In the Meeds OAuth2 Server, open Dynamic Client Registration (DCR) is allowed only for allowlisted redirect / Client ID Metadata Document (CIMD) origins. The public-client compatibility secret is deterministic and HMAC-based.
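The two properties above, shown as an added Python example; this is not Meeds code. The allowlist entries, the server key, the choice of HMAC-SHA256 over the `client_id`, and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional, Sequence
from urllib.parse import urlsplit

# Constructed sample values (assumptions, not Meeds configuration).
ALLOWED_ORIGINS = {"https://app.example.com", "http://localhost:8080"}
SERVER_KEY = b"constructed-demo-key-not-for-production"
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(uri: str) -> Optional[str]:
    """Return the normalized scheme://host[:port] origin, or None if unusable."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None  # userinfo and fragments have no place in a redirect URI
    host = parts.hostname.lower()
    if port is None or port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def registration_allowed(redirect_uris: Sequence[str]) -> bool:
    """Open DCR gate: every redirect URI must resolve to an allowlisted origin."""
    return bool(redirect_uris) and all(
        origin_of(u) in ALLOWED_ORIGINS for u in redirect_uris
    )


def compat_secret(client_id: str, key: bytes = SERVER_KEY) -> str:
    """Deterministic secret: recomputed on demand instead of stored per client."""
    return hmac.new(key, client_id.encode("utf-8"), hashlib.sha256).hexdigest()


def secret_matches(client_id: str, presented: str, key: bytes = SERVER_KEY) -> bool:
    """Compare a presented secret with the derived one in constant time."""
    expected = compat_secret(client_id, key).encode("utf-8")
    return hmac.compare_digest(expected, presented.encode("utf-8"))
```

Comparing parsed origins rather than string prefixes is what keeps lookalike hosts and userinfo tricks out of the allowlist. With a derived secret of this kind, the server key is the only real secret: anyone holding it can compute every client's value, and rotating it changes all of them at once.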