
 
 import { TeamRepository } from "@calcom/features/ee/teams/repositories/TeamRepository";
@@ -8,6 +8,7 @@ import { generateSecret } from "@calcom/features/oauth/utils/generateSecret";
 import { ErrorCode } from "@calcom/lib/errorCodes";
 import { ErrorWithCode } from "@calcom/lib/errors";
 import { verifyCodeChallenge } from "@calcom/lib/pkce";
+import { OAuthClientStatus } from "@calcom/prisma/enums";
 import type { AccessScope, OAuthClientType } from "@calcom/prisma/enums";
 
 export interface OAuth2Client {
@@ -51,6 +52,7 @@ export class OAuthService {
   private readonly accessCodeRepository: AccessCodeRepository;
   private readonly teamsRepository: TeamRepository;
   private readonly oAuthClientRepository: OAuthClientRepository;
+
   constructor(
     private readonly deps: {
       oAuthClientRepository: OAuthClientRepository;
@@ -67,7 +69,7 @@ export class OAuthService {
     const client = await this.oAuthClientRepository.findByClientId(clientId);
 
     if (!client) {
-      throw new ErrorWithCode(ErrorCode.NotFound, "unauthorized_client");
+      throw new ErrorWithCode(ErrorCode.NotFound, "unauthorized_client", { reason: "client_not_found" });
     }
 
     return {
@@ -96,6 +98,8 @@ export class OAuthService {
       throw new ErrorWithCode(ErrorCode.Unauthorized, "unauthorized_client", { reason: "client_not_found" });
     }
 
+    this.ensureClientIsApproved(client);
+
     // RFC 6749 4.1.2.1: Redirect URI mismatch on Auth step is 'invalid_request'
     this.validateRedirectUri(client.redirectUri, redirectUri);
 
@@ -148,6 +152,12 @@ export class OAuthService {
     return { redirectUrl, authorizationCode, client };
   }
 
+  private ensureClientIsApproved(client: { status: OAuthClientStatus }): void {
+    if (client.status !== OAuthClientStatus.APPROVED) {
+      throw new ErrorWithCode(ErrorCode.Unauthorized, "unauthorized_client", { reason: "client_not_approved" });
+    }
+  }
+
   private validateRedirectUri(registeredUri: string, providedUri: string): void {
     if (providedUri !== registeredUri) {
       throw new ErrorWithCode(ErrorCode.BadRequest, "invalid_request", { reason: "redirect_uri_mismatch" });
@@ -423,6 +433,7 @@ export class OAuthService {
 
 export type OAuthErrorReason =
   | "client_not_found"
+  | "client_not_approved"
   | "redirect_uri_mismatch"
   | "pkce_required"
   | "invalid_code_challenge_method"
@@ -439,6 +450,7 @@ export type OAuthErrorReason =
 // Mapping of OAuth error reasons to descriptive messages, keeping previous messages for compatibility
 export const OAUTH_ERROR_REASONS: Record<OAuthErrorReason, string> = {
   client_not_found: "OAuth client with ID not found",
+  client_not_approved: "OAuth client is not approved",
   redirect_uri_mismatch: "redirect_uri does not match registered redirect URI",
   pkce_required: "code_challenge required for public clients",
   invalid_code_challenge_method: "code_challenge_method must be S256",