diff --git a/.circleci/config.yml b/.circleci/config.yml
index c877d35d5..280919e1f 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -5,22 +5,27 @@ jobs:
   test:
     docker:
       - image: rishabhpoddar/supertokens_core_testing
+      - image: rishabhpoddar/oauth-server-cicd
       - image: mongo
         environment:
           MONGO_INITDB_ROOT_USERNAME: root
           MONGO_INITDB_ROOT_PASSWORD: root
     resource_class: large
+    parallelism: 4
     parameters:
       plugin:
         type: string
     steps:
       - checkout
+      - run: mkdir ~/junit
       - run: echo $'\n[mysqld]\ncharacter_set_server=utf8mb4\nmax_connections=10000' >> /etc/mysql/mysql.cnf
       - run: apt-get update && apt-get -y -q install postgresql-9.5 postgresql-client-9.5 postgresql-contrib-9.5 sudo
       - run: echo "host all  all    0.0.0.0/0  md5" >> /etc/postgresql/9.5/main/pg_hba.conf
       - run: echo "listen_addresses='*'" >> /etc/postgresql/9.5/main/postgresql.conf
       - run: sed -i 's/^#*\s*max_connections\s*=.*/max_connections = 10000/' /etc/postgresql/9.5/main/postgresql.conf
       - run: (cd .circleci/ && ./doTests.sh << parameters.plugin >>)
+      - store_test_results:
+          path: ~/junit
       - slack/status
 
   mark-passed:
@@ -44,7 +49,7 @@ workflows:
             tags:
               only: /dev-v[0-9]+(\.[0-9]+)*/
             branches:
-              ignore: /.*/
+              only: /test-cicd\/.*/
       - test:
           plugin: mongodb
           name: test-mongodb
@@ -54,7 +59,7 @@ workflows:
             tags:
               only: /dev-v[0-9]+(\.[0-9]+)*/
             branches:
-              ignore: /.*/
+              only: /test-cicd\/.*/
       - test:
           plugin: postgresql
           name: test-postgresql
@@ -64,7 +69,7 @@ workflows:
             tags:
               only: /dev-v[0-9]+(\.[0-9]+)*/
             branches:
-              ignore: /.*/
+              only: /test-cicd\/.*/
       - test:
           plugin: mysql
           name: test-mysql
@@ -74,7 +79,7 @@ workflows:
             tags:
               only: /dev-v[0-9]+(\.[0-9]+)*/
             branches:
-              ignore: /.*/
+              only: /test-cicd\/.*/
       - mark-passed:
           context:
             - slack-notification
diff --git a/.circleci/doTests.sh b/.circleci/doTests.sh
index 3fb117cc5..3cc3df115 100755
--- a/.circleci/doTests.sh
+++ b/.circleci/doTests.sh
@@ -65,6 +65,8 @@ then
 	exit 1
 fi
 
+mkdir -p ~/junit
+
 someTestsRan=false
 while read -u 10 line
 do
@@ -162,9 +164,24 @@ do
           fi
           cd ../
           echo $SUPERTOKENS_API_KEY > apiPassword
+
           ./startTestingEnv --cicd
 
-          if [[ $? -ne 0 ]]
+          TEST_EXIT_CODE=$?
+
+          if [ -d ~/junit ]
+          then
+            echo "Copying output from core"
+            cp ~/supertokens-root/supertokens-core/build/test-results/test/*.xml ~/junit/
+
+            if [[ $pluginToTest != "sqlite" ]]
+            then
+              echo "Copying output from plugin"
+              cp ~/supertokens-root/supertokens-$pluginToTest-plugin/build/test-results/test/*.xml ~/junit/
+            fi
+          fi
+
+          if [[ $TEST_EXIT_CODE -ne 0 ]]
           then
               echo ""
               echo ""
@@ -196,7 +213,7 @@ do
           echo ""
           echo ""
 
-          cd ../
+          cd ..
           rm -rf supertokens-root
 
           if [[ $currPinnedDb == "sqlite" ]]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5a31052f..0e05b6d60 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,156 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## [Unreleased]
+
+## [9.3.0]
+
+### Changes
+
+- Adds support for OAuth2
+    - Added new feature in license key: `OAUTH`
+    - Adds new core config:
+        - `oauth_provider_public_service_url`
+        - `oauth_provider_admin_service_url`
+        - `oauth_provider_consent_login_base_url`
+        - `oauth_provider_url_configured_in_oauth_provider`
+    - Adds following APIs:
+        - POST `/recipe/oauth/clients`
+        - PUT `/recipe/oauth/clients`
+        - GET `/recipe/oauth/clients`
+        - GET `/recipe/oauth/clients/list`
+        - POST `/recipe/oauth/clients/remove`
+        - GET `/recipe/oauth/auth/requests/consent`
+        - PUT `/recipe/oauth/auth/requests/consent/accept`
+        - PUT `/recipe/oauth/auth/requests/consent/reject`
+        - GET `/recipe/oauth/auth/requests/login`
+        - PUT `/recipe/oauth/auth/requests/login/accept`
+        - PUT `/recipe/oauth/auth/requests/login/reject`
+        - GET `/recipe/oauth/auth/requests/logout`
+        - PUT `/recipe/oauth/auth/requests/logout/accept`
+        - PUT `/recipe/oauth/auth/requests/logout/reject`
+        - POST `/recipe/oauth/auth`
+        - POST `/recipe/oauth/token`
+        - POST `/recipe/oauth/introspect`
+        - POST `/recipe/oauth/session/revoke`
+        - POST `/recipe/oauth/token/revoke`
+        - POST `/recipe/oauth/tokens/revoke`
+
+### Migration
+
+If using PostgreSQL, run the following SQL script:
+
+```sql
+CREATE TABLE IF NOT EXISTS oauth_clients (
+    app_id VARCHAR(64),
+    client_id VARCHAR(255) NOT NULL,
+    is_client_credentials_only BOOLEAN NOT NULL,
+    PRIMARY KEY (app_id, client_id),
+    FOREIGN KEY(app_id) REFERENCES apps(app_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS oauth_sessions (
+    gid VARCHAR(255),
+    app_id VARCHAR(64) DEFAULT 'public',
+    client_id VARCHAR(255) NOT NULL,
+    session_handle VARCHAR(128),
+    external_refresh_token VARCHAR(255) UNIQUE,
+    internal_refresh_token VARCHAR(255) UNIQUE,
+    jti TEXT NOT NULL,
+    exp BIGINT NOT NULL,
+    PRIMARY KEY (gid),
+    FOREIGN KEY(app_id, client_id) REFERENCES oauth_clients(app_id, client_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS oauth_session_exp_index ON oauth_sessions(exp DESC);
+CREATE INDEX IF NOT EXISTS oauth_session_external_refresh_token_index ON oauth_sessions(app_id, external_refresh_token DESC);
+
+CREATE TABLE IF NOT EXISTS oauth_m2m_tokens (
+    app_id VARCHAR(64) DEFAULT 'public',
+    client_id VARCHAR(255) NOT NULL,
+    iat BIGINT NOT NULL,
+    exp BIGINT NOT NULL,
+    PRIMARY KEY (app_id, client_id, iat),
+    FOREIGN KEY(app_id, client_id) REFERENCES oauth_clients(app_id, client_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS oauth_m2m_token_iat_index ON oauth_m2m_tokens(iat DESC, app_id DESC);
+CREATE INDEX IF NOT EXISTS oauth_m2m_token_exp_index ON oauth_m2m_tokens(exp DESC);
+
+CREATE TABLE IF NOT EXISTS oauth_logout_challenges (
+    app_id VARCHAR(64) DEFAULT 'public',
+    challenge VARCHAR(128) NOT NULL,
+    client_id VARCHAR(255) NOT NULL,
+    post_logout_redirect_uri VARCHAR(1024),
+    session_handle VARCHAR(128),
+    state VARCHAR(128),
+    time_created BIGINT NOT NULL,
+    PRIMARY KEY (app_id, challenge),
+    FOREIGN KEY(app_id, client_id) REFERENCES oauth_clients(app_id, client_id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS oauth_logout_challenges_time_created_index ON oauth_logout_challenges(time_created DESC);
+```
+
+If using MySQL, run the following SQL script:
+
+```sql
+CREATE TABLE IF NOT EXISTS oauth_clients (
+  app_id VARCHAR(64),
+  client_id VARCHAR(255) NOT NULL,
+  is_client_credentials_only BOOLEAN NOT NULL,
+  PRIMARY KEY (app_id, client_id),
+  FOREIGN KEY(app_id) REFERENCES apps(app_id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS oauth_sessions (
+  gid VARCHAR(255),
+  app_id VARCHAR(64) DEFAULT 'public',
+  client_id VARCHAR(255) NOT NULL,
+  session_handle VARCHAR(128),
+  external_refresh_token VARCHAR(255) UNIQUE,
+  internal_refresh_token VARCHAR(255) UNIQUE,
+  jti TEXT NOT NULL,
+  exp BIGINT NOT NULL,
+  PRIMARY KEY (gid),
+  FOREIGN KEY(app_id, client_id) REFERENCES oauth_clients(app_id, client_id) ON DELETE CASCADE
+);
+
+CREATE INDEX oauth_session_exp_index ON oauth_sessions(exp DESC);
+CREATE INDEX oauth_session_external_refresh_token_index ON oauth_sessions(app_id, external_refresh_token DESC);
+
+CREATE TABLE oauth_m2m_tokens (
+  app_id VARCHAR(64) DEFAULT 'public',
+  client_id VARCHAR(255) NOT NULL,
+  iat BIGINT UNSIGNED NOT NULL,
+  exp BIGINT UNSIGNED NOT NULL,
+  PRIMARY KEY (app_id, client_id, iat),
+  FOREIGN KEY(app_id, client_id) REFERENCES oauth_clients(app_id, client_id) ON DELETE CASCADE
+);
+
+CREATE INDEX oauth_m2m_token_iat_index ON oauth_m2m_tokens(iat DESC, app_id DESC);
+CREATE INDEX oauth_m2m_token_exp_index ON oauth_m2m_tokens(exp DESC);
+
+CREATE TABLE IF NOT EXISTS oauth_logout_challenges (
+  app_id VARCHAR(64) DEFAULT 'public',
+  challenge VARCHAR(128) NOT NULL,
+  client_id VARCHAR(255) NOT NULL,
+  post_logout_redirect_uri VARCHAR(1024),
+  session_handle VARCHAR(128),
+  state VARCHAR(128),
+  time_created BIGINT UNSIGNED NOT NULL,
+  PRIMARY KEY (app_id, challenge),
+  FOREIGN KEY(app_id, client_id) REFERENCES oauth_clients(app_id, client_id) ON DELETE CASCADE
+);
+
+CREATE INDEX oauth_logout_challenges_time_created_index ON oauth_logout_challenges(time_created ASC, app_id ASC);
+```
+
+## [9.2.3] - 2024-10-09
+
+- Adds support for `--with-temp-dir` in CLI and `tempDirLocation=` in Core
+- Adds validation to firstFactors and requiredSecondaryFactors names while creating tenants/apps/etc. to not allow 
+  special chars.
 
 ### Added
 
@@ -168,17 +317,19 @@ Make sure the core is already upgraded to version 8.0.0 before migrating
 If using PostgreSQL
 
 ```sql
-ALTER TABLE totp_user_devices ADD COLUMN IF NOT EXISTS created_at BIGINT default 0;
-ALTER TABLE totp_user_devices 
-  ALTER COLUMN created_at DROP DEFAULT;
+ALTER TABLE totp_user_devices
+    ADD COLUMN IF NOT EXISTS created_at BIGINT default 0;
+ALTER TABLE totp_user_devices
+    ALTER COLUMN created_at DROP DEFAULT;
 ```
 
 If using MySQL
 
 ```sql
-ALTER TABLE totp_user_devices ADD COLUMN created_at BIGINT UNSIGNED default 0;
-ALTER TABLE totp_user_devices 
-  ALTER COLUMN created_at DROP DEFAULT;
+ALTER TABLE totp_user_devices
+    ADD COLUMN created_at BIGINT UNSIGNED default 0;
+ALTER TABLE totp_user_devices
+    ALTER COLUMN created_at DROP DEFAULT;
 DROP INDEX all_auth_recipe_users_pagination_index2 ON all_auth_recipe_users;
 DROP INDEX all_auth_recipe_users_pagination_index4 ON all_auth_recipe_users;
 ```
@@ -230,8 +381,8 @@ For MySQL:
 ALTER TABLE user_roles DROP FOREIGN KEY user_roles_ibfk_1;
 ALTER TABLE user_roles DROP FOREIGN KEY user_roles_ibfk_2;
 ALTER TABLE user_roles
-  ADD FOREIGN KEY (app_id, tenant_id)
-    REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE;
+    ADD FOREIGN KEY (app_id, tenant_id)
+        REFERENCES tenants (app_id, tenant_id) ON DELETE CASCADE;
 ```
 
 ## [7.0.18] - 2024-02-19
diff --git a/build.gradle b/build.gradle
index 00afc8e7c..c4779d56c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "9.2.2"
+version = "9.3.0"
 
 repositories {
     mavenCentral()
diff --git a/cli/jar/cli.jar b/cli/jar/cli.jar
index 4ff950e18..cf2cc1208 100644
Binary files a/cli/jar/cli.jar and b/cli/jar/cli.jar differ
diff --git a/cli/src/main/java/io/supertokens/cli/commandHandler/start/StartHandler.java b/cli/src/main/java/io/supertokens/cli/commandHandler/start/StartHandler.java
index 645608dd6..5bf579567 100644
--- a/cli/src/main/java/io/supertokens/cli/commandHandler/start/StartHandler.java
+++ b/cli/src/main/java/io/supertokens/cli/commandHandler/start/StartHandler.java
@@ -35,6 +35,7 @@ public class StartHandler extends CommandHandler {
     public void doCommand(String installationDir, boolean viaInstaller, String[] args) {
         String space = CLIOptionsParser.parseOption("--with-space", args);
         String configPath = CLIOptionsParser.parseOption("--with-config", args);
+        String tempDirLocation = CLIOptionsParser.parseOption("--with-temp-dir", args);
         if (configPath != null) {
             configPath = new File(configPath).getAbsolutePath();
         }
@@ -67,6 +68,9 @@ public void doCommand(String installationDir, boolean viaInstaller, String[] arg
             if (forceNoInMemDB) {
                 commands.add("forceNoInMemDB=true");
             }
+            if(tempDirLocation != null && !tempDirLocation.isEmpty()) {
+                commands.add("tempDirLocation=" + tempDirLocation);
+            }
         } else {
             commands.add(installationDir + "jre/bin/java");
             commands.add("-Djava.security.egd=file:/dev/urandom");
@@ -90,6 +94,9 @@ public void doCommand(String installationDir, boolean viaInstaller, String[] arg
             if (forceNoInMemDB) {
                 commands.add("forceNoInMemDB=true");
             }
+            if(tempDirLocation != null && !tempDirLocation.isEmpty()) {
+                commands.add("tempDirLocation=" + tempDirLocation);
+            }
         }
         if (!foreground) {
             try {
@@ -172,6 +179,8 @@ protected List<Option> getOptionsAndDescription() {
                 "Sets the host on which this instance of SuperTokens should run. Example: \"--host=192.168.0.1\""));
         options.add(
                 new Option("--foreground", "Runs this instance of SuperTokens in the foreground (not as a daemon)"));
+        options.add(
+                new Option("--with-temp-dir", "Uses the passed dir as temp dir, instead of the internal default."));
         return options;
     }
 
diff --git a/config.yaml b/config.yaml
index 11d7d03d9..5bbb2ce52 100644
--- a/config.yaml
+++ b/config.yaml
@@ -152,7 +152,25 @@ core_config_version: 0
 # if there are more CUDs in the database and block all other CUDs from being used from this instance.
 # supertokens_saas_load_only_cud:
 
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider
+# public service.
+# oauth_provider_public_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider admin
+# service.
+# oauth_provider_admin_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to replace the default
+# consent and login URLs to {apiDomain}.
+# oauth_provider_consent_login_base_url:
+
+# (OPTIONAL | Default: oauth_provider_public_service_url) If specified, the core uses this URL to parse responses from
+# the oauth provider when the oauth provider's internal address differs from the known public provider address.
+# oauth_provider_url_configured_in_oauth_provider:
+
+# (Optional | Default: null) string value. The encryption key used for saving OAuth client secret on the database.
+# oauth_client_secret_encryption_key:
+
 # (DIFFERENT_ACROSS_TENANTS | OPTIONAL | Default: number of available processor cores) int value. If specified,
 # the supertokens core will use the specified number of threads to complete the migration of users.
 # bulk_migration_parallelism:
-
diff --git a/coreDriverInterfaceSupported.json b/coreDriverInterfaceSupported.json
index aa87aab03..130c4b2c1 100644
--- a/coreDriverInterfaceSupported.json
+++ b/coreDriverInterfaceSupported.json
@@ -20,6 +20,7 @@
     "3.1",
     "4.0",
     "5.0",
-    "5.1"
+    "5.1",
+    "5.2"
   ]
 }
diff --git a/devConfig.yaml b/devConfig.yaml
index 853cc8b6f..a8230bc7a 100644
--- a/devConfig.yaml
+++ b/devConfig.yaml
@@ -152,6 +152,26 @@ disable_telemetry: true
 # if there are more CUDs in the database and block all other CUDs from being used from this instance.
 # supertokens_saas_load_only_cud:
 
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider
+# public service.
+# oauth_provider_public_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to connect to the OAuth provider admin
+# service.
+# oauth_provider_admin_service_url:
+
+# (OPTIONAL | Default: null) string value. If specified, the core uses this URL to replace the default
+# consent and login URLs to {apiDomain}.
+# oauth_provider_consent_login_base_url:
+
+# (OPTIONAL | Default: oauth_provider_public_service_url) If specified, the core uses this URL to parse responses from
+# the oauth provider when the oauth provider's internal address differs from the known public provider address.
+# oauth_provider_url_configured_in_oauth_provider:
+
+# (Optional | Default: null) string value. The encryption key used for saving OAuth client secret on the database.
+# oauth_client_secret_encryption_key:
+
 # (DIFFERENT_ACROSS_TENANTS | OPTIONAL | Default: number of available processor cores) int value. If specified,
 # the supertokens core will use the specified number of threads to complete the migration of users.
 # bulk_migration_parallelism:
+
diff --git a/downloader/jar/downloader.jar b/downloader/jar/downloader.jar
index 051bdfc53..18327571c 100644
Binary files a/downloader/jar/downloader.jar and b/downloader/jar/downloader.jar differ
diff --git a/ee/jar/ee.jar b/ee/jar/ee.jar
index 4cd8175da..a6ae666c0 100644
Binary files a/ee/jar/ee.jar and b/ee/jar/ee.jar differ
diff --git a/ee/src/main/java/io/supertokens/ee/EEFeatureFlag.java b/ee/src/main/java/io/supertokens/ee/EEFeatureFlag.java
index b70b0c14d..8825a765d 100644
--- a/ee/src/main/java/io/supertokens/ee/EEFeatureFlag.java
+++ b/ee/src/main/java/io/supertokens/ee/EEFeatureFlag.java
@@ -24,6 +24,7 @@
 import io.supertokens.pluginInterface.KeyValueInfo;
 import io.supertokens.pluginInterface.STORAGE_TYPE;
 import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.StorageUtils;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeStorage;
 import io.supertokens.pluginInterface.dashboard.sqlStorage.DashboardSQLStorage;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
@@ -32,6 +33,7 @@
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.ThirdPartyConfig;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
 import io.supertokens.pluginInterface.session.sqlStorage.SessionSQLStorage;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.utils.Utils;
@@ -348,6 +350,28 @@ private JsonObject getAccountLinkingStats() throws StorageQueryException, Tenant
         return result;
     }
 
+    private JsonObject getOAuthStats() throws StorageQueryException, TenantOrAppNotFoundException {
+        JsonObject result = new JsonObject();
+
+        OAuthStorage oAuthStorage = StorageUtils.getOAuthStorage(StorageLayer.getStorage(
+            this.appIdentifier.getAsPublicTenantIdentifier(), main));
+        
+        result.addProperty("totalNumberOfClients", oAuthStorage.countTotalNumberOfOAuthClients(appIdentifier));
+        result.addProperty("numberOfClientCredentialsOnlyClients", oAuthStorage.countTotalNumberOfClientCredentialsOnlyOAuthClients(appIdentifier));
+        result.addProperty("numberOfM2MTokensAlive", oAuthStorage.countTotalNumberOfOAuthM2MTokensAlive(appIdentifier));
+
+        long now = System.currentTimeMillis();
+        JsonArray tokensCreatedArray = new JsonArray();
+        for (int i = 1; i <= 31; i++) {
+            long timestamp = now - (i * 24 * 60 * 60 * 1000L);
+            int numberOfTokensCreated = oAuthStorage.countTotalNumberOfOAuthM2MTokensCreatedSince(this.appIdentifier, timestamp);
+            tokensCreatedArray.add(new JsonPrimitive(numberOfTokensCreated));
+        }
+        result.add("numberOfM2MTokensCreated", tokensCreatedArray);
+
+        return result;
+    }
+
     private JsonArray getMAUs() throws StorageQueryException, TenantOrAppNotFoundException {
         JsonArray mauArr = new JsonArray();
         long now = System.currentTimeMillis();
@@ -405,6 +429,10 @@ public JsonObject getPaidFeatureStats() throws StorageQueryException, TenantOrAp
             if (feature == EE_FEATURES.SECURITY) {
                 usageStats.add(EE_FEATURES.SECURITY.toString(), new JsonObject());
             }
+
+            if (feature == EE_FEATURES.OAUTH) {
+                usageStats.add(EE_FEATURES.OAUTH.toString(), getOAuthStats());
+            }
         }
 
         usageStats.add("maus", getMAUs());
diff --git a/jar/core-9.2.2.jar b/jar/core-9.3.0.jar
similarity index 71%
rename from jar/core-9.2.2.jar
rename to jar/core-9.3.0.jar
index fd1d03d2d..8071667b5 100644
Binary files a/jar/core-9.2.2.jar and b/jar/core-9.3.0.jar differ
diff --git a/pluginInterfaceSupported.json b/pluginInterfaceSupported.json
index 0dedee885..25f823814 100644
--- a/pluginInterfaceSupported.json
+++ b/pluginInterfaceSupported.json
@@ -1,6 +1,6 @@
 {
   "_comment": "contains a list of plugin interfaces branch names that this core supports",
   "versions": [
-    "6.2"
+    "6.3"
   ]
 }
\ No newline at end of file
diff --git a/src/main/java/io/supertokens/Main.java b/src/main/java/io/supertokens/Main.java
index 03120c96c..424cde3f3 100644
--- a/src/main/java/io/supertokens/Main.java
+++ b/src/main/java/io/supertokens/Main.java
@@ -21,6 +21,7 @@
 import io.supertokens.config.CoreConfig;
 import io.supertokens.cronjobs.Cronjobs;
 import io.supertokens.cronjobs.bulkimport.ProcessBulkImportUsers;
+import io.supertokens.cronjobs.cleanupOAuthSessionsAndChallenges.CleanupOAuthSessionsAndChallenges;
 import io.supertokens.cronjobs.deleteExpiredAccessTokenSigningKeys.DeleteExpiredAccessTokenSigningKeys;
 import io.supertokens.cronjobs.deleteExpiredDashboardSessions.DeleteExpiredDashboardSessions;
 import io.supertokens.cronjobs.deleteExpiredEmailVerificationTokens.DeleteExpiredEmailVerificationTokens;
@@ -262,6 +263,8 @@ private void init() throws IOException, StorageQueryException {
         // initializes ProcessBulkImportUsers cronjob to process bulk import users - start happens via API call @see BulkImportBackgroundJobManager
         ProcessBulkImportUsers.init(this, uniqueUserPoolIdsTenants);
 
+        Cronjobs.addCronjob(this, CleanupOAuthSessionsAndChallenges.init(this, uniqueUserPoolIdsTenants));
+
         // this is to ensure tenantInfos are in sync for the new cron job as well
         MultitenancyHelper.getInstance(this).refreshCronjobs();
 
@@ -272,6 +275,7 @@ private void init() throws IOException, StorageQueryException {
         Webserver.getInstance(this).start();
 
         // this is a sign to the controlling script that this process has started.
+
         createDotStartedFileForThisProcess();
 
         // NOTE: If the message below is changed, make sure to also change the corresponding check in the CLI program
@@ -351,10 +355,11 @@ public void proceedToEnableFeatureFlag() {
 
     private void createDotStartedFileForThisProcess() throws IOException {
         CoreConfig config = Config.getBaseConfig(this);
+        String fileLocation = CLIOptions.get(this).getTempDirLocation() == null ? CLIOptions.get(this).getInstallationPath() : CLIOptions.get(this).getTempDirLocation();
         String fileName = OperatingSystem.getOS() == OperatingSystem.OS.WINDOWS
-                ? CLIOptions.get(this).getInstallationPath() + ".started\\" + config.getHost(this) + "-"
+                ? fileLocation + ".started\\" + config.getHost(this) + "-"
                 + config.getPort(this)
-                : CLIOptions.get(this).getInstallationPath() + ".started/" + config.getHost(this) + "-"
+                : fileLocation + ".started/" + config.getHost(this) + "-"
                 + config.getPort(this);
         File dotStarted = new File(fileName);
         if (!dotStarted.exists()) {
diff --git a/src/main/java/io/supertokens/cliOptions/CLIOptions.java b/src/main/java/io/supertokens/cliOptions/CLIOptions.java
index 2f42d9c42..e864628c4 100644
--- a/src/main/java/io/supertokens/cliOptions/CLIOptions.java
+++ b/src/main/java/io/supertokens/cliOptions/CLIOptions.java
@@ -32,10 +32,13 @@ public class CLIOptions extends ResourceDistributor.SingletonResource {
     private static final String HOST_FILE_KEY = "host=";
     private static final String TEST_MODE = "test_mode";
     private static final String FORCE_NO_IN_MEM_DB = "forceNoInMemDB=true";
+    private static final String TEMP_DIR_LOCATION_KEY = "tempDirLocation=";
     private final String installationPath;
     private final String configFilePath;
     private final Integer port;
     private final String host;
+    private final String tempDirLocation;
+
 
     // if this is true, then even in DEV mode, we will not use in memory db, even if there is an error in the plugin
     private final boolean forceNoInMemoryDB;
@@ -44,6 +47,7 @@ private CLIOptions(String[] args) {
         checkIfArgsIsCorrect(args);
         String installationPath = args[0];
         String configFilePathTemp = null;
+        String tempDirLocationPath = null;
         Integer portTemp = null;
         String hostTemp = null;
         boolean forceNoInMemoryDBTemp = false;
@@ -54,7 +58,16 @@ private CLIOptions(String[] args) {
                 if (!new File(configFilePathTemp).isAbsolute()) {
                     throw new QuitProgramException("configPath option must be an absolute path only");
                 }
-            } else if (curr.startsWith(PORT_FILE_KEY)) {
+            } else if (curr.startsWith(TEMP_DIR_LOCATION_KEY)) {
+                tempDirLocationPath = curr.split(TEMP_DIR_LOCATION_KEY)[1];
+                if (!new File(tempDirLocationPath).isAbsolute()) {
+                    throw new QuitProgramException("tempDirLocation option must be an absolute path only");
+                }
+                if(!tempDirLocationPath.isEmpty() && !tempDirLocationPath.endsWith(File.separator)){
+                    tempDirLocationPath = tempDirLocationPath + File.separator;
+                }
+            }
+            else if (curr.startsWith(PORT_FILE_KEY)) {
                 portTemp = Integer.parseInt(curr.split(PORT_FILE_KEY)[1]);
             } else if (curr.startsWith(HOST_FILE_KEY)) {
                 hostTemp = curr.split(HOST_FILE_KEY)[1];
@@ -69,6 +82,7 @@ private CLIOptions(String[] args) {
         this.port = portTemp;
         this.host = hostTemp;
         this.forceNoInMemoryDB = forceNoInMemoryDBTemp;
+        this.tempDirLocation = tempDirLocationPath;
     }
 
     private static CLIOptions getInstance(Main main) {
@@ -123,4 +137,8 @@ public String getHost() {
     public boolean isForceNoInMemoryDB() {
         return this.forceNoInMemoryDB;
     }
+
+    public String getTempDirLocation() {
+        return tempDirLocation;
+    }
 }
diff --git a/src/main/java/io/supertokens/config/Config.java b/src/main/java/io/supertokens/config/Config.java
index a51b8bd1d..91ed63af5 100644
--- a/src/main/java/io/supertokens/config/Config.java
+++ b/src/main/java/io/supertokens/config/Config.java
@@ -18,7 +18,6 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
-import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.JsonObject;
 import io.supertokens.Main;
diff --git a/src/main/java/io/supertokens/config/CoreConfig.java b/src/main/java/io/supertokens/config/CoreConfig.java
index 9e6957559..46495cda0 100644
--- a/src/main/java/io/supertokens/config/CoreConfig.java
+++ b/src/main/java/io/supertokens/config/CoreConfig.java
@@ -41,6 +41,8 @@
 import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Field;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.*;
 import java.util.regex.PatternSyntaxException;
 
@@ -62,6 +64,10 @@ public class CoreConfig {
     public static final String[] PROTECTED_CONFIGS = new String[]{
             "ip_allow_regex",
             "ip_deny_regex",
+            "oauth_provider_public_service_url",
+            "oauth_provider_admin_service_url",
+            "oauth_provider_consent_login_base_url",
+            "oauth_provider_url_configured_in_oauth_provider"
     };
 
     @IgnoreForAnnotationCheck
@@ -273,9 +279,42 @@ public class CoreConfig {
                     " address.")
     private String ip_deny_regex = null;
 
+    @NotConflictingInApp
+    @JsonProperty
+    @HideFromDashboard
+    @ConfigDescription(
+            "If specified, the core uses this URL to connect to the OAuth provider public service.")
+    private String oauth_provider_public_service_url = null;
+
+    @NotConflictingInApp
+    @JsonProperty
+    @HideFromDashboard
+    @ConfigDescription(
+            "If specified, the core uses this URL to connect to the OAuth provider admin service.")
+    private String oauth_provider_admin_service_url = null;
+
+    @NotConflictingInApp
+    @JsonProperty
+    @HideFromDashboard
+    @ConfigDescription(
+            "If specified, the core uses this URL to replace the default consent and login URLs to {apiDomain}.")
+    private String oauth_provider_consent_login_base_url = null;
+
+    @NotConflictingInApp
+    @JsonProperty
+    @HideFromDashboard
+    @ConfigDescription(
+            "If specified, the core uses this URL to parse responses from the oauth provider when the oauth provider's internal address differs from the known public provider address.")
+    private String oauth_provider_url_configured_in_oauth_provider = null;
+
     @ConfigYamlOnly
     @JsonProperty
     @HideFromDashboard
+    @ConfigDescription("The encryption key used for saving OAuth client secret on the database.")
+    private String oauth_client_secret_encryption_key = null;
+
+    @ConfigYamlOnly
+    @JsonProperty
     @ConfigDescription(
             "This is used when deploying the core in SuperTokens SaaS infrastructure. If set, limits what database " +
                     "information is shown to / modifiable by the dev when they query the core to get the information " +
@@ -311,6 +350,17 @@ public class CoreConfig {
             "migration of users. (Default: number of available processor cores).")
     private int bulk_migration_parallelism =  Runtime.getRuntime().availableProcessors();
 
+    @IgnoreForAnnotationCheck
+    private static boolean disableOAuthValidationForTest = false;
+
+    @TestOnly
+    public static void setDisableOAuthValidationForTest(boolean val) {
+        if (!Main.isTesting) {
+            throw new IllegalStateException("This method can only be called during testing");
+        }
+        disableOAuthValidationForTest = val;
+    }
+
     public static Set<String> getValidFields() {
         CoreConfig coreConfig = new CoreConfig();
         JsonObject coreConfigObj = new GsonBuilder().serializeNulls().create().toJsonTree(coreConfig).getAsJsonObject();
@@ -325,6 +375,41 @@ public static Set<String> getValidFields() {
         return validFields;
     }
 
+    public String getOAuthProviderPublicServiceUrl() throws InvalidConfigException {
+        if (oauth_provider_public_service_url == null) {
+            throw new InvalidConfigException("oauth_provider_public_service_url is not set");
+        }
+        return oauth_provider_public_service_url;
+    }
+
+    public String getOAuthProviderAdminServiceUrl() throws InvalidConfigException {
+        if (oauth_provider_admin_service_url == null) {
+            throw new InvalidConfigException("oauth_provider_public_service_url is not set");
+        }
+        return oauth_provider_admin_service_url;
+    }
+
+    public String getOauthProviderConsentLoginBaseUrl() throws InvalidConfigException {
+        if(oauth_provider_consent_login_base_url == null){
+            throw new InvalidConfigException("oauth_provider_consent_login_base_url is not set");
+        }
+        return oauth_provider_consent_login_base_url;
+    }
+
+    public String getOAuthProviderUrlConfiguredInOAuthProvider() throws InvalidConfigException {
+        if(oauth_provider_url_configured_in_oauth_provider == null) {
+            throw new InvalidConfigException("oauth_provider_url_configured_in_oauth_provider is not set");
+        }
+        return oauth_provider_url_configured_in_oauth_provider;
+    }
+
+    public String getOAuthClientSecretEncryptionKey() throws InvalidConfigException {
+        if(oauth_client_secret_encryption_key == null) {
+            throw new InvalidConfigException("oauth_client_secret_encryption_key is not set");
+        }
+        return oauth_client_secret_encryption_key;
+    }
+
     public String getIpAllowRegex() {
         return ip_allow_regex;
     }
@@ -819,6 +904,48 @@ void normalizeAndValidate(Main main, boolean includeConfigFilePath) throws Inval
             }
         }
 
+        if(oauth_provider_public_service_url != null) {
+            try {
+                URL url = new URL(oauth_provider_public_service_url);
+            } catch (MalformedURLException malformedURLException){
+                throw new InvalidConfigException("oauth_provider_public_service_url is not a valid URL");
+            }
+        }
+
+        if(oauth_provider_admin_service_url != null) {
+            try {
+                URL url = new URL(oauth_provider_admin_service_url);
+            } catch (MalformedURLException malformedURLException){
+                throw new InvalidConfigException("oauth_provider_admin_service_url is not a valid URL");
+            }
+        }
+
+        if(oauth_provider_consent_login_base_url != null) {
+            try {
+                URL url = new URL(oauth_provider_consent_login_base_url);
+            } catch (MalformedURLException malformedURLException){
+                throw new InvalidConfigException("oauth_provider_consent_login_base_url is not a valid URL");
+            }
+        }
+
+
+        if(oauth_provider_url_configured_in_oauth_provider == null) {
+            oauth_provider_url_configured_in_oauth_provider = oauth_provider_public_service_url;
+        } else {
+            try {
+                URL url = new URL(oauth_provider_url_configured_in_oauth_provider);
+            } catch (MalformedURLException malformedURLException){
+                throw new InvalidConfigException("oauth_provider_url_configured_in_oauth_provider is not a valid URL");
+            }
+        }
+
+        if (!disableOAuthValidationForTest) {
+            List<String> configsTogetherSet = Arrays.asList(oauth_provider_public_service_url, oauth_provider_admin_service_url, oauth_provider_consent_login_base_url);
+            if(isAnySet(configsTogetherSet) && !isAllSet(configsTogetherSet)) {
+                throw new InvalidConfigException("If any of the following is set, all of them has to be set: oauth_provider_public_service_url, oauth_provider_admin_service_url, oauth_provider_consent_login_base_url");
+            }
+        }
+
         isNormalizedAndValid = true;
     }
 
@@ -949,4 +1076,24 @@ void assertThatConfigFromSameAppIdAreNotConflicting(CoreConfig other) throws Inv
     public String getMaxCDIVersion() {
         return this.supertokens_max_cdi_version;
     }
+
+    private boolean isAnySet(List<String> configs){
+        for (String config : configs){
+            if(config!=null){
+                return true;
+            }
+        }
+        return false;
+    }
+
+    private boolean isAllSet(List<String> configs) {
+        boolean foundNotSet = false;
+        for(String config: configs){
+            if(config == null){
+                foundNotSet = true;
+                break;
+            }
+        }
+        return !foundNotSet;
+    }
 }
diff --git a/src/main/java/io/supertokens/cronjobs/cleanupOAuthSessionsAndChallenges/CleanupOAuthSessionsAndChallenges.java b/src/main/java/io/supertokens/cronjobs/cleanupOAuthSessionsAndChallenges/CleanupOAuthSessionsAndChallenges.java
new file mode 100644
index 000000000..9787618e6
--- /dev/null
+++ b/src/main/java/io/supertokens/cronjobs/cleanupOAuthSessionsAndChallenges/CleanupOAuthSessionsAndChallenges.java
@@ -0,0 +1,63 @@
+package io.supertokens.cronjobs.cleanupOAuthSessionsAndChallenges;
+
+import io.supertokens.Main;
+import io.supertokens.cronjobs.CronTask;
+import io.supertokens.cronjobs.CronTaskTest;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.StorageUtils;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
+
+import java.util.List;
+
+public class CleanupOAuthSessionsAndChallenges extends CronTask {
+
+    public static final String RESOURCE_KEY = "io.supertokens.cronjobs.cleanupOAuthSessionsAndChallenges" +
+            ".CleanupOAuthSessionsAndChallenges";
+
+    private CleanupOAuthSessionsAndChallenges(Main main, List<List<TenantIdentifier>> tenantsInfo) {
+        super("CleanupOAuthSessionsAndChallenges", main, tenantsInfo, true);
+    }
+
+    public static CleanupOAuthSessionsAndChallenges init(Main main, List<List<TenantIdentifier>> tenantsInfo) {
+        return (CleanupOAuthSessionsAndChallenges) main.getResourceDistributor()
+                .setResource(new TenantIdentifier(null, null, null), RESOURCE_KEY,
+                        new CleanupOAuthSessionsAndChallenges(main, tenantsInfo));
+    }
+
+    @Override
+    protected void doTaskPerStorage(Storage storage) throws Exception {
+        if (storage.getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        long monthAgo = System.currentTimeMillis() / 1000 - 31 * 24 * 3600;
+        oauthStorage.deleteExpiredOAuthSessions(monthAgo);
+        oauthStorage.deleteExpiredOAuthM2MTokens(monthAgo);
+
+        oauthStorage.deleteOAuthLogoutChallengesBefore(System.currentTimeMillis() - 1000 * 60 * 60 * 48); // 48 hours
+    }
+
+    @Override
+    public int getIntervalTimeSeconds() {
+        if (Main.isTesting) {
+            Integer interval = CronTaskTest.getInstance(main).getIntervalInSeconds(RESOURCE_KEY);
+            if (interval != null) {
+                return interval;
+            }
+        }
+        // Every 24 hours.
+        return 24 * 3600;
+    }
+
+    @Override
+    public int getInitialWaitTimeSeconds() {
+        if (!Main.isTesting) {
+            return getIntervalTimeSeconds();
+        } else {
+            return 0;
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/featureflag/EE_FEATURES.java b/src/main/java/io/supertokens/featureflag/EE_FEATURES.java
index 606b1a0fc..8708b883f 100644
--- a/src/main/java/io/supertokens/featureflag/EE_FEATURES.java
+++ b/src/main/java/io/supertokens/featureflag/EE_FEATURES.java
@@ -18,7 +18,7 @@
 
 public enum EE_FEATURES {
     ACCOUNT_LINKING("account_linking"), MULTI_TENANCY("multi_tenancy"), TEST("test"),
-    DASHBOARD_LOGIN("dashboard_login"), MFA("mfa"), SECURITY("security");
+    DASHBOARD_LOGIN("dashboard_login"), MFA("mfa"), SECURITY("security"), OAUTH("oauth");
 
     private final String name;
 
diff --git a/src/main/java/io/supertokens/inmemorydb/Start.java b/src/main/java/io/supertokens/inmemorydb/Start.java
index 2ce5aee4a..534daf779 100644
--- a/src/main/java/io/supertokens/inmemorydb/Start.java
+++ b/src/main/java/io/supertokens/inmemorydb/Start.java
@@ -50,12 +50,20 @@
 import io.supertokens.pluginInterface.jwt.JWTSigningKeyInfo;
 import io.supertokens.pluginInterface.jwt.exceptions.DuplicateKeyIdException;
 import io.supertokens.pluginInterface.jwt.sqlstorage.JWTRecipeSQLStorage;
-import io.supertokens.pluginInterface.multitenancy.*;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.MultitenancyStorage;
+import io.supertokens.pluginInterface.multitenancy.TenantConfig;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.exceptions.DuplicateClientTypeException;
 import io.supertokens.pluginInterface.multitenancy.exceptions.DuplicateTenantException;
 import io.supertokens.pluginInterface.multitenancy.exceptions.DuplicateThirdPartyIdException;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.pluginInterface.multitenancy.sqlStorage.MultitenancySQLStorage;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.pluginInterface.oauth.OAuthLogoutChallenge;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
+import io.supertokens.pluginInterface.oauth.exception.DuplicateOAuthLogoutChallengeException;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
 import io.supertokens.pluginInterface.passwordless.PasswordlessCode;
 import io.supertokens.pluginInterface.passwordless.PasswordlessDevice;
 import io.supertokens.pluginInterface.passwordless.exception.*;
@@ -103,10 +111,9 @@ public class Start
         implements SessionSQLStorage, EmailPasswordSQLStorage, EmailVerificationSQLStorage, ThirdPartySQLStorage,
         JWTRecipeSQLStorage, PasswordlessSQLStorage, UserMetadataSQLStorage, UserRolesSQLStorage, UserIdMappingStorage,
         UserIdMappingSQLStorage, MultitenancyStorage, MultitenancySQLStorage, TOTPSQLStorage, ActiveUsersStorage,
-        ActiveUsersSQLStorage, DashboardSQLStorage, AuthRecipeSQLStorage {
+        ActiveUsersSQLStorage, DashboardSQLStorage, AuthRecipeSQLStorage, OAuthStorage {
 
     private static final Object appenderLock = new Object();
-    private static final String APP_ID_KEY_NAME = "app_id";
     private static final String ACCESS_TOKEN_SIGNING_KEY_NAME = "access_token_signing_key";
     private static final String REFRESH_TOKEN_KEY_NAME = "refresh_token_key";
     public static boolean isTesting = false;
@@ -736,6 +743,8 @@ public void addInfoToNonAuthRecipesBasedOnUserId(TenantIdentifier tenantIdentifi
             /* Since JWT recipe tables do not store userId we do not add any data to them */
         } else if (className.equals(BulkImportStorage.class.getName())){
             //ignore
+        } else if (className.equals(OAuthStorage.class.getName())) {
+            /* Since OAuth tables store client-related data, we don't add user-specific data here */
         } else if (className.equals(ActiveUsersStorage.class.getName())) {
             try {
                 ActiveUsersQueries.updateUserLastActive(this, tenantIdentifier.toAppIdentifier(), userId);
@@ -3034,4 +3043,280 @@ public int countUsersThatHaveMoreThanOneLoginMethodOrTOTPEnabledAndActiveSince(A
             throw new StorageQueryException(e);
         }
     }
+
+    @Override
+    public OAuthClient getOAuthClientById(AppIdentifier appIdentifier, String clientId)
+            throws StorageQueryException, OAuthClientNotFoundException {
+        try {
+            OAuthClient client =  OAuthQueries.getOAuthClientById(this, clientId, appIdentifier);
+            if (client == null) {
+                throw new OAuthClientNotFoundException();
+            }
+            return client;
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void addOrUpdateOauthClient(AppIdentifier appIdentifier, String clientId, String clientSecret, boolean isClientCredentialsOnly, boolean enableRefreshTokenRotation)
+            throws StorageQueryException, TenantOrAppNotFoundException {
+        try {
+            OAuthQueries.addOrUpdateOauthClient(this, appIdentifier, clientId, clientSecret, isClientCredentialsOnly, enableRefreshTokenRotation);
+        } catch (SQLException e) {
+            if (e instanceof SQLiteException) {
+                String errorMessage = e.getMessage();
+                SQLiteConfig config = Config.getConfig(this);
+
+                if (isForeignKeyConstraintError(
+                        errorMessage,
+                        config.getAppsTable(),
+                        new String[]{"app_id"},
+                        new Object[]{appIdentifier.getAppId()})) {
+                    throw new TenantOrAppNotFoundException(appIdentifier);
+                }
+            }
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean deleteOAuthClient(AppIdentifier appIdentifier, String clientId) throws StorageQueryException {
+        try {
+            return OAuthQueries.deleteOAuthClient(this, clientId, appIdentifier);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public List<OAuthClient> getOAuthClients(AppIdentifier appIdentifier, List<String> clientIds) throws StorageQueryException {
+        try {
+            return OAuthQueries.getOAuthClients(this, appIdentifier, clientIds);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean revokeOAuthTokenByGID(AppIdentifier appIdentifier, String gid) throws StorageQueryException {
+        try {
+            return OAuthQueries.deleteOAuthSessionByGID(this, appIdentifier, gid);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean revokeOAuthTokenByClientId(AppIdentifier appIdentifier, String clientId)
+            throws StorageQueryException {
+        try {
+            return OAuthQueries.deleteOAuthSessionByClientId(this, appIdentifier, clientId);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean revokeOAuthTokenByJTI(AppIdentifier appIdentifier, String gid, String jti)
+            throws StorageQueryException {
+        try {
+            return OAuthQueries.deleteJTIFromOAuthSession(this, appIdentifier, gid, jti);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean revokeOAuthTokenBySessionHandle(AppIdentifier appIdentifier, String sessionHandle)
+            throws StorageQueryException {
+        try {
+            return OAuthQueries.deleteOAuthSessionBySessionHandle(this, appIdentifier, sessionHandle);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void addOAuthM2MTokenForStats(AppIdentifier appIdentifier, String clientId, long iat, long exp)
+            throws StorageQueryException, OAuthClientNotFoundException {
+        try {
+            OAuthQueries.addOAuthM2MTokenForStats(this, appIdentifier, clientId, iat, exp);
+        } catch (SQLException e) {
+            if (e instanceof SQLiteException) {
+                String errorMessage = e.getMessage();
+                SQLiteConfig config = Config.getConfig(this);
+
+                if (isForeignKeyConstraintError(
+                        errorMessage,
+                        config.getOAuthClientsTable(),
+                        new String[]{"app_id", "client_id"},
+                        new Object[]{appIdentifier.getAppId(), clientId})) {
+                    throw new OAuthClientNotFoundException();
+                }
+            }
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void deleteExpiredOAuthM2MTokens(long exp) throws StorageQueryException {
+        try {
+            OAuthQueries.deleteExpiredOAuthM2MTokens(this, exp);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void addOAuthLogoutChallenge(AppIdentifier appIdentifier, String challenge, String clientId,
+            String postLogoutRedirectionUri, String sessionHandle, String state, long timeCreated)
+            throws StorageQueryException, DuplicateOAuthLogoutChallengeException, OAuthClientNotFoundException {
+        try {
+            OAuthQueries.addOAuthLogoutChallenge(this, appIdentifier, challenge, clientId, postLogoutRedirectionUri, sessionHandle, state, timeCreated);
+        } catch (SQLException e) {
+            SQLiteConfig config = Config.getConfig(this);
+            String serverMessage = e.getMessage();
+
+            if (isPrimaryKeyError(serverMessage, config.getOAuthLogoutChallengesTable(),
+                    new String[]{"app_id", "challenge"})) {
+                throw new DuplicateOAuthLogoutChallengeException();
+            } else if (isForeignKeyConstraintError(
+                serverMessage,
+                config.getOAuthClientsTable(),
+                new String[]{"app_id", "client_id"},
+                new Object[]{appIdentifier.getAppId(), clientId})) {
+                    throw new OAuthClientNotFoundException();
+                }
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public OAuthLogoutChallenge getOAuthLogoutChallenge(AppIdentifier appIdentifier, String challenge) throws StorageQueryException {
+        try {
+            return OAuthQueries.getOAuthLogoutChallenge(this, appIdentifier, challenge);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void deleteOAuthLogoutChallenge(AppIdentifier appIdentifier, String challenge) throws StorageQueryException {
+        try {
+            OAuthQueries.deleteOAuthLogoutChallenge(this, appIdentifier, challenge);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void deleteOAuthLogoutChallengesBefore(long time) throws StorageQueryException {
+        try {
+            OAuthQueries.deleteOAuthLogoutChallengesBefore(this, time);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void createOrUpdateOAuthSession(AppIdentifier appIdentifier, String gid, String clientId,
+                                           String externalRefreshToken, String internalRefreshToken,
+                                           String sessionHandle, String jti, long exp)
+            throws StorageQueryException, OAuthClientNotFoundException {
+        try {
+            OAuthQueries.createOrUpdateOAuthSession(this, appIdentifier, gid, clientId, externalRefreshToken,
+                    internalRefreshToken, sessionHandle, jti, exp);
+        } catch (SQLException e) {
+            if (e instanceof SQLiteException) {
+                String errorMessage = e.getMessage();
+                SQLiteConfig config = Config.getConfig(this);
+
+                if (isForeignKeyConstraintError(
+                        errorMessage,
+                        config.getOAuthClientsTable(),
+                        new String[]{"app_id", "client_id"},
+                        new Object[]{appIdentifier.getAppId(), clientId})) {
+                    throw new OAuthClientNotFoundException();
+                }
+            }
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public String getRefreshTokenMapping(AppIdentifier appIdentifier, String externalRefreshToken)
+            throws StorageQueryException {
+        try {
+            return OAuthQueries.getRefreshTokenMapping(this, appIdentifier, externalRefreshToken);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public void deleteExpiredOAuthSessions(long exp) throws StorageQueryException {
+        try {
+            OAuthQueries.deleteExpiredOAuthSessions(this, exp);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public int countTotalNumberOfOAuthClients(AppIdentifier appIdentifier) throws StorageQueryException {
+        try {
+            return OAuthQueries.countTotalNumberOfClients(this, appIdentifier, false);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public int countTotalNumberOfClientCredentialsOnlyOAuthClients(AppIdentifier appIdentifier)
+            throws StorageQueryException {
+        try {
+            return OAuthQueries.countTotalNumberOfClients(this, appIdentifier, true);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public int countTotalNumberOfOAuthM2MTokensCreatedSince(AppIdentifier appIdentifier, long since)
+            throws StorageQueryException {
+        try {
+            return OAuthQueries.countTotalNumberOfOAuthM2MTokensCreatedSince(this, appIdentifier, since);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public int countTotalNumberOfOAuthM2MTokensAlive(AppIdentifier appIdentifier) throws StorageQueryException {
+        try {
+            return OAuthQueries.countTotalNumberOfOAuthM2MTokensAlive(this, appIdentifier);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean isOAuthTokenRevokedByGID(AppIdentifier appIdentifier, String gid) throws StorageQueryException {
+        try {
+            return !OAuthQueries.isOAuthSessionExistsByGID(this, appIdentifier, gid);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
+
+    @Override
+    public boolean isOAuthTokenRevokedByJTI(AppIdentifier appIdentifier, String gid, String jti)
+            throws StorageQueryException {
+        try {
+            return !OAuthQueries.isOAuthSessionExistsByJTI(this, appIdentifier, gid, jti);
+        } catch (SQLException e) {
+            throw new StorageQueryException(e);
+        }
+    }
 }
diff --git a/src/main/java/io/supertokens/inmemorydb/config/SQLiteConfig.java b/src/main/java/io/supertokens/inmemorydb/config/SQLiteConfig.java
index ee8c43241..0790898dc 100644
--- a/src/main/java/io/supertokens/inmemorydb/config/SQLiteConfig.java
+++ b/src/main/java/io/supertokens/inmemorydb/config/SQLiteConfig.java
@@ -164,4 +164,24 @@ public String getDashboardUsersTable() {
     public String getDashboardSessionsTable() {
         return "dashboard_user_sessions";
     }
+
+    public String getOAuthClientsTable() {
+        return "oauth_clients";
+    }
+
+    public String getOAuthRefreshTokenMappingTable() {
+        return "oauth_refresh_token_mapping";
+    }
+
+    public String getOAuthM2MTokensTable() {
+        return "oauth_m2m_tokens";
+    }
+
+    public String getOAuthSessionsTable() {
+        return "oauth_sessions";
+    }
+
+    public String getOAuthLogoutChallengesTable() {
+        return "oauth_logout_challenges";
+    }
 }
diff --git a/src/main/java/io/supertokens/inmemorydb/queries/GeneralQueries.java b/src/main/java/io/supertokens/inmemorydb/queries/GeneralQueries.java
index edf7a7f11..eb2fe4809 100644
--- a/src/main/java/io/supertokens/inmemorydb/queries/GeneralQueries.java
+++ b/src/main/java/io/supertokens/inmemorydb/queries/GeneralQueries.java
@@ -427,8 +427,37 @@ public static void createTablesIfNotExists(Start start, Main main) throws SQLExc
             update(start, TOTPQueries.getQueryToCreateUsedCodesExpiryTimeIndex(start), NO_OP_SETTER);
         }
 
-    }
+        if (!doesTableExists(start, Config.getConfig(start).getOAuthClientsTable())) {
+            getInstance(main).addState(CREATING_NEW_TABLE, null);
+            update(start, OAuthQueries.getQueryToCreateOAuthClientTable(start), NO_OP_SETTER);
+        }
+
+        if (!doesTableExists(start, Config.getConfig(start).getOAuthSessionsTable())) {
+            getInstance(main).addState(CREATING_NEW_TABLE, null);
+            update(start, OAuthQueries.getQueryToCreateOAuthSessionsTable(start), NO_OP_SETTER);
+
+            // index
+            update(start, OAuthQueries.getQueryToCreateOAuthSessionsExpIndex(start), NO_OP_SETTER);
+            update(start, OAuthQueries.getQueryToCreateOAuthSessionsExternalRefreshTokenIndex(start), NO_OP_SETTER);
+        }
+
+        if (!doesTableExists(start, Config.getConfig(start).getOAuthM2MTokensTable())) {
+            getInstance(main).addState(CREATING_NEW_TABLE, null);
+            update(start, OAuthQueries.getQueryToCreateOAuthM2MTokensTable(start), NO_OP_SETTER);
 
+            // index
+            update(start, OAuthQueries.getQueryToCreateOAuthM2MTokenIatIndex(start), NO_OP_SETTER);
+            update(start, OAuthQueries.getQueryToCreateOAuthM2MTokenExpIndex(start), NO_OP_SETTER);
+        }
+
+        if (!doesTableExists(start, Config.getConfig(start).getOAuthLogoutChallengesTable())) {
+            getInstance(main).addState(CREATING_NEW_TABLE, null);
+            update(start, OAuthQueries.getQueryToCreateOAuthLogoutChallengesTable(start), NO_OP_SETTER);
+
+            // index
+            update(start, OAuthQueries.getQueryToCreateOAuthLogoutChallengesTimeCreatedIndex(start), NO_OP_SETTER);
+        }
+    }
 
     public static void setKeyValue_Transaction(Start start, Connection con, TenantIdentifier tenantIdentifier,
                                                String key, KeyValueInfo info)
diff --git a/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java b/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java
new file mode 100644
index 000000000..e834ca9cf
--- /dev/null
+++ b/src/main/java/io/supertokens/inmemorydb/queries/OAuthQueries.java
@@ -0,0 +1,464 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.inmemorydb.queries;
+
+import io.supertokens.inmemorydb.Start;
+import io.supertokens.inmemorydb.Utils;
+import io.supertokens.inmemorydb.config.Config;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.pluginInterface.oauth.OAuthLogoutChallenge;
+import org.jetbrains.annotations.NotNull;
+
+import java.sql.SQLException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+
+import static io.supertokens.inmemorydb.QueryExecutorTemplate.execute;
+import static io.supertokens.inmemorydb.QueryExecutorTemplate.update;
+
+public class OAuthQueries {
+
+    public static String getQueryToCreateOAuthClientTable(Start start) {
+        String oAuth2ClientTable = Config.getConfig(start).getOAuthClientsTable();
+        // @formatter:off
+        return "CREATE TABLE IF NOT EXISTS " + oAuth2ClientTable + " ("
+                + "app_id VARCHAR(64),"
+                + "client_id VARCHAR(255) NOT NULL,"
+                + "client_secret TEXT,"
+                + "enable_refresh_token_rotation BOOLEAN NOT NULL,"
+                + "is_client_credentials_only BOOLEAN NOT NULL,"
+                + " PRIMARY KEY (app_id, client_id),"
+                + " FOREIGN KEY(app_id) REFERENCES " + Config.getConfig(start).getAppsTable() + "(app_id) ON DELETE CASCADE);";
+        // @formatter:on
+    }
+
+    public static String getQueryToCreateOAuthSessionsTable(Start start) {
+        String oAuthSessionsTable = Config.getConfig(start).getOAuthSessionsTable();
+        // @formatter:off
+        return "CREATE TABLE IF NOT EXISTS " + oAuthSessionsTable + " ("
+                + "gid VARCHAR(255)," // needed for instrospect. It's much easier to find these records if we have a gid
+                + "app_id VARCHAR(64) DEFAULT 'public',"
+                + "client_id VARCHAR(255) NOT NULL,"
+                + "session_handle VARCHAR(128),"
+                + "external_refresh_token VARCHAR(255) UNIQUE,"
+                + "internal_refresh_token VARCHAR(255) UNIQUE,"
+                + "jti TEXT NOT NULL," // comma separated jti list
+                + "exp BIGINT NOT NULL,"
+                + "PRIMARY KEY (gid),"
+                + "FOREIGN KEY(app_id, client_id) REFERENCES " + Config.getConfig(start).getOAuthClientsTable() + "(app_id, client_id) ON DELETE CASCADE);";
+        // @formatter:on
+    }
+
+    public static String getQueryToCreateOAuthSessionsExpIndex(Start start) {
+        String oAuth2SessionTable = Config.getConfig(start).getOAuthSessionsTable();
+        return "CREATE INDEX IF NOT EXISTS oauth_session_exp_index ON "
+                + oAuth2SessionTable + "(exp DESC);";
+    }
+
+    public static String getQueryToCreateOAuthSessionsExternalRefreshTokenIndex(Start start) {
+        String oAuth2SessionTable = Config.getConfig(start).getOAuthSessionsTable();
+        return "CREATE INDEX IF NOT EXISTS oauth_session_external_refresh_token_index ON "
+                + oAuth2SessionTable + "(app_id, external_refresh_token DESC);";
+    }
+
+    public static String getQueryToCreateOAuthM2MTokensTable(Start start) {
+        String oAuth2M2MTokensTable = Config.getConfig(start).getOAuthM2MTokensTable();
+        // @formatter:off
+        return "CREATE TABLE IF NOT EXISTS " + oAuth2M2MTokensTable + " ("
+                + "app_id VARCHAR(64) DEFAULT 'public',"
+                + "client_id VARCHAR(255) NOT NULL,"
+                + "iat BIGINT NOT NULL,"
+                + "exp BIGINT NOT NULL,"
+                + "PRIMARY KEY (app_id, client_id, iat),"
+                + "FOREIGN KEY(app_id, client_id)"
+                + " REFERENCES " + Config.getConfig(start).getOAuthClientsTable() + "(app_id, client_id) ON DELETE CASCADE"
+                + ");";
+        // @formatter:on
+    }
+
+    public static String getQueryToCreateOAuthM2MTokenIatIndex(Start start) {
+        String oAuth2M2MTokensTable = Config.getConfig(start).getOAuthM2MTokensTable();
+        return "CREATE INDEX IF NOT EXISTS oauth_m2m_token_iat_index ON "
+                + oAuth2M2MTokensTable + "(iat DESC, app_id DESC);";
+    }
+
+    public static String getQueryToCreateOAuthM2MTokenExpIndex(Start start) {
+        String oAuth2M2MTokensTable = Config.getConfig(start).getOAuthM2MTokensTable();
+        return "CREATE INDEX IF NOT EXISTS oauth_m2m_token_exp_index ON "
+                + oAuth2M2MTokensTable + "(exp DESC);";
+    }
+
+    public static String getQueryToCreateOAuthLogoutChallengesTable(Start start) {
+        String oAuth2LogoutChallengesTable = Config.getConfig(start).getOAuthLogoutChallengesTable();
+        // @formatter:off
+        return "CREATE TABLE IF NOT EXISTS " + oAuth2LogoutChallengesTable + " ("
+                + "app_id VARCHAR(64) DEFAULT 'public',"
+                + "challenge VARCHAR(128) NOT NULL,"
+                + "client_id VARCHAR(255) NOT NULL,"
+                + "post_logout_redirect_uri VARCHAR(1024),"
+                + "session_handle VARCHAR(128),"
+                + "state VARCHAR(128),"
+                + "time_created BIGINT NOT NULL,"
+                + "PRIMARY KEY (app_id, challenge),"
+                + "FOREIGN KEY(app_id, client_id)"
+                + " REFERENCES " + Config.getConfig(start).getOAuthClientsTable() + "(app_id, client_id) ON DELETE CASCADE"
+                + ");";
+        // @formatter:on
+    }
+
+    public static String getQueryToCreateOAuthLogoutChallengesTimeCreatedIndex(Start start) {
+        String oAuth2LogoutChallengesTable = Config.getConfig(start).getOAuthLogoutChallengesTable();
+        return "CREATE INDEX IF NOT EXISTS oauth_logout_challenges_time_created_index ON "
+                + oAuth2LogoutChallengesTable + "(time_created DESC);";
+    }
+
+    public static OAuthClient getOAuthClientById(Start start, String clientId, AppIdentifier appIdentifier)
+            throws SQLException, StorageQueryException {
+        String QUERY = "SELECT client_secret, is_client_credentials_only, enable_refresh_token_rotation FROM " + Config.getConfig(start).getOAuthClientsTable() +
+            " WHERE client_id = ? AND app_id = ?";
+
+        return execute(start, QUERY, pst -> {
+            pst.setString(1, clientId);
+            pst.setString(2, appIdentifier.getAppId());
+        }, (result) -> {
+            if (result.next()) {
+                return new OAuthClient(clientId, result.getString("client_secret"), result.getBoolean("is_client_credentials_only"), result.getBoolean("enable_refresh_token_rotation"));
+            }
+            return null;
+        });
+    }
+
+    public static void createOrUpdateOAuthSession(Start start, AppIdentifier appIdentifier, @NotNull String gid, @NotNull String clientId,
+                                                  String externalRefreshToken, String internalRefreshToken, String sessionHandle,
+                                                  String jti, long exp)
+            throws SQLException, StorageQueryException {
+        String QUERY = "INSERT INTO " + Config.getConfig(start).getOAuthSessionsTable() +
+                " (gid, client_id, app_id, external_refresh_token, internal_refresh_token, session_handle, jti, exp) VALUES (?, ?, ?, ?, ?, ?, ?, ?) " +
+                "ON CONFLICT (gid) DO UPDATE SET external_refresh_token = ?, internal_refresh_token = ?, " +
+                "session_handle = ? , jti = CONCAT(jti, ?), exp = ?";
+        update(start, QUERY, pst -> {
+
+            String jtiToInsert = jti + ","; //every jti value ends with ','
+
+            pst.setString(1, gid);
+            pst.setString(2, clientId);
+            pst.setString(3, appIdentifier.getAppId());
+            pst.setString(4, externalRefreshToken);
+            pst.setString(5, internalRefreshToken);
+            pst.setString(6, sessionHandle);
+            pst.setString(7, jtiToInsert);
+            pst.setLong(8, exp);
+
+            pst.setString(9, externalRefreshToken);
+            pst.setString(10, internalRefreshToken);
+            pst.setString(11, sessionHandle);
+            pst.setString(12, jtiToInsert);
+            pst.setLong(13, exp);
+        });
+    }
+
+    public static List<OAuthClient> getOAuthClients(Start start, AppIdentifier appIdentifier, List<String> clientIds)
+            throws SQLException, StorageQueryException {
+        String QUERY = "SELECT * FROM " + Config.getConfig(start).getOAuthClientsTable()
+                + " WHERE app_id = ? AND client_id IN ("
+                + Utils.generateCommaSeperatedQuestionMarks(clientIds.size())
+                + ")";
+        return execute(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            for (int i = 0; i < clientIds.size(); i++) {
+                pst.setString(i + 2, clientIds.get(i));
+            }
+        }, (result) -> {
+            List<OAuthClient> res = new ArrayList<>();
+            while (result.next()) {
+                res.add(new OAuthClient(result.getString("client_id"), result.getString("client_secret"), result.getBoolean("is_client_credentials_only"), result.getBoolean("enable_refresh_token_rotation")));
+            }
+            return res;
+        });
+    }
+
+    public static void addOrUpdateOauthClient(Start start, AppIdentifier appIdentifier, String clientId, String clientSecret,
+                                            boolean isClientCredentialsOnly, boolean enableRefreshTokenRotation)
+            throws SQLException, StorageQueryException {
+        String INSERT = "INSERT INTO " + Config.getConfig(start).getOAuthClientsTable()
+                + "(app_id, client_id, client_secret, is_client_credentials_only, enable_refresh_token_rotation) VALUES(?, ?, ?, ?, ?) "
+                + "ON CONFLICT (app_id, client_id) DO UPDATE SET client_secret = ?, is_client_credentials_only = ?, enable_refresh_token_rotation = ?";
+        update(start, INSERT, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, clientId);
+            pst.setString(3, clientSecret);
+            pst.setBoolean(4, isClientCredentialsOnly);
+            pst.setBoolean(5, enableRefreshTokenRotation);
+            pst.setString(6, clientSecret);
+            pst.setBoolean(7, isClientCredentialsOnly);
+            pst.setBoolean(8, enableRefreshTokenRotation);
+        });
+    }
+
+    public static boolean deleteOAuthClient(Start start, String clientId, AppIdentifier appIdentifier)
+            throws SQLException, StorageQueryException {
+        String DELETE = "DELETE FROM " + Config.getConfig(start).getOAuthClientsTable()
+                + " WHERE app_id = ? AND client_id = ?";
+        int numberOfRow = update(start, DELETE, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, clientId);
+        });
+        return numberOfRow > 0;
+    }
+
+    public static boolean deleteOAuthSessionByGID(Start start, AppIdentifier appIdentifier, String gid)
+            throws SQLException, StorageQueryException {
+        String DELETE = "DELETE FROM " + Config.getConfig(start).getOAuthSessionsTable()
+                        + " WHERE gid = ? and app_id = ?;";
+        int numberOfRows = update(start, DELETE, pst -> {
+            pst.setString(1, gid);
+            pst.setString(2, appIdentifier.getAppId());
+        });
+        return numberOfRows > 0;
+    }
+
+    public static boolean deleteOAuthSessionByClientId(Start start, AppIdentifier appIdentifier, String clientId)
+            throws SQLException, StorageQueryException {
+        String DELETE = "DELETE FROM " + Config.getConfig(start).getOAuthSessionsTable()
+                + " WHERE app_id = ? and client_id = ?;";
+        int numberOfRows = update(start, DELETE, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, clientId);
+        });
+        return numberOfRows > 0;
+    }
+
+    public static boolean deleteOAuthSessionBySessionHandle(Start start, AppIdentifier appIdentifier, String sessionHandle)
+            throws SQLException, StorageQueryException {
+        String DELETE = "DELETE FROM " + Config.getConfig(start).getOAuthSessionsTable()
+                + " WHERE app_id = ? and session_handle = ?";
+        int numberOfRows = update(start, DELETE, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, sessionHandle);
+        });
+        return numberOfRows > 0;
+    }
+
+    public static boolean deleteJTIFromOAuthSession(Start start, AppIdentifier appIdentifier, String gid, String jti)
+            throws SQLException, StorageQueryException {
+        //jti is a comma separated list. When deleting a jti, just have to delete from the list
+        String DELETE = "UPDATE " + Config.getConfig(start).getOAuthSessionsTable()
+                + " SET jti = REPLACE(jti, ?, '')" // deletion means replacing the jti with empty char
+                + " WHERE app_id = ? and gid = ?";
+        int numberOfRows = update(start, DELETE, pst -> {
+            pst.setString(1, jti + ",");
+            pst.setString(2, appIdentifier.getAppId());
+            pst.setString(3, gid);
+        });
+        return numberOfRows > 0;
+    }
+
+    public static int countTotalNumberOfClients(Start start, AppIdentifier appIdentifier,
+            boolean filterByClientCredentialsOnly) throws SQLException, StorageQueryException {
+        if (filterByClientCredentialsOnly) {
+            String QUERY = "SELECT COUNT(*) as c FROM " + Config.getConfig(start).getOAuthClientsTable() +
+                    " WHERE app_id = ? AND is_client_credentials_only = ?";
+            return execute(start, QUERY, pst -> {
+                pst.setString(1, appIdentifier.getAppId());
+                pst.setBoolean(2, true);
+            }, result -> {
+                if (result.next()) {
+                    return result.getInt("c");
+                }
+                return 0;
+            });
+        } else {
+            String QUERY = "SELECT COUNT(*) as c FROM " + Config.getConfig(start).getOAuthClientsTable() +
+                    " WHERE app_id = ?";
+            return execute(start, QUERY, pst -> {
+                pst.setString(1, appIdentifier.getAppId());
+            }, result -> {
+                if (result.next()) {
+                    return result.getInt("c");
+                }
+                return 0;
+            });
+        }
+    }
+
+    public static int countTotalNumberOfOAuthM2MTokensAlive(Start start, AppIdentifier appIdentifier)
+            throws SQLException, StorageQueryException {
+        String QUERY = "SELECT COUNT(*) as c FROM " + Config.getConfig(start).getOAuthM2MTokensTable() +
+                " WHERE app_id = ? AND exp > ?";
+        return execute(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setLong(2, System.currentTimeMillis()/1000);
+        }, result -> {
+            if (result.next()) {
+                return result.getInt("c");
+            }
+            return 0;
+        });
+    }
+
+    public static int countTotalNumberOfOAuthM2MTokensCreatedSince(Start start, AppIdentifier appIdentifier, long since)
+            throws SQLException, StorageQueryException {
+        String QUERY = "SELECT COUNT(*) as c FROM " + Config.getConfig(start).getOAuthM2MTokensTable() +
+                " WHERE app_id = ? AND iat >= ?";
+        return execute(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setLong(2, since / 1000);
+        }, result -> {
+            if (result.next()) {
+                return result.getInt("c");
+            }
+            return 0;
+        });
+    }
+
+    public static void addOAuthM2MTokenForStats(Start start, AppIdentifier appIdentifier, String clientId, long iat, long exp)
+            throws SQLException, StorageQueryException {
+        String QUERY = "INSERT INTO " + Config.getConfig(start).getOAuthM2MTokensTable() +
+                " (app_id, client_id, iat, exp) VALUES (?, ?, ?, ?) ON CONFLICT DO NOTHING";
+        update(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, clientId);
+            pst.setLong(3, iat);
+            pst.setLong(4, exp);
+        });
+    }
+
+    public static void addOAuthLogoutChallenge(Start start, AppIdentifier appIdentifier, String challenge, String clientId,
+            String postLogoutRedirectionUri, String sessionHandle, String state, long timeCreated) throws SQLException, StorageQueryException {
+        String QUERY = "INSERT INTO " + Config.getConfig(start).getOAuthLogoutChallengesTable() +
+                " (app_id, challenge, client_id, post_logout_redirect_uri, session_handle, state, time_created) VALUES (?, ?, ?, ?, ?, ?, ?)";
+        update(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, challenge);
+            pst.setString(3, clientId);
+            pst.setString(4, postLogoutRedirectionUri);
+            pst.setString(5, sessionHandle);
+            pst.setString(6, state);
+            pst.setLong(7, timeCreated);
+        });
+    }
+
+    public static OAuthLogoutChallenge getOAuthLogoutChallenge(Start start, AppIdentifier appIdentifier, String challenge) throws SQLException, StorageQueryException {
+        String QUERY = "SELECT challenge, client_id, post_logout_redirect_uri, session_handle, state, time_created FROM " +
+                Config.getConfig(start).getOAuthLogoutChallengesTable() +
+                " WHERE app_id = ? AND challenge = ?";
+        
+        return execute(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, challenge);
+        }, result -> {
+            if (result.next()) {
+                return new OAuthLogoutChallenge(
+                    result.getString("challenge"),
+                    result.getString("client_id"),
+                    result.getString("post_logout_redirect_uri"),
+                    result.getString("session_handle"),
+                    result.getString("state"),
+                    result.getLong("time_created")
+                );
+            }
+            return null;
+        });
+    }
+
+    public static void deleteOAuthLogoutChallenge(Start start, AppIdentifier appIdentifier, String challenge) throws SQLException, StorageQueryException {
+        String QUERY = "DELETE FROM " + Config.getConfig(start).getOAuthLogoutChallengesTable() +
+                " WHERE app_id = ? AND challenge = ?";
+        update(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, challenge);
+        });
+    }
+
+    public static void deleteOAuthLogoutChallengesBefore(Start start, long time) throws SQLException, StorageQueryException {
+        String QUERY = "DELETE FROM " + Config.getConfig(start).getOAuthLogoutChallengesTable() +
+                " WHERE time_created < ?";
+        update(start, QUERY, pst -> {
+            pst.setLong(1, time);
+        });
+    }
+
+    public static String getRefreshTokenMapping(Start start, AppIdentifier appIdentifier, String externalRefreshToken) throws SQLException, StorageQueryException {
+        String QUERY = "SELECT internal_refresh_token FROM " + Config.getConfig(start).getOAuthSessionsTable() +
+                " WHERE app_id = ? AND external_refresh_token = ?";
+        return execute(start, QUERY, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, externalRefreshToken);
+        }, result -> {
+            if (result.next()) {
+                return result.getString("internal_refresh_token");
+            }
+            return null;
+        });
+    }
+
+    public static void deleteExpiredOAuthSessions(Start start, long exp) throws SQLException, StorageQueryException {
+        // delete expired M2M tokens
+        String QUERY = "DELETE FROM " + Config.getConfig(start).getOAuthSessionsTable() +
+                " WHERE exp < ?";
+
+        update(start, QUERY, pst -> {
+            pst.setLong(1, exp);
+        });
+    }
+
+    public static void deleteExpiredOAuthM2MTokens(Start start, long exp) throws SQLException, StorageQueryException {
+        // delete expired M2M tokens
+        String QUERY = "DELETE FROM " + Config.getConfig(start).getOAuthM2MTokensTable() +
+                " WHERE exp < ?";
+        update(start, QUERY, pst -> {
+            pst.setLong(1, exp);
+        });
+    }
+
+    public static boolean isOAuthSessionExistsByJTI(Start start, AppIdentifier appIdentifier, String gid, String jti)
+            throws SQLException, StorageQueryException {
+        String SELECT = "SELECT jti FROM " + Config.getConfig(start).getOAuthSessionsTable()
+                + " WHERE app_id = ? and gid = ?;";
+        return execute(start, SELECT, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, gid);
+        }, result -> {
+            if(result.next()){
+                List<String> jtis = Arrays.stream(result.getString(1).split(",")).filter(s -> !s.isEmpty()).collect(
+                        Collectors.toList());
+                return jtis.contains(jti);
+            }
+            return false;
+        });
+    }
+
+    public static boolean isOAuthSessionExistsByGID(Start start, AppIdentifier appIdentifier, String gid)
+            throws SQLException, StorageQueryException {
+        String SELECT = "SELECT count(*) FROM " + Config.getConfig(start).getOAuthSessionsTable()
+                + " WHERE app_id = ? and gid = ?;";
+        return execute(start, SELECT, pst -> {
+            pst.setString(1, appIdentifier.getAppId());
+            pst.setString(2, gid);
+        }, result -> {
+            if(result.next()){
+                return result.getInt(1) > 0;
+            }
+            return false;
+        });
+    }
+
+}
diff --git a/src/main/java/io/supertokens/oauth/HttpRequestForOAuthProvider.java b/src/main/java/io/supertokens/oauth/HttpRequestForOAuthProvider.java
new file mode 100644
index 000000000..67664c717
--- /dev/null
+++ b/src/main/java/io/supertokens/oauth/HttpRequestForOAuthProvider.java
@@ -0,0 +1,201 @@
+package io.supertokens.oauth;
+
+import com.google.gson.Gson;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+
+import java.io.*;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+public class HttpRequestForOAuthProvider {
+    // This is a helper class to make HTTP requests to the hydra server specifically.
+    // Although this is similar to HttpRequest, this is slightly modified to be able to work with
+    // form data, headers in request and responses, query params in non-get requests, reading responses in
+    // case of errors, etc.
+    // Left the original HttpRequest as is to avoid any issues with existing code.
+
+    private static final int CONNECTION_TIMEOUT = 5000;
+    private static final int READ_TIMEOUT = 5000;
+
+    public static Response doGet(String url, Map<String, String> headers, Map<String, String> queryParams) throws IOException {
+        if (queryParams == null) {
+            queryParams = new HashMap<>();
+        }
+        URL obj = new URL(url + "?" + queryParams.entrySet().stream()
+                .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
+                .collect(Collectors.joining("&")));
+        HttpURLConnection con = (HttpURLConnection) obj.openConnection();
+        con.setInstanceFollowRedirects(false); // Do not follow redirect
+        con.setRequestMethod("GET");
+        con.setConnectTimeout(CONNECTION_TIMEOUT);
+        con.setReadTimeout(READ_TIMEOUT);
+        if (headers != null) {
+            for (Map.Entry<String, String> entry : headers.entrySet()) {
+                con.setRequestProperty(entry.getKey(), entry.getValue());
+            }
+        }
+        return getResponse(con);
+    }
+
+    public static Response doFormPost(String url, Map<String, String> headers, Map<String, String> formFields) throws IOException, OAuthClientNotFoundException {
+        try {
+            URL obj = new URL(url);
+            HttpURLConnection con = (HttpURLConnection) obj.openConnection();
+            con.setRequestMethod("POST");
+            con.setConnectTimeout(CONNECTION_TIMEOUT);
+            con.setReadTimeout(READ_TIMEOUT);
+            con.setDoOutput(true);
+            con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
+
+            if (headers != null) {
+                for (Map.Entry<String, String> entry : headers.entrySet()) {
+                    con.setRequestProperty(entry.getKey(), entry.getValue());
+                }
+            }
+
+            try (DataOutputStream os = new DataOutputStream(con.getOutputStream())) {
+                os.writeBytes(formFields.entrySet().stream()
+                        .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
+                        .collect(Collectors.joining("&")));
+            }
+            return getResponse(con);
+        } catch (FileNotFoundException e) {
+            throw new OAuthClientNotFoundException();
+        }
+    }
+
+    public static Response doJsonPost(String url, Map<String, String> headers, JsonObject jsonInput) throws IOException, OAuthClientNotFoundException {
+        try {
+            URL obj = new URL(url);
+            HttpURLConnection con = (HttpURLConnection) obj.openConnection();
+            con.setRequestMethod("POST");
+            con.setConnectTimeout(CONNECTION_TIMEOUT);
+            con.setReadTimeout(READ_TIMEOUT);
+            con.setDoOutput(true);
+            con.setRequestProperty("Content-Type", "application/json");
+
+            if (headers != null) {
+                for (Map.Entry<String, String> entry : headers.entrySet()) {
+                    con.setRequestProperty(entry.getKey(), entry.getValue());
+                }
+            }
+
+            try (DataOutputStream os = new DataOutputStream(con.getOutputStream())) {
+                os.writeBytes(jsonInput.toString());
+            }
+            return getResponse(con);
+        } catch (FileNotFoundException e) {
+            throw new OAuthClientNotFoundException();
+        }
+    }
+
+    public static Response doJsonPut(String url, Map<String, String> queryParams, Map<String, String> headers, JsonObject jsonInput) throws IOException, OAuthClientNotFoundException {
+        try {
+            if (queryParams == null) {
+                queryParams = new HashMap<>();
+            }
+            URL obj = new URL(url + "?" + queryParams.entrySet().stream()
+                    .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
+                    .collect(Collectors.joining("&")));
+            HttpURLConnection con = (HttpURLConnection) obj.openConnection();
+            con.setRequestMethod("PUT");
+            con.setConnectTimeout(CONNECTION_TIMEOUT);
+            con.setReadTimeout(READ_TIMEOUT);
+            con.setDoOutput(true);
+            con.setRequestProperty("Content-Type", "application/json");
+
+            if (headers != null) {
+                for (Map.Entry<String, String> entry : headers.entrySet()) {
+                    con.setRequestProperty(entry.getKey(), entry.getValue());
+                }
+            }
+
+            try (DataOutputStream os = new DataOutputStream(con.getOutputStream())) {
+                os.writeBytes(jsonInput.toString());
+            }
+            return getResponse(con);
+        } catch (FileNotFoundException e) {
+            throw new OAuthClientNotFoundException();
+        }
+    }
+
+    public static Response doJsonDelete(String url, Map<String, String> headers, Map<String, String> queryParams, JsonObject jsonInput) throws IOException, OAuthClientNotFoundException {
+        try {
+            if (queryParams == null) {
+                queryParams = new HashMap<>();
+            }
+
+            URL obj = new URL(url + "?" + queryParams.entrySet().stream()
+                    .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
+                    .collect(Collectors.joining("&")));
+            HttpURLConnection con = (HttpURLConnection) obj.openConnection();
+            con.setRequestMethod("DELETE");
+            con.setConnectTimeout(CONNECTION_TIMEOUT);
+            con.setReadTimeout(READ_TIMEOUT);
+            con.setDoOutput(true);
+            con.setRequestProperty("Content-Type", "application/json");
+
+            if (headers != null) {
+                for (Map.Entry<String, String> entry : headers.entrySet()) {
+                    con.setRequestProperty(entry.getKey(), entry.getValue());
+                }
+            }
+
+            if (jsonInput != null) {
+                try (DataOutputStream os = new DataOutputStream(con.getOutputStream())) {
+                    os.writeBytes(jsonInput.toString());
+                }
+            }
+
+            return getResponse(con);
+        } catch (FileNotFoundException e) {
+            throw new OAuthClientNotFoundException();
+        }
+    }
+
+    private static Response getResponse(HttpURLConnection con) throws IOException {
+        int responseCode = con.getResponseCode();
+        InputStream inputStream;
+        if (con.getErrorStream() != null) {
+            inputStream = con.getErrorStream();
+        } else {
+            inputStream = con.getInputStream();
+        }
+        BufferedReader in = new BufferedReader(new InputStreamReader(inputStream));
+
+        String inputLine;
+        StringBuilder response = new StringBuilder();
+        while ((inputLine = in.readLine()) != null) {
+            response.append(inputLine);
+        }
+        in.close();
+        JsonElement jsonResponse = null;
+        if (con.getContentType() != null && con.getContentType().contains("application/json")) {
+            Gson gson = new Gson();
+            jsonResponse = gson.fromJson(response.toString(), JsonElement.class);
+        }
+        return new Response(responseCode, response.toString(), jsonResponse, con.getHeaderFields());
+    }
+
+    public static class Response {
+        public int statusCode;
+        public String rawResponse;
+        public JsonElement jsonResponse;
+        public Map<String, List<String>> headers;
+
+        public Response(int statusCode, String rawResponse, JsonElement jsonResponse, Map<String, List<String>> headers) {
+            this.statusCode = statusCode;
+            this.rawResponse = rawResponse;
+            this.jsonResponse = jsonResponse;
+            this.headers = headers;
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/oauth/OAuth.java b/src/main/java/io/supertokens/oauth/OAuth.java
new file mode 100644
index 000000000..a97fad1d9
--- /dev/null
+++ b/src/main/java/io/supertokens/oauth/OAuth.java
@@ -0,0 +1,668 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.oauth;
+
+import com.auth0.jwt.exceptions.JWTCreationException;
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import io.supertokens.Main;
+import io.supertokens.config.Config;
+import io.supertokens.exceptions.TryRefreshTokenException;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.jwt.exceptions.UnsupportedJWTSigningAlgorithmException;
+import io.supertokens.oauth.exceptions.OAuthAPIException;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.StorageUtils;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.pluginInterface.oauth.OAuthLogoutChallenge;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
+import io.supertokens.pluginInterface.oauth.exception.DuplicateOAuthLogoutChallengeException;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import io.supertokens.session.jwt.JWT.JWTException;
+import io.supertokens.utils.Utils;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.util.*;
+import java.util.Map.Entry;
+
+public class OAuth {
+    private static void checkForOauthFeature(AppIdentifier appIdentifier, Main main)
+            throws StorageQueryException, TenantOrAppNotFoundException, FeatureNotEnabledException {
+        EE_FEATURES[] features = FeatureFlag.getInstance(main, appIdentifier).getEnabledFeatures();
+        for (EE_FEATURES f : features) {
+            if (f == EE_FEATURES.OAUTH) {
+                return;
+            }
+        }
+
+        throw new FeatureNotEnabledException(
+                "OAuth feature is not enabled. Please subscribe to a SuperTokens core license key to enable this " +
+                        "feature.");
+    }
+
+    public static HttpRequestForOAuthProvider.Response doOAuthProxyGET(Main main, AppIdentifier appIdentifier, Storage storage, String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion, Map<String, String> queryParams, Map<String, String> headers) throws StorageQueryException, OAuthClientNotFoundException, TenantOrAppNotFoundException, FeatureNotEnabledException, InvalidConfigException, IOException, OAuthAPIException {
+        checkForOauthFeature(appIdentifier, main);
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+
+        if (camelToSnakeCaseConversion) {
+            queryParams = convertCamelToSnakeCase(queryParams);
+        }
+
+        if (clientIdToCheck != null) {
+            oauthStorage.getOAuthClientById(appIdentifier, clientIdToCheck); // may throw OAuthClientNotFoundException
+        }
+
+        // Request transformations
+        headers = Transformations.transformRequestHeadersForHydra(headers);
+
+        String baseURL;
+        if (proxyToAdmin) {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderAdminServiceUrl();
+        } else {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderPublicServiceUrl();
+        }
+        String fullUrl = baseURL + path;
+
+        HttpRequestForOAuthProvider.Response response = HttpRequestForOAuthProvider.doGet(fullUrl, headers, queryParams);
+
+        // Response transformations
+        response.jsonResponse = Transformations.transformJsonResponseFromHydra(main, appIdentifier, response.jsonResponse);
+        response.headers = Transformations.transformResponseHeadersFromHydra(main, appIdentifier, response.headers);
+
+        checkNonSuccessResponse(response);
+
+        if (camelToSnakeCaseConversion) {
+            response.jsonResponse = convertSnakeCaseToCamelCaseRecursively(response.jsonResponse);
+        }
+
+
+        return response;
+    }
+
+    public static HttpRequestForOAuthProvider.Response doOAuthProxyFormPOST(Main main, AppIdentifier appIdentifier, Storage storage, String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion, Map<String, String> formFields, Map<String, String> headers) throws StorageQueryException, OAuthClientNotFoundException, TenantOrAppNotFoundException, FeatureNotEnabledException, InvalidConfigException, IOException, OAuthAPIException {
+        checkForOauthFeature(appIdentifier, main);
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+
+        if (camelToSnakeCaseConversion) {
+            formFields = OAuth.convertCamelToSnakeCase(formFields);
+        }
+
+        if (clientIdToCheck != null) {
+            oauthStorage.getOAuthClientById(appIdentifier, clientIdToCheck); // may throw OAuthClientNotFoundException
+        }
+
+        // Request transformations
+        formFields = Transformations.transformFormFieldsForHydra(formFields);
+        headers = Transformations.transformRequestHeadersForHydra(headers);
+
+        String baseURL;
+        if (proxyToAdmin) {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderAdminServiceUrl();
+        } else {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderPublicServiceUrl();
+        }
+        String fullUrl = baseURL + path;
+
+        HttpRequestForOAuthProvider.Response response = HttpRequestForOAuthProvider.doFormPost(fullUrl, headers, formFields);
+
+        // Response transformations
+        response.jsonResponse = Transformations.transformJsonResponseFromHydra(main, appIdentifier, response.jsonResponse);
+        response.headers = Transformations.transformResponseHeadersFromHydra(main, appIdentifier, response.headers);
+
+        checkNonSuccessResponse(response);
+
+        if (camelToSnakeCaseConversion) {
+            response.jsonResponse = OAuth.convertSnakeCaseToCamelCaseRecursively(response.jsonResponse);
+        }
+
+        return response;
+    }
+
+    public static HttpRequestForOAuthProvider.Response doOAuthProxyJsonPOST(Main main, AppIdentifier appIdentifier, Storage storage, String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion, JsonObject jsonInput, Map<String, String> headers) throws StorageQueryException, OAuthClientNotFoundException, TenantOrAppNotFoundException, FeatureNotEnabledException, InvalidConfigException, IOException, OAuthAPIException {
+        checkForOauthFeature(appIdentifier, main);
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+
+        if (camelToSnakeCaseConversion) {
+            jsonInput = convertCamelToSnakeCase(jsonInput);
+        }
+
+        if (clientIdToCheck != null) {
+            oauthStorage.getOAuthClientById(appIdentifier, clientIdToCheck); // may throw OAuthClientNotFoundException
+        }
+
+        // Request transformations
+        jsonInput = Transformations.transformJsonForHydra(jsonInput);
+        headers = Transformations.transformRequestHeadersForHydra(headers);
+
+        String baseURL;
+        if (proxyToAdmin) {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderAdminServiceUrl();
+        } else {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderPublicServiceUrl();
+        }
+        String fullUrl = baseURL + path;
+
+        HttpRequestForOAuthProvider.Response response = HttpRequestForOAuthProvider.doJsonPost(fullUrl, headers, jsonInput);
+
+        // Response transformations
+        response.jsonResponse = Transformations.transformJsonResponseFromHydra(main, appIdentifier, response.jsonResponse);
+        response.headers = Transformations.transformResponseHeadersFromHydra(main, appIdentifier, response.headers);
+
+        checkNonSuccessResponse(response);
+
+        if (camelToSnakeCaseConversion) {
+            response.jsonResponse = convertSnakeCaseToCamelCaseRecursively(response.jsonResponse);
+        }
+
+        return response;
+    }
+
+    public static HttpRequestForOAuthProvider.Response doOAuthProxyJsonPUT(Main main, AppIdentifier appIdentifier, Storage storage, String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion, Map<String, String> queryParams, JsonObject jsonInput, Map<String, String> headers) throws StorageQueryException, OAuthClientNotFoundException, TenantOrAppNotFoundException, FeatureNotEnabledException, InvalidConfigException, IOException, OAuthAPIException {
+        checkForOauthFeature(appIdentifier, main);
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+
+        if (camelToSnakeCaseConversion) {
+            queryParams = convertCamelToSnakeCase(queryParams);
+            jsonInput = convertCamelToSnakeCase(jsonInput);
+        }
+
+        if (clientIdToCheck != null) {
+            oauthStorage.getOAuthClientById(appIdentifier, clientIdToCheck); // may throw OAuthClientNotFoundException
+        }
+
+        // Request transformations
+        jsonInput = Transformations.transformJsonForHydra(jsonInput);
+        headers = Transformations.transformRequestHeadersForHydra(headers);
+
+        String baseURL;
+        if (proxyToAdmin) {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderAdminServiceUrl();
+        } else {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderPublicServiceUrl();
+        }
+        String fullUrl = baseURL + path;
+
+        HttpRequestForOAuthProvider.Response response = HttpRequestForOAuthProvider.doJsonPut(fullUrl, queryParams, headers, jsonInput);
+
+        // Response transformations
+        response.jsonResponse = Transformations.transformJsonResponseFromHydra(main, appIdentifier, response.jsonResponse);
+        response.headers = Transformations.transformResponseHeadersFromHydra(main, appIdentifier, response.headers);
+
+        checkNonSuccessResponse(response);
+
+        if (camelToSnakeCaseConversion) {
+            response.jsonResponse = convertSnakeCaseToCamelCaseRecursively(response.jsonResponse);
+        }
+
+        return response;
+    }
+
+    public static HttpRequestForOAuthProvider.Response doOAuthProxyJsonDELETE(Main main, AppIdentifier appIdentifier, Storage storage, String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion, Map<String, String> queryParams, JsonObject jsonInput, Map<String, String> headers) throws StorageQueryException, OAuthClientNotFoundException, TenantOrAppNotFoundException, FeatureNotEnabledException, InvalidConfigException, IOException, OAuthAPIException {
+        checkForOauthFeature(appIdentifier, main);
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+
+        if (camelToSnakeCaseConversion) {
+            jsonInput = OAuth.convertCamelToSnakeCase(jsonInput);
+        }
+
+        if (clientIdToCheck != null) {
+            oauthStorage.getOAuthClientById(appIdentifier, clientIdToCheck); // may throw OAuthClientNotFoundException
+        }
+
+        // Request transformations
+        jsonInput = Transformations.transformJsonForHydra(jsonInput);
+        headers = Transformations.transformRequestHeadersForHydra(headers);
+
+        String baseURL;
+        if (proxyToAdmin) {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderAdminServiceUrl();
+        } else {
+            baseURL = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main).getOAuthProviderPublicServiceUrl();
+        }
+        String fullUrl = baseURL + path;
+
+        HttpRequestForOAuthProvider.Response response = HttpRequestForOAuthProvider.doJsonDelete(fullUrl, headers, queryParams, jsonInput);
+
+        // Response transformations
+        response.jsonResponse = Transformations.transformJsonResponseFromHydra(main, appIdentifier, response.jsonResponse);
+        response.headers = Transformations.transformResponseHeadersFromHydra(main, appIdentifier, response.headers);
+
+        checkNonSuccessResponse(response);
+
+        if (camelToSnakeCaseConversion) {
+            response.jsonResponse = OAuth.convertSnakeCaseToCamelCaseRecursively(response.jsonResponse);
+        }
+
+        return response;
+    }
+
+    private static void checkNonSuccessResponse(HttpRequestForOAuthProvider.Response response) throws OAuthAPIException, OAuthClientNotFoundException {
+        if (response.statusCode >= 400) {
+            String error = response.jsonResponse.getAsJsonObject().get("error").getAsString();
+            String errorDescription = null;
+            if (response.jsonResponse.getAsJsonObject().has("error_description")) {
+                errorDescription = response.jsonResponse.getAsJsonObject().get("error_description").getAsString();
+            }
+            throw new OAuthAPIException(error, errorDescription, response.statusCode);
+        }
+    }
+
+    public static String transformTokensInAuthRedirect(Main main, AppIdentifier appIdentifier, Storage storage, String url, String iss, JsonObject accessTokenUpdate, JsonObject idTokenUpdate, boolean useDynamicKey) {
+        if (url.indexOf('#') == -1) {
+            return url;
+        }
+
+        try {
+            // Extract the part after '#'
+            String fragment = url.substring(url.indexOf('#') + 1);
+
+            // Parse the fragment as query parameters
+            // Create a JsonObject from the params
+            JsonObject jsonBody = new JsonObject();
+            for (String param : fragment.split("&")) {
+                String[] keyValue = param.split("=", 2);
+                if (keyValue.length == 2) {
+                    String key = keyValue[0];
+                    String value = java.net.URLDecoder.decode(keyValue[1], StandardCharsets.UTF_8.toString());
+                    jsonBody.addProperty(key, value);
+                }
+            }
+
+            // Transform the tokens
+            JsonObject transformedJson = transformTokens(main, appIdentifier, storage, jsonBody, iss, accessTokenUpdate, idTokenUpdate, useDynamicKey);
+
+            // Reconstruct the query params
+            StringBuilder newFragment = new StringBuilder();
+            for (Map.Entry<String, JsonElement> entry : transformedJson.entrySet()) {
+                if (newFragment.length() > 0) {
+                    newFragment.append("&");
+                }
+                String encodedValue = java.net.URLEncoder.encode(entry.getValue().getAsString(), StandardCharsets.UTF_8.toString());
+                newFragment.append(entry.getKey()).append("=").append(encodedValue);
+            }
+
+            // Reconstruct the URL
+            String baseUrl = url.substring(0, url.indexOf('#'));
+            return baseUrl + "#" + newFragment.toString();
+        } catch (Exception e) {
+            // If any exception occurs, return the original URL
+            return url;
+        }
+    }
+
+    public static JsonObject transformTokens(Main main, AppIdentifier appIdentifier, Storage storage, JsonObject jsonBody, String iss, JsonObject accessTokenUpdate, JsonObject idTokenUpdate, boolean useDynamicKey) throws IOException, JWTException, InvalidKeyException, NoSuchAlgorithmException, StorageQueryException, StorageTransactionLogicException, UnsupportedJWTSigningAlgorithmException, TenantOrAppNotFoundException, InvalidKeySpecException, JWTCreationException, InvalidConfigException {
+        String atHash = null;
+
+        if (jsonBody.has("refresh_token")) {
+            String refreshToken = jsonBody.get("refresh_token").getAsString();
+            refreshToken = refreshToken.replace("ory_rt_", "st_rt_");
+            jsonBody.addProperty("refresh_token", refreshToken);
+        }
+
+        if (jsonBody.has("access_token")) {
+            String accessToken = jsonBody.get("access_token").getAsString();
+            accessToken = OAuthToken.reSignToken(appIdentifier, main, accessToken, iss, accessTokenUpdate, null, OAuthToken.TokenType.ACCESS_TOKEN, useDynamicKey, 0);
+            jsonBody.addProperty("access_token", accessToken);
+
+            // Compute at_hash as per OAuth 2.0 standard
+            // 1. Take the access token
+            // 2. Hash it with SHA-256
+            // 3. Take the left-most half of the hash
+            // 4. Base64url encode it
+            byte[] accessTokenBytes = accessToken.getBytes(StandardCharsets.UTF_8);
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hash = digest.digest(accessTokenBytes);
+            byte[] halfHash = Arrays.copyOf(hash, hash.length / 2);
+            atHash = Base64.getUrlEncoder().withoutPadding().encodeToString(halfHash);
+        }
+
+        if (jsonBody.has("id_token")) {
+            String idToken = jsonBody.get("id_token").getAsString();
+            idToken = OAuthToken.reSignToken(appIdentifier, main, idToken, iss, idTokenUpdate, atHash, OAuthToken.TokenType.ID_TOKEN, useDynamicKey, 0);
+            jsonBody.addProperty("id_token", idToken);
+        }
+
+        return jsonBody;
+    }
+
+    public static void addOrUpdateClient(Main main, AppIdentifier appIdentifier, Storage storage, String clientId, String clientSecret, boolean isClientCredentialsOnly, boolean enableRefreshTokenRotation)
+            throws StorageQueryException, TenantOrAppNotFoundException, InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException, NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, InvalidConfigException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        clientSecret = encryptClientSecret(main, appIdentifier.getAsPublicTenantIdentifier(), clientSecret);
+        oauthStorage.addOrUpdateOauthClient(appIdentifier, clientId, clientSecret, isClientCredentialsOnly, enableRefreshTokenRotation);
+    }
+
+
+    private static String encryptClientSecret(Main main, TenantIdentifier tenant, String clientSecret)
+            throws InvalidConfigException, InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException,
+            NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException,
+            TenantOrAppNotFoundException {
+        if (clientSecret == null) {
+            return null;
+        }
+        String key = Config.getConfig(tenant, main).getOAuthClientSecretEncryptionKey();
+        clientSecret = Utils.encrypt(clientSecret, key);
+        return clientSecret;
+    }
+
+    private static String decryptClientSecret(Main main,  TenantIdentifier tenant, String clientSecret)
+            throws InvalidConfigException, InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException,
+            NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException,
+            TenantOrAppNotFoundException {
+        if (clientSecret == null) {
+            return null;
+        }
+        String key = Config.getConfig(tenant, main).getOAuthClientSecretEncryptionKey();
+        clientSecret = Utils.decrypt(clientSecret, key);
+        return clientSecret;
+    }
+
+    public static boolean removeClient(Main main, AppIdentifier appIdentifier, Storage storage, String clientId) throws StorageQueryException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        return oauthStorage.deleteOAuthClient(appIdentifier, clientId);
+    }
+
+    public static List<OAuthClient> getClients(Main main, AppIdentifier appIdentifier, Storage storage, List<String> clientIds)
+            throws StorageQueryException, InvalidKeyException, NoSuchAlgorithmException, InvalidKeySpecException,
+            NoSuchPaddingException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException,
+            InvalidConfigException, TenantOrAppNotFoundException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        List<OAuthClient> finalResult = new ArrayList<>();
+        List<OAuthClient> clients = oauthStorage.getOAuthClients(appIdentifier, clientIds);
+        for (OAuthClient client : clients) {
+            finalResult.add(new OAuthClient(client.clientId, decryptClientSecret(main, appIdentifier.getAsPublicTenantIdentifier(), client.clientSecret), client.isClientCredentialsOnly, client.enableRefreshTokenRotation));
+        }
+        return finalResult;
+    }
+
+    private static Map<String, String> convertCamelToSnakeCase(Map<String, String> queryParams) {
+        Map<String, String> result = new HashMap<>();
+        if (queryParams != null) {
+            for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+                result.put(Utils.camelCaseToSnakeCase(entry.getKey()), entry.getValue());
+            }
+        }
+        return result;
+    }
+
+    private static JsonObject convertCamelToSnakeCase(JsonObject queryParams) {
+        JsonObject result = new JsonObject();
+        for (Map.Entry<String, JsonElement> entry : queryParams.entrySet()) {
+            result.add(Utils.camelCaseToSnakeCase(entry.getKey()), entry.getValue());
+        }
+        return result;
+    }
+
+    private static JsonElement convertSnakeCaseToCamelCaseRecursively(JsonElement jsonResponse) {
+        if (jsonResponse == null) {
+            return null;
+        }
+
+        if (jsonResponse.isJsonObject()) {
+            JsonObject result = new JsonObject();
+            for (Entry<String, JsonElement> entry: jsonResponse.getAsJsonObject().entrySet()) {
+                String key = entry.getKey();
+                JsonElement value = entry.getValue();
+                if (value.isJsonObject()) {
+                    value = convertSnakeCaseToCamelCaseRecursively(value.getAsJsonObject());
+                }
+                result.add(Utils.snakeCaseToCamelCase(key), value);
+            }
+            return result;
+        } else if (jsonResponse.isJsonArray()) {
+            JsonArray result = new JsonArray();
+            for (JsonElement element : jsonResponse.getAsJsonArray()) {
+                result.add(convertSnakeCaseToCamelCaseRecursively(element));
+            }
+            return result;
+        }
+        return jsonResponse;
+    }
+
+    public static void verifyAndUpdateIntrospectRefreshTokenPayload(Main main, AppIdentifier appIdentifier,
+            Storage storage, JsonObject payload, String refreshToken, String clientId) throws StorageQueryException, TenantOrAppNotFoundException, FeatureNotEnabledException, InvalidConfigException, IOException {
+
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+
+        if (!payload.get("active").getAsBoolean()) {
+            return; // refresh token is not active
+        }
+
+        Transformations.transformExt(payload);
+        payload.remove("ext");
+
+        boolean isValid = !isTokenRevokedBasedOnPayload(oauthStorage, appIdentifier, payload);
+
+        if (!isValid) {
+            payload.entrySet().clear();
+            payload.addProperty("active", false);
+
+            refreshToken = refreshToken.replace("st_rt_", "ory_rt_");
+            Map<String, String> formFields = new HashMap<>();
+            formFields.put("token", refreshToken);
+
+            try {
+                OAuthClient oAuthClient = OAuth.getOAuthClientById(main, appIdentifier, storage, clientId);
+                formFields.put("client_secret", oAuthClient.clientSecret);
+                formFields.put("client_id", oAuthClient.clientId);
+
+                HttpRequestForOAuthProvider.Response revokeResponse = doOAuthProxyFormPOST(
+                     main, appIdentifier, oauthStorage,
+                     clientId, // clientIdToCheck
+                     "/oauth2/revoke", // path
+                     false, // proxyToAdmin
+                     false, // camelToSnakeCaseConversion
+                     formFields,
+                     new HashMap<>());
+
+            } catch (OAuthAPIException | OAuthClientNotFoundException | InvalidKeyException | NoSuchAlgorithmException |
+                    InvalidKeySpecException | NoSuchPaddingException | InvalidAlgorithmParameterException |
+                    IllegalBlockSizeException | BadPaddingException e){
+                //ignore
+            }
+        }
+    }
+
+    private static boolean isTokenRevokedBasedOnPayload(OAuthStorage oauthStorage, AppIdentifier appIdentifier, JsonObject payload) throws StorageQueryException {
+        boolean revoked = true;
+        if (payload.has("jti") && payload.has("gid")) {
+            //access token
+            revoked = oauthStorage.isOAuthTokenRevokedByJTI(appIdentifier, payload.get("gid").getAsString(), payload.get("jti").getAsString());
+        } else {
+            // refresh token
+            revoked = oauthStorage.isOAuthTokenRevokedByGID(appIdentifier, payload.get("gid").getAsString());
+        }
+        return revoked;
+    }
+
+    public static JsonObject introspectAccessToken(Main main, AppIdentifier appIdentifier, Storage storage,
+            String token) throws StorageQueryException, StorageTransactionLogicException, TenantOrAppNotFoundException, UnsupportedJWTSigningAlgorithmException {
+        try {
+            OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+            JsonObject payload = OAuthToken.getPayloadFromJWTToken(appIdentifier, main, token);
+
+            if (payload.has("stt") && payload.get("stt").getAsInt() == OAuthToken.TokenType.ACCESS_TOKEN.getValue()) {
+
+                boolean isValid = !isTokenRevokedBasedOnPayload(oauthStorage, appIdentifier, payload);
+
+                if (isValid) {
+                    payload.addProperty("active", true);
+                    payload.addProperty("token_type", "Bearer");
+                    payload.addProperty("token_use", "access_token");
+    
+                    return payload;
+                }
+            }
+            // else fallback to active: false
+
+        } catch (TryRefreshTokenException e) {
+            // fallback to active: false
+        }
+
+        JsonObject result = new JsonObject();
+        result.addProperty("active", false);
+        return result;
+    }
+
+    public static void revokeTokensForClientId(Main main, AppIdentifier appIdentifier, Storage storage, String clientId)
+            throws StorageQueryException, TenantOrAppNotFoundException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        oauthStorage.revokeOAuthTokenByClientId(appIdentifier, clientId);
+    }
+
+    public static void revokeRefreshToken(Main main, AppIdentifier appIdentifier, Storage storage, String gid)
+            throws StorageQueryException, NoSuchAlgorithmException, TenantOrAppNotFoundException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        oauthStorage.revokeOAuthTokenByGID(appIdentifier, gid);
+    }
+
+    public static void revokeAccessToken(Main main, AppIdentifier appIdentifier,
+            Storage storage, String token) throws StorageQueryException, TenantOrAppNotFoundException, UnsupportedJWTSigningAlgorithmException, StorageTransactionLogicException {
+        try {
+            OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+            JsonObject payload = OAuthToken.getPayloadFromJWTToken(appIdentifier, main, token);
+            if (payload.has("stt") && payload.get("stt").getAsInt() == OAuthToken.TokenType.ACCESS_TOKEN.getValue()) {
+                String jti = payload.get("jti").getAsString();
+                String gid = payload.get("gid").getAsString();
+                oauthStorage.revokeOAuthTokenByJTI(appIdentifier, gid, jti);
+            }
+
+        } catch (TryRefreshTokenException e) {
+            // the token is already invalid or revoked, so ignore
+        }
+    }
+
+        public static void revokeSessionHandle(Main main, AppIdentifier appIdentifier, Storage storage,
+                String sessionHandle) throws StorageQueryException, TenantOrAppNotFoundException {
+            OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+            oauthStorage.revokeOAuthTokenBySessionHandle(appIdentifier, sessionHandle);
+        }
+
+    public static JsonObject verifyIdTokenAndGetPayload(Main main, AppIdentifier appIdentifier, Storage storage,
+            String idToken) throws StorageQueryException, OAuthAPIException, TenantOrAppNotFoundException, UnsupportedJWTSigningAlgorithmException, StorageTransactionLogicException {
+        try {
+            return OAuthToken.getPayloadFromJWTToken(appIdentifier, main, idToken);
+        } catch (TryRefreshTokenException e) {
+            // invalid id token
+            throw new OAuthAPIException("invalid_request", "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.", 400);
+        }
+    }
+
+    public static void addM2MToken(Main main, AppIdentifier appIdentifier, Storage storage, String accessToken)
+            throws StorageQueryException, TenantOrAppNotFoundException, TryRefreshTokenException,
+            UnsupportedJWTSigningAlgorithmException, StorageTransactionLogicException, OAuthClientNotFoundException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        JsonObject payload = OAuthToken.getPayloadFromJWTToken(appIdentifier, main, accessToken);
+        oauthStorage.addOAuthM2MTokenForStats(appIdentifier, payload.get("client_id").getAsString(), payload.get("iat").getAsLong(), payload.get("exp").getAsLong());
+    }
+
+    public static String createLogoutRequestAndReturnRedirectUri(Main main, AppIdentifier appIdentifier, Storage storage, String clientId,
+            String postLogoutRedirectionUri, String sessionHandle, String state)
+            throws StorageQueryException, OAuthClientNotFoundException {
+        
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+
+        while (true) {
+            try {
+                String logoutChallenge = UUID.randomUUID().toString();
+                oauthStorage.addOAuthLogoutChallenge(appIdentifier, logoutChallenge, clientId, postLogoutRedirectionUri, sessionHandle, state, System.currentTimeMillis());
+
+                return "{apiDomain}/oauth/logout?logout_challenge=" + logoutChallenge;
+            } catch (DuplicateOAuthLogoutChallengeException e) {
+                // retry
+            }
+        }
+    }
+
+    public static String consumeLogoutChallengeAndGetRedirectUri(Main main, AppIdentifier appIdentifier, Storage storage, String challenge)
+            throws StorageQueryException, OAuthAPIException, TenantOrAppNotFoundException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        OAuthLogoutChallenge logoutChallenge = oauthStorage.getOAuthLogoutChallenge(appIdentifier, challenge);
+
+        if (logoutChallenge == null) {
+            throw new OAuthAPIException("invalid_request", "Logout request not found", 400);
+        }
+
+        revokeSessionHandle(main, appIdentifier, oauthStorage, logoutChallenge.sessionHandle);
+
+        if (logoutChallenge.postLogoutRedirectionUri != null) {
+            String url = logoutChallenge.postLogoutRedirectionUri;
+            if (logoutChallenge.state != null) {
+                return url + "?state=" + logoutChallenge.state;
+            } else {
+                return url;
+            }
+        } else {
+            return "{apiDomain}/fallbacks/logout/callback";
+        }
+    }
+
+    public static void deleteLogoutChallenge(Main main, AppIdentifier appIdentifier, Storage storage, String challenge) throws StorageQueryException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        oauthStorage.deleteOAuthLogoutChallenge(appIdentifier, challenge);
+    }
+
+    public static OAuthClient getOAuthClientById(Main main, AppIdentifier appIdentifier, Storage storage,
+        String clientId)
+            throws OAuthClientNotFoundException, StorageQueryException, InvalidKeyException, NoSuchAlgorithmException,
+            InvalidKeySpecException, NoSuchPaddingException, InvalidAlgorithmParameterException,
+            IllegalBlockSizeException, BadPaddingException, InvalidConfigException, TenantOrAppNotFoundException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        OAuthClient client = oauthStorage.getOAuthClientById(appIdentifier, clientId);
+        if (client.clientSecret != null) {
+            client = new OAuthClient(client.clientId, decryptClientSecret(main, appIdentifier.getAsPublicTenantIdentifier(), client.clientSecret), client.isClientCredentialsOnly, client.enableRefreshTokenRotation);
+        }
+        return client;
+    }
+
+    public static String getInternalRefreshToken(Main main, AppIdentifier appIdentifier, Storage storage,
+                                                 String externalRefreshToken) throws StorageQueryException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        String internalRefreshToken = oauthStorage.getRefreshTokenMapping(appIdentifier, externalRefreshToken);
+        if (internalRefreshToken == null) {
+            return externalRefreshToken;
+        }
+        return internalRefreshToken;
+    }
+
+    public static void createOrUpdateOauthSession(Main main, AppIdentifier appIdentifier, Storage storage,
+                                                  String clientId, String gid, String externalRefreshToken, String internalRefreshToken,
+                                                  String sessionHandle, String jti, long exp)
+            throws StorageQueryException, OAuthClientNotFoundException {
+        OAuthStorage oauthStorage = StorageUtils.getOAuthStorage(storage);
+        oauthStorage.createOrUpdateOAuthSession(appIdentifier, gid, clientId, externalRefreshToken, internalRefreshToken,
+                sessionHandle, jti, exp);
+    }
+}
diff --git a/src/main/java/io/supertokens/oauth/OAuthToken.java b/src/main/java/io/supertokens/oauth/OAuthToken.java
new file mode 100644
index 000000000..6500e4194
--- /dev/null
+++ b/src/main/java/io/supertokens/oauth/OAuthToken.java
@@ -0,0 +1,157 @@
+package io.supertokens.oauth;
+
+import com.auth0.jwt.exceptions.JWTCreationException;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import io.supertokens.Main;
+import io.supertokens.exceptions.TryRefreshTokenException;
+import io.supertokens.jwt.JWTSigningFunctions;
+import io.supertokens.jwt.exceptions.UnsupportedJWTSigningAlgorithmException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
+import io.supertokens.pluginInterface.jwt.JWTAsymmetricSigningKeyInfo;
+import io.supertokens.pluginInterface.jwt.JWTSigningKeyInfo;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.session.jwt.JWT;
+import io.supertokens.session.jwt.JWT.JWTException;
+import io.supertokens.signingkeys.JWTSigningKey;
+import io.supertokens.signingkeys.SigningKeys;
+import io.supertokens.utils.Utils;
+
+import javax.annotation.Nonnull;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.KeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.util.*;
+
+public class OAuthToken {
+    public enum TokenType {
+        ACCESS_TOKEN(1),
+        ID_TOKEN(2);
+
+        private final int value;
+
+        TokenType(int value) {
+            this.value = value;
+        }
+
+        public int getValue() {
+            return value;
+        }
+    }
+
+    private static Set<String> NON_OVERRIDABLE_TOKEN_PROPS = Set.of(
+        "kid", "typ", "alg", "aud",
+        "iss", "iat", "exp", "nbf", "jti", "ext",
+        "sid", "rat", "at_hash", "gid",
+        "client_id", "scp", "sub", "stt"
+    );
+
+    public static JsonObject getPayloadFromJWTToken(AppIdentifier appIdentifier,
+            @Nonnull Main main, @Nonnull String token)
+            throws TenantOrAppNotFoundException, TryRefreshTokenException, StorageQueryException,
+            UnsupportedJWTSigningAlgorithmException, StorageTransactionLogicException {
+        List<JWTSigningKeyInfo> keyInfoList = SigningKeys.getInstance(appIdentifier, main).getAllKeys();
+        Exception error = null;
+        JWT.JWTInfo jwtInfo = null;
+        JWT.JWTPreParseInfo preParseJWTInfo = null;
+        try {
+            preParseJWTInfo = JWT.preParseJWTInfo(token);
+        } catch (JWTException e) {
+            // This basically should never happen, but it means, that the token structure is
+            // wrong, can't verify
+            throw new TryRefreshTokenException(e);
+        }
+
+        for (JWTSigningKeyInfo keyInfo : keyInfoList) {
+            try {
+                jwtInfo = JWT.verifyJWTAndGetPayload(preParseJWTInfo,
+                        ((JWTAsymmetricSigningKeyInfo) keyInfo).publicKey);
+                error = null;
+                break;
+            } catch (NoSuchAlgorithmException e) {
+                // This basically should never happen, but it means, that can't verify any
+                // tokens, no need to retry
+                throw new TryRefreshTokenException(e);
+            } catch (KeyException | JWTException e) {
+                error = e;
+            }
+        }
+
+        if (jwtInfo == null) {
+            throw new TryRefreshTokenException(error);
+        }
+
+        if (jwtInfo.payload.get("exp").getAsLong() * 1000 < System.currentTimeMillis()) {
+            throw new TryRefreshTokenException("Access token expired");
+        }
+
+        return jwtInfo.payload;
+    }
+
+    public static String reSignToken(AppIdentifier appIdentifier, Main main, String token, String iss, JsonObject payloadUpdate, String atHash, TokenType tokenType, boolean useDynamicSigningKey, int retryCount) throws IOException, JWTException, InvalidKeyException, NoSuchAlgorithmException, StorageQueryException, StorageTransactionLogicException, UnsupportedJWTSigningAlgorithmException, TenantOrAppNotFoundException, InvalidKeySpecException,
+            JWTCreationException {
+        JsonObject payload = JWT.getPayloadWithoutVerifying(token).payload;
+
+        payload.addProperty("iss", iss);
+        payload.addProperty("stt", tokenType.getValue());
+        if (atHash != null) {
+            payload.addProperty("at_hash", atHash);
+        }
+
+        if (tokenType == TokenType.ACCESS_TOKEN) {
+            // we need to move rsub, tId and sessionHandle from ext to root
+            Transformations.transformExt(payload);
+        } else {
+            if (payload.has("ext")) {
+                JsonObject ext = payload.get("ext").getAsJsonObject();
+                payload.addProperty("sid", ext.get("sessionHandle").getAsString());
+            }
+        }
+
+        // This should only happen in the authorization code flow during the token exchange. (enforced on the api level)
+        // Other flows (including later calls using the refresh token) will have the payloadUpdate defined.
+        if (payloadUpdate == null) {
+            if (tokenType == TokenType.ACCESS_TOKEN) {
+                if (payload.has("ext") && payload.get("ext").isJsonObject()) {
+                    payloadUpdate = payload.getAsJsonObject("ext").getAsJsonObject("initialPayload");
+                    payload.remove("ext");
+                }
+            } else {
+                payloadUpdate = payload.getAsJsonObject("initialPayload");
+            }
+        }
+        payload.remove("ext");
+        payload.remove("initialPayload");
+
+        // We ensure that the gid is there
+        // If it isn't that means that we are in a client_credentials (M2M) flow
+        if (!payload.has("gid")) {
+            payload.addProperty("gid", UUID.randomUUID().toString());
+        }
+
+        if (payloadUpdate != null) {
+            for (Map.Entry<String, JsonElement> entry : payloadUpdate.entrySet()) {
+                if (!NON_OVERRIDABLE_TOKEN_PROPS.contains(entry.getKey())) {
+                    payload.add(entry.getKey(), entry.getValue());
+                }
+            }
+        }
+
+        JWTSigningKeyInfo keyToUse;
+        if (useDynamicSigningKey) {
+            keyToUse = Utils.getJWTSigningKeyInfoFromKeyInfo(
+                    SigningKeys.getInstance(appIdentifier, main).getLatestIssuedDynamicKey());
+        } else {
+            keyToUse = SigningKeys.getInstance(appIdentifier, main)
+                    .getStaticKeyForAlgorithm(JWTSigningKey.SupportedAlgorithms.RS256);
+        }
+
+        token = JWTSigningFunctions.createJWTToken(JWTSigningKey.SupportedAlgorithms.RS256, new HashMap<>(),
+                    payload, null, payload.get("exp").getAsLong(), payload.get("iat").getAsLong(), keyToUse);
+        return token;
+    }
+}
diff --git a/src/main/java/io/supertokens/oauth/Transformations.java b/src/main/java/io/supertokens/oauth/Transformations.java
new file mode 100644
index 000000000..0ffa38a7e
--- /dev/null
+++ b/src/main/java/io/supertokens/oauth/Transformations.java
@@ -0,0 +1,257 @@
+package io.supertokens.oauth;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.config.Config;
+import io.supertokens.oauth.exceptions.OAuthAPIException;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.utils.Utils;
+
+public class Transformations {
+    private static Set<String> EXT_PROPS = Set.of("iss", "rsub", "tId", "sessionHandle", "gid");
+
+    private static Set<String> CLIENT_PROPS = Set.of(
+        "clientId",
+        "clientSecret",
+        "clientName",
+        "scope",
+        "redirectUris",
+        "postLogoutRedirectUris",
+        "authorizationCodeGrantAccessTokenLifespan",
+        "authorizationCodeGrantIdTokenLifespan",
+        "authorizationCodeGrantRefreshTokenLifespan",
+        "clientCredentialsGrantAccessTokenLifespan",
+        "implicitGrantAccessTokenLifespan",
+        "implicitGrantIdTokenLifespan",
+        "refreshTokenGrantAccessTokenLifespan",
+        "refreshTokenGrantIdTokenLifespan",
+        "refreshTokenGrantRefreshTokenLifespan",
+        "tokenEndpointAuthMethod",
+        "clientUri",
+        "allowedCorsOrigins",
+        "audience",
+        "grantTypes",
+        "responseTypes",
+        "logoUri",
+        "policyUri",
+        "tosUri",
+        "createdAt",
+        "updatedAt",
+        "metadata"
+    );
+
+    public static Map<String, String> transformRequestHeadersForHydra(Map<String, String> requestHeaders) {
+        if (requestHeaders == null) {
+            return requestHeaders;
+        }
+
+        if (requestHeaders.containsKey("Cookie")) {
+            String cookieValue = requestHeaders.get("Cookie");
+            cookieValue = cookieValue.replaceAll("st_oauth_", "ory_hydra_");
+            requestHeaders.put("Cookie", cookieValue);
+        }
+        return requestHeaders;
+    }
+
+    private static String transformQueryParamsInURLFromHydra(String redirectTo) {
+        if (!redirectTo.contains("?")) {
+            return redirectTo;
+        }
+
+        String query = redirectTo.split("\\?")[1];
+        if (query != null) {
+            String[] queryParams = query.split("&");
+            StringBuilder updatedQuery = new StringBuilder();
+            for (String param : queryParams) {
+                String[] keyValue = param.split("=");
+                if (keyValue.length > 1 && keyValue[1].startsWith("ory_")) {
+                    updatedQuery.append(keyValue[0]).append("=").append(keyValue[1].replaceFirst("ory_", "st_")).append("&");
+                } else {
+                    updatedQuery.append(param).append("&");
+                }
+            }
+            redirectTo = redirectTo.replace("?" + query, "?" + updatedQuery.toString().trim());
+        }
+
+        return redirectTo;
+    }
+
+    public static List<String> transformCookiesFromHydra(List<String> cookies) {
+        cookies = new ArrayList<>(cookies); // make it modifyable
+
+        for (int i = 0; i < cookies.size(); i++) {
+            String cookieStr = cookies.get(i);
+            if (cookieStr.startsWith("ory_hydra_")) {
+                cookieStr = cookieStr.replaceFirst("ory_hydra_", "st_oauth_");
+                cookies.set(i, cookieStr);
+            }
+        }
+
+        return cookies;
+    }
+
+    public static Map<String, String> transformFormFieldsForHydra(Map<String, String> bodyParams) {
+        Map<String, String> transformedBodyParams = new HashMap<>();
+        for (Map.Entry<String, String> entry : bodyParams.entrySet()) {
+            String value = entry.getValue();
+            if (value.startsWith("st_")) {
+                value = value.replaceFirst("st_", "ory_");
+            }
+            transformedBodyParams.put(entry.getKey(), value);
+        }
+        return transformedBodyParams;
+    }
+
+    public static JsonElement transformJsonResponseFromHydra(Main main, AppIdentifier appIdentifier, JsonElement jsonResponse) throws InvalidConfigException, TenantOrAppNotFoundException, OAuthAPIException {
+        if (jsonResponse == null) {
+            return jsonResponse;
+        }
+
+        if (jsonResponse.isJsonObject()) {
+            if (jsonResponse.getAsJsonObject().has("redirect_to")) {
+                String redirectTo = jsonResponse.getAsJsonObject().get("redirect_to").getAsString();
+                redirectTo = transformRedirectUrlFromHydra(main, appIdentifier, redirectTo);
+                jsonResponse.getAsJsonObject().addProperty("redirect_to", redirectTo);
+            }
+
+            for (Map.Entry<String, JsonElement> entry : jsonResponse.getAsJsonObject().entrySet()) {
+                if (entry.getValue().isJsonPrimitive() && entry.getValue().getAsJsonPrimitive().isString()) {
+                    String value = entry.getValue().getAsString();
+                    if (value.startsWith("ory_")) {
+                        value = value.replaceFirst("ory_", "st_");
+                        jsonResponse.getAsJsonObject().addProperty(entry.getKey(), value);
+                    }
+                }
+            }
+        }
+
+        return jsonResponse;
+    }
+
+    private static String transformRedirectUrlFromHydra(Main main, AppIdentifier appIdentifier,String redirectTo) throws InvalidConfigException, TenantOrAppNotFoundException, OAuthAPIException {
+        String hydraInternalAddress = Config.getConfig(appIdentifier.getAsPublicTenantIdentifier(), main)
+                .getOAuthProviderUrlConfiguredInOAuthProvider();
+        String hydraBaseUrlForConsentAndLogin = Config
+                .getConfig(appIdentifier.getAsPublicTenantIdentifier(), main)
+                .getOauthProviderConsentLoginBaseUrl();
+
+        if (!redirectTo.startsWith("/")) {
+            redirectTo = transformQueryParamsInURLFromHydra(redirectTo);
+
+            // We do not use the containsURL util to compare these because redirectTo can be a deep link
+            // Also, we do not mind comparison to internal addresses being strict comparisons
+            if (redirectTo.startsWith(hydraInternalAddress)) {
+                String query = redirectTo.contains("?") ? redirectTo.split("\\?")[1] : null;
+                Map<String, String> urlQueryParams = new HashMap<>();
+                if (query != null) {
+                    String[] pairs = query.split("&");
+                    for (String pair : pairs) {
+                        int idx = pair.indexOf("=");
+                        urlQueryParams.put(pair.substring(0, idx), URLDecoder.decode(pair.substring(idx + 1), StandardCharsets.UTF_8));
+                    }
+                }
+                String error = urlQueryParams.getOrDefault("error", null);
+                String errorDescription = urlQueryParams.getOrDefault("error_description", null);
+                if (error != null) {
+                    throw new OAuthAPIException(error, errorDescription, 400);
+                }
+                redirectTo = redirectTo.replace(hydraInternalAddress, "{apiDomain}");
+
+                // path to hydra starts with /oauth2 while on the SDK it would be /oauth
+                redirectTo = redirectTo.replace("oauth2/", "oauth/");
+            } else if (redirectTo.startsWith(hydraBaseUrlForConsentAndLogin)) {
+                redirectTo = redirectTo.replace(hydraBaseUrlForConsentAndLogin, "{apiDomain}");
+            }
+        }
+
+        return redirectTo;
+    }
+
+    public static Map<String, List<String>> transformResponseHeadersFromHydra(Main main, AppIdentifier appIdentifier,
+            Map<String, List<String>> headers)
+            throws InvalidConfigException, TenantOrAppNotFoundException, OAuthAPIException {
+        if (headers == null) {
+            return headers;
+        }
+
+        headers = new HashMap<>(headers); // make it modifyable
+
+        final String LOCATION_HEADER_NAME = "Location";
+        if (headers.containsKey(LOCATION_HEADER_NAME)) {
+            // Transform url in Location header
+            String redirectTo = headers.get(LOCATION_HEADER_NAME).get(0);
+            redirectTo = transformRedirectUrlFromHydra(main, appIdentifier, redirectTo);
+            headers.put(LOCATION_HEADER_NAME, List.of(redirectTo));
+        }
+
+        final String COOKIES_HEADER_NAME = "Set-Cookie";
+        if (headers.containsKey(COOKIES_HEADER_NAME)) {
+            // Cookie transformation
+            List<String> cookies = headers.get(COOKIES_HEADER_NAME);
+            cookies = Transformations.transformCookiesFromHydra(cookies);
+            headers.put(COOKIES_HEADER_NAME, cookies);
+        }
+
+        return headers;
+    }
+
+    public static JsonObject transformJsonForHydra(JsonObject jsonInput) {
+        JsonObject transformedJsonInput = new JsonObject();
+        for (Map.Entry<String, com.google.gson.JsonElement> entry : jsonInput.entrySet()) {
+            String key = entry.getKey();
+            com.google.gson.JsonElement value = entry.getValue();
+            if (value.isJsonPrimitive() && ((com.google.gson.JsonPrimitive) value).isString()) {
+                String stringValue = ((com.google.gson.JsonPrimitive) value).getAsString();
+                if (stringValue.startsWith("st_")) {
+                    stringValue = stringValue.replaceFirst("st_", "ory_");
+                    transformedJsonInput.addProperty(key, stringValue);
+                } else {
+                    transformedJsonInput.add(key, value);
+                }
+            } else {
+                transformedJsonInput.add(key, value);
+            }
+        }
+        return transformedJsonInput;
+    }
+
+    public static void transformExt(JsonObject payload) {
+        if (payload.has("ext")) {
+            JsonObject ext = payload.get("ext").getAsJsonObject();
+            for (String prop : EXT_PROPS) {
+                if (ext.has(prop)) {
+                    payload.addProperty(prop, ext.get(prop).getAsString());
+                    ext.remove(prop);
+                }
+            }
+        }
+    }
+
+    public static void applyClientPropsWhiteList(JsonObject payload) {
+        List<String> propsToRemove = new ArrayList<>();
+
+        for (Map.Entry<String, JsonElement> entry : payload.entrySet()) {
+            if (!CLIENT_PROPS.contains(entry.getKey())) {
+                propsToRemove.add(entry.getKey());
+            }
+        }
+
+        for (String prop : propsToRemove) {
+            payload.remove(prop);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/oauth/exceptions/OAuthAPIException.java b/src/main/java/io/supertokens/oauth/exceptions/OAuthAPIException.java
new file mode 100644
index 000000000..dc80be702
--- /dev/null
+++ b/src/main/java/io/supertokens/oauth/exceptions/OAuthAPIException.java
@@ -0,0 +1,33 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.oauth.exceptions;
+
+public class OAuthAPIException extends Exception {
+    private static final long serialVersionUID = 1836718299845759897L;
+
+    public final String error;
+    public final String errorDescription;
+    public final int statusCode;
+
+    public OAuthAPIException(String error, String errorDescription, int statusCode) {
+        super(error);
+
+        this.error = error;
+        this.errorDescription = errorDescription;
+        this.statusCode = statusCode;
+    }
+}
diff --git a/src/main/java/io/supertokens/utils/SemVer.java b/src/main/java/io/supertokens/utils/SemVer.java
index 6c94518c3..ef43014af 100644
--- a/src/main/java/io/supertokens/utils/SemVer.java
+++ b/src/main/java/io/supertokens/utils/SemVer.java
@@ -37,6 +37,7 @@ public class SemVer implements Comparable<SemVer> {
     public static final SemVer v4_0 = new SemVer("4.0");
     public static final SemVer v5_0 = new SemVer("5.0");
     public static final SemVer v5_1 = new SemVer("5.1");
+    public static final SemVer v5_2 = new SemVer("5.2");
 
     final private String version;
 
diff --git a/src/main/java/io/supertokens/utils/Utils.java b/src/main/java/io/supertokens/utils/Utils.java
index eb84cff5c..b64b80a0a 100644
--- a/src/main/java/io/supertokens/utils/Utils.java
+++ b/src/main/java/io/supertokens/utils/Utils.java
@@ -20,8 +20,8 @@
 import com.google.gson.JsonArray;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
-import com.google.i18n.phonenumbers.PhoneNumberUtil;
 import com.google.i18n.phonenumbers.NumberParseException;
+import com.google.i18n.phonenumbers.PhoneNumberUtil;
 import com.google.i18n.phonenumbers.Phonenumber;
 import io.supertokens.Main;
 import io.supertokens.config.Config;
@@ -45,6 +45,8 @@
 import java.io.ByteArrayOutputStream;
 import java.io.PrintStream;
 import java.math.BigInteger;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.security.*;
@@ -58,6 +60,7 @@
 import java.util.Base64.Encoder;
 import java.util.List;
 import java.util.UUID;
+import java.util.regex.Pattern;
 
 public class Utils {
 
@@ -431,8 +434,45 @@ public static JsonElement toJsonTreeWithNulls(Object src) {
         return new GsonBuilder().serializeNulls().create().toJsonTree(src);
     }
 
+
     public static boolean isAccountLinkingEnabled(Main main, AppIdentifier appIdentifier) throws StorageQueryException, TenantOrAppNotFoundException {
         return Arrays.stream(FeatureFlag.getInstance(main, appIdentifier).getEnabledFeatures())
                 .anyMatch(t -> t == EE_FEATURES.ACCOUNT_LINKING || t == EE_FEATURES.MFA);
     }
+
+    public static boolean containsUrl(String urlToCheckIfContains, String whatItContains, boolean careForProtocol)
+            throws MalformedURLException {
+        URL urlToCheck = new URL(urlToCheckIfContains);
+        URL urlToLookFor = new URL(whatItContains);
+
+        String originalHost = urlToCheck.getHost() + urlToCheck.getPort();
+        String wantedHost = urlToLookFor.getHost() + urlToLookFor.getPort();
+        if (careForProtocol){
+            originalHost = urlToCheck.getProtocol() + originalHost;
+            wantedHost = urlToCheck.getProtocol() + wantedHost;
+        }
+
+        return originalHost.equals(wantedHost);
+    }
+
+    public static String camelCaseToSnakeCase(String toSnakeCase) {
+        if (toSnakeCase != null) {
+            String regex = "([a-z])([A-Z]+)";
+            String replacement = "$1_$2";
+            toSnakeCase = toSnakeCase
+                    .replaceAll(
+                            regex, replacement)
+                    .toLowerCase();
+        }
+        return toSnakeCase;
+    }
+
+    public static String snakeCaseToCamelCase(String toCamelCase) {
+        if(toCamelCase != null) {
+            toCamelCase = Pattern.compile("_([a-z])")
+                    .matcher(toCamelCase)
+                    .replaceAll(m -> m.group(1).toUpperCase());
+        }
+        return toCamelCase;
+    }
 }
diff --git a/src/main/java/io/supertokens/webserver/Webserver.java b/src/main/java/io/supertokens/webserver/Webserver.java
index ca1ed9de2..25efc852e 100644
--- a/src/main/java/io/supertokens/webserver/Webserver.java
+++ b/src/main/java/io/supertokens/webserver/Webserver.java
@@ -40,6 +40,7 @@
 import io.supertokens.webserver.api.multitenancy.*;
 import io.supertokens.webserver.api.multitenancy.thirdparty.CreateOrUpdateThirdPartyConfigAPI;
 import io.supertokens.webserver.api.multitenancy.thirdparty.RemoveThirdPartyConfigAPI;
+import io.supertokens.webserver.api.oauth.*;
 import io.supertokens.webserver.api.passwordless.*;
 import io.supertokens.webserver.api.session.*;
 import io.supertokens.webserver.api.thirdparty.GetUsersByEmailAPI;
@@ -57,6 +58,7 @@
 import org.apache.catalina.core.StandardContext;
 import org.apache.catalina.startup.Tomcat;
 import org.apache.tomcat.util.http.fileupload.FileUtils;
+import org.jetbrains.annotations.TestOnly;
 
 import java.io.File;
 import java.util.UUID;
@@ -102,11 +104,13 @@ public void start() {
             return;
         }
 
-        File webserverTemp = new File(CLIOptions.get(main).getInstallationPath() + "webserver-temp");
+        String tempDirLocation = decideTempDirLocation();
+        File webserverTemp = new File(tempDirLocation);
         if (!webserverTemp.exists()) {
-            webserverTemp.mkdir();
+            webserverTemp.mkdirs();
         }
 
+
         CONTEXT_PATH = Config.getBaseConfig(main).getBasePath();
 
         // this will make it so that if there is a failure, then tomcat will throw an
@@ -118,7 +122,7 @@ public void start() {
         setupLogging();
 
         // baseDir is a place for Tomcat to store temporary files..
-        tomcat.setBaseDir(CLIOptions.get(main).getInstallationPath() + TEMP_FOLDER);
+        tomcat.setBaseDir(tempDirLocation);
 
         // set thread pool size and port
         Connector connector = new Connector();
@@ -132,7 +136,7 @@ public void start() {
         tomcat.getEngine().setName(main.getProcessId());
 
         // create docBase folder and get context
-        new File(CLIOptions.get(main).getInstallationPath() + TEMP_FOLDER + "webapps").mkdirs();
+        new File(decideTempDirLocation() + "webapps").mkdirs();
         StandardContext context = (StandardContext) tomcat.addContext(CONTEXT_PATH, "");
 
         // the amount of time for which we should wait for all requests to finish when
@@ -159,6 +163,15 @@ public void start() {
         setupRoutes();
     }
 
+    private String decideTempDirLocation(){
+        String userSetTempDir = CLIOptions.get(main).getTempDirLocation();
+        if(userSetTempDir != null && !userSetTempDir.endsWith(File.separator)) {
+            userSetTempDir = userSetTempDir + File.separator;
+        }
+        String defaultTempDir = CLIOptions.get(main).getInstallationPath() + TEMP_FOLDER;
+        return userSetTempDir != null ? userSetTempDir : defaultTempDir;
+    }
+
     private void setupRoutes() {
         addAPI(new NotFoundOrHelloAPI(main));
         addAPI(new HelloAPI(main));
@@ -274,6 +287,27 @@ private void setupRoutes() {
         addAPI(new CountBulkImportUsersAPI(main));
         addAPI(new BulkImportBackgroundJobManagerAPI(main));
 
+        addAPI(new OAuthAuthAPI(main));
+        addAPI(new OAuthTokenAPI(main));
+        addAPI(new CreateUpdateOrGetOAuthClientAPI(main));
+        addAPI(new OAuthClientListAPI(main));
+        addAPI(new RemoveOAuthClientAPI(main));
+
+        addAPI(new OAuthGetAuthConsentRequestAPI(main));
+        addAPI(new OAuthAcceptAuthConsentRequestAPI(main));
+        addAPI(new OAuthRejectAuthConsentRequestAPI(main));
+        addAPI(new OAuthGetAuthLoginRequestAPI(main));
+        addAPI(new OAuthAcceptAuthLoginRequestAPI(main));
+        addAPI(new OAuthRejectAuthLoginRequestAPI(main));
+        addAPI(new OAuthAcceptAuthLogoutRequestAPI(main));
+        addAPI(new OAuthRejectAuthLogoutRequestAPI(main));
+        addAPI(new OAuthTokenIntrospectAPI(main));
+
+        addAPI(new RevokeOAuthTokenAPI(main));
+        addAPI(new RevokeOAuthTokensAPI(main));
+        addAPI(new RevokeOAuthSessionAPI(main));
+        addAPI(new OAuthLogoutAPI(main));
+
         StandardContext context = tomcatReference.getContext();
         Tomcat tomcat = tomcatReference.getTomcat();
 
@@ -314,7 +348,7 @@ public void stop() {
         try {
             // we want to clear just this process' folder and not all since other processes
             // might still be running.
-            FileUtils.deleteDirectory(new File(CLIOptions.get(main).getInstallationPath() + TEMP_FOLDER));
+            FileUtils.deleteDirectory(new File(decideTempDirLocation()));
         } catch (Exception ignored) {
         }
 
@@ -360,6 +394,11 @@ public void closeLogger() {
         }
     }
 
+    @TestOnly
+    public TomcatReference getTomcatReference(){
+        return tomcatReference;
+    }
+
     public static class TomcatReference {
         private Tomcat tomcat;
         private StandardContext context;
@@ -373,6 +412,11 @@ Tomcat getTomcat() {
             return tomcat;
         }
 
+        @TestOnly
+        public Tomcat getTomcatForTest(){
+            return tomcat;
+        }
+
         StandardContext getContext() {
             return context;
         }
diff --git a/src/main/java/io/supertokens/webserver/WebserverAPI.java b/src/main/java/io/supertokens/webserver/WebserverAPI.java
index 3cf62be23..a8fc5795a 100644
--- a/src/main/java/io/supertokens/webserver/WebserverAPI.java
+++ b/src/main/java/io/supertokens/webserver/WebserverAPI.java
@@ -76,10 +76,11 @@ public abstract class WebserverAPI extends HttpServlet {
         supportedVersions.add(SemVer.v4_0);
         supportedVersions.add(SemVer.v5_0);
         supportedVersions.add(SemVer.v5_1);
+        supportedVersions.add(SemVer.v5_2);
     }
 
     public static SemVer getLatestCDIVersion() {
-        return SemVer.v5_1;
+        return SemVer.v5_2;
     }
 
     public SemVer getLatestCDIVersionForRequest(HttpServletRequest req)
diff --git a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
index 2ee4aeb46..1ae57140d 100644
--- a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
+++ b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
@@ -102,6 +102,7 @@ protected void handle(HttpServletRequest req, HttpServletResponse resp, TenantId
 
             // Apply updates based on CDI version
             tenantConfig = applyTenantUpdates(tenantConfig, getVersionFromRequest(req), isV2, input);
+            validateFactorsName(tenantConfig);
 
             // Write tenant config to db
             createOrUpdate(req, sourceTenantIdentifier, tenantConfig);
@@ -938,6 +939,27 @@ private static TenantConfig applyTenantUpdates_5_0(TenantConfig tenantConfig, Js
         return tenantConfig;
     }
 
+    private static void validateFactorsName(TenantConfig tenantConfig) throws ServletException{
+        if(!areFactorNamesValid(tenantConfig.firstFactors)){
+            throw new ServletException(new BadRequestException("firstFactors should contain only 0-9,a-z,A-Z,_,.,- characters"));
+        }
+        if(!areFactorNamesValid(tenantConfig.requiredSecondaryFactors)){
+            throw new ServletException(new BadRequestException("requiredSecondaryFactors should contain only 0-9,a-z,A-Z,_,.,- characters"));
+        }
+    }
+
+    private static boolean areFactorNamesValid(String[] factors) {
+        if(factors != null && factors.length > 0) {
+            String allowedPattern = "^[0-9a-zA-Z_(\\.)-]+$";
+            for(String factor: factors){
+                if(factor != null && !factor.matches(allowedPattern)){
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
     private static TenantConfig applyV2TenantUpdates_5_1(TenantConfig tenantConfig, JsonObject input)
             throws ServletException {
         if (input.has("emailPasswordEnabled")) {
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/CreateUpdateOrGetOAuthClientAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/CreateUpdateOrGetOAuthClientAPI.java
new file mode 100644
index 000000000..a4e5e4c54
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/CreateUpdateOrGetOAuthClientAPI.java
@@ -0,0 +1,258 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.oauth.Transformations;
+import io.supertokens.oauth.exceptions.OAuthAPIException;
+
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class CreateUpdateOrGetOAuthClientAPI extends WebserverAPI {
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/clients";
+    }
+
+    public CreateUpdateOrGetOAuthClientAPI(Main main){
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        String clientId = InputParser.getQueryParamOrThrowError(req, "clientId", false);
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyGET(
+                main, req, resp,
+                appIdentifier,
+                storage,
+                null, // clientIdToCheck
+                "/admin/clients/" + clientId, // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                OAuthProxyHelper.defaultGetQueryParamsFromRequest(req),
+                new HashMap<>()
+            );
+            if (response != null) {
+                OAuthClient client = OAuth.getOAuthClientById(main, appIdentifier, storage, clientId);
+                Transformations.applyClientPropsWhiteList(response.jsonResponse.getAsJsonObject());
+                if (client.clientSecret != null) {
+                    response.jsonResponse.getAsJsonObject().addProperty("clientSecret", client.clientSecret);
+                }
+                response.jsonResponse.getAsJsonObject().addProperty("enableRefreshTokenRotation", client.enableRefreshTokenRotation);
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+        } catch (OAuthClientNotFoundException e) {
+            OAuthProxyHelper.handleOAuthClientNotFoundException(resp);
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | InvalidKeyException | 
+                NoSuchAlgorithmException | InvalidKeySpecException | InvalidAlgorithmParameterException | 
+                NoSuchPaddingException | IllegalBlockSizeException | BadPaddingException | 
+                StorageQueryException | InvalidConfigException e) {
+            throw new ServletException(e);
+		}
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+
+        // Defaults that we require
+        input.addProperty("accessTokenStrategy", "jwt");
+        input.addProperty("skipConsent", true);
+        input.addProperty("subjectType", "public");
+
+        if (!input.has("clientId")) {
+            input.addProperty("clientId", "stcl_" + UUID.randomUUID());
+        }
+
+        boolean enableRefreshTokenRotation = false;
+        if (input.has("enableRefreshTokenRotation")) {
+            enableRefreshTokenRotation = InputParser.parseBooleanOrThrowError(input, "enableRefreshTokenRotation", false);
+            input.remove("enableRefreshTokenRotation");
+        }
+
+        boolean isClientCredentialsOnly = input.has("grantTypes") &&
+            input.get("grantTypes").isJsonArray() &&
+            input.get("grantTypes").getAsJsonArray().size() == 1 &&
+            input.get("grantTypes").getAsJsonArray().get(0).getAsString().equals("client_credentials");
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+            input.addProperty("owner", appIdentifier.getAppId());
+
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonPOST(
+                main, req, resp, 
+                appIdentifier,
+                storage,
+                null, // clientIdToCheck
+                "/admin/clients", // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                input, // jsonBody
+                new HashMap<>() // headers
+            );
+            if (response != null) {
+                String clientId = response.jsonResponse.getAsJsonObject().get("clientId").getAsString();
+                String clientSecret = null;
+                if (response.jsonResponse.getAsJsonObject().has("clientSecret")) {
+                    clientSecret = response.jsonResponse.getAsJsonObject().get("clientSecret").getAsString();
+                }
+                Transformations.applyClientPropsWhiteList(response.jsonResponse.getAsJsonObject());
+
+                try {
+                    OAuth.addOrUpdateClient(main, getAppIdentifier(req), enforcePublicTenantAndGetPublicTenantStorage(req), clientId, clientSecret, isClientCredentialsOnly, enableRefreshTokenRotation);
+                } catch (StorageQueryException | TenantOrAppNotFoundException | BadPermissionException | InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException | InvalidConfigException e) {
+                    throw new ServletException(e);
+                }
+                response.jsonResponse.getAsJsonObject().addProperty("enableRefreshTokenRotation", enableRefreshTokenRotation);
+
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+
+    @Override
+    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String clientId = InputParser.parseStringOrThrowError(input, "clientId", false);
+
+        // Apply existing client config on top of input
+        try {
+            Map<String, String> queryParams = new HashMap<>();
+            queryParams.put("clientId", clientId);
+            HttpRequestForOAuthProvider.Response response = OAuth.doOAuthProxyGET(
+                    main,
+                    getAppIdentifier(req),
+                    enforcePublicTenantAndGetPublicTenantStorage(req),
+                    clientId,
+                    "/admin/clients/" + clientId,
+                    true, true, queryParams, null);
+
+            JsonObject existingConfig = response.jsonResponse.getAsJsonObject();
+            for (Map.Entry<String, JsonElement> entry : existingConfig.entrySet()) {
+                String key = entry.getKey();
+                if (!input.has(key)) {
+                    input.add(key, entry.getValue());
+                }
+            }
+        } catch (StorageQueryException | TenantOrAppNotFoundException | FeatureNotEnabledException | InvalidConfigException | BadPermissionException e) {
+            throw new ServletException(e);
+        } catch (OAuthClientNotFoundException | OAuthAPIException e) {
+            // ignore since the PUT API will throw one of this error later on
+        }
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+            OAuthClient client = OAuth.getOAuthClientById(main, appIdentifier, storage, clientId);
+
+            if (input.has("grantTypes")) {
+                boolean isClientCredentialsOnly = input.has("grantTypes") &&
+                    input.get("grantTypes").isJsonArray() &&
+                    input.get("grantTypes").getAsJsonArray().size() == 1 &&
+                    input.get("grantTypes").getAsJsonArray().get(0).getAsString().equals("client_credentials");
+                client = new OAuthClient(clientId, client.clientSecret, isClientCredentialsOnly, client.enableRefreshTokenRotation);
+            }
+
+            if (input.has("clientSecret")) {
+                String clientSecret = InputParser.parseStringOrThrowError(input, "clientSecret", false);
+                client = new OAuthClient(clientId, clientSecret, client.isClientCredentialsOnly, client.enableRefreshTokenRotation);
+            }
+
+            if (input.has("enableRefreshTokenRotation")) {
+                boolean enableRefreshTokenRotation = InputParser.parseBooleanOrThrowError(input, "enableRefreshTokenRotation", false);
+                client = new OAuthClient(clientId, client.clientSecret, client.isClientCredentialsOnly, enableRefreshTokenRotation);
+            }
+
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonPUT(
+                main, req, resp,
+                appIdentifier,
+                storage,
+                clientId, // clientIdToCheck
+                "/admin/clients/" + clientId,
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                new HashMap<>(), // queryParams
+                input, // jsonBody
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                try {
+                    OAuth.addOrUpdateClient(main, appIdentifier, storage, clientId, client.clientSecret, client.isClientCredentialsOnly, client.enableRefreshTokenRotation);
+                } catch (StorageQueryException | TenantOrAppNotFoundException | InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException | InvalidConfigException e) {
+                    throw new ServletException(e);
+                }
+
+                Transformations.applyClientPropsWhiteList(response.jsonResponse.getAsJsonObject());
+
+                if (!response.jsonResponse.getAsJsonObject().has("clientSecret")) {
+                    response.jsonResponse.getAsJsonObject().addProperty("clientSecret", client.clientSecret);
+                }
+                response.jsonResponse.getAsJsonObject().addProperty("enableRefreshTokenRotation", client.enableRefreshTokenRotation);
+
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+        } catch (IOException | StorageQueryException | TenantOrAppNotFoundException | BadPermissionException | InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException | InvalidConfigException e) {
+            throw new ServletException(e);
+        } catch (OAuthClientNotFoundException e) {
+            OAuthProxyHelper.handleOAuthClientNotFoundException(resp);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthConsentRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthConsentRequestAPI.java
new file mode 100644
index 000000000..2b1fce705
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthConsentRequestAPI.java
@@ -0,0 +1,90 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.UUID;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthAcceptAuthConsentRequestAPI extends WebserverAPI {
+
+    public OAuthAcceptAuthConsentRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/consent/accept";
+    }
+
+    @Override
+    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String iss = InputParser.parseStringOrThrowError(input, "iss", false);
+        String tId = InputParser.parseStringOrThrowError(input, "tId", false);
+        String rsub = InputParser.parseStringOrThrowError(input, "rsub", false);
+        String sessionHandle = InputParser.parseStringOrThrowError(input, "sessionHandle", false);
+        JsonObject initialAccessTokenPayload = InputParser.parseJsonObjectOrThrowError(input, "initialAccessTokenPayload", false);
+        JsonObject initialIdTokenPayload = InputParser.parseJsonObjectOrThrowError(input, "initialIdTokenPayload", false);
+
+        JsonObject accessToken = new JsonObject();
+        accessToken.addProperty("iss", iss);
+        accessToken.addProperty("tId", tId);
+        accessToken.addProperty("rsub", rsub);
+        accessToken.addProperty("sessionHandle", sessionHandle);
+        accessToken.addProperty("gid", UUID.randomUUID().toString());
+        accessToken.add("initialPayload", initialAccessTokenPayload);
+
+        JsonObject idToken = new JsonObject();
+        JsonObject idTokenExt = new JsonObject();
+        idTokenExt.addProperty("sessionHandle", sessionHandle);
+        idToken.add("ext", idTokenExt);
+        idToken.add("initialPayload", initialIdTokenPayload);
+
+        // remove the above from input
+        input.remove("iss");
+        input.remove("tId");
+        input.remove("rsub");
+        input.remove("sessionHandle");
+        input.remove("initialAccessTokenPayload");
+        input.remove("initialIdTokenPayload");
+
+        JsonObject session = new JsonObject();
+        session.add("access_token", accessToken);
+        session.add("id_token", idToken);
+        input.add("session", session);
+
+        try {
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonPUT(
+                main, req, resp,
+                getAppIdentifier(req),
+                enforcePublicTenantAndGetPublicTenantStorage(req),
+                null, // clientIdToCheck
+                "/admin/oauth2/auth/requests/consent/accept", // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                OAuthProxyHelper.defaultGetQueryParamsFromRequest(req),
+                input, // jsonBody
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthLoginRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthLoginRequestAPI.java
new file mode 100644
index 000000000..7ff74153f
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthLoginRequestAPI.java
@@ -0,0 +1,56 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.webserver.WebserverAPI;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthAcceptAuthLoginRequestAPI extends WebserverAPI {
+
+    public OAuthAcceptAuthLoginRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/login/accept";
+    }
+
+    @Override
+    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+
+        try {
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonPUT(
+                main, req, resp,
+                getAppIdentifier(req),
+                enforcePublicTenantAndGetPublicTenantStorage(req),
+                null, // clientIdToCheck
+                "/admin/oauth2/auth/requests/login/accept",
+                true,
+                true,
+                OAuthProxyHelper.defaultGetQueryParamsFromRequest(req),
+                input, // jsonBody
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthLogoutRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthLogoutRequestAPI.java
new file mode 100644
index 000000000..786f0fbe8
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthLogoutRequestAPI.java
@@ -0,0 +1,50 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.oauth.exceptions.OAuthAPIException;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthAcceptAuthLogoutRequestAPI extends WebserverAPI {
+
+    public OAuthAcceptAuthLogoutRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/logout/accept";
+    }
+
+    @Override
+    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String challenge = InputParser.parseStringOrThrowError(input, "challenge", false);
+        
+        try {
+            String redirectTo = OAuth.consumeLogoutChallengeAndGetRedirectUri(main, getAppIdentifier(req), enforcePublicTenantAndGetPublicTenantStorage(req), challenge);
+
+            JsonObject response = new JsonObject();
+            response.addProperty("status", "OK");
+            response.addProperty("redirectTo", redirectTo);
+            super.sendJsonResponse(200, response, resp);
+
+        } catch (OAuthAPIException e) {
+            OAuthProxyHelper.handleOAuthAPIException(resp, e);
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthAuthAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAuthAPI.java
new file mode 100644
index 000000000..083aafe9e
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAuthAPI.java
@@ -0,0 +1,184 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.webserver.api.oauth;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+import io.supertokens.ActiveUsers;
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import io.supertokens.pluginInterface.session.SessionInfo;
+import io.supertokens.pluginInterface.useridmapping.UserIdMapping;
+import io.supertokens.session.Session;
+import io.supertokens.session.jwt.JWT;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.useridmapping.UserIdType;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+public class OAuthAuthAPI extends WebserverAPI {
+    public OAuthAuthAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth";
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        JsonObject params = InputParser.parseJsonObjectOrThrowError(input, "params", false);
+        String cookies = InputParser.parseStringOrThrowError(input, "cookies", true);
+
+        // These optional stuff will be used in case of implicit flow
+        JsonObject accessTokenUpdate = InputParser.parseJsonObjectOrThrowError(input, "access_token", true);
+        JsonObject idTokenUpdate = InputParser.parseJsonObjectOrThrowError(input, "id_token", true);
+        String iss = InputParser.parseStringOrThrowError(input, "iss", true);
+        Boolean useStaticKeyInput = InputParser.parseBooleanOrThrowError(input, "useStaticSigningKey", true);
+        boolean useDynamicKey = Boolean.FALSE.equals(useStaticKeyInput);
+
+        Map<String, String> queryParams = params.entrySet().stream().collect(Collectors.toMap(
+                Map.Entry::getKey,
+                e -> e.getValue().getAsString()
+        ));
+
+        Map<String, String> headers = new HashMap<>();
+
+        if (cookies != null) {
+            headers.put("Cookie", cookies);
+        }
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyGET(
+                main, req, resp,
+                appIdentifier,
+                storage,
+                queryParams.get("client_id"), // clientIdToCheck
+                "/oauth2/auth", // proxyPath
+                false, // proxyToAdmin
+                false, // camelToSnakeCaseConversion
+                queryParams,
+                headers
+            );
+
+            if (response != null) {
+                if (response.headers == null || !response.headers.containsKey("Location")) {
+                    throw new IllegalStateException("Invalid response from hydra");
+                }
+        
+                String redirectTo = response.headers.get("Location").get(0);
+
+                redirectTo = OAuth.transformTokensInAuthRedirect(main, appIdentifier, storage, redirectTo, iss, accessTokenUpdate, idTokenUpdate, useDynamicKey);
+
+                if (redirectTo.contains("#")) {
+                    String tokensPart = redirectTo.substring(redirectTo.indexOf("#") + 1);
+                    String[] parts = tokensPart.split("&");
+                    for (String part : parts) {
+                        if (part.startsWith("access_token=")) {
+                            String accessToken = java.net.URLDecoder.decode(part.split("=")[1], "UTF-8");
+                            JsonObject accessTokenPayload;
+                            try {
+                                JWT.JWTInfo jwtInfo = JWT.getPayloadWithoutVerifying(accessToken);
+                                accessTokenPayload = jwtInfo.payload;
+                            } catch (JWT.JWTException  e) {
+                                // This should never happen here since we just created/signed the token
+                                throw new ServletException(e);
+                            }
+
+                            String clientId =  accessTokenPayload.get("client_id").getAsString();
+                            String gid = accessTokenPayload.get("gid").getAsString();
+                            String jti = accessTokenPayload.get("jti").getAsString();
+
+                            long exp = accessTokenPayload.get("exp").getAsLong();
+
+                            String sessionHandle = null;
+                            if (accessTokenPayload.has("sessionHandle")) {
+                                sessionHandle = accessTokenPayload.get("sessionHandle").getAsString();
+                                updateLastActive(appIdentifier, sessionHandle);
+                            }
+
+                            OAuth.createOrUpdateOauthSession(main, appIdentifier, storage, clientId, gid, null, null, sessionHandle, jti, exp);
+                        }
+                    }
+                }
+
+                List<String> responseCookies = response.headers.get("Set-Cookie");
+
+                JsonObject finalResponse = new JsonObject();
+                finalResponse.addProperty("redirectTo", redirectTo);
+
+                JsonArray jsonCookies = new JsonArray();
+                if (responseCookies != null) {
+                    for (String cookie : responseCookies) {
+                        jsonCookies.add(new JsonPrimitive(cookie));
+                    }
+                }
+        
+                finalResponse.add("cookies", jsonCookies);
+                finalResponse.addProperty("status", "OK");
+                
+                super.sendJsonResponse(200, finalResponse, resp);
+            }
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException | OAuthClientNotFoundException e) {
+            throw new ServletException(e);
+        }
+    }
+
+    private void updateLastActive(AppIdentifier appIdentifier, String sessionHandle) {
+        try {
+            TenantIdentifier tenantIdentifier = new TenantIdentifier(appIdentifier.getConnectionUriDomain(),
+                    appIdentifier.getAppId(), Session.getTenantIdFromSessionHandle(sessionHandle));
+            Storage storage = StorageLayer.getStorage(tenantIdentifier, main);
+            SessionInfo sessionInfo = Session.getSession(tenantIdentifier, storage, sessionHandle);
+
+            UserIdMapping userIdMapping = io.supertokens.useridmapping.UserIdMapping.getUserIdMapping(
+                    appIdentifier, storage, sessionInfo.userId, UserIdType.ANY);
+            if (userIdMapping != null) {
+                ActiveUsers.updateLastActive(appIdentifier, main, userIdMapping.superTokensUserId);
+            } else {
+                ActiveUsers.updateLastActive(appIdentifier, main, sessionInfo.userId);
+            }
+        } catch (Exception e) {
+            // ignore
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthClientListAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthClientListAPI.java
new file mode 100644
index 000000000..b728656f9
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthClientListAPI.java
@@ -0,0 +1,131 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+
+public class OAuthClientListAPI extends WebserverAPI {
+
+    public OAuthClientListAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+    
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/clients/list";
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+            Map<String, String> queryParams = OAuthProxyHelper.defaultGetQueryParamsFromRequest(req);
+            queryParams.put("owner", appIdentifier.getAppId());
+
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyGET(
+                main, req, resp,
+                appIdentifier,
+                storage,
+                null, // clientIdToCheck
+                "/admin/clients", // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                queryParams,
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                JsonObject finalResponse = new JsonObject();
+                finalResponse.addProperty("status", "OK");
+
+                // Filter out the clients for app
+                Map<String, OAuthClient> clientsMap = new HashMap<>();
+                try {
+                    List<String> clientIds = new ArrayList<>();
+                    for (JsonElement clientElem : response.jsonResponse.getAsJsonArray()) {
+                        clientIds.add(clientElem.getAsJsonObject().get("clientId").getAsString());
+                    }
+
+                    List<OAuthClient> clients = OAuth.getClients(main, getAppIdentifier(req), enforcePublicTenantAndGetPublicTenantStorage(req), clientIds);
+                    for (OAuthClient client : clients) {
+                        clientsMap.put(client.clientId, client);
+                    }
+                } catch (StorageQueryException | TenantOrAppNotFoundException | BadPermissionException |
+                         InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException |
+                         NoSuchPaddingException | InvalidAlgorithmParameterException | IllegalBlockSizeException |
+                         BadPaddingException | InvalidConfigException e) {
+                    throw new ServletException(e);
+                }
+
+                JsonArray clients = new JsonArray();
+                
+                for (JsonElement clientElem : response.jsonResponse.getAsJsonArray()) {
+                    if (clientsMap.containsKey(clientElem.getAsJsonObject().get("clientId").getAsString())) {
+                        clientElem.getAsJsonObject().addProperty("clientSecret", clientsMap.get(clientElem.getAsJsonObject().get("clientId").getAsString()).clientSecret);
+                        clientElem.getAsJsonObject().addProperty("enableRefreshTokenRotation", clientsMap.get(clientElem.getAsJsonObject().get("clientId").getAsString()).enableRefreshTokenRotation);
+                        clients.add(clientElem);
+                    }
+                }
+
+                finalResponse.add("clients", clients);
+
+                // pagination
+                List<String> linkHeader = response.headers.get("Link");
+                if (linkHeader != null && !linkHeader.isEmpty()) {
+                    for (String nextLink : linkHeader.get(0).split(",")) {
+                        if (!nextLink.contains("rel=\"next\"")) {
+                            continue;
+                        }
+
+                        String pageToken = null;
+                        if (nextLink.contains("page_token=")) {
+                            int startIndex = nextLink.indexOf("page_token=") + "page_token=".length();
+                            int endIndex = nextLink.indexOf('>', startIndex);
+                            if (endIndex != -1) {
+                                pageToken = nextLink.substring(startIndex, endIndex);
+                            }
+                        }
+                        if (pageToken != null) {
+                            finalResponse.addProperty("nextPaginationToken", pageToken);
+                        }
+                    }
+                }
+
+                super.sendJsonResponse(200, finalResponse, resp);
+            }
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthGetAuthConsentRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthGetAuthConsentRequestAPI.java
new file mode 100644
index 000000000..326e9041f
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthGetAuthConsentRequestAPI.java
@@ -0,0 +1,54 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.Transformations;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthGetAuthConsentRequestAPI extends WebserverAPI {
+
+    public OAuthGetAuthConsentRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/consent";
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        try {
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyGET(
+                main, req, resp,
+                getAppIdentifier(req),
+                enforcePublicTenantAndGetPublicTenantStorage(req),
+                null, // clientIdToCheck
+                "/admin/oauth2/auth/requests/consent", // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                OAuthProxyHelper.defaultGetQueryParamsFromRequest(req),
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                Transformations.applyClientPropsWhiteList(response.jsonResponse.getAsJsonObject().get("client").getAsJsonObject());
+
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthGetAuthLoginRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthGetAuthLoginRequestAPI.java
new file mode 100644
index 000000000..a1d07e849
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthGetAuthLoginRequestAPI.java
@@ -0,0 +1,86 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.util.HashMap;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.oauth.Transformations;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthGetAuthLoginRequestAPI extends WebserverAPI {
+
+    public OAuthGetAuthLoginRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/login";
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyGET(
+                    main, req, resp,
+                    appIdentifier,
+                    storage,
+                    null, // clientIdToCheck
+                    "/admin/oauth2/auth/requests/login", // proxyPath
+                    true, // proxyToAdmin
+                    true, // camelToSnakeCaseConversion
+                    OAuthProxyHelper.defaultGetQueryParamsFromRequest(req),
+                    new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                Transformations.applyClientPropsWhiteList(
+                        response.jsonResponse.getAsJsonObject().get("client").getAsJsonObject());
+
+                String clientId = response.jsonResponse.getAsJsonObject().get("client").getAsJsonObject()
+                        .get("clientId").getAsString();
+                OAuthClient client = OAuth.getOAuthClientById(main, appIdentifier, storage, clientId);
+
+                response.jsonResponse.getAsJsonObject().get("client").getAsJsonObject()
+                        .addProperty("enableRefreshTokenRotation", client.enableRefreshTokenRotation);
+                response.jsonResponse.getAsJsonObject().get("client").getAsJsonObject().addProperty("clientSecret",
+                        client.clientSecret);
+
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException
+                | InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException
+                | InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException
+                | StorageQueryException | InvalidConfigException e) {
+            throw new ServletException(e);
+        } catch (OAuthClientNotFoundException e) {
+            OAuthProxyHelper.handleOAuthClientNotFoundException(resp);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java
new file mode 100644
index 000000000..d794a6ba9
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthLogoutAPI.java
@@ -0,0 +1,137 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.jwt.exceptions.UnsupportedJWTSigningAlgorithmException;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.oauth.exceptions.OAuthAPIException;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthLogoutAPI extends WebserverAPI {
+    public OAuthLogoutAPI(Main main){
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/sessions/logout";
+    }
+
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        String clientId = InputParser.getQueryParamOrThrowError(req, "clientId", true);
+        String idTokenHint = InputParser.getQueryParamOrThrowError(req, "idTokenHint", true);
+        String postLogoutRedirectionUri = InputParser.getQueryParamOrThrowError(req, "postLogoutRedirectUri", true);
+        String state = InputParser.getQueryParamOrThrowError(req, "state", true);
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+            // Validations
+            if (idTokenHint == null) {
+                if (postLogoutRedirectionUri != null ) {
+                    throw new OAuthAPIException("invalid_request", "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Logout failed because query parameter postLogoutRedirectionUri is set but idTokenHint is missing.", 400);
+                }
+    
+                if (state != null) {
+                    throw new OAuthAPIException("invalid_request", "The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. Logout failed because query parameter state is set but idTokenHint is missing.", 400);
+                }
+            }
+            // Verify id token and client id associations
+            JsonObject idTokenPayload = null;
+            String sessionHandle = null;
+            if (idTokenHint != null) {
+                idTokenPayload = OAuth.verifyIdTokenAndGetPayload(main, appIdentifier, storage, idTokenHint);
+                if (idTokenPayload.has("sid")) {
+                    sessionHandle = idTokenPayload.get("sid").getAsString();
+                }
+
+                if (clientId != null) {
+                    String clientIdInIdTokenPayload = idTokenPayload.get("aud").getAsString();
+                    if (!clientId.equals(clientIdInIdTokenPayload)) {
+                        throw new OAuthAPIException("invalid_request", "The client_id in the id_token_hint does not match the client_id in the request.", 400);
+                    }
+                } else {
+                    clientId = idTokenPayload.get("aud").getAsString();
+                }
+            }
+
+            // Check if the post logout redirection URI is valid for the clientId
+            if (postLogoutRedirectionUri != null) {
+                HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyGET(
+                    main, req, resp, 
+                    appIdentifier, storage,
+                    clientId, // clientIdToCheck
+                    "/admin/clients/" + clientId, // path
+                    true, // proxyToAdmin
+                    true, // camelToSnakeCaseConversion
+                    new HashMap<>(), // queryParams
+                    new HashMap<>() // headers
+                );
+
+                if (response == null) {
+                    return; // proxy would have already responded
+                }
+
+                String[] postLogoutRedirectUris = null;
+                if (response.jsonResponse.getAsJsonObject().has("postLogoutRedirectUris") && response.jsonResponse.getAsJsonObject().get("postLogoutRedirectUris").isJsonArray()) {
+                    JsonArray postLogoutRedirectUrisArray = response.jsonResponse.getAsJsonObject().get("postLogoutRedirectUris").getAsJsonArray();
+                    postLogoutRedirectUris = new String[postLogoutRedirectUrisArray.size()];
+                    for (int i = 0; i < postLogoutRedirectUrisArray.size(); i++) {
+                        postLogoutRedirectUris[i] = postLogoutRedirectUrisArray.get(i).getAsString();
+                    }
+                }
+
+                if (postLogoutRedirectUris == null || postLogoutRedirectUris.length == 0) {
+                    throw new OAuthAPIException("", "", 400);
+                }
+
+                boolean isValidPostLogoutRedirectUri = false;
+                for (String uri : postLogoutRedirectUris) {
+                    if (uri.equals(postLogoutRedirectionUri)) {
+                        isValidPostLogoutRedirectUri = true;
+                        break;
+                    }
+                }
+
+                if (!isValidPostLogoutRedirectUri) {
+                    throw new OAuthAPIException("invalid_request", "The post_logout_redirect_uri is not valid for this client.", 400);
+                }
+            }
+
+            // Validations are complete, time to respond
+            String redirectTo = OAuth.createLogoutRequestAndReturnRedirectUri(main, appIdentifier, storage, clientId, postLogoutRedirectionUri, sessionHandle, state);
+
+            JsonObject response = new JsonObject();
+            response.addProperty("status", "OK");
+            response.addProperty("redirectTo", redirectTo);
+            super.sendJsonResponse(200, response, resp);
+
+        } catch (OAuthAPIException e) {
+            OAuthProxyHelper.handleOAuthAPIException(resp, e);
+        } catch (OAuthClientNotFoundException e) {
+            OAuthProxyHelper.handleOAuthClientNotFoundException(resp);
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException | UnsupportedJWTSigningAlgorithmException | StorageTransactionLogicException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthProxyHelper.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthProxyHelper.java
new file mode 100644
index 000000000..6a3476f94
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthProxyHelper.java
@@ -0,0 +1,145 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.io.Serial;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.oauth.exceptions.OAuthAPIException;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthProxyHelper {
+    @Serial
+    private static final long serialVersionUID = -8734479943734920904L;
+
+    public static HttpRequestForOAuthProvider.Response proxyGET(Main main, HttpServletRequest req, HttpServletResponse resp, AppIdentifier appIdentifier, Storage storage,
+                                                                String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion,
+                                                                Map<String, String> queryParams, Map<String, String> headers) throws IOException, ServletException {
+        try {
+            return OAuth.doOAuthProxyGET(main, appIdentifier, storage, clientIdToCheck, path, proxyToAdmin, camelToSnakeCaseConversion, queryParams, headers);
+
+        } catch (OAuthClientNotFoundException e) {
+            handleOAuthClientNotFoundException(resp);
+        } catch (OAuthAPIException e) {
+            handleOAuthAPIException(resp, e);
+        } catch (StorageQueryException | TenantOrAppNotFoundException | FeatureNotEnabledException | InvalidConfigException e) {
+            throw new ServletException(e);
+        }
+        return null;
+    }
+
+    public static HttpRequestForOAuthProvider.Response proxyFormPOST(Main main, HttpServletRequest req, HttpServletResponse resp, AppIdentifier appIdentifier, Storage storage,
+                                                                     String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion,
+                                                                     Map<String, String> formFields, Map<String, String> headers) throws IOException, ServletException {
+        try {
+            return OAuth.doOAuthProxyFormPOST(main, appIdentifier, storage, clientIdToCheck, path, proxyToAdmin, camelToSnakeCaseConversion, formFields, headers);
+        } catch (OAuthClientNotFoundException e) {
+            handleOAuthClientNotFoundException(resp);
+        } catch (OAuthAPIException e) {
+            handleOAuthAPIException(resp, e);
+        } catch (StorageQueryException | TenantOrAppNotFoundException | FeatureNotEnabledException | InvalidConfigException e) {
+            throw new ServletException(e);
+        }
+        return null;
+    }
+
+    public static HttpRequestForOAuthProvider.Response proxyJsonPOST(Main main, HttpServletRequest req, HttpServletResponse resp, AppIdentifier appIdentifier, Storage storage,
+                                                                     String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion,
+                                                                     JsonObject jsonInput, Map<String, String> headers) throws IOException, ServletException {
+        try {
+            return OAuth.doOAuthProxyJsonPOST(main, appIdentifier, storage, clientIdToCheck, path, proxyToAdmin, camelToSnakeCaseConversion, jsonInput, headers);
+        } catch (OAuthClientNotFoundException e) {
+            handleOAuthClientNotFoundException(resp);
+        } catch (OAuthAPIException e) {
+            handleOAuthAPIException(resp, e);
+        } catch (StorageQueryException | TenantOrAppNotFoundException | FeatureNotEnabledException | InvalidConfigException e) {
+            throw new ServletException(e);
+        }
+        return null;
+    }
+
+    public static HttpRequestForOAuthProvider.Response proxyJsonPUT(Main main, HttpServletRequest req, HttpServletResponse resp, AppIdentifier appIdentifier, Storage storage,
+                                                                    String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion,
+                                                                    Map<String, String> queryParams, JsonObject jsonInput, Map<String, String> headers) throws IOException, ServletException {
+
+        try {
+            return OAuth.doOAuthProxyJsonPUT(main, appIdentifier, storage, clientIdToCheck, path, proxyToAdmin, camelToSnakeCaseConversion, queryParams,  jsonInput, headers);
+        } catch (OAuthClientNotFoundException e) {
+            handleOAuthClientNotFoundException(resp);
+        } catch (OAuthAPIException e) {
+            handleOAuthAPIException(resp, e);
+        } catch (StorageQueryException | TenantOrAppNotFoundException | FeatureNotEnabledException | InvalidConfigException e) {
+            throw new ServletException(e);
+        }
+        return null;
+    }
+
+    public static HttpRequestForOAuthProvider.Response proxyJsonDELETE(Main main, HttpServletRequest req, HttpServletResponse resp, AppIdentifier appIdentifier, Storage storage,
+                                                                       String clientIdToCheck, String path, boolean proxyToAdmin, boolean camelToSnakeCaseConversion,
+                                                                       Map<String, String> queryParams, JsonObject jsonInput, Map<String, String> headers) throws IOException, ServletException {
+        try {
+            return OAuth.doOAuthProxyJsonDELETE(main, appIdentifier, storage, clientIdToCheck, path, proxyToAdmin, camelToSnakeCaseConversion, queryParams, jsonInput, headers);
+        } catch (OAuthClientNotFoundException e) {
+            handleOAuthClientNotFoundException(resp);
+        } catch (OAuthAPIException e) {
+            handleOAuthAPIException(resp, e);
+        } catch (StorageQueryException | TenantOrAppNotFoundException | FeatureNotEnabledException | InvalidConfigException e) {
+            throw new ServletException(e);
+        }
+        return null;
+    }
+
+    public static Map<String, String> defaultGetQueryParamsFromRequest(HttpServletRequest req) {
+        Map<String, String> queryParams = new HashMap<>();
+
+        String queryString = req.getQueryString();
+        if (queryString != null) {
+            String[] queryParamsParts = queryString.split("&");
+            for (String queryParam : queryParamsParts) {
+                String[] keyValue = queryParam.split("=");
+                if (keyValue.length == 2) {
+                    queryParams.put(keyValue[0], URLDecoder.decode(keyValue[1], StandardCharsets.UTF_8));
+                }
+            }
+        }
+
+        return queryParams;
+    }
+
+    public static void handleOAuthClientNotFoundException(HttpServletResponse resp) throws IOException {
+        JsonObject response = new JsonObject();
+        response.addProperty("status", "CLIENT_NOT_FOUND_ERROR");
+
+        resp.setStatus(200);
+        resp.setHeader("Content-Type", "application/json; charset=UTF-8");
+        resp.getWriter().println(response.toString());
+    }
+
+    public static void handleOAuthAPIException(HttpServletResponse resp, OAuthAPIException e) throws IOException {
+        JsonObject response = new JsonObject();
+        response.addProperty("status", "OAUTH_ERROR");
+        response.addProperty("error", e.error);
+        response.addProperty("errorDescription", e.errorDescription);
+        response.addProperty("statusCode", e.statusCode);
+
+        resp.setStatus(200);
+        resp.setHeader("Content-Type", "application/json; charset=UTF-8");
+        resp.getWriter().println(response.toString());
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthConsentRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthConsentRequestAPI.java
new file mode 100644
index 000000000..173af8812
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthConsentRequestAPI.java
@@ -0,0 +1,57 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthRejectAuthConsentRequestAPI extends WebserverAPI {
+
+    public OAuthRejectAuthConsentRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/consent/reject";
+    }
+
+    @Override
+    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+
+        try {
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonPUT(
+                main, req, resp,
+                getAppIdentifier(req),
+                enforcePublicTenantAndGetPublicTenantStorage(req),
+                null, // clientIdToCheck
+                "/admin/oauth2/auth/requests/consent/reject", // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                OAuthProxyHelper.defaultGetQueryParamsFromRequest(req), // queryParams
+                input, // jsonBody
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthLoginRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthLoginRequestAPI.java
new file mode 100644
index 000000000..ec93e41c0
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthLoginRequestAPI.java
@@ -0,0 +1,58 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthRejectAuthLoginRequestAPI extends WebserverAPI {
+
+    public OAuthRejectAuthLoginRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/login/reject";
+    }
+
+    @Override
+    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+
+        try {
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonPUT(
+                main, req, resp,
+                getAppIdentifier(req),
+                enforcePublicTenantAndGetPublicTenantStorage(req),
+                null, // clientIdToCheck
+                "/admin/oauth2/auth/requests/login/reject", // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                OAuthProxyHelper.defaultGetQueryParamsFromRequest(req), // queryParams
+                input, // jsonBody
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthLogoutRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthLogoutRequestAPI.java
new file mode 100644
index 000000000..2a9118cfc
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthRejectAuthLogoutRequestAPI.java
@@ -0,0 +1,46 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class OAuthRejectAuthLogoutRequestAPI extends WebserverAPI {
+
+    public OAuthRejectAuthLogoutRequestAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/auth/requests/logout/reject";
+    }
+
+    @Override
+    protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String challenge = InputParser.parseStringOrThrowError(input, "challenge", false);
+
+        try {
+            OAuth.deleteLogoutChallenge(main, getAppIdentifier(req), enforcePublicTenantAndGetPublicTenantStorage(req), challenge);
+
+            JsonObject response = new JsonObject();
+            response.addProperty("status", "OK");
+            super.sendJsonResponse(200, response, resp);
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java
new file mode 100644
index 000000000..aad3fb727
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java
@@ -0,0 +1,291 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.webserver.api.oauth;
+
+import com.auth0.jwt.exceptions.JWTCreationException;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import io.supertokens.ActiveUsers;
+import io.supertokens.Main;
+import io.supertokens.exceptions.TryRefreshTokenException;
+import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.jwt.exceptions.UnsupportedJWTSigningAlgorithmException;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.oauth.OAuthToken;
+import io.supertokens.oauth.exceptions.OAuthAPIException;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import io.supertokens.pluginInterface.session.SessionInfo;
+import io.supertokens.pluginInterface.useridmapping.UserIdMapping;
+import io.supertokens.session.Session;
+import io.supertokens.session.jwt.JWT.JWTException;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.useridmapping.UserIdType;
+import io.supertokens.utils.Utils;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.util.HashMap;
+import java.util.Map;
+
+public class OAuthTokenAPI extends WebserverAPI {
+
+    public OAuthTokenAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/token";
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String iss = InputParser.parseStringOrThrowError(input, "iss", false); // input validation
+        JsonObject bodyFromSDK = InputParser.parseJsonObjectOrThrowError(input, "inputBody", false);
+
+        String grantType = InputParser.parseStringOrThrowError(bodyFromSDK, "grant_type", false);
+        JsonObject accessTokenUpdate = InputParser.parseJsonObjectOrThrowError(input, "access_token", "authorization_code".equals(grantType));
+        JsonObject idTokenUpdate = InputParser.parseJsonObjectOrThrowError(input, "id_token", "authorization_code".equals(grantType));
+
+        // useStaticKeyInput defaults to true, so we check if it has been explicitly set to false
+        Boolean useStaticKeyInput = InputParser.parseBooleanOrThrowError(input, "useStaticSigningKey", true);
+        boolean useDynamicKey = Boolean.FALSE.equals(useStaticKeyInput);
+
+        String authorizationHeader = InputParser.parseStringOrThrowError(input, "authorizationHeader", true);
+
+        Map<String, String> headers = new HashMap<>();
+        if (authorizationHeader != null) {
+            headers.put("Authorization", authorizationHeader);
+        }
+
+        Map<String, String> formFields = new HashMap<>();
+        for (Map.Entry<String, JsonElement> entry : bodyFromSDK.entrySet()) {
+            formFields.put(entry.getKey(), entry.getValue().getAsString());
+        }
+
+        String clientId;
+
+        if (authorizationHeader != null) {
+            String[] parsedHeader = Utils.convertFromBase64(authorizationHeader.replaceFirst("^Basic ", "").trim()).split(":");
+            clientId = parsedHeader[0];
+        } else {
+            clientId = formFields.get("client_id");
+        }
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+            OAuthClient oauthClient = OAuth.getOAuthClientById(main, appIdentifier, storage, clientId);
+
+            String inputRefreshToken = null;
+
+            // check if the refresh token is valid
+            if (grantType.equals("refresh_token")) {
+                String refreshToken = InputParser.parseStringOrThrowError(bodyFromSDK, "refresh_token", false);
+                inputRefreshToken = refreshToken;
+
+                String internalRefreshToken = OAuth.getInternalRefreshToken(main, appIdentifier, storage, refreshToken);
+
+                Map<String, String> formFieldsForTokenIntrospect = new HashMap<>();
+                formFieldsForTokenIntrospect.put("token", internalRefreshToken);
+
+                HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyFormPOST(
+                    main, req, resp,
+                    appIdentifier,
+                    storage,
+                    null, // clientIdToCheck
+                    "/admin/oauth2/introspect", // pathProxy
+                    true, // proxyToAdmin
+                    false, // camelToSnakeCaseConversion
+                    formFieldsForTokenIntrospect,
+                    new HashMap<>() // headers
+                );
+
+                if (response == null) {
+                    return; // proxy helper would have sent the error response
+                }
+
+                JsonObject refreshTokenPayload = response.jsonResponse.getAsJsonObject();
+
+                try {
+                    OAuth.verifyAndUpdateIntrospectRefreshTokenPayload(main, appIdentifier, storage, refreshTokenPayload, refreshToken, oauthClient.clientId);
+                } catch (StorageQueryException | TenantOrAppNotFoundException |
+                            FeatureNotEnabledException | InvalidConfigException e) {
+                    throw new ServletException(e);
+                }
+
+                if (!refreshTokenPayload.get("active").getAsBoolean()) {
+                    // this is what ory would return for an invalid token
+                    OAuthProxyHelper.handleOAuthAPIException(resp, new OAuthAPIException(
+                        "token_inactive", "Token is inactive because it is malformed, expired or otherwise invalid. Token validation failed.", 401
+                    ));
+                    return;
+                }
+
+                formFields.put("refresh_token", internalRefreshToken);
+            }
+
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyFormPOST(
+                main, req, resp,
+                getAppIdentifier(req),
+                enforcePublicTenantAndGetPublicTenantStorage(req),
+                clientId, // clientIdToCheck
+                "/oauth2/token", // proxyPath
+                false, // proxyToAdmin
+                false, // camelToSnakeCaseConversion
+                formFields,
+                headers // headers
+            );
+
+            if (response != null) {
+                try {
+                    response.jsonResponse = OAuth.transformTokens(super.main, appIdentifier, storage, response.jsonResponse.getAsJsonObject(), iss, accessTokenUpdate, idTokenUpdate, useDynamicKey);
+
+                    if (grantType.equals("client_credentials")) {
+                        try {
+                            OAuth.addM2MToken(main, appIdentifier, storage, response.jsonResponse.getAsJsonObject().get("access_token").getAsString());
+                        } catch (TryRefreshTokenException e) {
+                            throw new IllegalStateException("should never happen");
+                        }
+                    }
+
+                    String gid = null;
+                    String jti = null;
+                    String sessionHandle = null;
+                    Long accessTokenExp = null;
+
+                    if(response.jsonResponse.getAsJsonObject().has("access_token")){
+                        try {
+                            JsonObject accessTokenPayload = OAuthToken.getPayloadFromJWTToken(appIdentifier, main, response.jsonResponse.getAsJsonObject().get("access_token").getAsString());
+                            gid = accessTokenPayload.get("gid").getAsString();
+                            jti = accessTokenPayload.get("jti").getAsString();
+                            accessTokenExp = accessTokenPayload.get("exp").getAsLong();
+                            if (accessTokenPayload.has("sessionHandle")) {
+                                sessionHandle = accessTokenPayload.get("sessionHandle").getAsString();
+                                updateLastActive(appIdentifier, sessionHandle);
+                            }
+                        } catch (TryRefreshTokenException e) {
+                            //ignore, shouldn't happen
+                        }
+                    }
+
+                    if (response.jsonResponse.getAsJsonObject().has("refresh_token")) {
+                        String newRefreshToken = response.jsonResponse.getAsJsonObject().get("refresh_token").getAsString();
+                        long refreshTokenExp = 0;
+                        {
+                            // Introspect the new refresh token to get the expiry
+                            Map<String, String> formFieldsForTokenIntrospect = new HashMap<>();
+                            formFieldsForTokenIntrospect.put("token", newRefreshToken);
+
+                            HttpRequestForOAuthProvider.Response introspectResponse = OAuthProxyHelper.proxyFormPOST(
+                                main, req, resp,
+                                getAppIdentifier(req),
+                                enforcePublicTenantAndGetPublicTenantStorage(req),
+                                null, // clientIdToCheck
+                                "/admin/oauth2/introspect", // pathProxy
+                                true, // proxyToAdmin
+                                false, // camelToSnakeCaseConversion
+                                formFieldsForTokenIntrospect,
+                                new HashMap<>() // headers
+                            );
+
+                            if (introspectResponse != null) {
+                                JsonObject refreshTokenPayload = introspectResponse.jsonResponse.getAsJsonObject();
+                                refreshTokenExp = refreshTokenPayload.get("exp").getAsLong();
+                            } else {
+                                throw new IllegalStateException("Should never come here");
+                            }
+                        }
+
+                        if (inputRefreshToken == null) {
+                            // Issuing a new refresh token, always creating a mapping.
+                            OAuth.createOrUpdateOauthSession(main, appIdentifier, storage, clientId, gid, newRefreshToken, null, sessionHandle, jti, refreshTokenExp);
+                        } else {
+                            // Refreshing a token
+                            if (!oauthClient.enableRefreshTokenRotation) {
+                                OAuth.createOrUpdateOauthSession(main, appIdentifier, storage, clientId, gid, inputRefreshToken, newRefreshToken, sessionHandle, jti, refreshTokenExp);
+                                response.jsonResponse.getAsJsonObject().remove("refresh_token");
+                            } else {
+                                OAuth.createOrUpdateOauthSession(main, appIdentifier, storage, clientId, gid, newRefreshToken, null, sessionHandle, jti, refreshTokenExp);
+                            }
+                        }
+                    } else {
+                        OAuth.createOrUpdateOauthSession(main, appIdentifier, storage, clientId, gid, null, null, sessionHandle, jti, accessTokenExp);
+                    }
+
+                } catch (IOException | InvalidConfigException | TenantOrAppNotFoundException | StorageQueryException
+                         | InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException
+                         | JWTCreationException | JWTException | StorageTransactionLogicException
+                         | UnsupportedJWTSigningAlgorithmException | OAuthClientNotFoundException e) {
+                    throw new ServletException(e);
+                }
+
+                response.jsonResponse.getAsJsonObject().addProperty("status", "OK");
+                super.sendJsonResponse(200, response.jsonResponse, resp);
+            }
+        } catch (IOException | StorageQueryException | TenantOrAppNotFoundException | BadPermissionException |
+                 InvalidKeyException | NoSuchAlgorithmException | InvalidKeySpecException | NoSuchPaddingException |
+                 InvalidAlgorithmParameterException | IllegalBlockSizeException | BadPaddingException |
+                 InvalidConfigException e) {
+            throw new ServletException(e);
+        } catch (OAuthClientNotFoundException e) {
+            OAuthProxyHelper.handleOAuthClientNotFoundException(resp);
+        }
+    }
+
+    private void updateLastActive(AppIdentifier appIdentifier, String sessionHandle) {
+        try {
+            TenantIdentifier tenantIdentifier = new TenantIdentifier(appIdentifier.getConnectionUriDomain(),
+                    appIdentifier.getAppId(), Session.getTenantIdFromSessionHandle(sessionHandle));
+            Storage storage = StorageLayer.getStorage(tenantIdentifier, main);
+            SessionInfo sessionInfo = Session.getSession(tenantIdentifier, storage, sessionHandle);
+
+            UserIdMapping userIdMapping = io.supertokens.useridmapping.UserIdMapping.getUserIdMapping(
+                    appIdentifier, storage, sessionInfo.userId, UserIdType.ANY);
+            if (userIdMapping != null) {
+                ActiveUsers.updateLastActive(appIdentifier, main, userIdMapping.superTokensUserId);
+            } else {
+                ActiveUsers.updateLastActive(appIdentifier, main, sessionInfo.userId);
+            }
+        } catch (Exception e) {
+            // ignore
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenIntrospectAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenIntrospectAPI.java
new file mode 100644
index 000000000..77cd53efd
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenIntrospectAPI.java
@@ -0,0 +1,117 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.webserver.api.oauth;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import io.supertokens.Main;
+import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.jwt.exceptions.UnsupportedJWTSigningAlgorithmException;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+public class OAuthTokenIntrospectAPI extends WebserverAPI {
+
+    public OAuthTokenIntrospectAPI(Main main) {
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/introspect";
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String token = InputParser.parseStringOrThrowError(input, "token", false);
+
+        if (token.startsWith("st_rt_")) {
+            Map<String, String> formFields = new HashMap<>();
+            for (Map.Entry<String, JsonElement> entry : input.entrySet()) {
+                formFields.put(entry.getKey(), entry.getValue().getAsString());
+            }
+
+            try {
+                AppIdentifier appIdentifier = getAppIdentifier(req);
+                Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+                token = OAuth.getInternalRefreshToken(main, appIdentifier, storage, token);
+                formFields.put("token", token);
+
+                HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyFormPOST(
+                    main, req, resp,
+                    appIdentifier,
+                    storage,
+                    null, // clientIdToCheck
+                    "/admin/oauth2/introspect", // pathProxy
+                    true, // proxyToAdmin
+                    false, // camelToSnakeCaseConversion
+                    formFields,
+                    new HashMap<>() // headers
+                );
+
+                if (response != null) {
+                    JsonObject finalResponse = response.jsonResponse.getAsJsonObject();
+                    String clientId = null;
+                    if(finalResponse.has("client_id")) {
+                        clientId = finalResponse.get("client_id").getAsString();
+                    }
+                    try {
+                        OAuth.verifyAndUpdateIntrospectRefreshTokenPayload(main, appIdentifier, storage, finalResponse, token, clientId);
+                    } catch (StorageQueryException | TenantOrAppNotFoundException |
+                                FeatureNotEnabledException | InvalidConfigException e) {
+                        throw new ServletException(e);
+                    }
+
+                    finalResponse.addProperty("status", "OK");
+                    super.sendJsonResponse(200, finalResponse, resp);
+                }
+            } catch (IOException | StorageQueryException | TenantOrAppNotFoundException | BadPermissionException e) {
+                throw new ServletException(e);
+            }
+        } else {
+            try {
+                AppIdentifier appIdentifier = getAppIdentifier(req);
+                Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+                JsonObject response = OAuth.introspectAccessToken(main, appIdentifier, storage, token);
+                response.addProperty("status", "OK");
+                super.sendJsonResponse(200, response, resp);
+
+            } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException | StorageTransactionLogicException | UnsupportedJWTSigningAlgorithmException e) {
+                throw new ServletException(e);
+            }
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/RemoveOAuthClientAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/RemoveOAuthClientAPI.java
new file mode 100644
index 000000000..532821d37
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/RemoveOAuthClientAPI.java
@@ -0,0 +1,99 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class RemoveOAuthClientAPI extends WebserverAPI {
+
+    public RemoveOAuthClientAPI(Main main){
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/clients/remove";
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String clientId = InputParser.parseStringOrThrowError(input, "clientId", false);
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+            try {
+                boolean didExist = OAuth.removeClient(main, getAppIdentifier(req), enforcePublicTenantAndGetPublicTenantStorage(req), clientId);
+                if (!didExist) {
+                    JsonObject response = new JsonObject();
+                    response.addProperty("status", "OK");
+                    response.addProperty("didExist", false);
+                    super.sendJsonResponse(200, response, resp);
+                    return;
+                }
+            } catch (StorageQueryException | TenantOrAppNotFoundException | BadPermissionException e) {
+                throw new ServletException(e);
+            }
+
+
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonDELETE(
+                main, req, resp,
+                appIdentifier,
+                storage,
+                null, // clientIdToCheck
+                "/admin/clients/" + clientId, // proxyPath
+                true, // proxyToAdmin
+                true, // camelToSnakeCaseConversion
+                new HashMap<>(), // queryParams
+                new JsonObject(), // jsonBody
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                JsonObject finalResponse = new JsonObject();
+                finalResponse.addProperty("status", "OK");
+                finalResponse.addProperty("didExist", true);
+
+                super.sendJsonResponse(200, finalResponse, resp);
+            }
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthSessionAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthSessionAPI.java
new file mode 100644
index 000000000..ef54c7ee6
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthSessionAPI.java
@@ -0,0 +1,50 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class RevokeOAuthSessionAPI extends WebserverAPI {
+    public RevokeOAuthSessionAPI(Main main){
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/session/revoke";
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+
+        String sessionHandle = InputParser.parseStringOrThrowError(input, "sessionHandle", false);
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+            OAuth.revokeSessionHandle(main, appIdentifier, storage, sessionHandle);
+
+            JsonObject response = new JsonObject();
+            response.addProperty("status", "OK");
+            super.sendJsonResponse(200, response, resp);
+
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokenAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokenAPI.java
new file mode 100644
index 000000000..d958821de
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokenAPI.java
@@ -0,0 +1,157 @@
+package io.supertokens.webserver.api.oauth;
+
+import com.google.gson.JsonObject;
+import io.supertokens.Main;
+import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.jwt.exceptions.UnsupportedJWTSigningAlgorithmException;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.utils.Utils;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.util.HashMap;
+import java.util.Map;
+
+public class RevokeOAuthTokenAPI extends WebserverAPI {
+    public RevokeOAuthTokenAPI(Main main){
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/token/revoke";
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+
+        String token = InputParser.parseStringOrThrowError(input, "token", false);
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+            if (token.startsWith("st_rt_")) {
+                token = OAuth.getInternalRefreshToken(main, appIdentifier, storage, token);
+
+                String gid = null;
+                long exp = -1;
+                {
+                    // introspect token to get gid
+                    Map<String, String> formFields = new HashMap<>();
+                    formFields.put("token", token);
+
+                    HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyFormPOST(
+                        main, req, resp,
+                        appIdentifier,
+                        storage,
+                        null, // clientIdToCheck
+                        "/admin/oauth2/introspect", // pathProxy
+                        true, // proxyToAdmin
+                        false, // camelToSnakeCaseConversion
+                        formFields,
+                        new HashMap<>() // headers
+                    );
+
+                    if (response != null) {
+                        JsonObject finalResponse = response.jsonResponse.getAsJsonObject();
+                        String clientId = null;
+                        if (finalResponse.has("client_id")){
+                            clientId = finalResponse.get("client_id").getAsString();
+                        }
+
+                        try {
+                            OAuth.verifyAndUpdateIntrospectRefreshTokenPayload(main, appIdentifier, storage, finalResponse, token, clientId);
+                            if (finalResponse.get("active").getAsBoolean()) {
+                                gid = finalResponse.get("gid").getAsString();
+                                exp = finalResponse.get("exp").getAsLong();
+                            }
+                        } catch (StorageQueryException | TenantOrAppNotFoundException |
+                                    FeatureNotEnabledException | InvalidConfigException e) {
+                            throw new ServletException(e);
+                        }
+                    }
+                }
+
+                // revoking refresh token
+
+                String clientId, clientSecret;
+
+                String authorizationHeader = InputParser.parseStringOrThrowError(input, "authorizationHeader", true);
+
+                if (authorizationHeader != null) {
+                    String[] parsedHeader = Utils.convertFromBase64(authorizationHeader.replaceFirst("^Basic ", "").trim()).split(":");
+                    clientId = parsedHeader[0];
+                    clientSecret = parsedHeader[1];
+                } else {
+                    clientId = InputParser.parseStringOrThrowError(input, "client_id", false);
+                    clientSecret = InputParser.parseStringOrThrowError(input, "client_secret", true);
+                }
+
+
+                Map<String, String> headers = new HashMap<>();
+                if (authorizationHeader != null) {
+                    headers.put("Authorization", authorizationHeader);
+                }
+
+                Map<String, String> formFields = new HashMap<>();
+                formFields.put("token", token);
+                formFields.put("client_id", clientId);
+                if (clientSecret != null) {
+                    formFields.put("client_secret", clientSecret);
+                }
+
+                HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyFormPOST(
+                    main, req, resp,
+                    getAppIdentifier(req),
+                    enforcePublicTenantAndGetPublicTenantStorage(req),
+                    null, //clientIdToCheck
+                    "/oauth2/revoke", // path
+                    false, // proxyToAdmin
+                    false, // camelToSnakeCaseConversion
+                    formFields, // formFields
+                    headers // headers
+                );
+
+                if (response != null) {
+                    // Success response would mean that the clientId/secret has been validated
+                    if (gid != null) {
+                        try {
+                            OAuth.revokeRefreshToken(main, appIdentifier, storage, gid);
+                        } catch (StorageQueryException | NoSuchAlgorithmException e) {
+                            throw new ServletException(e);
+                        }
+                    }
+
+                    JsonObject finalResponse = new JsonObject();
+                    finalResponse.addProperty("status", "OK");
+                    super.sendJsonResponse(200, finalResponse, resp);
+                }
+            } else {
+                // revoking access token
+                OAuth.revokeAccessToken(main, appIdentifier, storage, token);
+
+                JsonObject response = new JsonObject();
+                response.addProperty("status", "OK");
+                super.sendJsonResponse(200, response, resp);
+            }
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException |
+                 UnsupportedJWTSigningAlgorithmException | StorageTransactionLogicException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokensAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokensAPI.java
new file mode 100644
index 000000000..754912f19
--- /dev/null
+++ b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokensAPI.java
@@ -0,0 +1,75 @@
+package io.supertokens.webserver.api.oauth;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.oauth.OAuth;
+import io.supertokens.pluginInterface.RECIPE_ID;
+import io.supertokens.pluginInterface.Storage;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.webserver.InputParser;
+import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class RevokeOAuthTokensAPI extends WebserverAPI {
+
+    public RevokeOAuthTokensAPI(Main main){
+        super(main, RECIPE_ID.OAUTH.toString());
+    }
+
+    @Override
+    public String getPath() {
+        return "/recipe/oauth/tokens/revoke";
+    }
+
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException, ServletException {
+        JsonObject input = InputParser.parseJsonObjectOrThrowError(req);
+        String clientId = InputParser.parseStringOrThrowError(input, "client_id", false);
+
+        try {
+            AppIdentifier appIdentifier = getAppIdentifier(req);
+            Storage storage = enforcePublicTenantAndGetPublicTenantStorage(req);
+
+            OAuth.revokeTokensForClientId(main, appIdentifier, storage, clientId);
+
+            Map<String, String> queryParams = new HashMap<>();
+            queryParams.put("client_id", clientId);
+
+            HttpRequestForOAuthProvider.Response response = OAuthProxyHelper.proxyJsonDELETE(
+                main, req, resp,
+                appIdentifier,
+                storage,
+                null, // clientIdToCheck
+                "/admin/oauth2/tokens", // proxyPath
+                true, // proxyToAdmin
+                false, // camelToSnakeCaseConversion
+                queryParams, // queryParams
+                new JsonObject(), // jsonInput
+                new HashMap<>() // headers
+            );
+
+            if (response != null) {
+                if (response.statusCode == 204) {
+                    JsonObject finalResponse = new JsonObject();
+                    finalResponse.addProperty("status", "OK");
+                    super.sendJsonResponse(200, finalResponse, resp);
+                } else {
+                    throw new IllegalStateException("should never come here");
+                }
+            }
+        } catch (IOException | TenantOrAppNotFoundException | BadPermissionException | StorageQueryException e) {
+            throw new ServletException(e);
+        }
+    }
+}
diff --git a/src/test/java/io/supertokens/test/CLIOptionsTest.java b/src/test/java/io/supertokens/test/CLIOptionsTest.java
index d783c63be..e3bae94f0 100644
--- a/src/test/java/io/supertokens/test/CLIOptionsTest.java
+++ b/src/test/java/io/supertokens/test/CLIOptionsTest.java
@@ -287,4 +287,32 @@ public void testMultipleInstancesAtTheSameTime() throws Exception {
 
     }
 
+    @Test
+    public void cli2TempLocationTest() throws Exception {
+
+        String[] args = {"../"};
+
+        TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(PROCESS_STATE.STARTED));
+
+        assertEquals(Config.getConfig(process.getProcess()).getHost(process.getProcess()), "localhost");
+        assertEquals(Config.getConfig(process.getProcess()).getPort(process.getProcess()), 3567);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(PROCESS_STATE.STOPPED));
+
+        //process starts with tempDirLocation param too.
+        args = new String[]{"../", "tempDirLocation=" + new File("../tempDir/").getAbsolutePath()};
+
+        process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(PROCESS_STATE.STARTED));
+
+        assertEquals(Config.getConfig(process.getProcess()).getHost(process.getProcess()), "localhost");
+        assertEquals(Config.getConfig(process.getProcess()).getPort(process.getProcess()), 3567);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(PROCESS_STATE.STOPPED));
+
+    }
+
 }
diff --git a/src/test/java/io/supertokens/test/CronjobTest.java b/src/test/java/io/supertokens/test/CronjobTest.java
index 24e8ce7a5..05e1c178d 100644
--- a/src/test/java/io/supertokens/test/CronjobTest.java
+++ b/src/test/java/io/supertokens/test/CronjobTest.java
@@ -22,7 +22,6 @@
 import io.supertokens.cronjobs.CronTask;
 import io.supertokens.cronjobs.CronTaskTest;
 import io.supertokens.cronjobs.Cronjobs;
-import io.supertokens.cronjobs.bulkimport.ProcessBulkImportUsers;
 import io.supertokens.cronjobs.syncCoreConfigWithDb.SyncCoreConfigWithDb;
 import io.supertokens.exceptions.QuitProgramException;
 import io.supertokens.featureflag.EE_FEATURES;
@@ -33,7 +32,6 @@
 import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.multitenancy.*;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
-import io.supertokens.pluginInterface.multitenancy.TenantConfig;
 import io.supertokens.storageLayer.StorageLayer;
 import org.junit.AfterClass;
 import org.junit.Before;
@@ -1051,6 +1049,8 @@ public void testThatThereAreTasksOfAllCronTaskClassesAndHaveCorrectIntervals() t
         intervals.put("io.supertokens.cronjobs.deleteExpiredAccessTokenSigningKeys.DeleteExpiredAccessTokenSigningKeys",
                 86400);
         intervals.put("io.supertokens.cronjobs.bulkimport.ProcessBulkImportUsers", 60);
+        intervals.put("io.supertokens.cronjobs.cleanupOAuthSessionsAndChallenges.CleanupOAuthSessionsAndChallenges",
+                86400);
 
         Map<String, Integer> delays = new HashMap<>();
         delays.put("io.supertokens.ee.cronjobs.EELicenseCheck", 86400);
@@ -1066,6 +1066,8 @@ public void testThatThereAreTasksOfAllCronTaskClassesAndHaveCorrectIntervals() t
         delays.put("io.supertokens.cronjobs.deleteExpiredAccessTokenSigningKeys.DeleteExpiredAccessTokenSigningKeys",
                 0);
         delays.put("io.supertokens.cronjobs.bulkimport.ProcessBulkImportUsers", 0);
+        delays.put("io.supertokens.cronjobs.cleanupOAuthSessionsAndChallenges.CleanupOAuthSessionsAndChallenges",
+                0);
 
         List<CronTask> allTasks = Cronjobs.getInstance(process.getProcess()).getTasks();
         assertEquals(11, allTasks.size());
diff --git a/src/test/java/io/supertokens/test/DotStartedFileTest.java b/src/test/java/io/supertokens/test/DotStartedFileTest.java
index b812863b1..e54b30e89 100644
--- a/src/test/java/io/supertokens/test/DotStartedFileTest.java
+++ b/src/test/java/io/supertokens/test/DotStartedFileTest.java
@@ -185,4 +185,36 @@ public void processFailToStartDotStartedFileTest() throws Exception {
         process.kill();
         assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
     }
+
+    @Test
+    public void dotStartedFileAtTempDirLocation() throws Exception {
+        String tempDirLocation = new File("../tempDir/").getAbsolutePath();
+        String[] args = {"../", "tempDirLocation=" + tempDirLocation};
+
+        String host = "localhost";
+        String port = "8081";
+        String hostPortNameCheck = host + "-" + port;
+
+        Utils.setValueInConfig("port", port);
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        File loc = new File(tempDirLocation + "/.started");
+
+        File[] dotStartedNameAndContent = loc.listFiles();
+        assert dotStartedNameAndContent != null;
+        assertEquals(1, dotStartedNameAndContent.length);
+        assertEquals(dotStartedNameAndContent[0].getName(), hostPortNameCheck);
+
+        String[] dotStartedContent = Files.readString(Paths.get(dotStartedNameAndContent[0].getPath())).split("\n");
+        String line = dotStartedContent[0];
+        assertEquals(line, Long.toString(ProcessHandle.current().pid()));
+        line = dotStartedContent.length > 1 ? dotStartedContent[1] : "";
+        assertEquals(line, Config.getConfig(process.main).getBasePath());
+        assertEquals(line, "");
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
 }
diff --git a/src/test/java/io/supertokens/test/FeatureFlagTest.java b/src/test/java/io/supertokens/test/FeatureFlagTest.java
index 2cc0276de..a80013308 100644
--- a/src/test/java/io/supertokens/test/FeatureFlagTest.java
+++ b/src/test/java/io/supertokens/test/FeatureFlagTest.java
@@ -904,6 +904,9 @@ public void testNetworkCallIsMadeInCoreInit() throws Exception {
     private final String OPAQUE_KEY_WITH_SECURITY_FEATURE = "tje5MVjlRz0Kwzax-mKksdYpZvwNhQagFdHj=ma=W0H7WET9R0Hcpv" +
             "Aui9r3wIk=swO2TIBLQNa94y10VQkzAa0Q0iw6GPzMeftJ4uvbnb1qpGpyf4K0cUwIZ76Pd9kZ";
 
+    private final String OPAQUE_KEY_WITH_OAUTH_FEATURE = "hjspBIZu94zCJ2g7w6SMz4ERAKyaLogBpSy8OhgjcLRjsRiH2CXKEEgI" +
+            "SAikEn2lixgV67=56LrTqHiExBcOuZU-TQoYAaTJuLNNdKxHjXAdgDdB5g1kYDcPANGNEoV-";
+
     @Test
     public void testPaidStatsContainsAllEnabledFeatures() throws Exception {
         String[] args = {"../"};
@@ -918,6 +921,7 @@ public void testPaidStatsContainsAllEnabledFeatures() throws Exception {
                 OPAQUE_KEY_WITH_DASHBOARD_FEATURE,
                 OPAQUE_KEY_WITH_ACCOUNT_LINKING_FEATURE,
                 OPAQUE_KEY_WITH_SECURITY_FEATURE,
+                OPAQUE_KEY_WITH_OAUTH_FEATURE
         };
 
         Set<EE_FEATURES> requiredFeatures = new HashSet<>();
diff --git a/src/test/java/io/supertokens/test/SuperTokensSaaSSecretTest.java b/src/test/java/io/supertokens/test/SuperTokensSaaSSecretTest.java
index d35aa0436..f6ca82cc7 100644
--- a/src/test/java/io/supertokens/test/SuperTokensSaaSSecretTest.java
+++ b/src/test/java/io/supertokens/test/SuperTokensSaaSSecretTest.java
@@ -428,9 +428,22 @@ public static void checkSessionResponse(JsonObject response, TestingProcessManag
         assertEquals(response.get("refreshToken").getAsJsonObject().entrySet().size(), 3);
     }
 
-    private static final String[] PROTECTED_CORE_CONFIG = new String[]{"ip_allow_regex", "ip_deny_regex"};
+    private static final String[] PROTECTED_CORE_CONFIG = new String[]{
+            "ip_allow_regex",
+            "ip_deny_regex",
+            "oauth_provider_public_service_url",
+            "oauth_provider_admin_service_url",
+            "oauth_provider_consent_login_base_url",
+            "oauth_provider_url_configured_in_oauth_provider"
+    };
     private static final Object[] PROTECTED_CORE_CONFIG_VALUES = new String[]{
-            "127\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|::1|0:0:0:0:0:0:0:1", "192.0.0.1"};
+            "127\\\\.\\\\d+\\\\.\\\\d+\\\\.\\\\d+|::1|0:0:0:0:0:0:0:1",
+            "192.0.0.1",
+            "http://localhost:4444",
+            "http://localhost:4445",
+            "http://localhost:3001/auth/oauth",
+            "http://localhost:4444"
+    };
 
     @Test
     public void testThatTenantCannotSetProtectedConfigIfSuperTokensSaaSSecretIsSet()
@@ -540,6 +553,8 @@ public void testThatTenantCannotGetProtectedConfigIfSuperTokensSaaSSecretIsSet()
             return;
         }
 
+        CoreConfig.setDisableOAuthValidationForTest(true);
+
         for (int i = 0; i < PROTECTED_CORE_CONFIG.length; i++) {
             JsonObject j = new JsonObject();
             if (PROTECTED_CORE_CONFIG_VALUES[i] instanceof String) {
@@ -548,7 +563,7 @@ public void testThatTenantCannotGetProtectedConfigIfSuperTokensSaaSSecretIsSet()
                 j.addProperty(PROTECTED_CORE_CONFIG[i], (Integer) PROTECTED_CORE_CONFIG_VALUES[i]);
             }
             Multitenancy.addNewOrUpdateAppOrTenant(process.main, new TenantIdentifier(null, null, null),
-                    new TenantConfig(new TenantIdentifier(null, null, "t" + i), new EmailPasswordConfig(false),
+                    new TenantConfig(new TenantIdentifier(null, "a" + i, null), new EmailPasswordConfig(false),
                             new ThirdPartyConfig(false, new ThirdPartyConfig.Provider[0]),
                             new PasswordlessConfig(false),
                             null, null, j));
@@ -556,42 +571,49 @@ public void testThatTenantCannotGetProtectedConfigIfSuperTokensSaaSSecretIsSet()
             {
                 JsonObject response = HttpRequestForTesting.sendJsonRequest(process.getProcess(), "",
                         HttpRequestForTesting.getMultitenantUrl(TenantIdentifier.BASE_TENANT,
-                                "/recipe/multitenancy/tenant/list"),
+                                "/recipe/multitenancy/app/list"),
                         null, 1000, 1000, null,
                         SemVer.v3_0.get(), "GET", apiKey, "multitenancy");
 
                 Assert.assertEquals("OK", response.getAsJsonPrimitive("status").getAsString());
 
                 boolean found = false;
-                for (JsonElement tenant : response.get("tenants").getAsJsonArray()) {
-                    JsonObject tenantObj = tenant.getAsJsonObject();
-
-                    if (tenantObj.get("tenantId").getAsString().equals("t" + i)) {
+                for (JsonElement app : response.get("apps").getAsJsonArray()) {
+                    JsonObject appObj = app.getAsJsonObject();
+                    if (appObj.get("appId").getAsString().equals("a" + i)) {
                         found = true;
 
-                        assertFalse(tenantObj.get("coreConfig").getAsJsonObject().has(PROTECTED_CORE_CONFIG[i]));
+                        for (JsonElement tenant : appObj.get("tenants").getAsJsonArray()) {
+                            JsonObject tenantObj = tenant.getAsJsonObject();
+
+                            assertFalse(tenantObj.get("coreConfig").getAsJsonObject().has(PROTECTED_CORE_CONFIG[i]));
+                        }
                     }
                 }
+
                 Assert.assertTrue(found);
             }
 
             {
                 JsonObject response = HttpRequestForTesting.sendJsonRequest(process.getProcess(), "",
                         HttpRequestForTesting.getMultitenantUrl(TenantIdentifier.BASE_TENANT,
-                                "/recipe/multitenancy/tenant/list"),
+                                "/recipe/multitenancy/app/list"),
                         null, 1000, 1000, null,
                         SemVer.v3_0.get(), "GET", saasSecret, "multitenancy");
 
                 Assert.assertEquals("OK", response.getAsJsonPrimitive("status").getAsString());
 
                 boolean found = false;
-                for (JsonElement tenant : response.get("tenants").getAsJsonArray()) {
-                    JsonObject tenantObj = tenant.getAsJsonObject();
-
-                    if (tenantObj.get("tenantId").getAsString().equals("t" + i)) {
+                for (JsonElement app : response.get("apps").getAsJsonArray()) {
+                    JsonObject appObj = app.getAsJsonObject();
+                    if (appObj.get("appId").getAsString().equals("a" + i)) {
                         found = true;
 
-                        Assert.assertTrue(tenantObj.get("coreConfig").getAsJsonObject().has(PROTECTED_CORE_CONFIG[i]));
+                        for (JsonElement tenant : appObj.get("tenants").getAsJsonArray()) {
+                            JsonObject tenantObj = tenant.getAsJsonObject();
+
+                            assertTrue(tenantObj.get("coreConfig").getAsJsonObject().has(PROTECTED_CORE_CONFIG[i]));
+                        }
                     }
                 }
                 Assert.assertTrue(found);
diff --git a/src/test/java/io/supertokens/test/Utils.java b/src/test/java/io/supertokens/test/Utils.java
index 2c86519bb..fd8a83fc8 100644
--- a/src/test/java/io/supertokens/test/Utils.java
+++ b/src/test/java/io/supertokens/test/Utils.java
@@ -19,6 +19,7 @@
 import com.google.gson.JsonArray;
 import com.google.gson.JsonObject;
 import io.supertokens.Main;
+import io.supertokens.config.CoreConfig;
 import io.supertokens.pluginInterface.PluginInterfaceTesting;
 import io.supertokens.pluginInterface.useridmapping.UserIdMapping;
 import io.supertokens.storageLayer.StorageLayer;
@@ -34,10 +35,12 @@
 import org.mockito.Mockito;
 
 import java.io.*;
+import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashMap;
 
 import static org.junit.Assert.*;
 
@@ -84,6 +87,7 @@ public static void reset() {
         PluginInterfaceTesting.isTesting = true;
         Main.makeConsolePrintSilent = true;
         String installDir = "../";
+        CoreConfig.setDisableOAuthValidationForTest(false);
         try {
 
             // if the default config is not the same as the current config, we must reset the storage layer
@@ -270,4 +274,16 @@ public static <T> void assertArrayEqualsIgnoreOrder(T[] array1, T[] array2) {
                 array1.length == array2.length && Arrays.asList(array1).containsAll(Arrays.asList(array2))
                         && Arrays.asList(array2).containsAll(Arrays.asList(array1)));
     }
+
+    public static java.util.Map<String, String> splitQueryString(String query) throws UnsupportedEncodingException {
+        java.util.Map<String, String> queryParams = new HashMap<>();
+        String[] pairs = query.split("&");
+        for (String pair : pairs) {
+            int idx = pair.indexOf("=");
+            String key = idx > 0 ? URLDecoder.decode(pair.substring(0, idx), "UTF-8") : pair;
+            String value = idx > 0 && pair.length() > idx + 1 ? URLDecoder.decode(pair.substring(idx + 1), "UTF-8") : null;
+            queryParams.put(key, value);
+        }
+        return queryParams;
+    }
 }
diff --git a/src/test/java/io/supertokens/test/UtilsTest.java b/src/test/java/io/supertokens/test/UtilsTest.java
index b30d91169..707c4e792 100644
--- a/src/test/java/io/supertokens/test/UtilsTest.java
+++ b/src/test/java/io/supertokens/test/UtilsTest.java
@@ -22,6 +22,8 @@
 import org.junit.Test;
 import org.junit.rules.TestRule;
 
+import java.net.MalformedURLException;
+
 import static org.junit.Assert.*;
 
 public class UtilsTest {
@@ -104,4 +106,138 @@ public void testNormalizeWhitespacePhoneNumber() {
         String inputPhoneNumber = "   ";
         assertEquals("", io.supertokens.utils.Utils.normalizeIfPhoneNumber(inputPhoneNumber));
     }
+
+    @Test
+    public void testUrlContainsWithoutSlash() throws MalformedURLException {
+        String itShouldContain = "http://127.0.0.1/fallback/error?somerandom=123";
+        String thisShouldBeContained = "http://127.0.0.1";
+
+        assertTrue(io.supertokens.utils.Utils.containsUrl(itShouldContain,thisShouldBeContained, true));
+    }
+
+    @Test
+    public void testUrlContainsWithSlash() throws MalformedURLException {
+        String itShouldContain = "http://127.0.0.1/fallback/error?somerandom=123";
+        String thisShouldBeContained = "http://127.0.0.1/";
+
+        assertTrue(io.supertokens.utils.Utils.containsUrl(itShouldContain,thisShouldBeContained, true));
+    }
+
+    @Test
+    public void testUrlContainsWithPort() throws MalformedURLException {
+        String itShouldContain = "http://127.0.0.1:3000/fallback/error?somerandom=123";
+        String thisShouldBeContained = "http://127.0.0.1:3000/";
+
+        assertTrue(io.supertokens.utils.Utils.containsUrl(itShouldContain,thisShouldBeContained, true));
+    }
+
+    @Test
+    public void testUrlContainsWithAndWithoutPort() throws MalformedURLException {
+        String itShouldContain = "http://127.0.0.1:3000/fallback/error?somerandom=123";
+        String thisShouldBeContained = "http://127.0.0.1";
+
+        assertFalse(io.supertokens.utils.Utils.containsUrl(itShouldContain,thisShouldBeContained, true));
+    }
+
+    @Test
+    public void testUrlContainsWithoutAndWithPort() throws MalformedURLException {
+        String itShouldContain = "http://127.0.0.1/fallback/error?somerandom=123";
+        String thisShouldBeContained = "http://127.0.0.1:4444";
+
+        assertFalse(io.supertokens.utils.Utils.containsUrl(itShouldContain,thisShouldBeContained, true));
+    }
+
+    @Test
+    public void testUrlContainsWhenProtocolDoesntMatter() throws MalformedURLException {
+        String itShouldContain = "https://127.0.0.1/fallback/error?somerandom=123";
+        String thisShouldBeContained = "http://127.0.0.1";
+
+        assertTrue(io.supertokens.utils.Utils.containsUrl(itShouldContain,thisShouldBeContained, false));
+    }
+
+    @Test
+    public void testUrlContainsCaseSensitive() throws MalformedURLException {
+        String itShouldContain = "http://littlecat/fallback/error?somerandom=123";
+        String thisShouldBeContained = "http://littleCat";
+
+        assertFalse(io.supertokens.utils.Utils.containsUrl(itShouldContain,thisShouldBeContained, false));
+    }
+
+    @Test
+    public void testSnakeCaseToCamelCase() {
+        String original = "snake_case";
+        String expectedResult = "snakeCase";
+        String gotResult = io.supertokens.utils.Utils.snakeCaseToCamelCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+
+    @Test
+    public void testSnakeCaseToCamelCaseStartingWithSnake() {
+        String original = "_snake_case";
+        String expectedResult = "SnakeCase";
+        String gotResult = io.supertokens.utils.Utils.snakeCaseToCamelCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+
+    @Test
+    public void testSnakeCaseToCamelCaseWithNull() {
+        String original = null;
+        String expectedResult = null;
+        String gotResult = io.supertokens.utils.Utils.snakeCaseToCamelCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+
+    @Test
+    public void testSnakeCaseToCamelCaseNothingToDo() {
+        String original = "snake";
+        String expectedResult = "snake";
+        String gotResult = io.supertokens.utils.Utils.snakeCaseToCamelCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+
+    @Test
+    public void testSnakeCaseToCamelCaseMultipleSnakes() {
+        String original = "snake_case_multiple_snakes";
+        String expectedResult = "snakeCaseMultipleSnakes";
+        String gotResult = io.supertokens.utils.Utils.snakeCaseToCamelCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+
+    @Test
+    public void testCamelCaseToSnakeCase() {
+        String original = "camelCased";
+        String expectedResult = "camel_cased";
+        String gotResult = io.supertokens.utils.Utils.camelCaseToSnakeCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+
+    @Test
+    public void testCamelCaseToSnakeCaseBigInitial() {
+        String original = "CamelCased";
+        String expectedResult = "camel_cased";
+        String gotResult = io.supertokens.utils.Utils.camelCaseToSnakeCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+
+    @Test
+    public void testCamelCaseToSnakeCaseWithNull() {
+        String original = null;
+        String expectedResult = null;
+        String gotResult = io.supertokens.utils.Utils.camelCaseToSnakeCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+    @Test
+    public void testCamelCaseToSnakeCaseMultipleCamels() {
+        String original = "multipleCamelsInCamelCase";
+        String expectedResult = "multiple_camels_in_camel_case";
+        String gotResult = io.supertokens.utils.Utils.camelCaseToSnakeCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
+    @Test
+    public void testCamelCaseToSnakeCaseNothingToDo() {
+        String original = "nothing";
+        String expectedResult = "nothing";
+        String gotResult = io.supertokens.utils.Utils.camelCaseToSnakeCase(original);
+        assertEquals(expectedResult, gotResult);
+    }
 }
diff --git a/src/test/java/io/supertokens/test/WebserverTest.java b/src/test/java/io/supertokens/test/WebserverTest.java
index 66592385b..d87ee1e2a 100644
--- a/src/test/java/io/supertokens/test/WebserverTest.java
+++ b/src/test/java/io/supertokens/test/WebserverTest.java
@@ -35,6 +35,7 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import org.apache.catalina.startup.Tomcat;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.Rule;
@@ -42,6 +43,7 @@
 import org.junit.rules.TestRule;
 import org.mockito.Mockito;
 
+import java.io.File;
 import java.io.IOException;
 import java.net.ConnectException;
 import java.net.InetAddress;
@@ -963,6 +965,25 @@ public void validBasePath() throws InterruptedException, IOException, HttpRespon
 
     }
 
+    @Test
+    public void tempDirLocationWebserverStarts() throws InterruptedException, HttpResponseException, IOException {
+        String tempDirLocation = new File("../tempDir/").getCanonicalPath();
+        String[] args = {"../", "tempDirLocation=" + tempDirLocation};
+        TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(PROCESS_STATE.STARTED));
+
+        Webserver.TomcatReference reference = Webserver.getInstance(process.getProcess()).getTomcatReference();
+        File catalinaBase = reference.getTomcatForTest().getServer().getCatalinaBase();
+        assertEquals(tempDirLocation, catalinaBase.getAbsolutePath());
+
+        String response = HttpRequest.sendGETRequest(process.getProcess(), "", "http://localhost:3567/", null,
+                1000, 1000, null);
+        assertEquals("Hello", response);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(PROCESS_STATE.STOPPED));
+    }
+
     @Test
     public void validBasePathWithEmptyHelloPath() throws InterruptedException, IOException, HttpResponseException {
         {
diff --git a/src/test/java/io/supertokens/test/httpRequest/HttpRequestForTesting.java b/src/test/java/io/supertokens/test/httpRequest/HttpRequestForTesting.java
index 876b473c4..fdd7b434f 100644
--- a/src/test/java/io/supertokens/test/httpRequest/HttpRequestForTesting.java
+++ b/src/test/java/io/supertokens/test/httpRequest/HttpRequestForTesting.java
@@ -22,10 +22,9 @@
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 
 import java.io.*;
-import java.net.HttpURLConnection;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.net.URLEncoder;
+import java.net.*;
+import java.net.http.HttpClient;
+import java.net.http.HttpResponse;
 import java.nio.charset.StandardCharsets;
 import java.util.Map;
 
diff --git a/src/test/java/io/supertokens/test/multitenant/AppTenantUserTest.java b/src/test/java/io/supertokens/test/multitenant/AppTenantUserTest.java
index b2913796d..cca62b70c 100644
--- a/src/test/java/io/supertokens/test/multitenant/AppTenantUserTest.java
+++ b/src/test/java/io/supertokens/test/multitenant/AppTenantUserTest.java
@@ -28,8 +28,10 @@
 import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
 import io.supertokens.pluginInterface.bulkimport.BulkImportStorage;
+import io.supertokens.pluginInterface.jwt.JWTRecipeStorage;
 import io.supertokens.pluginInterface.multitenancy.*;
 import io.supertokens.pluginInterface.nonAuthRecipe.NonAuthRecipeStorage;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.test.TestingProcessManager;
 import io.supertokens.test.Utils;
@@ -77,9 +79,12 @@ public void testDeletingAppDeleteNonAuthRecipeData() throws Exception {
         }
 
         // this list contains the package names for recipes which dont use UserIdMapping
-        ArrayList<String> classesToSkip = new ArrayList<>(
-                List.of("io.supertokens.pluginInterface.jwt.JWTRecipeStorage", ActiveUsersStorage.class.getName(),
-                        BulkImportStorage.class.getName()));
+        List<String> classesToSkip = List.of(
+            JWTRecipeStorage.class.getName(),
+            ActiveUsersStorage.class.getName(),
+            OAuthStorage.class.getName(),
+            BulkImportStorage.class.getName()
+        );
 
         Reflections reflections = new Reflections("io.supertokens.pluginInterface");
         Set<Class<? extends NonAuthRecipeStorage>> classes = reflections.getSubTypesOf(NonAuthRecipeStorage.class);
@@ -183,9 +188,12 @@ public void testDisassociationOfUserDeletesNonAuthRecipeData() throws Exception
         }
 
         // this list contains the package names for recipes which dont use UserIdMapping
-        ArrayList<String> classesToSkip = new ArrayList<>(
-                List.of("io.supertokens.pluginInterface.jwt.JWTRecipeStorage", ActiveUsersStorage.class.getName(),
-                        BulkImportStorage.class.getName()));
+        List<String> classesToSkip = List.of(
+                JWTRecipeStorage.class.getName(),
+                ActiveUsersStorage.class.getName(),
+                OAuthStorage.class.getName(),
+                BulkImportStorage.class.getName()
+        );
 
         Reflections reflections = new Reflections("io.supertokens.pluginInterface");
         Set<Class<? extends NonAuthRecipeStorage>> classes = reflections.getSubTypesOf(NonAuthRecipeStorage.class);
diff --git a/src/test/java/io/supertokens/test/multitenant/TestAppData.java b/src/test/java/io/supertokens/test/multitenant/TestAppData.java
index 14047a72e..3295511ea 100644
--- a/src/test/java/io/supertokens/test/multitenant/TestAppData.java
+++ b/src/test/java/io/supertokens/test/multitenant/TestAppData.java
@@ -28,14 +28,14 @@
 import io.supertokens.featureflag.EE_FEATURES;
 import io.supertokens.featureflag.FeatureFlagTestContent;
 import io.supertokens.multitenancy.Multitenancy;
+import io.supertokens.oauth.OAuth;
 import io.supertokens.passwordless.Passwordless;
 import io.supertokens.pluginInterface.STORAGE_TYPE;
 import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
-import io.supertokens.pluginInterface.bulkimport.BulkImportStorage;
-import io.supertokens.pluginInterface.bulkimport.BulkImportUser;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
 import io.supertokens.pluginInterface.multitenancy.*;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
 import io.supertokens.pluginInterface.totp.TOTPDevice;
 import io.supertokens.session.Session;
 import io.supertokens.storageLayer.StorageLayer;
@@ -59,7 +59,6 @@
 import java.security.Key;
 import java.time.Duration;
 import java.time.Instant;
-import java.util.ArrayList;
 import java.util.Arrays;
 
 import static org.junit.Assert.assertEquals;
@@ -102,6 +101,7 @@ public void testThatDeletingAppDeleteDataFromAllTables() throws Exception {
         FeatureFlagTestContent.getInstance(process.getProcess())
                 .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES,
                         new EE_FEATURES[]{EE_FEATURES.MULTI_TENANCY, EE_FEATURES.MFA});
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
         process.startProcess();
         assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
 
@@ -181,6 +181,12 @@ null, null, new JsonObject()
 
         BulkImport.addUsers(app.toAppIdentifier(), appStorage, BulkImportTestUtils.generateBulkImportUser(1));
 
+        OAuth.addOrUpdateClient(process.getProcess(), app.toAppIdentifier(), appStorage, "test", "secret123", false, false);
+        OAuth.createLogoutRequestAndReturnRedirectUri(process.getProcess(), app.toAppIdentifier(), appStorage, "test", "http://localhost", "sessionHandle", "state");
+        ((OAuthStorage) appStorage).addOAuthM2MTokenForStats(app.toAppIdentifier(), "test", 1000, 2000);
+        OAuth.revokeSessionHandle(process.getProcess(), app.toAppIdentifier(), appStorage, "sessionHandle");
+        OAuth.createOrUpdateOauthSession(process.getProcess(), app.toAppIdentifier(), appStorage, "test", "test-gid", null, null, "sessionHandle", "jti", 0);
+
         String[] tablesThatHaveData = appStorage
                 .getAllTablesInTheDatabaseThatHasDataForAppId(app.getAppId());
         tablesThatHaveData = removeStrings(tablesThatHaveData, tablesToIgnore);
diff --git a/src/test/java/io/supertokens/test/multitenant/api/TestApp5_1.java b/src/test/java/io/supertokens/test/multitenant/api/TestApp5_1.java
index 320231971..623ce71fc 100644
--- a/src/test/java/io/supertokens/test/multitenant/api/TestApp5_1.java
+++ b/src/test/java/io/supertokens/test/multitenant/api/TestApp5_1.java
@@ -861,6 +861,45 @@ public void testDuplicateValuesInFirstFactorsAndRequiredSecondaryFactors() throw
         }
     }
 
+    @Test
+    public void testInvalidValuesInFirstFactorsAndRequiredSecondaryFactors() throws Exception {
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject config = new JsonObject();
+        StorageLayer.getBaseStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(config, 1);
+
+        String[] factors = new String[]{"not!okay", "some-special-@charz", "i*dont*know", "custom//"};
+        try {
+            createApp(
+                    process.getProcess(),
+                    new TenantIdentifier(null, null, null),
+                    "a1", true, factors, false, null,
+                    config);
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+            assertEquals(
+                    "Http error. Status Code: 400. Message: firstFactors should contain only 0-9,a-z,A-Z,_,.,- characters",
+                    e.getMessage());
+        }
+
+        try {
+            createApp(
+                    process.getProcess(),
+                    new TenantIdentifier(null, null, null),
+                    "a1", false, null, true, factors,
+                    config);
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+            assertEquals(
+                    "Http error. Status Code: 400. Message: requiredSecondaryFactors should contain only 0-9,a-z,A-Z,_,.,- characters",
+                    e.getMessage());
+        }
+    }
+
     private static JsonObject createApp(Main main, TenantIdentifier sourceTenant, String appId,
                                         boolean setFirstFactors, String[] firstFactors,
                                         boolean setRequiredSecondaryFactors, String[] requiredSecondaryFactors,
diff --git a/src/test/java/io/supertokens/test/multitenant/api/TestConnectionUriDomain5_1.java b/src/test/java/io/supertokens/test/multitenant/api/TestConnectionUriDomain5_1.java
index 065c3b0d7..087e0ae8e 100644
--- a/src/test/java/io/supertokens/test/multitenant/api/TestConnectionUriDomain5_1.java
+++ b/src/test/java/io/supertokens/test/multitenant/api/TestConnectionUriDomain5_1.java
@@ -745,6 +745,51 @@ public void testDuplicateValuesInFirstFactorsAndRequiredSecondaryFactors() throw
         }
     }
 
+    @Test
+    public void testInvalidValuesInFirstFactorsAndRequiredSecondaryFactors() throws Exception {
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        if (StorageLayer.isInMemDb(process.getProcess())) {
+            return;
+        }
+
+        JsonObject config = new JsonObject();
+        StorageLayer.getBaseStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(config, 1);
+
+        String[] factors = new String[]{"inv@lid", "email?password", "cus!tom"};
+        try {
+            createConnectionUriDomain(
+                    process.getProcess(),
+                    new TenantIdentifier(null, null, null),
+                    "127.0.0.1",
+                    true, factors, false, null,
+                    config);
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+            assertEquals(
+                    "Http error. Status Code: 400. Message: firstFactors should contain only 0-9,a-z,A-Z,_,.,- characters",
+                    e.getMessage());
+        }
+
+        try {
+            createConnectionUriDomain(
+                    process.getProcess(),
+                    new TenantIdentifier(null, null, null),
+                    "127.0.0.1",
+                    false, null, true, factors,
+                    config);
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+            assertEquals(
+                    "Http error. Status Code: 400. Message: requiredSecondaryFactors should contain only 0-9,a-z,A-Z,_,.,- characters",
+                    e.getMessage());
+        }
+    }
+
     private static JsonObject createConnectionUriDomain(Main main, TenantIdentifier sourceTenant,
                                                         String connectionUriDomain,
                                                         boolean setFirstFactors, String[] firstFactors,
diff --git a/src/test/java/io/supertokens/test/multitenant/api/TestTenant5_1.java b/src/test/java/io/supertokens/test/multitenant/api/TestTenant5_1.java
index 728e65625..1ef07d4f2 100644
--- a/src/test/java/io/supertokens/test/multitenant/api/TestTenant5_1.java
+++ b/src/test/java/io/supertokens/test/multitenant/api/TestTenant5_1.java
@@ -612,6 +612,45 @@ public void testDuplicateValuesInFirstFactorsAndRequiredSecondaryFactors() throw
         }
     }
 
+    @Test
+    public void testInvalidValuesInFirstFactorsAndRequiredSecondaryFactors() throws Exception {
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject config = new JsonObject();
+        StorageLayer.getBaseStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(config, 1);
+
+        String[] factors = new String[]{"~notvalid", "it's-also-not", "almost.good!1!", "itsok"};
+        try {
+            createTenant(
+                    process.getProcess(),
+                    new TenantIdentifier(null, null, null),
+                    "t1", true, factors, false, null,
+                    config);
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+            assertEquals(
+                    "Http error. Status Code: 400. Message: firstFactors should contain only 0-9,a-z,A-Z,_,.,- characters",
+                    e.getMessage());
+        }
+
+        try {
+            createTenant(
+                    process.getProcess(),
+                    new TenantIdentifier(null, null, null),
+                    "t1", false, null, true, factors,
+                    config);
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+            assertEquals(
+                    "Http error. Status Code: 400. Message: requiredSecondaryFactors should contain only 0-9,a-z,A-Z,_,.,- characters",
+                    e.getMessage());
+        }
+    }
+
     private static JsonObject createTenant(Main main, TenantIdentifier sourceTenant, String tenantId,
                                            boolean setFirstFactors, String[] firstFactors,
                                            boolean setRequiredSecondaryFactors, String[] requiredSecondaryFactors,
diff --git a/src/test/java/io/supertokens/test/multitenant/api/TestTenantUserAssociation.java b/src/test/java/io/supertokens/test/multitenant/api/TestTenantUserAssociation.java
index ccc4c6181..a495687da 100644
--- a/src/test/java/io/supertokens/test/multitenant/api/TestTenantUserAssociation.java
+++ b/src/test/java/io/supertokens/test/multitenant/api/TestTenantUserAssociation.java
@@ -38,6 +38,7 @@
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.pluginInterface.nonAuthRecipe.NonAuthRecipeStorage;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
 import io.supertokens.pluginInterface.usermetadata.UserMetadataStorage;
 import io.supertokens.session.Session;
 import io.supertokens.session.info.SessionInformationHolder;
@@ -201,6 +202,7 @@ public void testUserDisassociationForNotAuthRecipes() throws Exception {
                     || name.equals(JWTRecipeStorage.class.getName())
                     || name.equals(ActiveUsersStorage.class.getName())
                     || name.equals(BulkImportStorage.class.getName())
+                    || name.equals(OAuthStorage.class.getName())
             ) {
                 // user metadata is app specific and does not have any tenant specific data
                 // JWT storage does not have any user specific data
diff --git a/src/test/java/io/supertokens/test/oauth/OAuthStorageTest.java b/src/test/java/io/supertokens/test/oauth/OAuthStorageTest.java
new file mode 100644
index 000000000..aff9f9b72
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/OAuthStorageTest.java
@@ -0,0 +1,338 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth;
+
+import io.supertokens.ProcessState;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.pluginInterface.oauth.OAuthClient;
+import io.supertokens.pluginInterface.oauth.OAuthLogoutChallenge;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
+import io.supertokens.pluginInterface.oauth.exception.DuplicateOAuthLogoutChallengeException;
+import io.supertokens.pluginInterface.oauth.exception.OAuthClientNotFoundException;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.junit.Assert.*;
+
+public class OAuthStorageTest {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+    }
+
+    @Test
+    public void testClientCRUD() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        OAuthStorage storage = (OAuthStorage) StorageLayer.getStorage(process.getProcess());
+
+        AppIdentifier appIdentifier = new AppIdentifier(null, null);
+        assertEquals(0, storage.getOAuthClients(appIdentifier, new ArrayList<>()).size()); // TODO fix me
+
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid1", "secret123", false, false);
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid2", "secret123", true, false);
+
+        OAuthClient client = storage.getOAuthClientById(appIdentifier, "clientid1");
+        assertNotNull(client);
+        assertEquals("secret123", client.clientSecret);
+        assertFalse(client.isClientCredentialsOnly);
+        assertFalse(client.enableRefreshTokenRotation);
+
+        try {
+            storage.getOAuthClientById(appIdentifier, "clientid3");
+            fail();
+        } catch (OAuthClientNotFoundException e) {
+            // ignore
+        }
+
+        assertEquals(2, storage.countTotalNumberOfOAuthClients(appIdentifier));
+        assertEquals(1, storage.countTotalNumberOfClientCredentialsOnlyOAuthClients(appIdentifier));
+
+        List<OAuthClient> clients = storage.getOAuthClients(appIdentifier, List.of("clientid1", "clientid2"));
+        assertEquals(2, clients.size());
+
+        storage.deleteOAuthClient(appIdentifier, "clientid1");
+        clients = storage.getOAuthClients(appIdentifier, List.of("clientid1", "clientid2"));
+        assertEquals(1, clients.size());
+
+        assertEquals(1, storage.countTotalNumberOfClientCredentialsOnlyOAuthClients(appIdentifier));
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid2", "secret123", false, false);
+        assertEquals(0, storage.countTotalNumberOfClientCredentialsOnlyOAuthClients(appIdentifier));
+
+        // Test all field updates
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid2", "newsecret", true, true);
+        client = storage.getOAuthClientById(appIdentifier, "clientid2");
+        assertEquals("newsecret", client.clientSecret);
+        assertTrue(client.isClientCredentialsOnly);
+        assertTrue(client.enableRefreshTokenRotation);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testLogoutChallenge() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        OAuthStorage storage = (OAuthStorage) StorageLayer.getStorage(process.getProcess());
+
+        AppIdentifier appIdentifier = new AppIdentifier(null, null);
+
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid", "secret123", false, false);
+
+        // Test nulls
+        storage.addOAuthLogoutChallenge(appIdentifier, "challengeid", "clientid", null, null, null, System.currentTimeMillis());
+        OAuthLogoutChallenge challenge = storage.getOAuthLogoutChallenge(
+                appIdentifier, "challengeid");
+        assertNull(challenge.postLogoutRedirectionUri);
+        assertNull(challenge.sessionHandle);
+        assertNull(challenge.state);
+
+        // Test values
+        storage.addOAuthLogoutChallenge(appIdentifier, "challengeid1", "clientid", "a", "b", "c", System.currentTimeMillis());
+        challenge = storage.getOAuthLogoutChallenge(
+                appIdentifier, "challengeid1");
+        assertEquals("a", challenge.postLogoutRedirectionUri);
+        assertEquals("b", challenge.sessionHandle);
+        assertEquals("c", challenge.state);
+
+        Thread.sleep(100);
+
+        // Test revoke
+        storage.deleteOAuthLogoutChallengesBefore(System.currentTimeMillis());
+
+        assertNull(storage.getOAuthLogoutChallenge(appIdentifier, "challengeid"));
+        assertNull(storage.getOAuthLogoutChallenge(appIdentifier, "challengeid1"));
+
+        // Test delete
+        storage.addOAuthLogoutChallenge(appIdentifier, "challengeid", "clientid", null, null, null, 0);
+        assertNotNull(storage.getOAuthLogoutChallenge(appIdentifier, "challengeid"));
+        storage.deleteOAuthLogoutChallenge(appIdentifier, "challengeid");
+        assertNull(storage.getOAuthLogoutChallenge(appIdentifier, "challengeid"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testRevoke() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        OAuthStorage storage = (OAuthStorage) StorageLayer.getStorage(process.getProcess());
+
+        AppIdentifier appIdentifier = new AppIdentifier(null, null);
+
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid", "clientSecret", false, true);
+        storage.createOrUpdateOAuthSession(appIdentifier, "abcd", "clientid", "externalRefreshToken",
+                "internalRefreshToken", "efgh", "ijkl", System.currentTimeMillis() + 1000 * 60 * 60 * 24);
+        storage.createOrUpdateOAuthSession(appIdentifier, "abcd", "clientid", "externalRefreshToken",
+                "internalRefreshToken", "efgh", "mnop", System.currentTimeMillis() + 1000 * 60 * 60 * 24);
+
+        assertFalse(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "ijkl"));
+        assertFalse(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "mnop"));
+
+        storage.revokeOAuthTokenByJTI(appIdentifier, "abcd","ijkl");
+        assertTrue(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "ijkl"));
+        assertFalse(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "mnop"));
+
+        storage.revokeOAuthTokenByJTI(appIdentifier, "abcd","mnop");
+        assertTrue(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "ijkl"));
+        assertTrue(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "mnop"));
+
+
+        storage.revokeOAuthTokenByGID(appIdentifier, "abcd");
+        assertTrue(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "mnop"));
+
+        storage.createOrUpdateOAuthSession(appIdentifier, "abcd", "clientid", "externalRefreshToken",
+                "internalRefreshToken", "efgh", "ijkl", System.currentTimeMillis() + 1000 * 60 * 60 * 24);
+        storage.createOrUpdateOAuthSession(appIdentifier, "abcd", "clientid", "externalRefreshToken",
+                "internalRefreshToken", "efgh", "mnop", System.currentTimeMillis() + 1000 * 60 * 60 * 24);
+
+        storage.revokeOAuthTokenBySessionHandle(appIdentifier, "efgh");
+        assertTrue(storage.isOAuthTokenRevokedByJTI(appIdentifier, "abcd", "mnop"));
+
+        // test cleanup
+        Thread.sleep(3000);
+        storage.deleteExpiredOAuthSessions(System.currentTimeMillis() / 1000 - 3);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testM2MTokenAndStats() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        OAuthStorage storage = (OAuthStorage) StorageLayer.getStorage(process.getProcess());
+        AppIdentifier appIdentifier = new AppIdentifier(null, null);
+
+        long now = System.currentTimeMillis() / 1000;
+
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid", "secret123", true, false);
+
+        storage.addOAuthM2MTokenForStats(appIdentifier, "clientid", now - 3600 - 2, now + 2);
+        storage.addOAuthM2MTokenForStats(appIdentifier, "clientid", now - 3600 * 24 - 2, now + 2);
+        storage.addOAuthM2MTokenForStats(appIdentifier, "clientid", now - 3600 * 48 - 2, now + 2);
+
+        assertEquals(3, storage.countTotalNumberOfOAuthM2MTokensAlive(appIdentifier));
+        assertEquals(2, storage.countTotalNumberOfOAuthM2MTokensCreatedSince(appIdentifier, 1000 * (now - 3600 * 24 - 3)));
+
+        Thread.sleep(3000);
+        assertEquals(0, storage.countTotalNumberOfOAuthM2MTokensAlive(appIdentifier));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testConstraints() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        OAuthStorage storage = (OAuthStorage) StorageLayer.getStorage(process.getProcess());
+        AppIdentifier appIdentifier = new AppIdentifier(null, null);
+
+        storage.addOrUpdateOauthClient(appIdentifier, "clientid", "secret123", false, false);
+
+        // PK
+        {
+            long now = System.currentTimeMillis() / 1000;
+            storage.addOAuthM2MTokenForStats(appIdentifier, "clientid", now, now + 100);
+            storage.addOAuthM2MTokenForStats(appIdentifier, "clientid", now, now + 100); // should not throw
+        }
+
+        try {
+            storage.addOAuthLogoutChallenge(appIdentifier, "challengeid", "clientid", null, null, null, 0);
+            storage.addOAuthLogoutChallenge(appIdentifier, "challengeid", "clientid", null, null, null, 0);
+            fail();
+        } catch (DuplicateOAuthLogoutChallengeException e) {
+            // this is what we expect
+        }
+        {
+            assertFalse(storage.revokeOAuthTokenByGID(appIdentifier, "abcd"));
+        }
+
+        // App id FK
+        AppIdentifier appIdentifier2 = new AppIdentifier(null,"a1");
+        try {
+            storage.addOrUpdateOauthClient(appIdentifier2, "clientid", "secret123", false, false);
+            fail();
+        } catch (TenantOrAppNotFoundException e) {
+            // expected
+        }
+
+        assertFalse(storage.revokeOAuthTokenByGID(appIdentifier2, "abcd"));
+
+        // Client FK
+        try {
+            storage.addOAuthLogoutChallenge(appIdentifier2, "challenge1", "clientid", null, null, null, 0);
+            fail();
+        } catch (OAuthClientNotFoundException e) {
+            // ignore
+        }
+        try {
+            storage.addOAuthLogoutChallenge(appIdentifier, "challenge1", "clientidx", null, null, null, 0);
+            fail();
+        } catch (OAuthClientNotFoundException e) {
+            // ignore
+        }
+        try {
+            storage.addOAuthM2MTokenForStats(appIdentifier2, "clientid", 0, 0);
+            fail();
+        } catch (OAuthClientNotFoundException e) {
+            // expected
+        }
+        try {
+            storage.addOAuthM2MTokenForStats(appIdentifier, "clientidx", 0, 0);
+            fail();
+        } catch (OAuthClientNotFoundException e) {
+            // expected
+        }
+
+        try {
+            storage.createOrUpdateOAuthSession(appIdentifier2, "abcd", "clientid", null, null, null, "asdasd",
+                    System.currentTimeMillis() + 10000);
+            fail();
+        } catch (OAuthClientNotFoundException e) {
+            //expected
+        }
+
+        try {
+            storage.createOrUpdateOAuthSession(appIdentifier2, "abcd", "clientid-not-existing", null, null, null, "asdasd",
+                    System.currentTimeMillis() + 10000);
+            fail();
+        } catch (OAuthClientNotFoundException e) {
+            //expected
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/OAuthAPIHelper.java b/src/test/java/io/supertokens/test/oauth/api/OAuthAPIHelper.java
new file mode 100644
index 000000000..1ae491eab
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/OAuthAPIHelper.java
@@ -0,0 +1,152 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.oauth.HttpRequestForOAuthProvider;
+import io.supertokens.test.httpRequest.HttpRequestForTesting;
+import io.supertokens.utils.SemVer;
+
+public class OAuthAPIHelper {
+    public static void resetOAuthProvider() {
+        try {
+            HttpRequestForOAuthProvider.Response clientsResponse = HttpRequestForOAuthProvider
+                    .doGet("http://localhost:4445/admin/clients", new HashMap<>(), new HashMap<>());
+
+            for (JsonElement client : clientsResponse.jsonResponse.getAsJsonArray()) {
+                HttpRequestForOAuthProvider.doJsonDelete(
+                        "http://localhost:4445/admin/clients/"
+                                + client.getAsJsonObject().get("client_id").getAsString(),
+                        new HashMap<>(), new HashMap<>(), new JsonObject());
+            }
+
+            // We query these in an effort to help with possible warm up issues
+            HttpRequestForOAuthProvider.doGet("http://localhost:4444/.well-known/openid-configuration", new HashMap<>(), new HashMap<>());
+            HttpRequestForOAuthProvider.doGet("http://localhost:4444/.well-known/jwks.json", new HashMap<>(), new HashMap<>());
+            Thread.sleep(1000);
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static JsonObject createClient(Main main, JsonObject createClientBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", createClientBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject updateClient(Main main, JsonObject updateClientBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", updateClientBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject auth(Main main, JsonObject authBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/auth", authBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject token(Main main, JsonObject tokenBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/token", tokenBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject acceptLoginRequest(Main main, Map<String, String> queryParams,
+            JsonObject acceptLoginChallengeBody) throws Exception {
+        String url = "http://localhost:3567/recipe/oauth/auth/requests/login/accept";
+        if (queryParams != null && !queryParams.isEmpty()) {
+            StringBuilder queryString = new StringBuilder("?");
+            for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+                if (queryString.length() > 1) {
+                    queryString.append("&");
+                }
+                String encodedValue = URLEncoder.encode(entry.getValue(), StandardCharsets.UTF_8.toString());
+                queryString.append(entry.getKey()).append("=").append(encodedValue);
+            }
+            url += queryString.toString();
+        }
+
+        JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(main, "",
+                url, acceptLoginChallengeBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject acceptConsentRequest(Main main, Map<String, String> queryParams,
+            JsonObject acceptConsentChallengeBody) throws Exception {
+        String url = "http://localhost:3567/recipe/oauth/auth/requests/consent/accept";
+        if (queryParams != null && !queryParams.isEmpty()) {
+            StringBuilder queryString = new StringBuilder("?");
+            for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+                if (queryString.length() > 1) {
+                    queryString.append("&");
+                }
+                String encodedValue = URLEncoder.encode(entry.getValue(), StandardCharsets.UTF_8.toString());
+                queryString.append(entry.getKey()).append("=").append(encodedValue);
+            }
+            url += queryString.toString();
+        }
+
+        JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(main, "",
+                url, acceptConsentChallengeBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject revoke(Main main, JsonObject revokeRequestBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/token/revoke", revokeRequestBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject introspect(Main main, JsonObject introspectRequestBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/introspect", introspectRequestBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject revokeClientId(Main main, JsonObject revokeClientIdRequestBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/tokens/revoke", revokeClientIdRequestBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    public static JsonObject revokeSessionHandle(Main main, JsonObject revokeSessionHandleRequestBody)
+            throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/session/revoke", revokeSessionHandleRequestBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestAuthCodeFlow.java b/src/test/java/io/supertokens/test/oauth/api/TestAuthCodeFlow.java
new file mode 100644
index 000000000..841f69de8
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestAuthCodeFlow.java
@@ -0,0 +1,241 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.totp.TotpLicenseTest;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import static org.junit.Assert.assertNotNull;
+
+public class TestAuthCodeFlow {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testAuthCodeGrantFlow() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject clientBody = new JsonObject();
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("authorization_code"));
+        grantTypes.add(new JsonPrimitive("refresh_token"));
+        clientBody.add("grantTypes", grantTypes);
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("code"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        clientBody.add("responseTypes", responseTypes);
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost.com:3000/auth/callback/supertokens"));
+        clientBody.add("redirectUris", redirectUris);
+        clientBody.addProperty("scope", "openid email offline_access");
+        clientBody.addProperty("tokenEndpointAuthMethod", "client_secret_post");
+
+        JsonObject client = OAuthAPIHelper.createClient(process.getProcess(), clientBody);
+
+        JsonObject authRequestBody = new JsonObject();
+        JsonObject params = new JsonObject();
+        params.addProperty("client_id", client.get("clientId").getAsString());
+        params.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        params.addProperty("response_type", "code");
+        params.addProperty("scope", "openid offline_access");
+        params.addProperty("state", "test12345678");
+
+        authRequestBody.add("params", params);
+
+        JsonObject authResponse = OAuthAPIHelper.auth(process.getProcess(), authRequestBody);
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        URL url = new URL(redirectTo);
+        Map<String, String> queryParams = splitQuery(url);
+        String loginChallenge = queryParams.get("login_challenge");
+
+        Map<String, String> acceptLoginRequestParams = new HashMap<>();
+        acceptLoginRequestParams.put("loginChallenge", loginChallenge);
+
+        JsonObject acceptLoginRequestBody = new JsonObject();
+        acceptLoginRequestBody.addProperty("subject", "someuserid");
+        acceptLoginRequestBody.addProperty("remember", true);
+        acceptLoginRequestBody.addProperty("rememberFor", 3600);
+        acceptLoginRequestBody.addProperty("identityProviderSessionId", "session-handle");
+
+        JsonObject acceptLoginRequestResponse = OAuthAPIHelper.acceptLoginRequest(process.getProcess(), acceptLoginRequestParams, acceptLoginRequestBody);
+
+        redirectTo = acceptLoginRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(process.getProcess(), authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+        cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String consentChallenge = queryParams.get("consent_challenge");
+
+        JsonObject acceptConsentRequestBody = new JsonObject();
+        acceptConsentRequestBody.addProperty("iss", "http://localhost:3001/auth");
+        acceptConsentRequestBody.addProperty("tId", "public");
+        acceptConsentRequestBody.addProperty("rsub", "someuserid");
+        acceptConsentRequestBody.addProperty("sessionHandle", "session-handle");
+        acceptConsentRequestBody.add("initialAccessTokenPayload", new JsonObject());
+        acceptConsentRequestBody.add("initialIdTokenPayload", new JsonObject());
+        JsonArray grantScope = new JsonArray();
+        grantScope.add(new JsonPrimitive("openid"));
+        grantScope.add(new JsonPrimitive("offline_access"));
+        acceptConsentRequestBody.add("grantScope", grantScope);
+        JsonArray audience = new JsonArray();
+        acceptConsentRequestBody.add("grantAccessTokenAudience", audience);
+        JsonObject session = new JsonObject();
+        JsonObject accessToken = new JsonObject();
+        accessToken.addProperty("gid", "gidForTesting");
+        session.add("access_token", accessToken);
+        session.add("id_token", new JsonObject());
+        acceptConsentRequestBody.add("session", session);
+
+        queryParams = new HashMap<>();
+        queryParams.put("consentChallenge", consentChallenge);
+
+        JsonObject acceptConsentRequestResponse = OAuthAPIHelper.acceptConsentRequest(process.getProcess(), queryParams, acceptConsentRequestBody);
+
+        redirectTo = acceptConsentRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(process.getProcess(), authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String authorizationCode = queryParams.get("code");
+
+        JsonObject tokenRequestBody = new JsonObject();
+        JsonObject inputBody = new JsonObject();
+        inputBody.addProperty("grant_type", "authorization_code");
+        inputBody.addProperty("code", authorizationCode);
+        inputBody.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        inputBody.addProperty("client_id", client.get("clientId").getAsString());
+        inputBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+        tokenRequestBody.add("inputBody", inputBody);
+        tokenRequestBody.addProperty("iss", "http://localhost:3001/auth");
+
+        JsonObject tokenResponse = OAuthAPIHelper.token(process.getProcess(), tokenRequestBody);
+
+         assertNotNull(tokenResponse.get("access_token"));
+         assertNotNull(tokenResponse.get("id_token"));
+         assertNotNull(tokenResponse.get("refresh_token"));
+         assertNotNull(tokenResponse.get("expires_in"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    // Helper method to split query parameters
+    private static Map<String, String> splitQuery(URL url) throws UnsupportedEncodingException {
+        Map<String, String> queryPairs = new LinkedHashMap<>();
+        String query = url.getQuery();
+        String[] pairs = query.split("&");
+        for (String pair : pairs) {
+            int idx = pair.indexOf("=");
+            queryPairs.put(URLDecoder.decode(pair.substring(0, idx), "UTF-8"),
+                           URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
+        }
+        return queryPairs;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestClientCreate5_2.java b/src/test/java/io/supertokens/test/oauth/api/TestClientCreate5_2.java
new file mode 100644
index 000000000..a256fd981
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestClientCreate5_2.java
@@ -0,0 +1,305 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.httpRequest.HttpRequestForTesting;
+import io.supertokens.test.totp.TotpLicenseTest;
+import io.supertokens.utils.SemVer;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import static org.junit.Assert.*;
+
+public class TestClientCreate5_2 {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testInvalidInputs() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        {
+            // Duplicate client id
+            JsonObject createBody = new JsonObject();
+            createBody.addProperty("clientId", "test-client-id");
+
+            JsonObject resp = createClient(process.getProcess(), createBody);
+            assertEquals("OK", resp.get("status").getAsString());
+
+            resp = createClient(process.getProcess(), createBody);
+            assertEquals("OAUTH_ERROR", resp.get("status").getAsString());
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testDefaultClientIdGeneration() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        JsonObject createBody = new JsonObject();
+
+        JsonObject resp = createClient(process.getProcess(), createBody);
+        assertEquals("OK", resp.get("status").getAsString());
+        resp.remove("status");
+        verifyStructure(resp);
+
+        assertTrue(resp.get("clientId").getAsString().startsWith("stcl_"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAllFields() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        String[] FIELDS = new String[]{
+                "clientId",
+                "clientSecret",
+                "clientName",
+                "scope",
+                "redirectUris",
+                "enableRefreshTokenRotation",
+                "authorizationCodeGrantAccessTokenLifespan",
+                "authorizationCodeGrantIdTokenLifespan",
+                "authorizationCodeGrantRefreshTokenLifespan",
+                "clientCredentialsGrantAccessTokenLifespan",
+                "implicitGrantAccessTokenLifespan",
+                "implicitGrantIdTokenLifespan",
+                "refreshTokenGrantAccessTokenLifespan",
+                "refreshTokenGrantIdTokenLifespan",
+                "refreshTokenGrantRefreshTokenLifespan",
+                "tokenEndpointAuthMethod",
+                "clientUri",
+                "allowedCorsOrigins",
+                "audience",
+                "grantTypes",
+                "responseTypes",
+                "logoUri",
+                "policyUri",
+                "tosUri",
+                "metadata",
+                "postLogoutRedirectUris"
+        };
+
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost:3000/auth"));
+
+        JsonArray allowedCorsOrigins = new JsonArray();
+        allowedCorsOrigins.add(new JsonPrimitive("http://localhost:3000"));
+
+        JsonArray audience = new JsonArray();
+        audience.add(new JsonPrimitive("https://api.example.com"));
+
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("authorization_code"));
+        grantTypes.add(new JsonPrimitive("implicit"));
+        grantTypes.add(new JsonPrimitive("refresh_token"));
+        grantTypes.add(new JsonPrimitive("client_credentials"));
+
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("code"));
+        responseTypes.add(new JsonPrimitive("token"));
+        responseTypes.add(new JsonPrimitive("code token"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        responseTypes.add(new JsonPrimitive("code id_token"));
+        responseTypes.add(new JsonPrimitive("token id_token"));
+        responseTypes.add(new JsonPrimitive("code token id_token"));
+
+        JsonArray postRedirectLogoutUris = new JsonArray();
+        postRedirectLogoutUris.add(new JsonPrimitive("http://localhost:3000/logout"));
+
+        JsonObject metadata = new JsonObject();
+        metadata.addProperty("sub", "test-client-id");
+        metadata.addProperty("iss", "http://localhost:3000");
+        metadata.addProperty("aud", "https://api.example.com");
+        metadata.addProperty("exp", 1714857600);
+        metadata.addProperty("iat", 1714857600);
+        metadata.addProperty("jti", "test-jti");
+        metadata.addProperty("nonce", "test-nonce");
+
+        JsonElement[] VALUES = new JsonElement[]{
+            new JsonPrimitive("test-client-id"), // clientId
+            new JsonPrimitive("kEdQVPNLsl_FHOFBO_nWnj7P3."), // clientSecret
+            new JsonPrimitive("Test Client"), // clientName
+            new JsonPrimitive("offline_access offline openid"), // scope
+            redirectUris, // redirectUris
+            new JsonPrimitive(true), // enableRefreshTokenRotation
+            new JsonPrimitive("1h0m0s"), // authorizationCodeGrantAccessTokenLifespan
+            new JsonPrimitive("2h0m0s"), // authorizationCodeGrantIdTokenLifespan
+            new JsonPrimitive("3h0m0s"), // authorizationCodeGrantRefreshTokenLifespan
+            new JsonPrimitive("4h0m0s"), // clientCredentialsGrantAccessTokenLifespan
+            new JsonPrimitive("5h0m0s"), // implicitGrantAccessTokenLifespan
+            new JsonPrimitive("6h0m0s"), // implicitGrantIdTokenLifespan
+            new JsonPrimitive("7h0m0s"), // refreshTokenGrantAccessTokenLifespan
+            new JsonPrimitive("8h0m0s"), // refreshTokenGrantIdTokenLifespan
+            new JsonPrimitive("9h0m0s"), // refreshTokenGrantRefreshTokenLifespan
+            new JsonPrimitive("client_secret_post"), // tokenEndpointAuthMethod
+            new JsonPrimitive("http://localhost:3000"), // clientUri
+            allowedCorsOrigins, // allowedCorsOrigins
+            audience, // audience
+            grantTypes, // grantTypes
+            responseTypes, // responseTypes
+            new JsonPrimitive("http://localhost:3000/logo.png"), // logoUri
+            new JsonPrimitive("http://localhost:3000/policy.html"), // policyUri
+            new JsonPrimitive("http://localhost:3000/tos.html"), // tosUri
+            metadata, // metadata
+            postRedirectLogoutUris // postRedirectLogoutUris
+        };
+
+        for (int i = 0; i < FIELDS.length; i++) {
+            JsonObject createBody = new JsonObject();
+            createBody.add(FIELDS[i], VALUES[i]);
+
+            if ("postLogoutRedirectUris".equals(FIELDS[i])) {
+                createBody.add("redirectUris", redirectUris);
+            }
+
+            JsonObject resp = createClient(process.getProcess(), createBody);
+            assertEquals("Unable to create client with field: " + FIELDS[i], "OK", resp.get("status").getAsString());
+            assertEquals("Value mismatch for field: " + FIELDS[i], VALUES[i], resp.get(FIELDS[i]));
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject createClient(Main main, JsonObject createClientBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", createClientBody, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private void verifyStructure(JsonObject response) throws Exception {
+        assertEquals(27, response.entrySet().size());
+        String[] FIELDS = new String[]{
+                "clientId",
+                "clientSecret",
+                "clientName",
+                "scope",
+                "redirectUris",
+                "enableRefreshTokenRotation",
+                "authorizationCodeGrantAccessTokenLifespan",
+                "authorizationCodeGrantIdTokenLifespan",
+                "authorizationCodeGrantRefreshTokenLifespan",
+                "clientCredentialsGrantAccessTokenLifespan",
+                "implicitGrantAccessTokenLifespan",
+                "implicitGrantIdTokenLifespan",
+                "refreshTokenGrantAccessTokenLifespan",
+                "refreshTokenGrantIdTokenLifespan",
+                "refreshTokenGrantRefreshTokenLifespan",
+                "tokenEndpointAuthMethod",
+                "clientUri",
+                "allowedCorsOrigins",
+                "audience",
+                "grantTypes",
+                "responseTypes",
+                "logoUri",
+                "policyUri",
+                "tosUri",
+                "createdAt",
+                "updatedAt",
+                "metadata"
+        };
+
+        for (String field : FIELDS) {
+            assertTrue(response.has(field));
+        }
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestClientDelete5_2.java b/src/test/java/io/supertokens/test/oauth/api/TestClientDelete5_2.java
new file mode 100644
index 000000000..523ee699f
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestClientDelete5_2.java
@@ -0,0 +1,155 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.httpRequest.HttpRequestForTesting;
+import io.supertokens.test.totp.TotpLicenseTest;
+import io.supertokens.utils.SemVer;
+
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Set;
+
+public class TestClientDelete5_2 {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testClientDelete() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        Set<String> clientIds = new HashSet<>();
+        for (int i = 0; i < 10; i++) {
+            JsonObject client = createClient(process.getProcess());
+            clientIds.add(client.get("clientId").getAsString());
+        }
+
+        String clientIdToDelete = clientIds.iterator().next();
+        JsonObject resp = deleteClient(process.getProcess(), clientIdToDelete);
+        assertEquals("OK", resp.get("status").getAsString());
+        assertEquals(true, resp.get("didExist").getAsBoolean());
+
+        JsonObject clients = listClients(process.getProcess());
+        Set<String> clientIdsAfterDeletion = new HashSet<>();
+        for (JsonElement client : clients.get("clients").getAsJsonArray()) {
+            clientIdsAfterDeletion.add(client.getAsJsonObject().get("clientId").getAsString());
+        }
+
+        assertFalse(clientIdsAfterDeletion.contains(clientIdToDelete));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testClientDeleteWithInvalidClientId() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject resp = deleteClient(process.getProcess(), "non-existent-client-id");
+        assertEquals("OK", resp.get("status").getAsString());
+        assertEquals(false, resp.get("didExist").getAsBoolean());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject createClient(Main main) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", new JsonObject(), 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private JsonObject deleteClient(Main main, String clientId) throws Exception {
+        JsonObject body = new JsonObject();
+        body.addProperty("clientId", clientId);
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients/remove", body, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private JsonObject listClients(Main main) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendGETRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients/list", new HashMap<>(), 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestClientList5_2.java b/src/test/java/io/supertokens/test/oauth/api/TestClientList5_2.java
new file mode 100644
index 000000000..e94d878c4
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestClientList5_2.java
@@ -0,0 +1,232 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.httpRequest.HttpRequestForTesting;
+import io.supertokens.test.totp.TotpLicenseTest;
+import io.supertokens.utils.SemVer;
+import java.util.Map;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.HashMap;
+
+public class TestClientList5_2 {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testClientList() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        Set<String> clientIds = new HashSet<>();
+        for (int i = 0; i < 10; i++) {
+            JsonObject client = createClient(process.getProcess(), new JsonObject());
+            clientIds.add(client.get("clientId").getAsString());
+        }
+
+        JsonObject response = listClients(process.getProcess(), new HashMap<>());
+        assertEquals(10, response.get("clients").getAsJsonArray().size());
+
+        Set<String> clientIdsFromResponse = new HashSet<>();
+        for (JsonElement client : response.get("clients").getAsJsonArray()) {
+            clientIdsFromResponse.add(client.getAsJsonObject().get("clientId").getAsString());
+        }
+        assertEquals(clientIds, clientIdsFromResponse);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testClientListWithPagination() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        Set<String> clientIds = new HashSet<>();
+        for (int i = 0; i < 100; i++) {
+            JsonObject client = createClient(process.getProcess(), new JsonObject());
+            clientIds.add(client.get("clientId").getAsString());
+        }
+
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("pageSize", "10");
+
+        Set<String> clientIdsFromResponse = new HashSet<>();
+
+        JsonObject response = listClients(process.getProcess(), queryParams);
+        assertEquals(10, response.get("clients").getAsJsonArray().size());
+
+        for (JsonElement client : response.get("clients").getAsJsonArray()) {
+            clientIdsFromResponse.add(client.getAsJsonObject().get("clientId").getAsString());
+        }
+
+        while (response.has("nextPaginationToken")) {
+            queryParams.put("pageToken", response.get("nextPaginationToken").getAsString());
+
+            response = listClients(process.getProcess(), queryParams);
+            for (JsonElement client : response.get("clients").getAsJsonArray()) {
+                clientIdsFromResponse.add(client.getAsJsonObject().get("clientId").getAsString());
+            }    
+        }
+
+        assertEquals(clientIds, clientIdsFromResponse);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testClientListWithClientNameFilter() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        Set<String> clientIds = new HashSet<>();
+        for (int i = 0; i < 100; i++) {
+            JsonObject clientBody = new JsonObject();
+            clientBody.add("clientName", new JsonPrimitive("Hello"));
+            JsonObject client = createClient(process.getProcess(), clientBody);
+            clientIds.add(client.get("clientId").getAsString());
+        }
+
+        for (int i = 0; i < 100; i++) {
+            JsonObject clientBody = new JsonObject();
+            clientBody.add("clientName", new JsonPrimitive("World"));
+            createClient(process.getProcess(), clientBody);
+        }
+
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("pageSize", "10");
+        queryParams.put("clientName", "Hello");
+
+        Set<String> clientIdsFromResponse = new HashSet<>();
+
+        JsonObject response = listClients(process.getProcess(), queryParams);
+        assertEquals(10, response.get("clients").getAsJsonArray().size());
+
+        for (JsonElement client : response.get("clients").getAsJsonArray()) {
+            clientIdsFromResponse.add(client.getAsJsonObject().get("clientId").getAsString());
+        }
+
+        while (response.has("nextPaginationToken")) {
+            queryParams.put("pageToken", response.get("nextPaginationToken").getAsString());
+
+            response = listClients(process.getProcess(), queryParams);
+            for (JsonElement client : response.get("clients").getAsJsonArray()) {
+                clientIdsFromResponse.add(client.getAsJsonObject().get("clientId").getAsString());
+            }    
+        }
+
+        assertEquals(clientIds, clientIdsFromResponse);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject createClient(Main main, JsonObject createClientBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", createClientBody, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private JsonObject listClients(Main main, Map<String, String> queryParams) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendGETRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients/list", queryParams, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestClientUpdate5_2.java b/src/test/java/io/supertokens/test/oauth/api/TestClientUpdate5_2.java
new file mode 100644
index 000000000..50ac96d52
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestClientUpdate5_2.java
@@ -0,0 +1,203 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.httpRequest.HttpRequestForTesting;
+import io.supertokens.test.totp.TotpLicenseTest;
+import io.supertokens.utils.SemVer;
+
+public class TestClientUpdate5_2 {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testAllFields() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        String[] FIELDS = new String[] {
+                "clientSecret",
+                "clientName",
+                "scope",
+                "redirectUris",
+                "enableRefreshTokenRotation",
+                "authorizationCodeGrantAccessTokenLifespan",
+                "authorizationCodeGrantIdTokenLifespan",
+                "authorizationCodeGrantRefreshTokenLifespan",
+                "clientCredentialsGrantAccessTokenLifespan",
+                "implicitGrantAccessTokenLifespan",
+                "implicitGrantIdTokenLifespan",
+                "refreshTokenGrantAccessTokenLifespan",
+                "refreshTokenGrantIdTokenLifespan",
+                "refreshTokenGrantRefreshTokenLifespan",
+                "tokenEndpointAuthMethod",
+                "clientUri",
+                "allowedCorsOrigins",
+                "audience",
+                "grantTypes",
+                "responseTypes",
+                "logoUri",
+                "policyUri",
+                "tosUri",
+                "metadata",
+                "postLogoutRedirectUris"
+        };
+
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost:3000/auth"));
+
+        JsonArray allowedCorsOrigins = new JsonArray();
+        allowedCorsOrigins.add(new JsonPrimitive("http://localhost:3000"));
+
+        JsonArray audience = new JsonArray();
+        audience.add(new JsonPrimitive("https://api.example.com"));
+
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("authorization_code"));
+        grantTypes.add(new JsonPrimitive("implicit"));
+        grantTypes.add(new JsonPrimitive("refresh_token"));
+        grantTypes.add(new JsonPrimitive("client_credentials"));
+
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("code"));
+        responseTypes.add(new JsonPrimitive("token"));
+        responseTypes.add(new JsonPrimitive("code token"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        responseTypes.add(new JsonPrimitive("code id_token"));
+        responseTypes.add(new JsonPrimitive("token id_token"));
+        responseTypes.add(new JsonPrimitive("code token id_token"));
+
+        JsonArray postRedirectLogoutUris = new JsonArray();
+        postRedirectLogoutUris.add(new JsonPrimitive("http://localhost:3000/logout"));
+
+        JsonObject metadata = new JsonObject();
+        metadata.addProperty("sub", "test-client-id");
+        metadata.addProperty("iss", "http://localhost:3000");
+        metadata.addProperty("aud", "https://api.example.com");
+        metadata.addProperty("exp", 1714857600);
+        metadata.addProperty("iat", 1714857600);
+        metadata.addProperty("jti", "test-jti");
+        metadata.addProperty("nonce", "test-nonce");
+
+        JsonElement[] VALUES = new JsonElement[] {
+                new JsonPrimitive("kEdQVPNLsl_FHOFBO_nWnj7P3."), // clientSecret
+                new JsonPrimitive("Test Client"), // clientName
+                new JsonPrimitive("offline_access offline openid"), // scope
+                redirectUris, // redirectUris
+                new JsonPrimitive(true), // enableRefreshTokenRotation
+                new JsonPrimitive("1h0m0s"), // authorizationCodeGrantAccessTokenLifespan
+                new JsonPrimitive("2h0m0s"), // authorizationCodeGrantIdTokenLifespan
+                new JsonPrimitive("3h0m0s"), // authorizationCodeGrantRefreshTokenLifespan
+                new JsonPrimitive("4h0m0s"), // clientCredentialsGrantAccessTokenLifespan
+                new JsonPrimitive("5h0m0s"), // implicitGrantAccessTokenLifespan
+                new JsonPrimitive("6h0m0s"), // implicitGrantIdTokenLifespan
+                new JsonPrimitive("7h0m0s"), // refreshTokenGrantAccessTokenLifespan
+                new JsonPrimitive("8h0m0s"), // refreshTokenGrantIdTokenLifespan
+                new JsonPrimitive("9h0m0s"), // refreshTokenGrantRefreshTokenLifespan
+                new JsonPrimitive("client_secret_post"), // tokenEndpointAuthMethod
+                new JsonPrimitive("http://localhost:3000"), // clientUri
+                allowedCorsOrigins, // allowedCorsOrigins
+                audience, // audience
+                grantTypes, // grantTypes
+                responseTypes, // responseTypes
+                new JsonPrimitive("http://localhost:3000/logo.png"), // logoUri
+                new JsonPrimitive("http://localhost:3000/policy.html"), // policyUri
+                new JsonPrimitive("http://localhost:3000/tos.html"), // tosUri
+                metadata, // metadata
+                postRedirectLogoutUris // postRedirectLogoutUris
+        };
+
+        JsonObject client = createClient(process.getProcess(), new JsonObject());
+
+        for (int i = 0; i < FIELDS.length; i++) {
+            JsonObject createBody = new JsonObject();
+            createBody.add("clientId", client.get("clientId"));
+            createBody.add(FIELDS[i], VALUES[i]);
+
+            JsonObject resp = updateClient(process.getProcess(), createBody);
+            assertEquals("Unable to create client with field: " + FIELDS[i], "OK", resp.get("status").getAsString());
+            assertEquals("Value mismatch for field: " + FIELDS[i], VALUES[i], resp.get(FIELDS[i]));
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject createClient(Main main, JsonObject createClientBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", createClientBody, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private JsonObject updateClient(Main main, JsonObject createClientBody) throws Exception {
+        JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", createClientBody, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestImplicitFlow.java b/src/test/java/io/supertokens/test/oauth/api/TestImplicitFlow.java
new file mode 100644
index 000000000..21e6a1133
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestImplicitFlow.java
@@ -0,0 +1,204 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.totp.TotpLicenseTest;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+
+import static org.junit.Assert.assertNotNull;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+public class TestImplicitFlow {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testImplicitGrantFlow() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject clientBody = new JsonObject();
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("implicit"));
+        clientBody.add("grantTypes", grantTypes);
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("token"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        clientBody.add("responseTypes", responseTypes);
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost.com:3000/auth/callback/supertokens"));
+        clientBody.add("redirectUris", redirectUris);
+        clientBody.addProperty("scope", "openid profile email");
+
+        JsonObject client = OAuthAPIHelper.createClient(process.getProcess(), clientBody);
+
+        JsonObject authRequestBody = new JsonObject();
+        JsonObject params = new JsonObject();
+        params.addProperty("client_id", client.get("clientId").getAsString());
+        params.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        params.addProperty("response_type", "token");
+        params.addProperty("scope", "openid profile email");
+        params.addProperty("state", "test12345678");
+
+        authRequestBody.add("params", params);
+
+        JsonObject authResponse = OAuthAPIHelper.auth(process.getProcess(), authRequestBody);
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        URL url = new URL(redirectTo);
+        Map<String, String> queryParams = splitQuery(url);
+        String loginChallenge = queryParams.get("login_challenge");
+
+        Map<String, String> acceptLoginRequestParams = new HashMap<>();
+        acceptLoginRequestParams.put("loginChallenge", loginChallenge);
+
+        JsonObject acceptLoginRequestBody = new JsonObject();
+        acceptLoginRequestBody.addProperty("subject", "someuserid");
+        acceptLoginRequestBody.addProperty("remember", true);
+        acceptLoginRequestBody.addProperty("rememberFor", 3600);
+
+        JsonObject acceptLoginRequestResponse = OAuthAPIHelper.acceptLoginRequest(process.getProcess(), acceptLoginRequestParams, acceptLoginRequestBody);
+
+        redirectTo = acceptLoginRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(process.getProcess(), authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+        cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String consentChallenge = queryParams.get("consent_challenge");
+
+        JsonObject acceptConsentRequestBody = new JsonObject();
+        acceptConsentRequestBody.addProperty("remember", true);
+        acceptConsentRequestBody.addProperty("rememberFor", 3600);
+        acceptConsentRequestBody.addProperty("iss", "http://localhost:3001/auth");
+        acceptConsentRequestBody.addProperty("tId", "public");
+        acceptConsentRequestBody.addProperty("rsub", "someuser");
+        acceptConsentRequestBody.addProperty("sessionHandle", "session-handle");
+        acceptConsentRequestBody.add("initialAccessTokenPayload", new JsonObject());
+        acceptConsentRequestBody.add("initialIdTokenPayload", new JsonObject());
+
+        queryParams = new HashMap<>();
+        queryParams.put("consentChallenge", consentChallenge);
+
+        JsonObject acceptConsentRequestResponse = OAuthAPIHelper.acceptConsentRequest(process.getProcess(), queryParams, acceptConsentRequestBody);
+
+        redirectTo = acceptConsentRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(process.getProcess(), authRequestBody);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    // Helper method to split query parameters
+    private static Map<String, String> splitQuery(URL url) throws UnsupportedEncodingException {
+        Map<String, String> queryPairs = new LinkedHashMap<>();
+        String query = url.getQuery();
+        String[] pairs = query.split("&");
+        for (String pair : pairs) {
+            int idx = pair.indexOf("=");
+            queryPairs.put(URLDecoder.decode(pair.substring(0, idx), "UTF-8"),
+                           URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
+        }
+        return queryPairs;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestIssueTokens.java b/src/test/java/io/supertokens/test/oauth/api/TestIssueTokens.java
new file mode 100644
index 000000000..2484ea4ee
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestIssueTokens.java
@@ -0,0 +1,286 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.emailpassword.EmailPassword;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
+import io.supertokens.session.Session;
+import io.supertokens.session.info.SessionInformationHolder;
+import io.supertokens.session.jwt.JWT;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+public class TestIssueTokens {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testAccessToken() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+
+        AuthRecipeUserInfo user = EmailPassword.signUp(process.getProcess(), "test@example.com", "password123");
+        SessionInformationHolder session = Session.createNewSession(process.getProcess(), user.getSupertokensUserId(),
+                new JsonObject(), new JsonObject());
+
+        JsonObject tokenResponse = issueTokens(process.getProcess(), client, user.getSupertokensUserId(),
+                user.getSupertokensUserId(), session.session.handle);
+
+        String accessToken = tokenResponse.get("access_token").getAsString();
+        JWT.JWTInfo accessTokenInfo = JWT.getPayloadWithoutVerifying(accessToken);
+        assertTrue(accessTokenInfo.payload.has("iss"));
+        assertEquals("http://localhost:3001/auth", accessTokenInfo.payload.get("iss").getAsString());
+
+        String idToken = tokenResponse.get("id_token").getAsString();
+        JWT.JWTInfo idTokenInfo = JWT.getPayloadWithoutVerifying(idToken);
+        assertTrue(idTokenInfo.payload.has("iss"));
+        assertEquals("http://localhost:3001/auth", idTokenInfo.payload.get("iss").getAsString());
+
+        // test introspect access token
+        JsonObject introspectResponse = introspectToken(process.getProcess(),
+                tokenResponse.get("access_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertTrue(introspectResponse.get("active").getAsBoolean());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject issueTokens(Main main, JsonObject client, String sub, String rsub, String sessionHandle)
+            throws Exception {
+        JsonObject authRequestBody = new JsonObject();
+        JsonObject params = new JsonObject();
+        params.addProperty("client_id", client.get("clientId").getAsString());
+        params.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        params.addProperty("response_type", "code");
+        params.addProperty("scope", "openid offline_access");
+        params.addProperty("state", "test12345678");
+
+        authRequestBody.add("params", params);
+
+        JsonObject authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        URL url = new URL(redirectTo);
+        Map<String, String> queryParams = splitQuery(url);
+        String loginChallenge = queryParams.get("login_challenge");
+
+        Map<String, String> acceptLoginRequestParams = new HashMap<>();
+        acceptLoginRequestParams.put("loginChallenge", loginChallenge);
+
+        JsonObject acceptLoginRequestBody = new JsonObject();
+        acceptLoginRequestBody.addProperty("subject", sub);
+        acceptLoginRequestBody.addProperty("remember", true);
+        acceptLoginRequestBody.addProperty("rememberFor", 3600);
+        acceptLoginRequestBody.addProperty("identityProviderSessionId", sessionHandle);
+
+        JsonObject acceptLoginRequestResponse = OAuthAPIHelper.acceptLoginRequest(main, acceptLoginRequestParams,
+                acceptLoginRequestBody);
+
+        redirectTo = acceptLoginRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+        cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String consentChallenge = queryParams.get("consent_challenge");
+
+        JsonObject acceptConsentRequestBody = new JsonObject();
+        acceptConsentRequestBody.addProperty("iss", "http://localhost:3001/auth");
+        acceptConsentRequestBody.addProperty("tId", "public");
+        acceptConsentRequestBody.addProperty("rsub", rsub);
+        acceptConsentRequestBody.addProperty("sessionHandle", sessionHandle);
+        acceptConsentRequestBody.add("initialAccessTokenPayload", new JsonObject());
+        acceptConsentRequestBody.add("initialIdTokenPayload", new JsonObject());
+        JsonArray grantScope = new JsonArray();
+        grantScope.add(new JsonPrimitive("openid"));
+        grantScope.add(new JsonPrimitive("offline_access"));
+        acceptConsentRequestBody.add("grantScope", grantScope);
+        JsonArray audience = new JsonArray();
+        acceptConsentRequestBody.add("grantAccessTokenAudience", audience);
+        JsonObject session = new JsonObject();
+        session.add("access_token", new JsonObject());
+        session.add("id_token", new JsonObject());
+        acceptConsentRequestBody.add("session", session);
+
+        queryParams = new HashMap<>();
+        queryParams.put("consentChallenge", consentChallenge);
+
+        JsonObject acceptConsentRequestResponse = OAuthAPIHelper.acceptConsentRequest(main, queryParams,
+                acceptConsentRequestBody);
+
+        redirectTo = acceptConsentRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String authorizationCode = queryParams.get("code");
+
+        JsonObject tokenRequestBody = new JsonObject();
+        JsonObject inputBody = new JsonObject();
+        inputBody.addProperty("grant_type", "authorization_code");
+        inputBody.addProperty("code", authorizationCode);
+        inputBody.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        inputBody.addProperty("client_id", client.get("clientId").getAsString());
+        inputBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+        tokenRequestBody.add("inputBody", inputBody);
+        tokenRequestBody.addProperty("iss", "http://localhost:3001/auth");
+
+        JsonObject tokenResponse = OAuthAPIHelper.token(main, tokenRequestBody);
+        return tokenResponse;
+    }
+
+    private static Map<String, String> splitQuery(URL url) throws UnsupportedEncodingException {
+        Map<String, String> queryPairs = new LinkedHashMap<>();
+        String query = url.getQuery();
+        String[] pairs = query.split("&");
+        for (String pair : pairs) {
+            int idx = pair.indexOf("=");
+            queryPairs.put(URLDecoder.decode(pair.substring(0, idx), "UTF-8"),
+                    URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
+        }
+        return queryPairs;
+    }
+
+    private JsonObject refreshToken(Main main, JsonObject client, String refreshToken) throws Exception {
+        JsonObject inputBody = new JsonObject();
+        inputBody.addProperty("grant_type", "refresh_token");
+        inputBody.addProperty("refresh_token", refreshToken);
+        inputBody.addProperty("client_id", client.get("clientId").getAsString());
+        inputBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+
+        JsonObject tokenBody = new JsonObject();
+        tokenBody.add("inputBody", inputBody);
+        tokenBody.addProperty("iss", "http://localhost:3001/auth");
+        tokenBody.add("access_token", new JsonObject());
+        tokenBody.add("id_token", new JsonObject());
+        return OAuthAPIHelper.token(main, tokenBody);
+    }
+
+    private JsonObject introspectToken(Main main, String token) throws Exception {
+        JsonObject introspectRequestBody = new JsonObject();
+        introspectRequestBody.addProperty("token", token);
+        return OAuthAPIHelper.introspect(main, introspectRequestBody);
+    }
+
+    private JsonObject createClient(Main main) throws Exception {
+        JsonObject clientBody = new JsonObject();
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("authorization_code"));
+        grantTypes.add(new JsonPrimitive("refresh_token"));
+        clientBody.add("grantTypes", grantTypes);
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("code"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        clientBody.add("responseTypes", responseTypes);
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost.com:3000/auth/callback/supertokens"));
+        clientBody.add("redirectUris", redirectUris);
+        clientBody.addProperty("scope", "openid email offline_access");
+        clientBody.addProperty("tokenEndpointAuthMethod", "client_secret_post");
+
+        JsonObject client = OAuthAPIHelper.createClient(main, clientBody);
+        return client;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestLoginRequest5_2.java b/src/test/java/io/supertokens/test/oauth/api/TestLoginRequest5_2.java
new file mode 100644
index 000000000..be54fc4ba
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestLoginRequest5_2.java
@@ -0,0 +1,501 @@
+package io.supertokens.test.oauth.api;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import java.net.URL;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.httpRequest.HttpRequestForTesting;
+import io.supertokens.utils.SemVer;
+
+public class TestLoginRequest5_2 {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testLoginRequestCreationAndGet() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+        String clientId = client.get("clientId").getAsString();
+
+        JsonObject authResponse = authRequest(process.getProcess(), clientId);
+
+        assertEquals("OK", authResponse.get("status").getAsString());
+        assertEquals(3, authResponse.entrySet().size());
+        assertTrue(authResponse.has("redirectTo"));
+        assertTrue(authResponse.has("cookies"));
+
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+        assertTrue(cookies.startsWith("st_oauth_login_csrf_dev_"));
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        assertTrue(redirectTo.startsWith("{apiDomain}"));
+
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001");
+        Map<String, String> queryParams = Utils.splitQueryString(new URL(redirectTo).getQuery());
+        assertEquals(1, queryParams.size());
+
+        String loginChallenge = queryParams.get("login_challenge");
+        assertNotNull(loginChallenge);
+
+        JsonObject loginRequestResponse = getLoginRequest(process.getProcess(), loginChallenge);
+
+        assertEquals(10, loginRequestResponse.entrySet().size());
+        assertEquals("OK", loginRequestResponse.get("status").getAsString());
+        assertTrue(loginRequestResponse.has("challenge"));
+        assertTrue(loginRequestResponse.has("requestedScope"));
+        assertTrue(loginRequestResponse.has("requestedAccessTokenAudience"));
+        assertFalse(loginRequestResponse.get("skip").getAsBoolean());
+        assertEquals("", loginRequestResponse.get("subject").getAsString());
+        assertTrue(loginRequestResponse.has("oidcContext"));
+        assertTrue(loginRequestResponse.has("client"));
+        assertTrue(loginRequestResponse.has("requestUrl"));
+        assertTrue(loginRequestResponse.has("sessionId"));
+
+        JsonArray requestedScope = loginRequestResponse.getAsJsonArray("requestedScope");
+        assertEquals(2, requestedScope.size());
+        assertTrue(requestedScope.contains(new JsonPrimitive("openid")));
+        assertTrue(requestedScope.contains(new JsonPrimitive("offline_access")));
+
+        JsonArray requestedAccessTokenAudience = loginRequestResponse.getAsJsonArray("requestedAccessTokenAudience");
+        assertEquals(0, requestedAccessTokenAudience.size());
+
+        JsonObject clientInResponse = loginRequestResponse.getAsJsonObject("client");
+        verifyClientStructure(clientInResponse);
+
+        assertTrue(loginRequestResponse.get("requestUrl").getAsString().startsWith("http://localhost:4444/oauth2/auth?"));
+        assertTrue(loginRequestResponse.has("sessionId"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testLoginRequestGetWithDeletedClient() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+        String clientId = client.get("clientId").getAsString();
+
+        JsonObject authResponse = authRequest(process.getProcess(), clientId);
+
+        assertEquals("OK", authResponse.get("status").getAsString());
+        assertEquals(3, authResponse.entrySet().size());
+        assertTrue(authResponse.has("redirectTo"));
+        assertTrue(authResponse.has("cookies"));
+
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+        assertTrue(cookies.startsWith("st_oauth_login_csrf_dev_"));
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        assertTrue(redirectTo.startsWith("{apiDomain}"));
+
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001");
+        Map<String, String> queryParams = Utils.splitQueryString(new URL(redirectTo).getQuery());
+        assertEquals(1, queryParams.size());
+
+        String loginChallenge = queryParams.get("login_challenge");
+        assertNotNull(loginChallenge);
+
+        deleteClient(process.getProcess(), clientId);
+
+        JsonObject loginRequestResponse = getLoginRequest(process.getProcess(), loginChallenge);
+
+        assertEquals("CLIENT_NOT_FOUND_ERROR", loginRequestResponse.get("status").getAsString());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAcceptLoginRequest() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+        String clientId = client.get("clientId").getAsString();
+
+        JsonObject authResponse = authRequest(process.getProcess(), clientId);
+
+        assertEquals("OK", authResponse.get("status").getAsString());
+        assertEquals(3, authResponse.entrySet().size());
+        assertTrue(authResponse.has("redirectTo"));
+        assertTrue(authResponse.has("cookies"));
+
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+        assertTrue(cookies.startsWith("st_oauth_login_csrf_dev_"));
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        assertTrue(redirectTo.startsWith("{apiDomain}"));
+
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001");
+        Map<String, String> queryParams = Utils.splitQueryString(new URL(redirectTo).getQuery());
+        assertEquals(1, queryParams.size());
+
+        String loginChallenge = queryParams.get("login_challenge");
+        assertNotNull(loginChallenge);
+
+        JsonObject acceptResponse = acceptLoginRequest(process.getProcess(), loginChallenge);
+
+        assertEquals("OK", acceptResponse.get("status").getAsString());
+
+        redirectTo = acceptResponse.get("redirectTo").getAsString();
+        assertTrue(redirectTo.startsWith("{apiDomain}"));
+
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001");
+        queryParams = Utils.splitQueryString(new URL(redirectTo).getQuery());
+        assertEquals(6, queryParams.size());
+
+        String loginVerifier = queryParams.get("login_verifier");
+        assertNotNull(loginVerifier);
+
+        String expectedRedirectUri = "http://localhost.com:3000/auth/callback/supertokens";
+        String expectedResponseType = "code";
+        String expectedScope = "openid offline_access";
+        String expectedState = "test12345678";
+
+        assertEquals(clientId, queryParams.get("client_id"));
+        assertEquals(expectedRedirectUri, queryParams.get("redirect_uri"));
+        assertEquals(expectedResponseType, queryParams.get("response_type"));
+        assertEquals(expectedScope, queryParams.get("scope"));
+        assertEquals(expectedState, queryParams.get("state"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testAcceptNonExistantLoginRequest() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+        String clientId = client.get("clientId").getAsString();
+
+        JsonObject authResponse = authRequest(process.getProcess(), clientId);
+
+        assertEquals("OK", authResponse.get("status").getAsString());
+        assertEquals(3, authResponse.entrySet().size());
+        assertTrue(authResponse.has("redirectTo"));
+        assertTrue(authResponse.has("cookies"));
+
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+        assertTrue(cookies.startsWith("st_oauth_login_csrf_dev_"));
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        assertTrue(redirectTo.startsWith("{apiDomain}"));
+
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001");
+        Map<String, String> queryParams = Utils.splitQueryString(new URL(redirectTo).getQuery());
+        assertEquals(1, queryParams.size());
+
+        String loginChallenge = queryParams.get("login_challenge");
+        assertNotNull(loginChallenge);
+
+        JsonObject acceptResponse = acceptLoginRequest(process.getProcess(), loginChallenge + "extras");
+
+        assertEquals("OAUTH_ERROR", acceptResponse.get("status").getAsString());
+        assertEquals("Not Found", acceptResponse.get("error").getAsString());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testRejectLoginRequest() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+        String clientId = client.get("clientId").getAsString();
+
+        JsonObject authResponse = authRequest(process.getProcess(), clientId);
+
+        assertEquals("OK", authResponse.get("status").getAsString());
+        assertEquals(3, authResponse.entrySet().size());
+        assertTrue(authResponse.has("redirectTo"));
+        assertTrue(authResponse.has("cookies"));
+
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+        assertTrue(cookies.startsWith("st_oauth_login_csrf_dev_"));
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        assertTrue(redirectTo.startsWith("{apiDomain}"));
+
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001");
+        Map<String, String> queryParams = Utils.splitQueryString(new URL(redirectTo).getQuery());
+        assertEquals(1, queryParams.size());
+
+        String loginChallenge = queryParams.get("login_challenge");
+        assertNotNull(loginChallenge);
+
+        JsonObject rejectResponse = rejectLoginRequest(process.getProcess(), loginChallenge);
+
+        assertEquals("OK", rejectResponse.get("status").getAsString());
+        redirectTo = rejectResponse.get("redirectTo").getAsString();
+        assertTrue(redirectTo.startsWith("{apiDomain}"));
+
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001");
+        queryParams = Utils.splitQueryString(new URL(redirectTo).getQuery());
+        assertEquals(6, queryParams.size());
+
+        assertTrue(queryParams.containsKey("client_id"));
+        assertTrue(queryParams.containsKey("login_verifier"));
+        assertTrue(queryParams.containsKey("redirect_uri"));
+        assertTrue(queryParams.containsKey("response_type"));
+        assertTrue(queryParams.containsKey("scope"));
+        assertTrue(queryParams.containsKey("state"));
+
+        assertEquals(clientId, queryParams.get("client_id"));
+        assertEquals("http://localhost.com:3000/auth/callback/supertokens", queryParams.get("redirect_uri"));
+        assertEquals("code", queryParams.get("response_type"));
+        assertEquals("openid offline_access", queryParams.get("scope"));
+        assertEquals("test12345678", queryParams.get("state"));
+
+        // Verify login_verifier is present and not empty
+        assertNotNull(queryParams.get("login_verifier"));
+        assertFalse(queryParams.get("login_verifier").isEmpty());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject acceptLoginRequest(Main main, String loginChallenge) throws Exception {
+        Map<String, String> acceptLoginRequestParams = new HashMap<>();
+        acceptLoginRequestParams.put("loginChallenge", loginChallenge);
+
+        JsonObject acceptLoginRequestBody = new JsonObject();
+        acceptLoginRequestBody.addProperty("subject", "someuserid");
+        acceptLoginRequestBody.addProperty("remember", true);
+        acceptLoginRequestBody.addProperty("rememberFor", 3600);
+        acceptLoginRequestBody.addProperty("identityProviderSessionId", "session-handle");
+
+        String url = "http://localhost:3567/recipe/oauth/auth/requests/login/accept?loginChallenge=" + URLEncoder.encode(loginChallenge, StandardCharsets.UTF_8.toString());
+
+        JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(main, "",
+                url, acceptLoginRequestBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+	}
+
+    private JsonObject rejectLoginRequest(Main main, String loginChallenge) throws Exception {
+        Map<String, String> rejectLoginRequestParams = new HashMap<>();
+        rejectLoginRequestParams.put("loginChallenge", loginChallenge);
+
+        JsonObject acceptLoginRequestBody = new JsonObject();
+
+        String url = "http://localhost:3567/recipe/oauth/auth/requests/login/reject?loginChallenge=" + URLEncoder.encode(loginChallenge, StandardCharsets.UTF_8.toString());
+
+        JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(main, "",
+                url, acceptLoginRequestBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+	private JsonObject createClient(Main main) throws Exception {
+        JsonObject createClientBody = new JsonObject();
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("authorization_code"));
+        grantTypes.add(new JsonPrimitive("refresh_token"));
+        createClientBody.add("grantTypes", grantTypes);
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("code"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        createClientBody.add("responseTypes", responseTypes);
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost.com:3000/auth/callback/supertokens"));
+        createClientBody.add("redirectUris", redirectUris);
+        createClientBody.addProperty("scope", "openid email offline_access");
+        createClientBody.addProperty("tokenEndpointAuthMethod", "client_secret_post");
+
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients", createClientBody, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private JsonObject authRequest(Main main, String clientId) throws Exception {
+        JsonObject authRequestBody = new JsonObject();
+        JsonObject params = new JsonObject();
+        params.addProperty("client_id", clientId);
+        params.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        params.addProperty("response_type", "code");
+        params.addProperty("scope", "openid offline_access");
+        params.addProperty("state", "test12345678");
+        authRequestBody.add("params", params);
+
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/auth", authRequestBody, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private JsonObject getLoginRequest(Main main, String loginChallenge) throws Exception {
+        Map<String, String> queryParams = new HashMap<>();
+        queryParams.put("loginChallenge", loginChallenge);
+        JsonObject response = HttpRequestForTesting.sendGETRequest(main, "",
+                "http://localhost:3567/recipe/oauth/auth/requests/login", queryParams, 5000, 5000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private JsonObject deleteClient(Main main, String clientId) throws Exception {
+        JsonObject body = new JsonObject(); 
+        body.addProperty("clientId", clientId);
+        JsonObject response = HttpRequestForTesting.sendJsonPOSTRequest(main, "",
+                "http://localhost:3567/recipe/oauth/clients/remove", body, 1000, 1000, null,
+                SemVer.v5_2.get(), "");
+        return response;
+    }
+
+    private void verifyClientStructure(JsonObject response) throws Exception {
+        assertEquals(27, response.entrySet().size());
+        String[] FIELDS = new String[]{
+                "clientId",
+                "clientSecret",
+                "clientName",
+                "scope",
+                "redirectUris",
+                "enableRefreshTokenRotation",
+                "authorizationCodeGrantAccessTokenLifespan",
+                "authorizationCodeGrantIdTokenLifespan",
+                "authorizationCodeGrantRefreshTokenLifespan",
+                "clientCredentialsGrantAccessTokenLifespan",
+                "implicitGrantAccessTokenLifespan",
+                "implicitGrantIdTokenLifespan",
+                "refreshTokenGrantAccessTokenLifespan",
+                "refreshTokenGrantIdTokenLifespan",
+                "refreshTokenGrantRefreshTokenLifespan",
+                "tokenEndpointAuthMethod",
+                "clientUri",
+                "allowedCorsOrigins",
+                "audience",
+                "grantTypes",
+                "responseTypes",
+                "logoUri",
+                "policyUri",
+                "tosUri",
+                "createdAt",
+                "updatedAt",
+                "metadata"
+        };
+
+        for (String field : FIELDS) {
+            assertTrue(response.has(field));
+        }
+    }
+
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestRefreshTokenFlowWithTokenRotationOptions.java b/src/test/java/io/supertokens/test/oauth/api/TestRefreshTokenFlowWithTokenRotationOptions.java
new file mode 100644
index 000000000..967862d1b
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestRefreshTokenFlowWithTokenRotationOptions.java
@@ -0,0 +1,426 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.oauth.api;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlag;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.totp.TotpLicenseTest;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+public class TestRefreshTokenFlowWithTokenRotationOptions {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    private static JsonObject createClient(Main main, boolean enableRefreshTokenRotation) throws Exception {
+        JsonObject clientBody = new JsonObject();
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("authorization_code"));
+        grantTypes.add(new JsonPrimitive("refresh_token"));
+        clientBody.add("grantTypes", grantTypes);
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("code"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        clientBody.add("responseTypes", responseTypes);
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost.com:3000/auth/callback/supertokens"));
+        clientBody.add("redirectUris", redirectUris);
+        clientBody.addProperty("scope", "openid email offline_access");
+        clientBody.addProperty("tokenEndpointAuthMethod", "client_secret_post");
+        clientBody.addProperty("enableRefreshTokenRotation", enableRefreshTokenRotation);
+
+        return OAuthAPIHelper.createClient(main, clientBody);
+    }
+
+    private static void updateClient(Main main, JsonObject client, boolean enableRefreshTokenRotation) throws Exception {
+        JsonObject updateClientBody = new JsonObject();
+        updateClientBody.addProperty("clientId", client.get("clientId").getAsString());
+        updateClientBody.addProperty("enableRefreshTokenRotation", enableRefreshTokenRotation);
+        OAuthAPIHelper.updateClient(main, updateClientBody);
+    }
+
+    private static JsonObject completeFlowAndGetTokens(Main main, JsonObject client) throws Exception {
+        JsonObject authRequestBody = new JsonObject();
+        JsonObject params = new JsonObject();
+        params.addProperty("client_id", client.get("clientId").getAsString());
+        params.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        params.addProperty("response_type", "code");
+        params.addProperty("scope", "openid offline_access");
+        params.addProperty("state", "test12345678");
+
+        authRequestBody.add("params", params);
+        JsonObject authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        URL url = new URL(redirectTo);
+        Map<String, String> queryParams = splitQuery(url);
+        String loginChallenge = queryParams.get("login_challenge");
+
+        Map<String, String> acceptLoginRequestParams = new HashMap<>();
+        acceptLoginRequestParams.put("loginChallenge", loginChallenge);
+
+        JsonObject acceptLoginRequestBody = new JsonObject();
+        acceptLoginRequestBody.addProperty("subject", "someuserid");
+        acceptLoginRequestBody.addProperty("remember", true);
+        acceptLoginRequestBody.addProperty("rememberFor", 3600);
+        acceptLoginRequestBody.addProperty("identityProviderSessionId", "session-handle");
+
+        JsonObject acceptLoginRequestResponse = OAuthAPIHelper.acceptLoginRequest(main, acceptLoginRequestParams, acceptLoginRequestBody);
+
+        redirectTo = acceptLoginRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+        cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String consentChallenge = queryParams.get("consent_challenge");
+
+        JsonObject acceptConsentRequestBody = new JsonObject();
+        acceptConsentRequestBody.addProperty("iss", "http://localhost:3001/auth");
+        acceptConsentRequestBody.addProperty("tId", "public");
+        acceptConsentRequestBody.addProperty("rsub", "someuserid");
+        acceptConsentRequestBody.addProperty("sessionHandle", "session-handle");
+        acceptConsentRequestBody.add("initialAccessTokenPayload", new JsonObject());
+        acceptConsentRequestBody.add("initialIdTokenPayload", new JsonObject());
+        JsonArray grantScope = new JsonArray();
+        grantScope.add(new JsonPrimitive("openid"));
+        grantScope.add(new JsonPrimitive("offline_access"));
+        acceptConsentRequestBody.add("grantScope", grantScope);
+        JsonArray audience = new JsonArray();
+        acceptConsentRequestBody.add("grantAccessTokenAudience", audience);
+        JsonObject session = new JsonObject();
+//        JsonObject accessToken = new JsonObject();
+//        accessToken.addProperty("gid", "gidForTesting");
+        session.add("access_token", new JsonObject());
+        session.add("id_token", new JsonObject());
+        acceptConsentRequestBody.add("session", session);
+
+        queryParams = new HashMap<>();
+        queryParams.put("consentChallenge", consentChallenge);
+
+        JsonObject acceptConsentRequestResponse = OAuthAPIHelper.acceptConsentRequest(main, queryParams, acceptConsentRequestBody);
+
+        redirectTo = acceptConsentRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String authorizationCode = queryParams.get("code");
+
+        JsonObject tokenRequestBody = new JsonObject();
+        JsonObject inputBody = new JsonObject();
+        inputBody.addProperty("grant_type", "authorization_code");
+        inputBody.addProperty("code", authorizationCode);
+        inputBody.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        inputBody.addProperty("client_id", client.get("clientId").getAsString());
+        inputBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+        tokenRequestBody.add("inputBody", inputBody);
+        tokenRequestBody.addProperty("iss", "http://localhost:3001/auth");
+
+        return OAuthAPIHelper.token(main, tokenRequestBody);
+
+    }
+
+    private static JsonObject refreshToken(Main main, JsonObject client, String refreshToken) throws Exception {
+        JsonObject tokenRequestBody = new JsonObject();
+        JsonObject inputBody = new JsonObject();
+        inputBody.addProperty("grant_type", "refresh_token");
+        inputBody.addProperty("refresh_token", refreshToken);
+        inputBody.addProperty("client_id", client.get("clientId").getAsString());
+        inputBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+
+        tokenRequestBody.add("access_token", new JsonObject());
+        tokenRequestBody.add("id_token", new JsonObject());
+        tokenRequestBody.add("inputBody", inputBody);
+        tokenRequestBody.addProperty("iss", "http://localhost:3001/auth");
+
+        return OAuthAPIHelper.token(main, tokenRequestBody);
+    }
+
+    @Test
+    public void testRefreshTokenWithRotationDisabled() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject client = createClient(process.getProcess(), false);
+        JsonObject tokens = completeFlowAndGetTokens(process.getProcess(), client);
+
+        String refreshToken = tokens.get("refresh_token").getAsString();
+        JsonObject newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertFalse(newTokens.has("refresh_token"));
+
+        // refresh again with original refresh token
+        newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertFalse(newTokens.has("refresh_token"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testRefreshTokenWithRotationEnabled() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject client = createClient(process.getProcess(), true);
+        JsonObject tokens = completeFlowAndGetTokens(process.getProcess(), client);
+
+        String refreshToken = tokens.get("refresh_token").getAsString();
+        JsonObject newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertTrue(newTokens.has("refresh_token"));
+
+        String newRefreshToken = newTokens.get("refresh_token").getAsString();
+
+        // refresh again with original refresh token
+        newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertEquals("OAUTH_ERROR", newTokens.get("status").getAsString());
+        assertEquals("token_inactive", newTokens.get("error").getAsString());
+
+        newTokens = refreshToken(process.getProcess(), client, newRefreshToken);
+        assertTrue(newTokens.has("refresh_token"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testRefreshTokenWhenRotationIsEnabledAfter() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject client = createClient(process.getProcess(), false);
+        JsonObject tokens = completeFlowAndGetTokens(process.getProcess(), client);
+
+        String refreshToken = tokens.get("refresh_token").getAsString();
+        JsonObject newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertFalse(newTokens.has("refresh_token"));
+
+        updateClient(process.getProcess(), client, true);
+
+        newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertTrue(newTokens.has("refresh_token"));
+
+        String newRefreshToken = newTokens.get("refresh_token").getAsString();
+
+        // refresh again with original refresh token
+        newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertEquals("OAUTH_ERROR", newTokens.get("status").getAsString());
+        assertEquals("token_inactive", newTokens.get("error").getAsString());
+
+
+        newTokens = refreshToken(process.getProcess(), client, newRefreshToken);
+        assertTrue(newTokens.has("refresh_token"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testRefreshTokenWithRotationIsDisabledAfter() throws Exception {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlag.getInstance(process.main)
+                .setLicenseKeyAndSyncFeatures(TotpLicenseTest.OPAQUE_KEY_WITH_MFA_FEATURE);
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.OAUTH});
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        JsonObject client = createClient(process.getProcess(), true);
+        JsonObject tokens = completeFlowAndGetTokens(process.getProcess(), client);
+
+        String refreshToken = tokens.get("refresh_token").getAsString();
+        JsonObject newTokens = refreshToken(process.getProcess(), client, refreshToken);
+        assertTrue(newTokens.has("refresh_token"));
+
+        String newRefreshToken = newTokens.get("refresh_token").getAsString();
+
+        updateClient(process.getProcess(), client, false);
+
+        newTokens = refreshToken(process.getProcess(), client, newRefreshToken);
+        assertFalse(newTokens.has("refresh_token"));
+
+        newTokens = refreshToken(process.getProcess(), client, newRefreshToken);
+        assertFalse(newTokens.has("refresh_token"));
+
+        newTokens = refreshToken(process.getProcess(), client, newRefreshToken);
+        assertFalse(newTokens.has("refresh_token"));
+
+        newTokens = refreshToken(process.getProcess(), client, newRefreshToken);
+        assertFalse(newTokens.has("refresh_token"));
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private static Map<String, String> splitQuery(URL url) throws UnsupportedEncodingException {
+        Map<String, String> queryPairs = new LinkedHashMap<>();
+        String query = url.getQuery();
+        String[] pairs = query.split("&");
+        for (String pair : pairs) {
+            int idx = pair.indexOf("=");
+            queryPairs.put(URLDecoder.decode(pair.substring(0, idx), "UTF-8"),
+                           URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
+        }
+        return queryPairs;
+    }
+}
diff --git a/src/test/java/io/supertokens/test/oauth/api/TestRevoke5_2.java b/src/test/java/io/supertokens/test/oauth/api/TestRevoke5_2.java
new file mode 100644
index 000000000..c0eece257
--- /dev/null
+++ b/src/test/java/io/supertokens/test/oauth/api/TestRevoke5_2.java
@@ -0,0 +1,497 @@
+package io.supertokens.test.oauth.api;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.emailpassword.EmailPassword;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
+import io.supertokens.session.Session;
+import io.supertokens.session.info.SessionInformationHolder;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URL;
+import java.net.URLDecoder;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+import static org.junit.Assert.*;
+
+public class TestRevoke5_2 {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+        OAuthAPIHelper.resetOAuthProvider();
+    }
+
+    @Test
+    public void testRevokeAccessToken() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+
+        AuthRecipeUserInfo user = EmailPassword.signUp(process.getProcess(), "test@example.com", "password123");
+        SessionInformationHolder session = Session.createNewSession(process.getProcess(), user.getSupertokensUserId(),
+                new JsonObject(), new JsonObject());
+
+        JsonObject tokenResponse = issueTokens(process.getProcess(), client, user.getSupertokensUserId(),
+                user.getSupertokensUserId(), session.session.handle);
+
+        String accessToken = tokenResponse.get("access_token").getAsString();
+
+        Thread.sleep(500);
+        JsonObject revokeResponse = revokeToken(process.getProcess(), null, accessToken);
+        assertEquals("OK", revokeResponse.get("status").getAsString());
+
+        Thread.sleep(500);
+        // test introspect access token
+        JsonObject introspectResponse = introspectToken(process.getProcess(),
+                tokenResponse.get("access_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertFalse(introspectResponse.get("active").getAsBoolean());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testRevokeRefreshToken() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+
+        AuthRecipeUserInfo user = EmailPassword.signUp(process.getProcess(), "test@example.com", "password123");
+        SessionInformationHolder session = Session.createNewSession(process.getProcess(), user.getSupertokensUserId(),
+                new JsonObject(), new JsonObject());
+
+        JsonObject tokenResponse = issueTokens(process.getProcess(), client, user.getSupertokensUserId(),
+                user.getSupertokensUserId(), session.session.handle);
+
+        String refreshToken = tokenResponse.get("refresh_token").getAsString();
+
+        Thread.sleep(500);
+        JsonObject revokeResponse = revokeToken(process.getProcess(), client, refreshToken);
+        assertEquals("OK", revokeResponse.get("status").getAsString());
+
+        Thread.sleep(500);
+
+        // test introspect refresh token
+        JsonObject introspectResponse = introspectToken(process.getProcess(), refreshToken);
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertFalse(introspectResponse.get("active").getAsBoolean());
+
+        // test introspect access token
+        introspectResponse = introspectToken(process.getProcess(), tokenResponse.get("access_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertFalse(introspectResponse.get("active").getAsBoolean());
+
+        // test refresh token
+        JsonObject refreshResponse = refreshToken(process.getProcess(), client, refreshToken);
+        assertEquals("OAUTH_ERROR", refreshResponse.get("status").getAsString());
+        assertEquals("token_inactive", refreshResponse.get("error").getAsString());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testRevokeClientId() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+
+        AuthRecipeUserInfo user = EmailPassword.signUp(process.getProcess(), "test@example.com", "password123");
+        SessionInformationHolder session = Session.createNewSession(process.getProcess(), user.getSupertokensUserId(),
+                new JsonObject(), new JsonObject());
+
+        JsonObject tokenResponse = issueTokens(process.getProcess(), client, user.getSupertokensUserId(),
+                user.getSupertokensUserId(), session.session.handle);
+
+        // revoke client id
+        JsonObject revokeClientIdResponse = revokeClientId(process.getProcess(), client);
+        assertEquals("OK", revokeClientIdResponse.get("status").getAsString());
+
+        Thread.sleep(1000);
+
+        // test introspect refresh token (should be revoked also - not allowed)
+        JsonObject introspectResponse = introspectToken(process.getProcess(),
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertFalse(introspectResponse.get("active").getAsBoolean());
+
+        // test introspect access token (not allowed)
+        introspectResponse = introspectToken(process.getProcess(), tokenResponse.get("access_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertFalse(introspectResponse.get("active").getAsBoolean());
+
+        // test refresh token (not allowed)
+        JsonObject refreshResponse = refreshToken(process.getProcess(), client,
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OAUTH_ERROR", refreshResponse.get("status").getAsString());
+
+        Thread.sleep(1000);
+
+        // issue new tokens
+        tokenResponse = issueTokens(process.getProcess(), client, user.getSupertokensUserId(),
+                user.getSupertokensUserId(), session.session.handle);
+
+        // test introspect refresh token (allowed)
+        introspectResponse = introspectToken(process.getProcess(),
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertTrue(introspectResponse.get("active").getAsBoolean());
+
+        // test introspect access token (allowed)
+        introspectResponse = introspectToken(process.getProcess(), tokenResponse.get("access_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertTrue(introspectResponse.get("active").getAsBoolean());
+
+        // test refresh token (allowed)
+        refreshResponse = refreshToken(process.getProcess(), client,
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OK", refreshResponse.get("status").getAsString());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject revokeClientId(Main process, JsonObject client) throws Exception {
+        JsonObject revokeClientIdRequestBody = new JsonObject();
+        revokeClientIdRequestBody.addProperty("client_id", client.get("clientId").getAsString());
+        return OAuthAPIHelper.revokeClientId(process, revokeClientIdRequestBody);
+    }
+
+    @Test
+    public void testRevokeSessionHandle() throws Exception {
+        String[] args = { "../" };
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        Utils.setValueInConfig("oauth_provider_public_service_url", "http://localhost:4444");
+        Utils.setValueInConfig("oauth_provider_admin_service_url", "http://localhost:4445");
+        Utils.setValueInConfig("oauth_provider_consent_login_base_url", "http://localhost:3001/auth");
+        Utils.setValueInConfig("oauth_client_secret_encryption_key", "secret");
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        FeatureFlagTestContent.getInstance(process.main)
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[] { EE_FEATURES.OAUTH });
+
+        JsonObject client = createClient(process.getProcess());
+
+        AuthRecipeUserInfo user = EmailPassword.signUp(process.getProcess(), "test@example.com", "password123");
+        SessionInformationHolder session = Session.createNewSession(process.getProcess(), user.getSupertokensUserId(),
+                new JsonObject(), new JsonObject());
+
+        JsonObject tokenResponse = issueTokens(process.getProcess(), client, user.getSupertokensUserId(),
+                user.getSupertokensUserId(), session.session.handle);
+
+        // revoke client id
+        JsonObject revokeSessionhandleResponse = revokeSessionHandle(process.getProcess(), session.session.handle);
+        System.out.println(revokeSessionhandleResponse.toString());
+        assertEquals("OK", revokeSessionhandleResponse.get("status").getAsString());
+
+        Thread.sleep(1000);
+
+        // test introspect refresh token (not allowed)
+        JsonObject introspectResponse = introspectToken(process.getProcess(),
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertFalse(introspectResponse.get("active").getAsBoolean());
+
+        // test introspect access token (not allowed)
+        introspectResponse = introspectToken(process.getProcess(), tokenResponse.get("access_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertFalse(introspectResponse.get("active").getAsBoolean());
+
+        // test refresh token (not allowed)
+        JsonObject refreshResponse = refreshToken(process.getProcess(), client,
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OAUTH_ERROR", refreshResponse.get("status").getAsString());
+        assertEquals("token_inactive", refreshResponse.get("error").getAsString());
+
+        Thread.sleep(1000);
+
+        // issue new tokens
+        tokenResponse = issueTokens(process.getProcess(), client, user.getSupertokensUserId(),
+                user.getSupertokensUserId(), session.session.handle);
+
+        // test introspect refresh token (allowed)
+        introspectResponse = introspectToken(process.getProcess(),
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertTrue(introspectResponse.get("active").getAsBoolean());
+
+        // test introspect access token (allowed)
+        introspectResponse = introspectToken(process.getProcess(), tokenResponse.get("access_token").getAsString());
+        assertEquals("OK", introspectResponse.get("status").getAsString());
+        assertTrue(introspectResponse.get("active").getAsBoolean());
+
+        // test refresh token (allowed)
+        refreshResponse = refreshToken(process.getProcess(), client,
+                tokenResponse.get("refresh_token").getAsString());
+        assertEquals("OK", refreshResponse.get("status").getAsString());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    private JsonObject revokeSessionHandle(Main process, String handle) throws Exception {
+        JsonObject revokeSessionHandleRequestBody = new JsonObject();
+        revokeSessionHandleRequestBody.addProperty("sessionHandle", handle);
+        return OAuthAPIHelper.revokeSessionHandle(process, revokeSessionHandleRequestBody);
+    }
+
+    private JsonObject refreshToken(Main main, JsonObject client, String refreshToken) throws Exception {
+        JsonObject inputBody = new JsonObject();
+        inputBody.addProperty("grant_type", "refresh_token");
+        inputBody.addProperty("refresh_token", refreshToken);
+        inputBody.addProperty("client_id", client.get("clientId").getAsString());
+        inputBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+
+        JsonObject tokenBody = new JsonObject();
+        tokenBody.add("inputBody", inputBody);
+        tokenBody.addProperty("iss", "http://localhost:3001/auth");
+        tokenBody.add("access_token", new JsonObject());
+        tokenBody.add("id_token", new JsonObject());
+        return OAuthAPIHelper.token(main, tokenBody);
+    }
+
+    private JsonObject introspectToken(Main main, String token) throws Exception {
+        JsonObject introspectRequestBody = new JsonObject();
+        introspectRequestBody.addProperty("token", token);
+        return OAuthAPIHelper.introspect(main, introspectRequestBody);
+    }
+
+    private JsonObject createClient(Main main) throws Exception {
+        JsonObject clientBody = new JsonObject();
+        JsonArray grantTypes = new JsonArray();
+        grantTypes.add(new JsonPrimitive("authorization_code"));
+        grantTypes.add(new JsonPrimitive("refresh_token"));
+        clientBody.add("grantTypes", grantTypes);
+        JsonArray responseTypes = new JsonArray();
+        responseTypes.add(new JsonPrimitive("code"));
+        responseTypes.add(new JsonPrimitive("id_token"));
+        clientBody.add("responseTypes", responseTypes);
+        JsonArray redirectUris = new JsonArray();
+        redirectUris.add(new JsonPrimitive("http://localhost.com:3000/auth/callback/supertokens"));
+        clientBody.add("redirectUris", redirectUris);
+        clientBody.addProperty("scope", "openid email offline_access");
+        clientBody.addProperty("tokenEndpointAuthMethod", "client_secret_post");
+
+        JsonObject client = OAuthAPIHelper.createClient(main, clientBody);
+        return client;
+    }
+
+    private JsonObject issueTokens(Main main, JsonObject client, String sub, String rsub, String sessionHandle)
+            throws Exception {
+        JsonObject authRequestBody = new JsonObject();
+        JsonObject params = new JsonObject();
+        params.addProperty("client_id", client.get("clientId").getAsString());
+        params.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        params.addProperty("response_type", "code");
+        params.addProperty("scope", "openid offline_access");
+        params.addProperty("state", "test12345678");
+
+        authRequestBody.add("params", params);
+
+        JsonObject authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+        String cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        String redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        URL url = new URL(redirectTo);
+        Map<String, String> queryParams = splitQuery(url);
+        String loginChallenge = queryParams.get("login_challenge");
+
+        Map<String, String> acceptLoginRequestParams = new HashMap<>();
+        acceptLoginRequestParams.put("loginChallenge", loginChallenge);
+
+        JsonObject acceptLoginRequestBody = new JsonObject();
+        acceptLoginRequestBody.addProperty("subject", sub);
+        acceptLoginRequestBody.addProperty("remember", true);
+        acceptLoginRequestBody.addProperty("rememberFor", 3600);
+        acceptLoginRequestBody.addProperty("identityProviderSessionId", sessionHandle);
+
+        JsonObject acceptLoginRequestResponse = OAuthAPIHelper.acceptLoginRequest(main, acceptLoginRequestParams,
+                acceptLoginRequestBody);
+
+        redirectTo = acceptLoginRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+        cookies = authResponse.get("cookies").getAsJsonArray().get(0).getAsString();
+        cookies = cookies.split(";")[0];
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String consentChallenge = queryParams.get("consent_challenge");
+
+        JsonObject acceptConsentRequestBody = new JsonObject();
+        acceptConsentRequestBody.addProperty("iss", "http://localhost:3001/auth");
+        acceptConsentRequestBody.addProperty("tId", "public");
+        acceptConsentRequestBody.addProperty("rsub", rsub);
+        acceptConsentRequestBody.addProperty("sessionHandle", sessionHandle);
+        acceptConsentRequestBody.add("initialAccessTokenPayload", new JsonObject());
+        acceptConsentRequestBody.add("initialIdTokenPayload", new JsonObject());
+        JsonArray grantScope = new JsonArray();
+        grantScope.add(new JsonPrimitive("openid"));
+        grantScope.add(new JsonPrimitive("offline_access"));
+        acceptConsentRequestBody.add("grantScope", grantScope);
+        JsonArray audience = new JsonArray();
+        acceptConsentRequestBody.add("grantAccessTokenAudience", audience);
+        JsonObject session = new JsonObject();
+        session.add("access_token", new JsonObject());
+        session.add("id_token", new JsonObject());
+        acceptConsentRequestBody.add("session", session);
+
+        queryParams = new HashMap<>();
+        queryParams.put("consentChallenge", consentChallenge);
+
+        JsonObject acceptConsentRequestResponse = OAuthAPIHelper.acceptConsentRequest(main, queryParams,
+                acceptConsentRequestBody);
+
+        redirectTo = acceptConsentRequestResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        params = new JsonObject();
+        for (Map.Entry<String, String> entry : queryParams.entrySet()) {
+            params.addProperty(entry.getKey(), entry.getValue());
+        }
+        authRequestBody.add("params", params);
+        authRequestBody.addProperty("cookies", cookies);
+
+        authResponse = OAuthAPIHelper.auth(main, authRequestBody);
+
+        redirectTo = authResponse.get("redirectTo").getAsString();
+        redirectTo = redirectTo.replace("{apiDomain}", "http://localhost:3001/auth");
+
+        url = new URL(redirectTo);
+        queryParams = splitQuery(url);
+
+        String authorizationCode = queryParams.get("code");
+
+        JsonObject tokenRequestBody = new JsonObject();
+        JsonObject inputBody = new JsonObject();
+        inputBody.addProperty("grant_type", "authorization_code");
+        inputBody.addProperty("code", authorizationCode);
+        inputBody.addProperty("redirect_uri", "http://localhost.com:3000/auth/callback/supertokens");
+        inputBody.addProperty("client_id", client.get("clientId").getAsString());
+        inputBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+        tokenRequestBody.add("inputBody", inputBody);
+        tokenRequestBody.addProperty("iss", "http://localhost:3001/auth");
+
+        JsonObject tokenResponse = OAuthAPIHelper.token(main, tokenRequestBody);
+        return tokenResponse;
+    }
+
+    private static Map<String, String> splitQuery(URL url) throws UnsupportedEncodingException {
+        Map<String, String> queryPairs = new LinkedHashMap<>();
+        String query = url.getQuery();
+        String[] pairs = query.split("&");
+        for (String pair : pairs) {
+            int idx = pair.indexOf("=");
+            queryPairs.put(URLDecoder.decode(pair.substring(0, idx), "UTF-8"),
+                    URLDecoder.decode(pair.substring(idx + 1), "UTF-8"));
+        }
+        return queryPairs;
+    }
+
+    private JsonObject revokeToken(Main main, JsonObject client, String token) throws Exception {
+        JsonObject revokeRequestBody = new JsonObject();
+        revokeRequestBody.addProperty("token", token);
+        if (client != null) {
+            revokeRequestBody.addProperty("client_id", client.get("clientId").getAsString());
+            revokeRequestBody.addProperty("client_secret", client.get("clientSecret").getAsString());
+        }
+        return OAuthAPIHelper.revoke(main, revokeRequestBody);
+    }
+}
diff --git a/src/test/java/io/supertokens/test/userIdMapping/UserIdMappingTest.java b/src/test/java/io/supertokens/test/userIdMapping/UserIdMappingTest.java
index 13868666e..1af8acb90 100644
--- a/src/test/java/io/supertokens/test/userIdMapping/UserIdMappingTest.java
+++ b/src/test/java/io/supertokens/test/userIdMapping/UserIdMappingTest.java
@@ -26,9 +26,11 @@
 import io.supertokens.pluginInterface.STORAGE_TYPE;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
 import io.supertokens.pluginInterface.bulkimport.BulkImportStorage;
+import io.supertokens.pluginInterface.jwt.JWTRecipeStorage;
 import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
 import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.nonAuthRecipe.NonAuthRecipeStorage;
+import io.supertokens.pluginInterface.oauth.OAuthStorage;
 import io.supertokens.pluginInterface.useridmapping.UserIdMappingStorage;
 import io.supertokens.pluginInterface.useridmapping.exception.UnknownSuperTokensUserIdException;
 import io.supertokens.pluginInterface.useridmapping.exception.UserIdMappingAlreadyExistsException;
@@ -800,9 +802,12 @@ public void checkThatCreateUserIdMappingHasAllNonAuthRecipeChecks() throws Excep
                 .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.MFA});
 
         // this list contains the package names for recipes which dont use UserIdMapping
-        ArrayList<String> nonAuthRecipesWhichDontNeedUserIdMapping = new ArrayList<>(
-                List.of("io.supertokens.pluginInterface.jwt.JWTRecipeStorage", ActiveUsersStorage.class.getName(),
-                BulkImportStorage.class.getName()));
+        List<String> nonAuthRecipesWhichDontNeedUserIdMapping = List.of(
+                JWTRecipeStorage.class.getName(),
+                ActiveUsersStorage.class.getName(),
+                OAuthStorage.class.getName(),
+                BulkImportStorage.class.getName()
+        );
 
         Reflections reflections = new Reflections("io.supertokens.pluginInterface");
         Set<Class<? extends NonAuthRecipeStorage>> classes = reflections.getSubTypesOf(NonAuthRecipeStorage.class);
@@ -882,8 +887,12 @@ public void checkThatDeleteUserIdMappingHasAllNonAuthRecipeChecks() throws Excep
             return;
         }
 
-        ArrayList<String> nonAuthRecipesWhichDontNeedUserIdMapping = new ArrayList<>(
-                List.of("io.supertokens.pluginInterface.jwt.JWTRecipeStorage", ActiveUsersStorage.class.getName(), BulkImportStorage.class.getName()));
+        List<String> nonAuthRecipesWhichDontNeedUserIdMapping = List.of(
+                JWTRecipeStorage.class.getName(),
+                ActiveUsersStorage.class.getName(),
+                OAuthStorage.class.getName(),
+                BulkImportStorage.class.getName()
+        );
         Reflections reflections = new Reflections("io.supertokens.pluginInterface");
         Set<Class<? extends NonAuthRecipeStorage>> classes = reflections.getSubTypesOf(NonAuthRecipeStorage.class);
         List<String> names = classes.stream().map(Class::getCanonicalName).collect(Collectors.toList());