<!--IssueSummary start--> <details> <summary> Everyone can contribute. [Help move this issue forward](https://handbook.gitlab.com/handbook/marketing/developer-relations/contributor-success/community-contributors-workflows/#contributor-links) while earning points, leveling up and collecting rewards. </summary> - [Label this issue](https://contributors.gitlab.com/manage-issue?action=label&projectId=278964&issueIid=598071) </details> <!--IssueSummary end--> ### Release notes Admins can now search, filter, and bulk-delete OAuth applications from the Admin Area, making it manageable even when thousands of dynamic applications (e.g. created by MCP clients like AWS Kiro) exist on the instance. ### Problem to solve When AI coding assistants such as AWS Kiro use GitLab's dynamic OAuth application registration (RFC 7591), they create a new `[Unverified Dynamic Application]` OAuth application per user session or per authorization. On active instances this can result in thousands of OAuth applications being registered at the instance level. The Admin Area OAuth Applications page (`/admin/applications`) has no search or filtering capability and only basic Prev/Next pagination. With 6,000+ applications, the page becomes completely unusable — finding or managing a legitimate OAuth application can take hours. Related issues: - #561198 — Improve auditing and logging capabilities for MCP OAuth workflows ### Proposal Improve the Admin Area OAuth Applications page to handle large volumes of dynamic applications: 1. **Search** — free-text search by application name, redirect URI, or owner. 2. **Filtering** — filter by application type (e.g. dynamic/unverified vs. manually created), trusted status, and creation date range. 3. **Sorting** — sort by name, creation date, last used date. 4. **Bulk actions** — select multiple applications and bulk-delete or bulk-revoke tokens. 5. **Expiry / auto-cleanup** — optionally allow admins to configure an automatic expiry period for dynamic (unverified) OAuth applications that have not been used within N days. 6. **Rate limiting** — allow admins to set a per-user cap on the number of dynamic OAuth applications that can be active at one time, with older ones automatically revoked when the cap is exceeded. ### Intended users - **Instance administrators** on self-managed GitLab who need to audit and manage OAuth applications, especially after adopting AI coding tools (AWS Kiro, Claude Code, etc.) that use dynamic OAuth registration. ### Feature Usage Metrics - Number of OAuth applications visible on the admin page - Use of search/filter on the admin OAuth applications page - Number of bulk-delete actions performed - Number of dynamic OAuth applications auto-expired ### Does this feature require an audit event? Yes. Bulk deletion and auto-expiry of OAuth applications should each generate audit events (building on the work tracked in #8081).