It appears that Auth0 only supports open Dynamic Client Registration, which means that there’s no way to control the creation of clients. The OIDC spec defines a method to restrict which clients can use DCR:
“The OpenID Provider MAY require an Initial Access Token that is provisioned out-of-band (in a manner that is out of scope for this specification) to restrict registration requests to only authorized Clients or developers.”
Is there any plan for Auth0 to support initial access tokens for DCR?