-- Migration: make oauth_clients.server_id nullable so that a client can be
-- created through generic RFC 7591 Dynamic Client Registration, i.e. without
-- being bound to one specific MCP server at registration time.
--
-- Why relaxing the constraint is considered safe (the enforcing code lives
-- outside this file):
--   * /oauth/authorize still enforces the org-ownership check on every
--     authorization.
--   * The access-token `aud` claim is pinned to the resource declared at
--     /token, so a generic client cannot mint a token usable against a
--     server outside the user's org.
--
-- NOTE(review): after this change a NULL server_id denotes a generic client.
-- Confirm that every query and check reading server_id handles NULL
-- explicitly (IS NULL / IS NOT NULL). A plain `=` comparison never matches
-- NULL, and a NULL must not be treated as "matches any server".
-- NOTE(review): restoring the constraint later (SET NOT NULL) is expected to
-- fail once rows with a NULL server_id exist; a rollback would need a
-- backfill or cleanup step first.
ALTER TABLE oauth_clients
    ALTER COLUMN server_id DROP NOT NULL;