diff --git a/internal/bootstrap/handlers.go b/internal/bootstrap/handlers.go
index f37e523f..6f52fdbf 100644
--- a/internal/bootstrap/handlers.go
+++ b/internal/bootstrap/handlers.go
@@ -17,6 +17,7 @@ type handlerSet struct {
 	device        *handlers.DeviceHandler
 	token         *handlers.TokenHandler
 	client        *handlers.ClientHandler
+	userClient    *handlers.UserClientHandler
 	session       *handlers.SessionHandler
 	oauth         *handlers.OAuthHandler
 	audit         *handlers.AuditHandler
@@ -58,8 +59,9 @@ func initializeHandlers(deps handlerDeps) handlerSet {
 			deps.services.authorization,
 			deps.cfg,
 		),
-		client:  handlers.NewClientHandler(deps.services.client, deps.services.authorization),
-		session: handlers.NewSessionHandler(deps.services.token, deps.services.user),
+		client:     handlers.NewClientHandler(deps.services.client, deps.services.authorization),
+		userClient: handlers.NewUserClientHandler(deps.services.client),
+		session:    handlers.NewSessionHandler(deps.services.token, deps.services.user),
 		oauth: handlers.NewOAuthHandler(
 			deps.oauthProviders,
 			deps.services.user,
diff --git a/internal/bootstrap/router.go b/internal/bootstrap/router.go
index b472bbe2..50c19c06 100644
--- a/internal/bootstrap/router.go
+++ b/internal/bootstrap/router.go
@@ -172,9 +172,13 @@ func setupAllRoutes(
 		oauthProtected.POST("/authorize", h.authorization.HandleAuthorize)
 	}
 
+	// injectPendingCount adds the pending client count to context for admin users.
+	// Applied to all authenticated route groups so the navbar badge is visible site-wide.
+	injectPending := h.client.InjectPendingCount()
+
 	// Protected routes (require login)
 	protected := r.Group("")
-	protected.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware())
+	protected.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware(), injectPending)
 	{
 		protected.GET("/device", h.device.DevicePage)
 		protected.POST("/device/verify", rateLimiters.deviceVerify, h.device.DeviceVerify)
@@ -182,7 +186,7 @@ func setupAllRoutes(
 
 	// Account routes (require login)
 	account := r.Group("/account")
-	account.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware())
+	account.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware(), injectPending)
 	{
 		account.GET("/sessions", h.session.ListSessions)
 		account.POST("/sessions/:id/revoke", h.session.RevokeSession)
@@ -194,12 +198,27 @@ func setupAllRoutes(
 		account.POST("/authorizations/:uuid/revoke", h.authorization.RevokeAuthorization)
 	}
 
+	// User apps area (all authenticated users, not admin-only)
+	apps := r.Group("/apps")
+	apps.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware(), injectPending)
+	{
+		apps.GET("", h.userClient.ShowMyAppsPage)
+		apps.GET("/new", h.userClient.ShowCreateAppPage)
+		apps.POST("", h.userClient.CreateApp)
+		apps.GET("/:id", h.userClient.ShowAppPage)
+		apps.GET("/:id/edit", h.userClient.ShowEditAppPage)
+		apps.POST("/:id", h.userClient.UpdateApp)
+		apps.POST("/:id/delete", h.userClient.DeleteApp)
+		apps.GET("/:id/regenerate-secret", h.userClient.RegenerateAppSecret)
+	}
+
 	// Admin routes (require admin role)
 	admin := r.Group("/admin")
 	admin.Use(
 		middleware.RequireAuth(h.userService),
 		middleware.RequireAdmin(h.userService),
 		middleware.CSRFMiddleware(),
+		injectPending,
 	)
 	{
 		admin.GET("/clients", h.client.ShowClientsPage)
@@ -212,6 +231,8 @@ func setupAllRoutes(
 		admin.GET("/clients/:id/regenerate-secret", h.client.RegenerateSecret)
 		admin.POST("/clients/:id/revoke-all", h.client.RevokeAllTokens)
 		admin.GET("/clients/:id/authorizations", h.client.ListClientAuthorizations)
+		admin.POST("/clients/:id/approve", h.client.ApproveClient)
+		admin.POST("/clients/:id/reject", h.client.RejectClient)
 
 		// Audit log routes (HTML pages)
 		admin.GET("/audit", h.audit.ShowAuditLogsPage)
diff --git a/internal/handlers/audit.go b/internal/handlers/audit.go
index 8ae6aa3c..e6ca4662 100644
--- a/internal/handlers/audit.go
+++ b/internal/handlers/audit.go
@@ -95,7 +95,7 @@ func (h *AuditHandler) ShowAuditLogsPage(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AdminAuditLogs(templates.AuditLogsPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "audit"),
+		NavbarProps: buildNavbarProps(c, userModel, "audit"),
 		User:        userModel,
 		Logs:        toPointerSlice(logs),
 		Page:        pagination.CurrentPage,
diff --git a/internal/handlers/authorization.go b/internal/handlers/authorization.go
index 47966bbd..6b14b017 100644
--- a/internal/handlers/authorization.go
+++ b/internal/handlers/authorization.go
@@ -113,7 +113,7 @@ func (h *AuthorizationHandler) ShowAuthorizePage(c *gin.Context) {
 	// Render the consent page
 	templates.RenderTempl(c, http.StatusOK, templates.AuthorizePage(templates.AuthorizePageProps{
 		BaseProps:           templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps:         buildNavbarProps(user, ""),
+		NavbarProps:         buildNavbarProps(c, user, ""),
 		Username:            user.Username,
 		ClientID:            req.Client.ClientID,
 		ClientName:          req.Client.ClientName,
diff --git a/internal/handlers/client.go b/internal/handlers/client.go
index f2f654cd..bb604eb3 100644
--- a/internal/handlers/client.go
+++ b/internal/handlers/client.go
@@ -42,15 +42,33 @@ func parseRedirectURIs(input string) []string {
 	return redirectURIs
 }
 
+// InjectPendingCount is a middleware that queries the pending client count for
+// admin users and stores it in the gin context so buildNavbarProps can show the
+// badge on every page. Non-admin users are skipped to avoid unnecessary queries.
+func (h *ClientHandler) InjectPendingCount() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if u, exists := c.Get("user"); exists {
+			if user, ok := u.(*models.User); ok && user.IsAdmin() {
+				if count, err := h.clientService.CountPendingClients(); err == nil {
+					c.Set(ctxKeyPendingClientsCount, int(count))
+				}
+			}
+		}
+		c.Next()
+	}
+}
+
 // ShowClientsPage displays the list of all OAuth clients
 func (h *ClientHandler) ShowClientsPage(c *gin.Context) {
 	// Parse pagination parameters
 	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
 	pageSize, _ := strconv.Atoi(c.DefaultQuery("page_size", "10"))
 	search := c.Query("search")
+	statusFilter := c.Query("status")
 
-	// Create pagination params
+	// Create pagination params (with optional status filter)
 	params := store.NewPaginationParams(page, pageSize, search)
+	params.StatusFilter = statusFilter
 
 	// Get paginated clients with creator information
 	clients, pagination, err := h.clientService.ListClientsPaginatedWithCreator(params)
@@ -77,15 +95,18 @@ func (h *ClientHandler) ShowClientsPage(c *gin.Context) {
 	user, _ := c.Get("user")
 	userModel := user.(*models.User)
 
+	navbar := buildNavbarProps(c, userModel, "clients")
+
 	templates.RenderTempl(c, http.StatusOK, templates.AdminClients(templates.ClientsPageProps{
-		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "clients"),
-		User:        userModel,
-		Clients:     clients,
-		Pagination:  pagination,
-		Search:      search,
-		PageSize:    pageSize,
-		Success:     successMsg,
+		BaseProps:    templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+		NavbarProps:  navbar,
+		User:         userModel,
+		Clients:      clients,
+		Pagination:   pagination,
+		Search:       search,
+		PageSize:     pageSize,
+		Success:      successMsg,
+		StatusFilter: statusFilter,
 	}))
 }
 
@@ -96,7 +117,7 @@ func (h *ClientHandler) ShowCreateClientPage(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AdminClientForm(templates.ClientFormPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "clients"),
+		NavbarProps: buildNavbarProps(c, userModel, "clients"),
 		Title:       "Create OAuth Client",
 		Method:      http.MethodPost,
 		Action:      "/admin/clients",
@@ -119,6 +140,7 @@ func (h *ClientHandler) CreateClient(c *gin.Context) {
 		EnableDeviceFlow:            c.PostForm("enable_device_flow") == queryValueTrue,
 		EnableAuthCodeFlow:          c.PostForm("enable_auth_code_flow") == queryValueTrue,
 		EnableClientCredentialsFlow: c.PostForm("enable_client_credentials_flow") == queryValueTrue,
+		IsAdminCreated:              true, // admin-created clients are immediately active
 	}
 
 	resp, err := h.clientService.CreateClient(c.Request.Context(), req)
@@ -143,7 +165,7 @@ func (h *ClientHandler) CreateClient(c *gin.Context) {
 			http.StatusBadRequest,
 			templates.AdminClientForm(templates.ClientFormPageProps{
 				BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-				NavbarProps: buildNavbarProps(userModel, "clients"),
+				NavbarProps: buildNavbarProps(c, userModel, "clients"),
 				Client:      clientData,
 				Error:       err.Error(),
 				Title:       "Create OAuth Client",
@@ -173,6 +195,7 @@ func (h *ClientHandler) CreateClient(c *gin.Context) {
 		EnableAuthCodeFlow:          resp.EnableAuthCodeFlow,
 		EnableClientCredentialsFlow: resp.EnableClientCredentialsFlow,
 		IsActive:                    resp.IsActive,
+		Status:                      resp.Status,
 	}
 
 	templates.RenderTempl(
@@ -180,7 +203,7 @@ func (h *ClientHandler) CreateClient(c *gin.Context) {
 		http.StatusOK,
 		templates.AdminClientCreated(templates.ClientCreatedPageProps{
 			BaseProps:    templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:  buildNavbarProps(userModel, "clients"),
+			NavbarProps:  buildNavbarProps(c, userModel, "clients"),
 			Client:       clientDisplay,
 			ClientSecret: resp.ClientSecretPlain,
 		}),
@@ -220,7 +243,7 @@ func (h *ClientHandler) ShowEditClientPage(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AdminClientForm(templates.ClientFormPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "clients"),
+		NavbarProps: buildNavbarProps(c, userModel, "clients"),
 		Client:      clientDisplay,
 		Title:       "Edit OAuth Client",
 		Method:      http.MethodPost,
@@ -275,7 +298,7 @@ func (h *ClientHandler) UpdateClient(c *gin.Context) {
 			http.StatusBadRequest,
 			templates.AdminClientForm(templates.ClientFormPageProps{
 				BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-				NavbarProps: buildNavbarProps(userModel, "clients"),
+				NavbarProps: buildNavbarProps(c, userModel, "clients"),
 				Client:      clientDisplay,
 				Error:       err.Error(),
 				Title:       "Edit OAuth Client",
@@ -340,7 +363,7 @@ func (h *ClientHandler) RegenerateSecret(c *gin.Context) {
 		http.StatusOK,
 		templates.AdminClientSecret(templates.ClientSecretPageProps{
 			BaseProps:    templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:  buildNavbarProps(userModel, "clients"),
+			NavbarProps:  buildNavbarProps(c, userModel, "clients"),
 			Client:       client,
 			ClientSecret: newSecret,
 		}),
@@ -369,6 +392,10 @@ func (h *ClientHandler) ViewClient(c *gin.Context) {
 		successMsg = "All active tokens have been revoked. Users will need to re-authenticate."
 	case "updated":
 		successMsg = "Client updated successfully."
+	case "approved":
+		successMsg = "Client approved. It is now active and can be used for OAuth flows."
+	case "rejected":
+		successMsg = "Client rejected. It has been set to inactive."
 	}
 
 	templates.RenderTempl(
@@ -376,7 +403,7 @@ func (h *ClientHandler) ViewClient(c *gin.Context) {
 		http.StatusOK,
 		templates.AdminClientDetail(templates.ClientDetailPageProps{
 			BaseProps:        templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:      buildNavbarProps(userModel, "clients"),
+			NavbarProps:      buildNavbarProps(c, userModel, "clients"),
 			Client:           client,
 			ActiveTokenCount: activeTokenCount,
 			Success:          successMsg,
@@ -384,6 +411,40 @@ func (h *ClientHandler) ViewClient(c *gin.Context) {
 	)
 }
 
+// ApproveClient sets a pending client's status to active.
+func (h *ClientHandler) ApproveClient(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+
+	if err := h.clientService.ApproveClient(
+		c.Request.Context(),
+		clientID,
+		userID.(string),
+	); err != nil {
+		renderErrorPage(c, http.StatusInternalServerError, "Failed to approve client: "+err.Error())
+		return
+	}
+
+	c.Redirect(http.StatusFound, "/admin/clients/"+clientID+"?success=approved")
+}
+
+// RejectClient sets a pending client's status to inactive.
+func (h *ClientHandler) RejectClient(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+
+	if err := h.clientService.RejectClient(
+		c.Request.Context(),
+		clientID,
+		userID.(string),
+	); err != nil {
+		renderErrorPage(c, http.StatusInternalServerError, "Failed to reject client: "+err.Error())
+		return
+	}
+
+	c.Redirect(http.StatusFound, "/admin/clients/"+clientID+"?success=rejected")
+}
+
 // ListClientAuthorizations shows all users who have granted access to this client (admin overview).
 func (h *ClientHandler) ListClientAuthorizations(c *gin.Context) {
 	clientID := c.Param("id")
@@ -424,7 +485,7 @@ func (h *ClientHandler) ListClientAuthorizations(c *gin.Context) {
 		http.StatusOK,
 		templates.AdminClientAuthorizations(templates.ClientAuthorizationsPageProps{
 			BaseProps:      templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:    buildNavbarProps(userModel, "clients"),
+			NavbarProps:    buildNavbarProps(c, userModel, "clients"),
 			Client:         client,
 			Authorizations: displayAuths,
 		}),
@@ -452,7 +513,7 @@ func (h *ClientHandler) RevokeAllTokens(c *gin.Context) {
 			http.StatusInternalServerError,
 			templates.AdminClientDetail(templates.ClientDetailPageProps{
 				BaseProps:        templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-				NavbarProps:      buildNavbarProps(userModel, "clients"),
+				NavbarProps:      buildNavbarProps(c, userModel, "clients"),
 				Client:           client,
 				ActiveTokenCount: activeTokenCount,
 				Error:            "Failed to revoke tokens: " + err.Error(),
diff --git a/internal/handlers/session.go b/internal/handlers/session.go
index 1d7788f9..aef814a4 100644
--- a/internal/handlers/session.go
+++ b/internal/handlers/session.go
@@ -59,7 +59,7 @@ func (h *SessionHandler) ListSessions(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AccountSessions(templates.SessionsPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(user, "sessions"),
+		NavbarProps: buildNavbarProps(c, user, "sessions"),
 		Sessions:    tokens,
 		Pagination:  pagination,
 		Search:      search,
diff --git a/internal/handlers/user_client.go b/internal/handlers/user_client.go
new file mode 100644
index 00000000..3f8362f0
--- /dev/null
+++ b/internal/handlers/user_client.go
@@ -0,0 +1,372 @@
+package handlers
+
+import (
+	"errors"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/go-authgate/authgate/internal/middleware"
+	"github.com/go-authgate/authgate/internal/models"
+	"github.com/go-authgate/authgate/internal/services"
+	"github.com/go-authgate/authgate/internal/store"
+	"github.com/go-authgate/authgate/internal/templates"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UserClientHandler handles the /apps area for authenticated (non-admin) users
+// to register and manage their own OAuth applications.
+type UserClientHandler struct {
+	clientService *services.ClientService
+}
+
+func NewUserClientHandler(cs *services.ClientService) *UserClientHandler {
+	return &UserClientHandler{clientService: cs}
+}
+
+// ShowMyAppsPage lists all OAuth applications owned by the logged-in user.
+func (h *UserClientHandler) ShowMyAppsPage(c *gin.Context) {
+	userID, _ := c.Get("user_id")
+	user, _ := c.Get("user")
+	userModel := user.(*models.User)
+
+	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	pageSize, _ := strconv.Atoi(c.DefaultQuery("page_size", "10"))
+	search := c.Query("search")
+
+	params := store.NewPaginationParams(page, pageSize, search)
+	apps, pagination, err := h.clientService.ListClientsByUser(userID.(string), params)
+	if err != nil {
+		renderErrorPage(c, http.StatusInternalServerError, "Failed to load apps: "+err.Error())
+		return
+	}
+
+	templates.RenderTempl(c, http.StatusOK, templates.MyApps(templates.MyAppsPageProps{
+		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+		NavbarProps: buildNavbarProps(c, userModel, "my-apps"),
+		Apps:        apps,
+		Pagination:  pagination,
+		PageSize:    pageSize,
+		Search:      search,
+	}))
+}
+
+// ShowCreateAppPage displays the form to register a new application.
+func (h *UserClientHandler) ShowCreateAppPage(c *gin.Context) {
+	user, _ := c.Get("user")
+	userModel := user.(*models.User)
+
+	templates.RenderTempl(c, http.StatusOK, templates.UserAppForm(templates.UserClientFormPageProps{
+		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+		NavbarProps: buildNavbarProps(c, userModel, "my-apps"),
+		Title:       "Register New App",
+		Method:      http.MethodPost,
+		Action:      "/apps",
+		IsEdit:      false,
+	}))
+}
+
+// CreateApp handles POST /apps to register a new OAuth client.
+func (h *UserClientHandler) CreateApp(c *gin.Context) {
+	userID, _ := c.Get("user_id")
+	user, _ := c.Get("user")
+	userModel := user.(*models.User)
+
+	req := services.CreateClientRequest{
+		ClientName:         c.PostForm("client_name"),
+		Description:        c.PostForm("description"),
+		UserID:             userID.(string),
+		Scopes:             c.PostForm("scopes"),
+		RedirectURIs:       parseRedirectURIs(c.PostForm("redirect_uris")),
+		CreatedBy:          userID.(string),
+		ClientType:         c.PostForm("client_type"),
+		EnableDeviceFlow:   c.PostForm("enable_device_flow") == queryValueTrue,
+		EnableAuthCodeFlow: c.PostForm("enable_auth_code_flow") == queryValueTrue,
+		IsAdminCreated:     false, // user-created: starts as pending
+	}
+
+	// Validate scopes before calling service to give a user-friendly error
+	if req.Scopes != "" {
+		for scope := range strings.FieldsSeq(req.Scopes) {
+			switch scope {
+			case "email", "profile", "openid", "offline_access":
+				// ok
+			default:
+				renderUserAppForm(
+					c,
+					userModel,
+					nil,
+					"/apps",
+					false,
+					"Invalid scope: "+scope+". Allowed scopes are: email, profile, openid, offline_access",
+				)
+				return
+			}
+		}
+	}
+
+	resp, err := h.clientService.CreateClient(c.Request.Context(), req)
+	if err != nil {
+		clientData := &templates.ClientDisplay{
+			ClientName:         req.ClientName,
+			Description:        req.Description,
+			Scopes:             req.Scopes,
+			RedirectURIs:       strings.Join(req.RedirectURIs, ", "),
+			ClientType:         req.ClientType,
+			EnableDeviceFlow:   req.EnableDeviceFlow,
+			EnableAuthCodeFlow: req.EnableAuthCodeFlow,
+		}
+		renderUserAppForm(c, userModel, clientData, "/apps", false, err.Error())
+		return
+	}
+
+	clientDisplay := appToDisplay(resp.OAuthApplication)
+
+	templates.RenderTempl(
+		c,
+		http.StatusOK,
+		templates.UserAppCreated(templates.UserClientCreatedPageProps{
+			BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+			NavbarProps: buildNavbarProps(c, userModel, "my-apps"),
+			Client:      clientDisplay,
+			PlainSecret: resp.ClientSecretPlain,
+		}),
+	)
+}
+
+// ShowAppPage displays details for a user-owned app.
+func (h *UserClientHandler) ShowAppPage(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+	user, _ := c.Get("user")
+	userModel := user.(*models.User)
+
+	client, err := h.clientService.GetClient(clientID)
+	if err != nil {
+		renderErrorPage(c, http.StatusNotFound, "App not found")
+		return
+	}
+
+	if client.UserID != userID.(string) {
+		renderErrorPage(c, http.StatusForbidden, "You do not have access to this app")
+		return
+	}
+
+	activeTokens, _ := h.clientService.CountActiveTokens(clientID)
+
+	successMsg := ""
+	if c.Query("success") == "updated" {
+		successMsg = "App updated successfully."
+	}
+
+	templates.RenderTempl(
+		c,
+		http.StatusOK,
+		templates.UserAppDetail(templates.UserClientDetailPageProps{
+			BaseProps:    templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+			NavbarProps:  buildNavbarProps(c, userModel, "my-apps"),
+			Client:       appToDisplay(client),
+			ActiveTokens: activeTokens,
+			Success:      successMsg,
+		}),
+	)
+}
+
+// ShowEditAppPage displays the edit form for a user-owned app.
+func (h *UserClientHandler) ShowEditAppPage(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+	user, _ := c.Get("user")
+	userModel := user.(*models.User)
+
+	client, err := h.clientService.GetClient(clientID)
+	if err != nil {
+		renderErrorPage(c, http.StatusNotFound, "App not found")
+		return
+	}
+
+	if client.UserID != userID.(string) {
+		renderErrorPage(c, http.StatusForbidden, "You do not have access to this app")
+		return
+	}
+
+	action := "/apps/" + clientID
+	templates.RenderTempl(c, http.StatusOK, templates.UserAppForm(templates.UserClientFormPageProps{
+		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+		NavbarProps: buildNavbarProps(c, userModel, "my-apps"),
+		Title:       "Edit App",
+		Method:      http.MethodPost,
+		Action:      action,
+		IsEdit:      true,
+		Client:      appToDisplay(client),
+	}))
+}
+
+// UpdateApp handles POST /apps/:id to update a user-owned app.
+func (h *UserClientHandler) UpdateApp(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+	user, _ := c.Get("user")
+	userModel := user.(*models.User)
+
+	req := services.UserUpdateClientRequest{
+		ClientName:         c.PostForm("client_name"),
+		Description:        c.PostForm("description"),
+		Scopes:             c.PostForm("scopes"),
+		RedirectURIs:       parseRedirectURIs(c.PostForm("redirect_uris")),
+		ClientType:         c.PostForm("client_type"),
+		EnableDeviceFlow:   c.PostForm("enable_device_flow") == queryValueTrue,
+		EnableAuthCodeFlow: c.PostForm("enable_auth_code_flow") == queryValueTrue,
+	}
+
+	err := h.clientService.UserUpdateClient(c.Request.Context(), clientID, userID.(string), req)
+	if err != nil {
+		if errors.Is(err, services.ErrClientOwnershipRequired) {
+			renderErrorPage(c, http.StatusForbidden, err.Error())
+			return
+		}
+
+		client, _ := h.clientService.GetClient(clientID)
+		clientData := &templates.ClientDisplay{
+			ClientName:         req.ClientName,
+			Description:        req.Description,
+			Scopes:             req.Scopes,
+			RedirectURIs:       strings.Join(req.RedirectURIs, ", "),
+			ClientType:         req.ClientType,
+			EnableDeviceFlow:   req.EnableDeviceFlow,
+			EnableAuthCodeFlow: req.EnableAuthCodeFlow,
+		}
+		if client != nil {
+			clientData.ID = client.ID
+			clientData.ClientID = client.ClientID
+			clientData.Status = client.Status
+		}
+		renderUserAppForm(c, userModel, clientData, "/apps/"+clientID, true, err.Error())
+		return
+	}
+
+	c.Redirect(http.StatusFound, "/apps/"+clientID+"?success=updated")
+}
+
+// DeleteApp handles POST /apps/:id/delete to remove a pending or inactive user-owned app.
+func (h *UserClientHandler) DeleteApp(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+
+	err := h.clientService.UserDeleteClient(c.Request.Context(), clientID, userID.(string))
+	if err != nil {
+		if errors.Is(err, services.ErrClientOwnershipRequired) {
+			renderErrorPage(c, http.StatusForbidden, err.Error())
+			return
+		}
+		if errors.Is(err, services.ErrCannotDeleteActiveClient) {
+			renderErrorPage(c, http.StatusBadRequest, err.Error())
+			return
+		}
+		renderErrorPage(c, http.StatusInternalServerError, "Failed to delete app: "+err.Error())
+		return
+	}
+
+	c.Redirect(http.StatusFound, "/apps")
+}
+
+// RegenerateAppSecret handles GET /apps/:id/regenerate-secret.
+func (h *UserClientHandler) RegenerateAppSecret(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+	user, _ := c.Get("user")
+	userModel := user.(*models.User)
+
+	// Ownership check
+	client, err := h.clientService.GetClient(clientID)
+	if err != nil {
+		renderErrorPage(c, http.StatusNotFound, "App not found")
+		return
+	}
+	if client.UserID != userID.(string) {
+		renderErrorPage(c, http.StatusForbidden, "You do not have access to this app")
+		return
+	}
+
+	newSecret, err := h.clientService.RegenerateSecret(
+		c.Request.Context(),
+		clientID,
+		userID.(string),
+	)
+	if err != nil {
+		renderErrorPage(
+			c,
+			http.StatusInternalServerError,
+			"Failed to regenerate secret: "+err.Error(),
+		)
+		return
+	}
+
+	refreshed, _ := h.clientService.GetClient(clientID)
+	display := appToDisplay(refreshed)
+
+	templates.RenderTempl(
+		c,
+		http.StatusOK,
+		templates.UserAppCreated(templates.UserClientCreatedPageProps{
+			BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+			NavbarProps: buildNavbarProps(c, userModel, "my-apps"),
+			Client:      display,
+			PlainSecret: newSecret,
+		}),
+	)
+}
+
+// appToDisplay converts an OAuthApplication to a ClientDisplay for user templates.
+func appToDisplay(app *models.OAuthApplication) *templates.ClientDisplay {
+	if app == nil {
+		return nil
+	}
+	return &templates.ClientDisplay{
+		ID:                          app.ID,
+		ClientID:                    app.ClientID,
+		ClientName:                  app.ClientName,
+		Description:                 app.Description,
+		UserID:                      app.UserID,
+		Scopes:                      app.Scopes,
+		GrantTypes:                  app.GrantTypes,
+		RedirectURIs:                app.RedirectURIs.Join(", "),
+		ClientType:                  app.ClientType,
+		EnableDeviceFlow:            app.EnableDeviceFlow,
+		EnableAuthCodeFlow:          app.EnableAuthCodeFlow,
+		EnableClientCredentialsFlow: app.EnableClientCredentialsFlow,
+		IsActive:                    app.IsActive,
+		Status:                      app.Status,
+		CreatedAt:                   app.CreatedAt,
+		UpdatedAt:                   app.UpdatedAt,
+	}
+}
+
+func renderUserAppForm(
+	c *gin.Context,
+	user *models.User,
+	client *templates.ClientDisplay,
+	action string,
+	isEdit bool,
+	errMsg string,
+) {
+	title := "Register New App"
+	if isEdit {
+		title = "Edit App"
+	}
+	templates.RenderTempl(
+		c,
+		http.StatusBadRequest,
+		templates.UserAppForm(templates.UserClientFormPageProps{
+			BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+			NavbarProps: buildNavbarProps(c, user, "my-apps"),
+			Title:       title,
+			Method:      http.MethodPost,
+			Action:      action,
+			IsEdit:      isEdit,
+			Client:      client,
+			Error:       errMsg,
+		}),
+	)
+}
diff --git a/internal/handlers/utils.go b/internal/handlers/utils.go
index ac771abf..30ef8b78 100644
--- a/internal/handlers/utils.go
+++ b/internal/handlers/utils.go
@@ -7,13 +7,24 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
+const ctxKeyPendingClientsCount = "pending_clients_count"
+
 // buildNavbarProps creates NavbarProps from a user model and active link identifier.
-func buildNavbarProps(user *models.User, activeLink string) templates.NavbarProps {
+// If the gin context contains a pending_clients_count value (set by InjectPendingCount
+// middleware), it is included in the navbar badge for admin users.
+func buildNavbarProps(c *gin.Context, user *models.User, activeLink string) templates.NavbarProps {
+	pendingCount := 0
+	if v, exists := c.Get(ctxKeyPendingClientsCount); exists {
+		if count, ok := v.(int); ok {
+			pendingCount = count
+		}
+	}
 	return templates.NavbarProps{
-		Username:   user.Username,
-		FullName:   user.FullName,
-		IsAdmin:    user.IsAdmin(),
-		ActiveLink: activeLink,
+		Username:            user.Username,
+		FullName:            user.FullName,
+		IsAdmin:             user.IsAdmin(),
+		ActiveLink:          activeLink,
+		PendingClientsCount: pendingCount,
 	}
 }
 
diff --git a/internal/models/audit_log.go b/internal/models/audit_log.go
index 64e5e1b3..9abca8e2 100644
--- a/internal/models/audit_log.go
+++ b/internal/models/audit_log.go
@@ -48,6 +48,10 @@ const (
 	EventUserAuthorizationRevoked   EventType = "USER_AUTHORIZATION_REVOKED"
 	EventClientTokensRevokedAll     EventType = "CLIENT_TOKENS_REVOKED_ALL" //nolint:gosec // G101: false positive, this is a const string describing an event type, not a credential
 
+	// Client approval events (user self-service workflow)
+	EventClientApproved EventType = "CLIENT_APPROVED"
+	EventClientRejected EventType = "CLIENT_REJECTED"
+
 	// Client Credentials Flow events (RFC 6749 §4.4)
 	EventClientCredentialsTokenIssued EventType = "CLIENT_CREDENTIALS_TOKEN_ISSUED" //nolint:gosec // G101: false positive
 
diff --git a/internal/models/oauth_application.go b/internal/models/oauth_application.go
index 07e17e38..978f65a1 100644
--- a/internal/models/oauth_application.go
+++ b/internal/models/oauth_application.go
@@ -14,6 +14,13 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
+// ClientStatus constants define the approval lifecycle of an OAuth client.
+const (
+	ClientStatusPending  = "pending"  // Awaiting admin approval
+	ClientStatusActive   = "active"   // Admin approved / admin-created
+	ClientStatusInactive = "inactive" // Admin rejected or disabled
+)
+
 // Base32 characters, but lowercased.
 const lowerBase32Chars = "abcdefghijklmnopqrstuvwxyz234567"
 
@@ -35,6 +42,7 @@ type OAuthApplication struct {
 	EnableAuthCodeFlow          bool        `gorm:"not null;default:false"`
 	EnableClientCredentialsFlow bool        `gorm:"not null;default:false"` // Client Credentials Grant (RFC 6749 §4.4); confidential clients only
 	IsActive                    bool        `gorm:"not null;default:true"`
+	Status                      string      `gorm:"not null;default:'active'"` // ClientStatusPending / ClientStatusActive / ClientStatusInactive
 	CreatedBy                   string
 	CreatedAt                   time.Time
 	UpdatedAt                   time.Time
diff --git a/internal/services/client.go b/internal/services/client.go
index 34ecfb50..b5840cb1 100644
--- a/internal/services/client.go
+++ b/internal/services/client.go
@@ -19,6 +19,29 @@ const (
 	ClientTypePublic       = "public"
 )
 
+// buildGrantTypes derives the GrantTypes string from per-flow enable flags.
+func buildGrantTypes(enableDevice, enableAuthCode, enableClientCredentials bool) string {
+	var grants []string
+	if enableDevice {
+		grants = append(grants, "device_code")
+	}
+	if enableAuthCode {
+		grants = append(grants, "authorization_code")
+	}
+	if enableClientCredentials {
+		grants = append(grants, "client_credentials")
+	}
+	return strings.Join(grants, " ")
+}
+
+// allowedUserScopes are the scopes that non-admin users may request.
+var allowedUserScopes = map[string]bool{
+	"email":          true,
+	"profile":        true,
+	"openid":         true,
+	"offline_access": true,
+}
+
 var (
 	ErrClientNotFound      = errors.New("client not found")
 	ErrInvalidClientData   = errors.New("invalid client data")
@@ -26,7 +49,10 @@ var (
 	ErrRedirectURIRequired = errors.New(
 		"at least one redirect URI is required when Authorization Code Flow is enabled",
 	)
-	ErrAtLeastOneGrantRequired = errors.New("at least one grant type must be enabled")
+	ErrAtLeastOneGrantRequired  = errors.New("at least one grant type must be enabled")
+	ErrClientOwnershipRequired  = errors.New("you do not own this client")
+	ErrCannotDeleteActiveClient = errors.New("cannot delete an active client")
+	ErrInvalidScopeForUser      = errors.New("scope not allowed for user-created clients")
 )
 
 // validateRedirectURIs checks that every URI in the slice is an absolute http/https
@@ -76,6 +102,18 @@ type CreateClientRequest struct {
 	EnableDeviceFlow            bool   // Enable Device Authorization Grant (RFC 8628)
 	EnableAuthCodeFlow          bool   // Enable Authorization Code Flow (RFC 6749)
 	EnableClientCredentialsFlow bool   // Enable Client Credentials Grant (RFC 6749 §4.4); confidential clients only
+	IsAdminCreated              bool   // When true: Status=active, IsActive=true; when false: Status=pending, IsActive=false
+}
+
+// UserUpdateClientRequest contains the restricted set of fields a non-admin user may update on their own client.
+type UserUpdateClientRequest struct {
+	ClientName         string
+	Description        string
+	Scopes             string // validated against allowedUserScopes
+	RedirectURIs       []string
+	ClientType         string
+	EnableDeviceFlow   bool
+	EnableAuthCodeFlow bool
 }
 
 type UpdateClientRequest struct {
@@ -144,17 +182,16 @@ func (s *ClientService) CreateClient(
 	}
 
 	// Derive GrantTypes string from the enabled flows
-	var grants []string
-	if enableDevice {
-		grants = append(grants, "device_code")
-	}
-	if enableAuthCode {
-		grants = append(grants, "authorization_code")
-	}
-	if enableClientCredentials {
-		grants = append(grants, "client_credentials")
+	grantTypes := buildGrantTypes(enableDevice, enableAuthCode, enableClientCredentials)
+
+	// Determine approval status based on creator role.
+	// Admin-created clients are immediately active; user-created clients require approval.
+	clientStatus := models.ClientStatusPending
+	isActive := false
+	if req.IsAdminCreated {
+		clientStatus = models.ClientStatusActive
+		isActive = true
 	}
-	grantTypes := strings.Join(grants, " ")
 
 	client := &models.OAuthApplication{
 		ClientID:                    clientID,
@@ -168,7 +205,8 @@ func (s *ClientService) CreateClient(
 		EnableDeviceFlow:            enableDevice,
 		EnableAuthCodeFlow:          enableAuthCode,
 		EnableClientCredentialsFlow: enableClientCredentials,
-		IsActive:                    true,
+		IsActive:                    isActive,
+		Status:                      clientStatus,
 		CreatedBy:                   req.CreatedBy,
 	}
 
@@ -182,6 +220,16 @@ func (s *ClientService) CreateClient(
 		return nil, err
 	}
 
+	// GORM treats false as the zero value for bool and ignores it during CREATE when
+	// the column has a `default:true` tag.  For pending (user-created) clients we must
+	// perform an explicit UPDATE to ensure IsActive is persisted as false.
+	if !isActive {
+		client.IsActive = false
+		if err := s.store.UpdateClient(client); err != nil {
+			return nil, err
+		}
+	}
+
 	// Log client creation
 	if s.auditService != nil {
 		s.auditService.Log(ctx, AuditLogEntry{
@@ -253,17 +301,11 @@ func (s *ClientService) UpdateClient(
 	client.EnableDeviceFlow = req.EnableDeviceFlow
 	client.EnableAuthCodeFlow = req.EnableAuthCodeFlow
 	client.EnableClientCredentialsFlow = enableClientCredentials
-	var grants []string
-	if req.EnableDeviceFlow {
-		grants = append(grants, "device_code")
-	}
-	if req.EnableAuthCodeFlow {
-		grants = append(grants, "authorization_code")
-	}
-	if enableClientCredentials {
-		grants = append(grants, "client_credentials")
-	}
-	client.GrantTypes = strings.Join(grants, " ")
+	client.GrantTypes = buildGrantTypes(
+		req.EnableDeviceFlow,
+		req.EnableAuthCodeFlow,
+		enableClientCredentials,
+	)
 
 	err = s.store.UpdateClient(client)
 	if err != nil {
@@ -454,3 +496,218 @@ func (s *ClientService) VerifyClientSecret(clientID, clientSecret string) error
 func (s *ClientService) CountActiveTokens(clientID string) (int64, error) {
 	return s.store.CountActiveTokensByClientID(clientID)
 }
+
+// CountPendingClients returns the number of clients awaiting admin approval.
+func (s *ClientService) CountPendingClients() (int64, error) {
+	return s.store.CountClientsByStatus(models.ClientStatusPending)
+}
+
+// ListClientsByUser returns paginated OAuth clients owned by the given user.
+func (s *ClientService) ListClientsByUser(
+	userID string,
+	params store.PaginationParams,
+) ([]models.OAuthApplication, store.PaginationResult, error) {
+	return s.store.ListClientsByUserID(userID, params)
+}
+
+// validateUserScopes checks that all requested scopes are in the allowed set for user-created clients.
+func validateUserScopes(scopes string) error {
+	for scope := range strings.FieldsSeq(scopes) {
+		if !allowedUserScopes[scope] {
+			return fmt.Errorf("%w: %q", ErrInvalidScopeForUser, scope)
+		}
+	}
+	return nil
+}
+
+// UserUpdateClient updates a client owned by actorUserID with the restricted field set.
+// Ownership is enforced; the approval Status is never changed by this method.
+func (s *ClientService) UserUpdateClient(
+	ctx context.Context,
+	clientID, actorUserID string,
+	req UserUpdateClientRequest,
+) error {
+	if strings.TrimSpace(req.ClientName) == "" {
+		return ErrClientNameRequired
+	}
+
+	if !req.EnableDeviceFlow && !req.EnableAuthCodeFlow {
+		return ErrAtLeastOneGrantRequired
+	}
+
+	if req.EnableAuthCodeFlow && len(req.RedirectURIs) == 0 {
+		return ErrRedirectURIRequired
+	}
+
+	if err := validateRedirectURIs(req.RedirectURIs); err != nil {
+		return err
+	}
+
+	if err := validateUserScopes(req.Scopes); err != nil {
+		return err
+	}
+
+	client, err := s.store.GetClient(clientID)
+	if err != nil {
+		return ErrClientNotFound
+	}
+
+	if client.UserID != actorUserID {
+		return ErrClientOwnershipRequired
+	}
+
+	client.ClientName = strings.TrimSpace(req.ClientName)
+	client.Description = strings.TrimSpace(req.Description)
+	client.Scopes = strings.TrimSpace(req.Scopes)
+	client.RedirectURIs = models.StringArray(req.RedirectURIs)
+
+	if req.ClientType == ClientTypePublic {
+		client.ClientType = ClientTypePublic
+	} else {
+		client.ClientType = ClientTypeConfidential
+	}
+
+	client.EnableDeviceFlow = req.EnableDeviceFlow
+	client.EnableAuthCodeFlow = req.EnableAuthCodeFlow
+	// User-created clients cannot enable client credentials flow.
+	client.EnableClientCredentialsFlow = false
+	client.GrantTypes = buildGrantTypes(req.EnableDeviceFlow, req.EnableAuthCodeFlow, false)
+
+	if err := s.store.UpdateClient(client); err != nil {
+		return err
+	}
+
+	if s.auditService != nil {
+		s.auditService.Log(ctx, AuditLogEntry{
+			EventType:    models.EventClientUpdated,
+			Severity:     models.SeverityInfo,
+			ActorUserID:  actorUserID,
+			ResourceType: models.ResourceClient,
+			ResourceID:   clientID,
+			ResourceName: client.ClientName,
+			Action:       "OAuth client updated by owner",
+			Details: models.AuditDetails{
+				"client_name": client.ClientName,
+				"grant_types": client.GrantTypes,
+				"scopes":      client.Scopes,
+			},
+			Success: true,
+		})
+	}
+
+	return nil
+}
+
+// UserDeleteClient deletes a client owned by actorUserID.
+// Deletion is blocked for clients with Status=active (must be rejected first).
+func (s *ClientService) UserDeleteClient(
+	ctx context.Context,
+	clientID, actorUserID string,
+) error {
+	client, err := s.store.GetClient(clientID)
+	if err != nil {
+		return ErrClientNotFound
+	}
+
+	if client.UserID != actorUserID {
+		return ErrClientOwnershipRequired
+	}
+
+	if client.Status == models.ClientStatusActive {
+		return ErrCannotDeleteActiveClient
+	}
+
+	if err := s.store.DeleteClient(clientID); err != nil {
+		return err
+	}
+
+	if s.auditService != nil {
+		s.auditService.Log(ctx, AuditLogEntry{
+			EventType:    models.EventClientDeleted,
+			Severity:     models.SeverityWarning,
+			ActorUserID:  actorUserID,
+			ResourceType: models.ResourceClient,
+			ResourceID:   clientID,
+			ResourceName: client.ClientName,
+			Action:       "OAuth client deleted by owner",
+			Details: models.AuditDetails{
+				"client_name": client.ClientName,
+			},
+			Success: true,
+		})
+	}
+
+	return nil
+}
+
+// ApproveClient sets a client's status to active and enables it for OAuth flows.
+func (s *ClientService) ApproveClient(
+	ctx context.Context,
+	clientID, adminUserID string,
+) error {
+	client, err := s.store.GetClient(clientID)
+	if err != nil {
+		return ErrClientNotFound
+	}
+
+	client.Status = models.ClientStatusActive
+	client.IsActive = true
+
+	if err := s.store.UpdateClient(client); err != nil {
+		return err
+	}
+
+	if s.auditService != nil {
+		s.auditService.Log(ctx, AuditLogEntry{
+			EventType:    models.EventClientApproved,
+			Severity:     models.SeverityInfo,
+			ActorUserID:  adminUserID,
+			ResourceType: models.ResourceClient,
+			ResourceID:   clientID,
+			ResourceName: client.ClientName,
+			Action:       "OAuth client approved",
+			Details: models.AuditDetails{
+				"client_name": client.ClientName,
+			},
+			Success: true,
+		})
+	}
+
+	return nil
+}
+
+// RejectClient sets a client's status to inactive and disables it for OAuth flows.
+func (s *ClientService) RejectClient(
+	ctx context.Context,
+	clientID, adminUserID string,
+) error {
+	client, err := s.store.GetClient(clientID)
+	if err != nil {
+		return ErrClientNotFound
+	}
+
+	client.Status = models.ClientStatusInactive
+	client.IsActive = false
+
+	if err := s.store.UpdateClient(client); err != nil {
+		return err
+	}
+
+	if s.auditService != nil {
+		s.auditService.Log(ctx, AuditLogEntry{
+			EventType:    models.EventClientRejected,
+			Severity:     models.SeverityInfo,
+			ActorUserID:  adminUserID,
+			ResourceType: models.ResourceClient,
+			ResourceID:   clientID,
+			ResourceName: client.ClientName,
+			Action:       "OAuth client rejected",
+			Details: models.AuditDetails{
+				"client_name": client.ClientName,
+			},
+			Success: true,
+		})
+	}
+
+	return nil
+}
diff --git a/internal/services/client_user_test.go b/internal/services/client_user_test.go
new file mode 100644
index 00000000..8ec25796
--- /dev/null
+++ b/internal/services/client_user_test.go
@@ -0,0 +1,347 @@
+package services
+
+import (
+	"context"
+	"testing"
+
+	"github.com/go-authgate/authgate/internal/models"
+	"github.com/go-authgate/authgate/internal/store"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// ============================================================
+// CreateClient – IsAdminCreated flag
+// ============================================================
+
+func TestCreateClient_AdminCreated_IsActive(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	userID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Admin Client",
+		UserID:         userID,
+		CreatedBy:      userID,
+		IsAdminCreated: true,
+	})
+	require.NoError(t, err)
+	assert.True(t, resp.IsActive)
+	assert.Equal(t, models.ClientStatusActive, resp.Status)
+}
+
+func TestCreateClient_UserCreated_IsPendingAndInactive(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	userID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "User Client",
+		UserID:         userID,
+		CreatedBy:      userID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+	assert.False(t, resp.IsActive)
+	assert.Equal(t, models.ClientStatusPending, resp.Status)
+}
+
+// ============================================================
+// UserUpdateClient – ownership enforcement
+// ============================================================
+
+func TestUserUpdateClient_OwnershipEnforced(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+	otherID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Owned Client",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	err = svc.UserUpdateClient(
+		context.Background(),
+		resp.ClientID,
+		otherID,
+		UserUpdateClientRequest{
+			ClientName:       "Renamed",
+			EnableDeviceFlow: true,
+		},
+	)
+	assert.ErrorIs(t, err, ErrClientOwnershipRequired)
+}
+
+func TestUserUpdateClient_OwnerCanUpdate(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "My App",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	err = svc.UserUpdateClient(
+		context.Background(),
+		resp.ClientID,
+		ownerID,
+		UserUpdateClientRequest{
+			ClientName:       "My App Updated",
+			EnableDeviceFlow: true,
+			Scopes:           "email profile",
+		},
+	)
+	require.NoError(t, err)
+
+	updated, err := svc.GetClient(resp.ClientID)
+	require.NoError(t, err)
+	assert.Equal(t, "My App Updated", updated.ClientName)
+}
+
+// ============================================================
+// UserUpdateClient – scope validation
+// ============================================================
+
+func TestUserUpdateClient_InvalidScopeRejected(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Scope App",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	err = svc.UserUpdateClient(
+		context.Background(),
+		resp.ClientID,
+		ownerID,
+		UserUpdateClientRequest{
+			ClientName:       "Scope App",
+			EnableDeviceFlow: true,
+			Scopes:           "admin superuser", // not allowed
+		},
+	)
+	assert.ErrorIs(t, err, ErrInvalidScopeForUser)
+}
+
+func TestUserUpdateClient_AllowedScopesAccepted(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Scope App OK",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	err = svc.UserUpdateClient(
+		context.Background(),
+		resp.ClientID,
+		ownerID,
+		UserUpdateClientRequest{
+			ClientName:       "Scope App OK",
+			EnableDeviceFlow: true,
+			Scopes:           "email profile openid offline_access",
+		},
+	)
+	require.NoError(t, err)
+}
+
+// ============================================================
+// UserDeleteClient – ownership + active block
+// ============================================================
+
+func TestUserDeleteClient_OwnershipEnforced(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+	otherID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Delete Target",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	err = svc.UserDeleteClient(context.Background(), resp.ClientID, otherID)
+	assert.ErrorIs(t, err, ErrClientOwnershipRequired)
+}
+
+func TestUserDeleteClient_ActiveClientBlocked(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+	adminID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Active Client",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	// Approve it first to make it active
+	require.NoError(t, svc.ApproveClient(context.Background(), resp.ClientID, adminID))
+
+	err = svc.UserDeleteClient(context.Background(), resp.ClientID, ownerID)
+	assert.ErrorIs(t, err, ErrCannotDeleteActiveClient)
+}
+
+func TestUserDeleteClient_PendingClientAllowed(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Pending Client",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+	assert.Equal(t, models.ClientStatusPending, resp.Status)
+
+	err = svc.UserDeleteClient(context.Background(), resp.ClientID, ownerID)
+	require.NoError(t, err)
+}
+
+// ============================================================
+// ApproveClient / RejectClient
+// ============================================================
+
+func TestApproveClient_SetsActiveStatus(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+	adminID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Pending",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+	assert.Equal(t, models.ClientStatusPending, resp.Status)
+	assert.False(t, resp.IsActive)
+
+	require.NoError(t, svc.ApproveClient(context.Background(), resp.ClientID, adminID))
+
+	approved, err := svc.GetClient(resp.ClientID)
+	require.NoError(t, err)
+	assert.Equal(t, models.ClientStatusActive, approved.Status)
+	assert.True(t, approved.IsActive)
+}
+
+func TestRejectClient_SetsInactiveStatus(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+	adminID := uuid.New().String()
+
+	resp, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "To Reject",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	require.NoError(t, svc.RejectClient(context.Background(), resp.ClientID, adminID))
+
+	rejected, err := svc.GetClient(resp.ClientID)
+	require.NoError(t, err)
+	assert.Equal(t, models.ClientStatusInactive, rejected.Status)
+	assert.False(t, rejected.IsActive)
+}
+
+// ============================================================
+// CountPendingClients
+// ============================================================
+
+func TestCountPendingClients(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	ownerID := uuid.New().String()
+	adminID := uuid.New().String()
+
+	// Initially zero pending (seeded default is active)
+	initial, err := svc.CountPendingClients()
+	require.NoError(t, err)
+
+	// Add two pending clients
+	resp1, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Pending 1",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+	_, err = svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName:     "Pending 2",
+		UserID:         ownerID,
+		CreatedBy:      ownerID,
+		IsAdminCreated: false,
+	})
+	require.NoError(t, err)
+
+	count, err := svc.CountPendingClients()
+	require.NoError(t, err)
+	assert.Equal(t, initial+2, count)
+
+	// Approve one → count goes back down
+	require.NoError(t, svc.ApproveClient(context.Background(), resp1.ClientID, adminID))
+	count, err = svc.CountPendingClients()
+	require.NoError(t, err)
+	assert.Equal(t, initial+1, count)
+}
+
+// ============================================================
+// ListClientsByUser
+// ============================================================
+
+func TestListClientsByUser(t *testing.T) {
+	s := setupTestStore(t)
+	svc := NewClientService(s, nil)
+	user1ID := uuid.New().String()
+	user2ID := uuid.New().String()
+
+	_, err := svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName: "App A", UserID: user1ID, CreatedBy: user1ID,
+	})
+	require.NoError(t, err)
+	_, err = svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName: "App B", UserID: user1ID, CreatedBy: user1ID,
+	})
+	require.NoError(t, err)
+	_, err = svc.CreateClient(context.Background(), CreateClientRequest{
+		ClientName: "Other", UserID: user2ID, CreatedBy: user2ID,
+	})
+	require.NoError(t, err)
+
+	params := store.NewPaginationParams(1, 10, "")
+	apps, pagination, err := svc.ListClientsByUser(user1ID, params)
+	require.NoError(t, err)
+	assert.Len(t, apps, 2)
+	assert.Equal(t, int64(2), pagination.Total)
+}
diff --git a/internal/store/pagination.go b/internal/store/pagination.go
index f1aa888d..195aa824 100644
--- a/internal/store/pagination.go
+++ b/internal/store/pagination.go
@@ -4,9 +4,10 @@ import "math"
 
 // PaginationParams contains parameters for paginated queries
 type PaginationParams struct {
-	Page     int    // Current page number (1-indexed)
-	PageSize int    // Number of items per page
-	Search   string // Search keyword
+	Page         int    // Current page number (1-indexed)
+	PageSize     int    // Number of items per page
+	Search       string // Search keyword
+	StatusFilter string // Optional status filter (e.g. "pending", "active", "inactive")
 }
 
 // PaginationResult contains pagination metadata
diff --git a/internal/store/sqlite.go b/internal/store/sqlite.go
index 33885c5f..a3a2fa25 100644
--- a/internal/store/sqlite.go
+++ b/internal/store/sqlite.go
@@ -194,6 +194,7 @@ func (s *Store) seedData(ctx context.Context, cfg *config.Config) error {
 			EnableAuthCodeFlow: true,
 			EnableDeviceFlow:   true,
 			IsActive:           true,
+			Status:             models.ClientStatusActive,
 		}
 		clientSecret, err := client.GenerateClientSecret(ctx)
 		if err != nil {
@@ -332,7 +333,7 @@ func (s *Store) ListClients() ([]models.OAuthApplication, error) {
 	return clients, nil
 }
 
-// ListClientsPaginated returns paginated OAuth clients with search support
+// ListClientsPaginated returns paginated OAuth clients with search and optional status filter support
 func (s *Store) ListClientsPaginated(
 	params PaginationParams,
 ) ([]models.OAuthApplication, PaginationResult, error) {
@@ -351,6 +352,11 @@ func (s *Store) ListClientsPaginated(
 		)
 	}
 
+	// Apply status filter if provided
+	if params.StatusFilter != "" {
+		query = query.Where("status = ?", params.StatusFilter)
+	}
+
 	// Count total records
 	if err := query.Count(&total).Error; err != nil {
 		return nil, PaginationResult{}, err
@@ -371,6 +377,50 @@ func (s *Store) ListClientsPaginated(
 	return clients, pagination, nil
 }
 
+// ListClientsByUserID returns paginated OAuth clients owned by the given user
+func (s *Store) ListClientsByUserID(
+	userID string,
+	params PaginationParams,
+) ([]models.OAuthApplication, PaginationResult, error) {
+	var clients []models.OAuthApplication
+	var total int64
+
+	query := s.db.Model(&models.OAuthApplication{}).Where("user_id = ?", userID)
+
+	if params.Search != "" {
+		searchPattern := "%" + params.Search + "%"
+		query = query.Where(
+			"client_name LIKE ? OR client_id LIKE ? OR description LIKE ?",
+			searchPattern, searchPattern, searchPattern,
+		)
+	}
+
+	if err := query.Count(&total).Error; err != nil {
+		return nil, PaginationResult{}, err
+	}
+
+	pagination := CalculatePagination(total, params.Page, params.PageSize)
+	offset := (params.Page - 1) * params.PageSize
+
+	if err := query.Order("created_at DESC").
+		Limit(params.PageSize).
+		Offset(offset).
+		Find(&clients).Error; err != nil {
+		return nil, PaginationResult{}, err
+	}
+
+	return clients, pagination, nil
+}
+
+// CountClientsByStatus returns the number of clients with the given status
+func (s *Store) CountClientsByStatus(status string) (int64, error) {
+	var count int64
+	err := s.db.Model(&models.OAuthApplication{}).
+		Where("status = ?", status).
+		Count(&count).Error
+	return count, err
+}
+
 func (s *Store) GetClientsByIDs(clientIDs []string) (map[string]*models.OAuthApplication, error) {
 	if len(clientIDs) == 0 {
 		return make(map[string]*models.OAuthApplication), nil
diff --git a/internal/templates/admin_client_detail.templ b/internal/templates/admin_client_detail.templ
index 758558c3..bf2a294c 100644
--- a/internal/templates/admin_client_detail.templ
+++ b/internal/templates/admin_client_detail.templ
@@ -75,12 +75,18 @@ templ AdminClientDetail(props ClientDetailPageProps) {
 						</div>
 						<div class="admin-detail-row">
 							<div class="admin-detail-label">Status</div>
-							<div class="admin-detail-value">
+							<div class="admin-detail-value" style="display:flex;gap:var(--space-2);flex-wrap:wrap;">
 								if props.Client.IsActive {
 									<span class="status-badge status-active">Active</span>
 								} else {
 									<span class="status-badge status-inactive">Inactive</span>
 								}
+								switch props.Client.Status {
+									case "pending":
+										<span class="status-badge" style="background:rgba(245,158,11,0.1);color:#D97706;border:1px solid rgba(245,158,11,0.3);">Pending approval</span>
+									case "inactive":
+										<span class="status-badge status-inactive">Rejected</span>
+								}
 							</div>
 						</div>
 						<div class="admin-detail-row">
@@ -92,6 +98,26 @@ templ AdminClientDetail(props ClientDetailPageProps) {
 							<div class="admin-detail-value">{ props.Client.UpdatedAt.Format("2006-01-02 15:04:05") }</div>
 						</div>
 					</div>
+					<!-- Pending Approval Actions -->
+					if props.Client.Status == "pending" {
+						<div style="margin-bottom:var(--space-4);padding:var(--space-3);background:rgba(245,158,11,0.1);border:1px solid rgba(245,158,11,0.3);border-radius:var(--radius-md);">
+							<p style="margin:0 0 var(--space-3);color:#92400E;font-weight:600;">⏳ This client is pending approval.</p>
+							<div style="display:flex;gap:var(--space-3);">
+								<form method="POST" action={ templ.URL("/admin/clients/" + props.Client.ClientID + "/approve") } style="margin:0;">
+									<input type="hidden" name="csrf_token" value={ props.CSRFToken }/>
+									<button type="submit" class="admin-action-btn primary" onclick="return confirm('Approve this client? It will become active and usable for OAuth flows.')">
+										✅ Approve
+									</button>
+								</form>
+								<form method="POST" action={ templ.URL("/admin/clients/" + props.Client.ClientID + "/reject") } style="margin:0;">
+									<input type="hidden" name="csrf_token" value={ props.CSRFToken }/>
+									<button type="submit" class="admin-action-btn danger" onclick="return confirm('Reject this client? It will be set to inactive.')">
+										❌ Reject
+									</button>
+								</form>
+							</div>
+						</div>
+					}
 					<!-- Standard Actions -->
 					<div class="admin-action-buttons">
 						<a href={ templ.URL("/admin/clients/" + props.Client.ClientID + "/edit") } class="admin-action-btn primary">
diff --git a/internal/templates/admin_client_form.templ b/internal/templates/admin_client_form.templ
index 42deb11d..0d1540a0 100644
--- a/internal/templates/admin_client_form.templ
+++ b/internal/templates/admin_client_form.templ
@@ -12,131 +12,13 @@ templ AdminClientForm(props ClientFormPageProps) {
 					@Alert(props.Error, AlertError)
 					<form method={ props.Method } action={ templ.URL(props.Action) } class="admin-form">
 						<input type="hidden" name="csrf_token" value={ props.CSRFToken }/>
-						<!-- Client Name -->
-						<div class="admin-form-group">
-							<label for="client_name" class="admin-form-label admin-form-label-required">Client Name</label>
-							if props.Client != nil {
-								<input type="text" id="client_name" name="client_name" class="admin-form-input" value={ props.Client.ClientName } required/>
-							} else {
-								<input type="text" id="client_name" name="client_name" class="admin-form-input" required/>
-							}
-							<small class="admin-form-hint">A human-readable name for this OAuth client</small>
-						</div>
-						<!-- Description -->
-						<div class="admin-form-group">
-							<label for="description" class="admin-form-label">Description</label>
-							if props.Client != nil {
-								<textarea id="description" name="description" class="admin-form-textarea" rows="3">{ props.Client.Description }</textarea>
-							} else {
-								<textarea id="description" name="description" class="admin-form-textarea" rows="3"></textarea>
-							}
-							<small class="admin-form-hint">Optional description of this client's purpose</small>
-						</div>
-						<!-- Client Type -->
-						<div class="admin-form-group">
-							<label for="client_type" class="admin-form-label admin-form-label-required">Client Type</label>
-							<select id="client_type" name="client_type" class="admin-form-select">
-								<option
-									value="public"
-									selected?={ props.Client == nil || props.Client.ClientType == "public" }
-								>
-									Public — SPAs, CLIs, mobile apps (PKCE required)
-								</option>
-								<option
-									value="confidential"
-									selected?={ props.Client != nil && props.Client.ClientType == "confidential" }
-								>
-									Confidential — server-side apps that can store a secret
-								</option>
-							</select>
-							<small class="admin-form-hint">
-								Public clients use PKCE instead (no secret required).
-								Confidential clients authenticate with a secret.
-							</small>
-						</div>
-						<!-- Grant Types (checkboxes) -->
-						<div class="admin-form-group">
-							<label class="admin-form-label admin-form-label-required">Grant Types</label>
-							<div class="admin-form-checkboxes">
-								<label class="admin-form-checkbox-label">
-									<input
-										type="checkbox"
-										name="enable_device_flow"
-										value="true"
-										checked?={ props.Client == nil || props.Client.EnableDeviceFlow }
-									/>
-									<span>
-										<strong>Device Authorization Flow</strong> (RFC 8628)
-										— for CLI tools and devices without a browser
-									</span>
-								</label>
-								<label class="admin-form-checkbox-label">
-									<input
-										type="checkbox"
-										name="enable_auth_code_flow"
-										value="true"
-										checked?={ props.Client != nil && props.Client.EnableAuthCodeFlow }
-									/>
-									<span>
-										<strong>Authorization Code Flow</strong> (RFC 6749)
-										— for web apps with a redirect URI callback
-									</span>
-								</label>
-								<label class="admin-form-checkbox-label" id="client_credentials_label">
-									<input
-										type="checkbox"
-										id="enable_client_credentials_flow"
-										name="enable_client_credentials_flow"
-										value="true"
-										checked?={ props.Client != nil && props.Client.EnableClientCredentialsFlow }
-									/>
-									<span>
-										<strong>Client Credentials Flow</strong> (RFC 6749 §4.4)
-										— for machine-to-machine (M2M) access
-										<span class="admin-form-badge-confidential" id="cc_flow_badge">Confidential only</span>
-									</span>
-								</label>
-							</div>
-							<small class="admin-form-hint">At least one grant type must be selected. Client Credentials Flow requires a confidential client.</small>
-						</div>
-						<!-- Scopes -->
-						<div class="admin-form-group">
-							<label for="scopeTextInput" class="admin-form-label">Scopes</label>
-							if props.Client != nil {
-								<input type="hidden" id="scopes" name="scopes" value={ props.Client.Scopes }/>
-							} else {
-								<input type="hidden" id="scopes" name="scopes" value="email profile"/>
-							}
-							<div class="admin-scope-picker" id="scopePicker">
-								<div class="admin-scope-tags" id="scopeTags"></div>
-								<input type="text" class="admin-scope-text-input" id="scopeTextInput"
-									placeholder="Add scope..." autocomplete="off" spellcheck="false"/>
-							</div>
-							<div class="admin-scope-presets" id="scopePresets">
-								<span class="admin-scope-presets-label">Quick add:</span>
-								<button type="button" class="admin-scope-preset-chip" data-scope="openid">openid</button>
-								<button type="button" class="admin-scope-preset-chip" data-scope="email">email</button>
-								<button type="button" class="admin-scope-preset-chip" data-scope="profile">profile</button>
-								<button type="button" class="admin-scope-preset-chip" data-scope="offline_access">offline_access</button>
-							</div>
-							<small class="admin-form-hint">
-								Click a preset to add it, or type a custom scope and press <kbd>Enter</kbd> or <kbd>Space</kbd>.
-								Click <strong>&times;</strong> on a tag to remove it.
-							</small>
-						</div>
-						<!-- Redirect URIs -->
-						<div class="admin-form-group">
-							<label for="redirect_uris" class="admin-form-label">Redirect URIs</label>
-							if props.Client != nil {
-								<textarea id="redirect_uris" name="redirect_uris" class="admin-form-textarea" rows="3">{ props.Client.RedirectURIs }</textarea>
-							} else {
-								<textarea id="redirect_uris" name="redirect_uris" class="admin-form-textarea" rows="3"></textarea>
-							}
-							<small class="admin-form-hint">
-								Comma-separated redirect URIs. Required when Authorization Code Flow is enabled.
-								Example: <code>https://app.example.com/callback</code>
-							</small>
-						</div>
+						@ClientFormCommonFields(ClientFormFieldsProps{
+							Client:                props.Client,
+							IsEdit:                props.IsEdit,
+							NameLabel:             "Client Name",
+							ShowClientCredentials: true,
+							ScopePresetsOnly:      false,
+						})
 						<!-- Status (edit only) -->
 						if props.IsEdit {
 							<div class="admin-form-group">
@@ -162,7 +44,6 @@ templ AdminClientForm(props ClientFormPageProps) {
 								</div>
 							</div>
 						}
-						<!-- Actions -->
 						<div class="admin-form-actions">
 							<button type="submit" class="admin-form-submit-btn">
 								if props.IsEdit {
@@ -174,115 +55,6 @@ templ AdminClientForm(props ClientFormPageProps) {
 							<a href="/admin/clients" class="admin-form-cancel-btn">Cancel</a>
 						</div>
 					</form>
-					<script>
-						(function () {
-							var clientTypeSelect = document.getElementById('client_type');
-							var ccCheckbox = document.getElementById('enable_client_credentials_flow');
-							var ccLabel = document.getElementById('client_credentials_label');
-
-							function syncClientCredentials() {
-								var isConfidential = clientTypeSelect.value === 'confidential';
-								ccCheckbox.disabled = !isConfidential;
-								if (!isConfidential) {
-									ccCheckbox.checked = false;
-								}
-								ccLabel.classList.toggle('admin-form-checkbox-label--disabled', !isConfidential);
-							}
-
-							clientTypeSelect.addEventListener('change', syncClientCredentials);
-							syncClientCredentials();
-						})();
-
-						(function () {
-							var hiddenInput  = document.getElementById('scopes');
-							var picker       = document.getElementById('scopePicker');
-							var tagsEl       = document.getElementById('scopeTags');
-							var textInput    = document.getElementById('scopeTextInput');
-							var presetsEl    = document.getElementById('scopePresets');
-							var presetChips  = presetsEl.querySelectorAll('.admin-scope-preset-chip');
-							var selected     = [];
-
-							function syncHidden() { hiddenInput.value = selected.join(' '); }
-
-							function renderTags() {
-								tagsEl.innerHTML = '';
-								selected.forEach(function (scope) {
-									var tag    = document.createElement('span');
-									tag.className = 'admin-scope-tag';
-									var label  = document.createElement('span');
-									label.className = 'admin-scope-tag-label';
-									label.textContent = scope;
-									var btn    = document.createElement('button');
-									btn.type   = 'button';
-									btn.className = 'admin-scope-tag-remove';
-									btn.setAttribute('aria-label', 'Remove ' + scope);
-									btn.textContent = '×';
-									btn.addEventListener('click', function () { removeScope(scope); });
-									tag.appendChild(label);
-									tag.appendChild(btn);
-									tagsEl.appendChild(tag);
-								});
-							}
-
-							function renderPresets() {
-								presetChips.forEach(function (chip) {
-									chip.disabled = selected.indexOf(chip.getAttribute('data-scope')) !== -1;
-								});
-							}
-
-							function render() { renderTags(); renderPresets(); syncHidden(); }
-
-							function addScope(raw) {
-								raw.trim().toLowerCase().split(/\s+/).forEach(function (s) {
-									if (s && selected.indexOf(s) === -1) { selected.push(s); }
-								});
-								render();
-							}
-
-							function removeScope(s) {
-								var i = selected.indexOf(s);
-								if (i !== -1) { selected.splice(i, 1); render(); }
-							}
-
-							function init() {
-								var v = hiddenInput.value.trim();
-								if (v) {
-									v.split(/\s+/).forEach(function(s) {
-										s = s.trim();
-										if (s && selected.indexOf(s) === -1) selected.push(s);
-									});
-								}
-								render();
-							}
-
-							textInput.addEventListener('keydown', function (e) {
-								if (e.key === 'Enter' || e.key === ' ') {
-									e.preventDefault();
-									if (textInput.value.trim()) { addScope(textInput.value); textInput.value = ''; }
-								}
-								if (e.key === 'Backspace' && !textInput.value && selected.length) {
-									removeScope(selected[selected.length - 1]);
-								}
-							});
-
-							textInput.addEventListener('blur', function () {
-								if (textInput.value.trim()) { addScope(textInput.value); textInput.value = ''; }
-							});
-
-							picker.addEventListener('click', function (e) {
-								if (e.target !== textInput) { textInput.focus(); }
-							});
-
-							presetChips.forEach(function (chip) {
-								chip.addEventListener('click', function () {
-									addScope(chip.getAttribute('data-scope'));
-									textInput.focus();
-								});
-							});
-
-							init();
-						})();
-					</script>
 				</div>
 			</div>
 		</div>
diff --git a/internal/templates/admin_clients.templ b/internal/templates/admin_clients.templ
index 880e8ae8..11ccc841 100644
--- a/internal/templates/admin_clients.templ
+++ b/internal/templates/admin_clients.templ
@@ -1,9 +1,8 @@
 package templates
 
 import (
-	"fmt"
+	"github.com/go-authgate/authgate/internal/models"
 	"github.com/go-authgate/authgate/internal/services"
-	"github.com/go-authgate/authgate/internal/store"
 )
 
 templ AdminClients(props ClientsPageProps) {
@@ -27,37 +26,14 @@ templ AdminClients(props ClientsPageProps) {
 						</a>
 					</div>
 					@Alert(props.Success, AlertSuccess)
-					<!-- Search and Filters -->
-					<div class="search-section">
-						<form method="GET" action="/admin/clients" class="search-grid">
-							<div class="search-group">
-								<label for="search" class="search-label">Search</label>
-								<div class="search-input-wrapper">
-									<span class="search-icon">🔍</span>
-									<input
-										type="text"
-										id="search"
-										name="search"
-										class="search-input"
-										placeholder="Search by name, client ID, or description..."
-										value={ props.Search }
-									/>
-								</div>
-							</div>
-							<div class="search-group">
-								<label for="page_size" class="search-label">Items per page</label>
-								<select name="page_size" id="page_size" class="page-size-select" onchange="this.form.submit()">
-									<option value="10" selected?={ props.PageSize == 10 }>10 items</option>
-									<option value="20" selected?={ props.PageSize == 20 }>20 items</option>
-									<option value="50" selected?={ props.PageSize == 50 }>50 items</option>
-								</select>
-							</div>
-							<div class="search-buttons">
-								<button type="submit" class="search-btn">Search</button>
-								<a href="/admin/clients" class="clear-btn">Clear</a>
-							</div>
-						</form>
+					<!-- Status Filter Tabs -->
+					<div style="display:flex;gap:var(--space-2);margin-bottom:var(--space-4);border-bottom:1px solid var(--color-border);padding-bottom:var(--space-3);">
+						@AdminClientsStatusTab("/admin/clients", "All", props.StatusFilter == "")
+						@AdminClientsStatusTab("/admin/clients?status=pending", "Pending", props.StatusFilter == models.ClientStatusPending)
+						@AdminClientsStatusTab("/admin/clients?status=active", "Active", props.StatusFilter == models.ClientStatusActive)
+						@AdminClientsStatusTab("/admin/clients?status=inactive", "Inactive", props.StatusFilter == models.ClientStatusInactive)
 					</div>
+					@ClientsSearchBar("/admin/clients", props.Search, props.PageSize)
 					if len(props.Clients) > 0 {
 						<div class="admin-clients-table-wrapper">
 							<table class="admin-clients-table">
@@ -107,8 +83,7 @@ templ AdminClients(props ClientsPageProps) {
 								</tbody>
 							</table>
 						</div>
-						<!-- Pagination Controls -->
-						@ClientsPagination(props.Pagination, props.PageSize, props.Search)
+						@ClientsListPagination(props.Pagination, props.PageSize, props.Search, "/admin/clients", "total clients")
 					} else {
 						<div class="empty-state">
 							<div class="empty-icon">
@@ -215,11 +190,7 @@ templ ClientTableRow(client services.ClientWithCreator, csrfToken string) {
 			</div>
 		</td>
 		<td>
-			if client.IsActive {
-				<span class="status-badge status-active">Active</span>
-			} else {
-				<span class="status-badge status-inactive">Inactive</span>
-			}
+			@AdminClientStatusBadges(client.IsActive, client.Status)
 		</td>
 		<td class="created-date-cell">
 			<div class="date-display">
@@ -236,6 +207,24 @@ templ ClientTableRow(client services.ClientWithCreator, csrfToken string) {
 		</td>
 		<td>
 			<div class="actions">
+				if client.Status == models.ClientStatusPending {
+					<!-- Quick approve/reject for pending clients -->
+					<form method="POST" action={ templ.URL("/admin/clients/" + client.ClientID + "/approve") } style="display:inline;">
+						<input type="hidden" name="csrf_token" value={ csrfToken }/>
+						<button type="submit" class="btn btn-success btn-small" title="Approve client">
+							Approve
+						</button>
+					</form>
+					<form method="POST" action={ templ.URL("/admin/clients/" + client.ClientID + "/reject") } style="display:inline;">
+						<input type="hidden" name="csrf_token" value={ csrfToken }/>
+						<button type="submit" class="btn btn-warning btn-small" title="Reject client">
+							Reject
+						</button>
+					</form>
+				}
+				<a href={ templ.URL("/admin/clients/" + client.ClientID) } class="btn btn-secondary btn-small" title="View client">
+					View
+				</a>
 				<a href={ templ.URL("/admin/clients/" + client.ClientID + "/edit") } class="btn btn-secondary btn-small" title="Edit client">
 					Edit
 				</a>
@@ -250,53 +239,39 @@ templ ClientTableRow(client services.ClientWithCreator, csrfToken string) {
 	</tr>
 }
 
-func buildClientsPaginationURL(page, pageSize int, search string) string {
-	searchParam := ""
-	if search != "" {
-		searchParam = "&search=" + search
-	}
-	return fmt.Sprintf("/admin/clients?page=%d&page_size=%d%s", page, pageSize, searchParam)
+// AdminClientsStatusTab renders a filter tab for the admin clients list.
+templ AdminClientsStatusTab(href, label string, isActive bool) {
+	<a
+		href={ templ.URL(href) }
+		style={
+			templ.SafeCSS(
+				"padding:var(--space-1) var(--space-3);border-radius:var(--radius-sm);font-size:var(--text-sm);font-weight:500;text-decoration:none;" +
+				func() string {
+					if isActive {
+						return "background:var(--color-primary);color:#fff;"
+					}
+					return "color:var(--color-text-secondary);"
+				}(),
+			),
+		}
+	>
+		{ label }
+	</a>
 }
 
-templ ClientsPagination(pagination store.PaginationResult, pageSize int, search string) {
-	<div class="pagination-container">
-		<div class="pagination-info">
-			<span>Showing</span>
-			<span class="pagination-info-total">{ fmt.Sprintf("%d", pagination.Total) }</span>
-			<span>total clients</span>
-		</div>
-		<div class="pagination-controls">
-			if pagination.HasPrev {
-				<a
-					href={ templ.URL(buildClientsPaginationURL(pagination.PrevPage, pageSize, search)) }
-					class="pagination-button"
-				>
-					<span class="pagination-button-icon">←</span>
-					<span>Previous</span>
-				</a>
-			} else {
-				<button class="pagination-button" disabled>
-					<span class="pagination-button-icon">←</span>
-					<span>Previous</span>
-				</button>
-			}
-			<span class="pagination-current">
-				Page { fmt.Sprintf("%d", pagination.CurrentPage) } of { fmt.Sprintf("%d", pagination.TotalPages) }
-			</span>
-			if pagination.HasNext {
-				<a
-					href={ templ.URL(buildClientsPaginationURL(pagination.NextPage, pageSize, search)) }
-					class="pagination-button"
-				>
-					<span>Next</span>
-					<span class="pagination-button-icon">→</span>
-				</a>
-			} else {
-				<button class="pagination-button" disabled>
-					<span>Next</span>
-					<span class="pagination-button-icon">→</span>
-				</button>
-			}
-		</div>
+// AdminClientStatusBadges renders the IsActive + Status pair for the admin list view.
+templ AdminClientStatusBadges(isActive bool, status string) {
+	<div style="display:flex;flex-direction:column;gap:var(--space-1);">
+		if isActive {
+			<span class="status-badge status-active">Active</span>
+		} else {
+			<span class="status-badge status-inactive">Inactive</span>
+		}
+		switch status {
+			case models.ClientStatusPending:
+				<span class="status-badge" style="background:rgba(245,158,11,0.1);color:#D97706;border:1px solid rgba(245,158,11,0.3);font-size:var(--text-xs);">Pending</span>
+			case models.ClientStatusInactive:
+				<span class="status-badge status-inactive" style="font-size:var(--text-xs);">Rejected</span>
+		}
 	</div>
 }
diff --git a/internal/templates/client_shared.templ b/internal/templates/client_shared.templ
new file mode 100644
index 00000000..f18cf170
--- /dev/null
+++ b/internal/templates/client_shared.templ
@@ -0,0 +1,369 @@
+package templates
+
+import (
+	"fmt"
+
+	"github.com/go-authgate/authgate/internal/models"
+	"github.com/go-authgate/authgate/internal/store"
+)
+
+// ClientStatusBadge renders a colored badge for a client approval status string.
+// Shared between the user /apps view and admin /admin/clients view.
+templ ClientStatusBadge(status string) {
+	switch status {
+		case models.ClientStatusPending:
+			<span class="status-badge" style="background:rgba(245,158,11,0.1);color:#D97706;border:1px solid rgba(245,158,11,0.3);">Pending</span>
+		case models.ClientStatusActive:
+			<span class="status-badge status-active">Active</span>
+		default:
+			<span class="status-badge status-inactive">Inactive</span>
+	}
+}
+
+// ClientsSearchBar renders the search/filter form shared by /apps and /admin/clients.
+// action is the form GET target (e.g. "/apps" or "/admin/clients").
+templ ClientsSearchBar(action, search string, pageSize int) {
+	<div class="search-section">
+		<form method="GET" action={ templ.URL(action) } class="search-grid">
+			<div class="search-group">
+				<label for="search" class="search-label">Search</label>
+				<div class="search-input-wrapper">
+					<span class="search-icon">🔍</span>
+					<input
+						type="text"
+						id="search"
+						name="search"
+						class="search-input"
+						placeholder="Search by name, client ID, or description..."
+						value={ search }
+					/>
+				</div>
+			</div>
+			<div class="search-group">
+				<label for="page_size" class="search-label">Items per page</label>
+				<select name="page_size" id="page_size" class="page-size-select" onchange="this.form.submit()">
+					<option value="10" selected?={ pageSize == 10 }>10 items</option>
+					<option value="20" selected?={ pageSize == 20 }>20 items</option>
+					<option value="50" selected?={ pageSize == 50 }>50 items</option>
+				</select>
+			</div>
+			<div class="search-buttons">
+				<button type="submit" class="search-btn">Search</button>
+				<a href={ templ.URL(action) } class="clear-btn">Clear</a>
+			</div>
+		</form>
+	</div>
+}
+
+// buildClientPaginationURL builds a URL for pagination links.
+// baseURL is the base path without page/page_size params (e.g. "/apps", "/admin/clients").
+func buildClientPaginationURL(baseURL string, page, pageSize int, search string) string {
+	url := fmt.Sprintf("%s?page=%d&page_size=%d", baseURL, page, pageSize)
+	if search != "" {
+		url += "&search=" + search
+	}
+	return url
+}
+
+// ClientsListPagination renders prev/next pagination shared by /apps and /admin/clients.
+// baseURL: base path for page links (e.g. "/apps", "/admin/clients").
+// countLabel: noun phrase after the count (e.g. "total apps", "total clients").
+templ ClientsListPagination(pagination store.PaginationResult, pageSize int, search, baseURL, countLabel string) {
+	<div class="pagination-container">
+		<div class="pagination-info">
+			<span>Showing</span>
+			<span class="pagination-info-total">{ fmt.Sprintf("%d", pagination.Total) }</span>
+			<span>{ countLabel }</span>
+		</div>
+		<div class="pagination-controls">
+			if pagination.HasPrev {
+				<a href={ templ.URL(buildClientPaginationURL(baseURL, pagination.PrevPage, pageSize, search)) } class="pagination-button">
+					<span class="pagination-button-icon">←</span>
+					<span>Previous</span>
+				</a>
+			} else {
+				<button class="pagination-button" disabled>
+					<span class="pagination-button-icon">←</span>
+					<span>Previous</span>
+				</button>
+			}
+			<span class="pagination-current">
+				Page { fmt.Sprintf("%d", pagination.CurrentPage) } of { fmt.Sprintf("%d", pagination.TotalPages) }
+			</span>
+			if pagination.HasNext {
+				<a href={ templ.URL(buildClientPaginationURL(baseURL, pagination.NextPage, pageSize, search)) } class="pagination-button">
+					<span>Next</span>
+					<span class="pagination-button-icon">→</span>
+				</a>
+			} else {
+				<button class="pagination-button" disabled>
+					<span>Next</span>
+					<span class="pagination-button-icon">→</span>
+				</button>
+			}
+		</div>
+	</div>
+}
+
+// ClientFormCommonFields renders the form fields shared by AdminClientForm and UserAppForm.
+// Callers wrap this in a <form> and append their own admin-only fields and submit/cancel buttons.
+templ ClientFormCommonFields(props ClientFormFieldsProps) {
+	<!-- Client Name -->
+	<div class="admin-form-group">
+		<label for="client_name" class="admin-form-label admin-form-label-required">{ props.NameLabel }</label>
+		if props.Client != nil {
+			<input type="text" id="client_name" name="client_name" class="admin-form-input" value={ props.Client.ClientName } required/>
+		} else {
+			<input type="text" id="client_name" name="client_name" class="admin-form-input" required/>
+		}
+		<small class="admin-form-hint">A human-readable name for this application</small>
+	</div>
+	<!-- Description -->
+	<div class="admin-form-group">
+		<label for="description" class="admin-form-label">Description</label>
+		if props.Client != nil {
+			<textarea id="description" name="description" class="admin-form-textarea" rows="3">{ props.Client.Description }</textarea>
+		} else {
+			<textarea id="description" name="description" class="admin-form-textarea" rows="3"></textarea>
+		}
+		<small class="admin-form-hint">Optional description of this application's purpose</small>
+	</div>
+	<!-- Client Type -->
+	<div class="admin-form-group">
+		<label for="client_type" class="admin-form-label admin-form-label-required">Client Type</label>
+		<select id="client_type" name="client_type" class="admin-form-select">
+			<option value="public" selected?={ props.Client == nil || props.Client.ClientType == "public" }>
+				Public — SPAs, CLIs, mobile apps (PKCE required)
+			</option>
+			<option value="confidential" selected?={ props.Client != nil && props.Client.ClientType == "confidential" }>
+				Confidential — server-side apps that can store a secret
+			</option>
+		</select>
+		<small class="admin-form-hint">Public clients use PKCE. Confidential clients authenticate with a secret.</small>
+	</div>
+	<!-- Grant Types -->
+	<div class="admin-form-group">
+		<label class="admin-form-label admin-form-label-required">Grant Types</label>
+		<div class="admin-form-checkboxes">
+			<label class="admin-form-checkbox-label">
+				<input
+					type="checkbox"
+					name="enable_device_flow"
+					value="true"
+					checked?={ props.Client == nil || props.Client.EnableDeviceFlow }
+				/>
+				<span>
+					<strong>Device Authorization Flow</strong> (RFC 8628)
+					— for CLI tools and devices without a browser
+				</span>
+			</label>
+			<label class="admin-form-checkbox-label">
+				<input
+					type="checkbox"
+					name="enable_auth_code_flow"
+					value="true"
+					checked?={ props.Client != nil && props.Client.EnableAuthCodeFlow }
+				/>
+				<span>
+					<strong>Authorization Code Flow</strong> (RFC 6749)
+					— for web apps with a redirect URI callback
+				</span>
+			</label>
+			if props.ShowClientCredentials {
+				<label class="admin-form-checkbox-label" id="client_credentials_label">
+					<input
+						type="checkbox"
+						id="enable_client_credentials_flow"
+						name="enable_client_credentials_flow"
+						value="true"
+						checked?={ props.Client != nil && props.Client.EnableClientCredentialsFlow }
+					/>
+					<span>
+						<strong>Client Credentials Flow</strong> (RFC 6749 §4.4)
+						— for machine-to-machine (M2M) access
+						<span class="admin-form-badge-confidential" id="cc_flow_badge">Confidential only</span>
+					</span>
+				</label>
+			}
+		</div>
+		if props.ShowClientCredentials {
+			<small class="admin-form-hint">At least one grant type must be selected. Client Credentials Flow requires a confidential client.</small>
+		} else {
+			<small class="admin-form-hint">At least one grant type must be selected.</small>
+		}
+	</div>
+	<!-- Scopes -->
+	<div class="admin-form-group">
+		<label for="scopeTextInput" class="admin-form-label">Scopes</label>
+		if props.Client != nil {
+			<input type="hidden" id="scopes" name="scopes" value={ props.Client.Scopes }/>
+		} else {
+			<input type="hidden" id="scopes" name="scopes" value="email profile"/>
+		}
+		<div class="admin-scope-picker" id="scopePicker">
+			<div class="admin-scope-tags" id="scopeTags"></div>
+			if props.ScopePresetsOnly {
+				<input type="text" class="admin-scope-text-input" id="scopeTextInput"
+					placeholder="Select a preset below..." autocomplete="off" readonly/>
+			} else {
+				<input type="text" class="admin-scope-text-input" id="scopeTextInput"
+					placeholder="Add scope..." autocomplete="off" spellcheck="false"/>
+			}
+		</div>
+		<div class="admin-scope-presets" id="scopePresets">
+			if props.ScopePresetsOnly {
+				<span class="admin-scope-presets-label">Available scopes:</span>
+			} else {
+				<span class="admin-scope-presets-label">Quick add:</span>
+			}
+			<button type="button" class="admin-scope-preset-chip" data-scope="openid">openid</button>
+			<button type="button" class="admin-scope-preset-chip" data-scope="email">email</button>
+			<button type="button" class="admin-scope-preset-chip" data-scope="profile">profile</button>
+			<button type="button" class="admin-scope-preset-chip" data-scope="offline_access">offline_access</button>
+		</div>
+		<small class="admin-form-hint">
+			if props.ScopePresetsOnly {
+				Click a preset to add it. Click <strong>&times;</strong> on a tag to remove it.
+			} else {
+				Click a preset to add it, or type a custom scope and press <kbd>Enter</kbd> or <kbd>Space</kbd>.
+				Click <strong>&times;</strong> on a tag to remove it.
+			}
+		</small>
+	</div>
+	<!-- Redirect URIs -->
+	<div class="admin-form-group">
+		<label for="redirect_uris" class="admin-form-label">Redirect URIs</label>
+		if props.Client != nil {
+			<textarea id="redirect_uris" name="redirect_uris" class="admin-form-textarea" rows="3">{ props.Client.RedirectURIs }</textarea>
+		} else {
+			<textarea id="redirect_uris" name="redirect_uris" class="admin-form-textarea" rows="3"></textarea>
+		}
+		<small class="admin-form-hint">
+			Comma-separated redirect URIs. Required when Authorization Code Flow is enabled.
+			Example: <code>https://app.example.com/callback</code>
+		</small>
+	</div>
+	if props.ShowClientCredentials {
+		@clientCredentialsScript()
+	}
+	@clientScopePickerScript()
+}
+
+// clientCredentialsScript renders the JS that syncs the Client Credentials checkbox
+// with the Client Type select. Only emitted when ShowClientCredentials is true.
+templ clientCredentialsScript() {
+	<script>
+		(function () {
+			var clientTypeSelect = document.getElementById('client_type');
+			var ccCheckbox = document.getElementById('enable_client_credentials_flow');
+			var ccLabel = document.getElementById('client_credentials_label');
+
+			function syncClientCredentials() {
+				var isConfidential = clientTypeSelect.value === 'confidential';
+				ccCheckbox.disabled = !isConfidential;
+				if (!isConfidential) {
+					ccCheckbox.checked = false;
+				}
+				ccLabel.classList.toggle('admin-form-checkbox-label--disabled', !isConfidential);
+			}
+
+			clientTypeSelect.addEventListener('change', syncClientCredentials);
+			syncClientCredentials();
+		})();
+	</script>
+}
+
+// clientScopePickerScript renders the unified scope picker JS.
+// Preset-only mode is auto-detected via the readonly attribute on the text input.
+templ clientScopePickerScript() {
+	<script>
+		(function () {
+			var hiddenInput = document.getElementById('scopes');
+			var picker      = document.getElementById('scopePicker');
+			var tagsEl      = document.getElementById('scopeTags');
+			var textInput   = document.getElementById('scopeTextInput');
+			var presetsEl   = document.getElementById('scopePresets');
+			var presetChips = presetsEl.querySelectorAll('.admin-scope-preset-chip');
+			var selected    = [];
+			var presetsOnly = textInput.hasAttribute('readonly');
+
+			function syncHidden() { hiddenInput.value = selected.join(' '); }
+
+			function renderTags() {
+				tagsEl.innerHTML = '';
+				selected.forEach(function (scope) {
+					var tag   = document.createElement('span');
+					tag.className = 'admin-scope-tag';
+					var label = document.createElement('span');
+					label.className = 'admin-scope-tag-label';
+					label.textContent = scope;
+					var btn   = document.createElement('button');
+					btn.type  = 'button';
+					btn.className = 'admin-scope-tag-remove';
+					btn.setAttribute('aria-label', 'Remove ' + scope);
+					btn.textContent = '×';
+					btn.addEventListener('click', function () { removeScope(scope); });
+					tag.appendChild(label);
+					tag.appendChild(btn);
+					tagsEl.appendChild(tag);
+				});
+			}
+
+			function renderPresets() {
+				presetChips.forEach(function (chip) {
+					chip.disabled = selected.indexOf(chip.getAttribute('data-scope')) !== -1;
+				});
+			}
+
+			function render() { renderTags(); renderPresets(); syncHidden(); }
+
+			function addScope(s) {
+				s = s.trim().toLowerCase();
+				if (s && selected.indexOf(s) === -1) { selected.push(s); render(); }
+			}
+
+			function removeScope(s) {
+				var i = selected.indexOf(s);
+				if (i !== -1) { selected.splice(i, 1); render(); }
+			}
+
+			function init() {
+				var v = hiddenInput.value.trim();
+				if (v) {
+					v.split(/\s+/).forEach(function (s) {
+						s = s.trim();
+						if (s && selected.indexOf(s) === -1) { selected.push(s); }
+					});
+				}
+				render();
+			}
+
+			if (!presetsOnly) {
+				textInput.addEventListener('keydown', function (e) {
+					if (e.key === 'Enter' || e.key === ' ') {
+						e.preventDefault();
+						if (textInput.value.trim()) { addScope(textInput.value); textInput.value = ''; }
+					}
+					if (e.key === 'Backspace' && !textInput.value && selected.length) {
+						removeScope(selected[selected.length - 1]);
+					}
+				});
+				textInput.addEventListener('blur', function () {
+					if (textInput.value.trim()) { addScope(textInput.value); textInput.value = ''; }
+				});
+				picker.addEventListener('click', function (e) {
+					if (e.target !== textInput) { textInput.focus(); }
+				});
+			}
+
+			presetChips.forEach(function (chip) {
+				chip.addEventListener('click', function () {
+					addScope(chip.getAttribute('data-scope'));
+					if (!presetsOnly) { textInput.focus(); }
+				});
+			});
+
+			init();
+		})();
+	</script>
+}
diff --git a/internal/templates/my_apps.templ b/internal/templates/my_apps.templ
new file mode 100644
index 00000000..14e6f79d
--- /dev/null
+++ b/internal/templates/my_apps.templ
@@ -0,0 +1,118 @@
+package templates
+
+import "github.com/go-authgate/authgate/internal/models"
+
+templ MyApps(props MyAppsPageProps) {
+	@Layout("My Apps", LayoutHasNavbar, &props.NavbarProps) {
+		<link rel="stylesheet" href="/static/css/pages/admin-clients.css"/>
+		<div class="main-content">
+			<div class="container">
+				<div class="card">
+					<div class="admin-clients-header">
+						<h1 class="admin-clients-title">
+							<span class="admin-clients-title-icon">🗂️</span>
+							<span>My Apps</span>
+						</h1>
+						<a href="/apps/new" class="admin-create-btn">
+							<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+								<line x1="12" y1="5" x2="12" y2="19"></line>
+								<line x1="5" y1="12" x2="19" y2="12"></line>
+							</svg>
+							Register New App
+						</a>
+					</div>
+					@ClientsSearchBar("/apps", props.Search, props.PageSize)
+					if len(props.Apps) > 0 {
+						<div class="admin-clients-table-wrapper">
+							<table class="admin-clients-table">
+								<thead>
+									<tr>
+										<th class="col-client-name"><span>App Name</span></th>
+										<th class="col-client-id"><span>Client ID</span></th>
+										<th class="col-grant-types"><span>Grant Types</span></th>
+										<th class="col-status"><span>Approval Status</span></th>
+										<th class="col-created"><span>Created</span></th>
+										<th class="col-actions"><span>Actions</span></th>
+									</tr>
+								</thead>
+								<tbody>
+									for _, app := range props.Apps {
+										@MyAppTableRow(app)
+									}
+								</tbody>
+							</table>
+						</div>
+						@ClientsListPagination(props.Pagination, props.PageSize, props.Search, "/apps", "total apps")
+					} else {
+						<div class="empty-state">
+							<div class="empty-icon">
+								if props.Search != "" {
+									🔍
+								} else {
+									🗂️
+								}
+							</div>
+							<h3 class="empty-title">
+								if props.Search != "" {
+									No apps found
+								} else {
+									No apps yet
+								}
+							</h3>
+							<p class="empty-text">
+								if props.Search != "" {
+									Try adjusting your search terms or clear the filter.
+								} else {
+									Register your first OAuth application to let it use AuthGate for authentication.
+								}
+							</p>
+							if props.Search == "" {
+								<a href="/apps/new" class="admin-create-btn">
+									<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+										<line x1="12" y1="5" x2="12" y2="19"></line>
+										<line x1="5" y1="12" x2="19" y2="12"></line>
+									</svg>
+									Register Your First App
+								</a>
+							}
+						</div>
+					}
+				</div>
+			</div>
+		</div>
+	}
+}
+
+templ MyAppTableRow(app models.OAuthApplication) {
+	<tr>
+		<td>
+			<div class="client-name-cell">
+				<strong class="client-name-title">{ app.ClientName }</strong>
+				if app.Description != "" {
+					<div class="client-description" style="display:none;">{ app.Description }</div>
+				}
+			</div>
+		</td>
+		<td>
+			<div class="client-id client-id-box">{ app.ClientID }</div>
+		</td>
+		<td>
+			<code class="grant-types-code">{ app.GrantTypes }</code>
+		</td>
+		<td>
+			@ClientStatusBadge(app.Status)
+		</td>
+		<td class="created-date-cell">
+			<div class="date-display">
+				<span class="date-display-day">{ app.CreatedAt.Format("2006-01-02") }</span>
+				<span class="date-display-time">{ app.CreatedAt.Format("15:04") }</span>
+			</div>
+		</td>
+		<td>
+			<div class="actions">
+				<a href={ templ.URL("/apps/" + app.ClientID) } class="btn btn-secondary btn-small">View</a>
+				<a href={ templ.URL("/apps/" + app.ClientID + "/edit") } class="btn btn-secondary btn-small">Edit</a>
+			</div>
+		</td>
+	</tr>
+}
diff --git a/internal/templates/navbar_component.templ b/internal/templates/navbar_component.templ
index 9fe27852..a7653184 100644
--- a/internal/templates/navbar_component.templ
+++ b/internal/templates/navbar_component.templ
@@ -1,5 +1,7 @@
 package templates
 
+import "fmt"
+
 templ Navbar(props *NavbarProps) {
 	<nav class="navbar">
 		<div class="navbar-container">
@@ -16,10 +18,11 @@ templ Navbar(props *NavbarProps) {
 						@NavLink("/device", "Device Authorization", props.ActiveLink == "device")
 						@NavDropdown(
 							"Account",
-							props.ActiveLink == "sessions" || props.ActiveLink == "authorizations",
+							props.ActiveLink == "sessions" || props.ActiveLink == "authorizations" || props.ActiveLink == "my-apps",
 						) {
 							@NavDropdownItem("/account/sessions", "Active Sessions", props.ActiveLink == "sessions", false, false)
 							@NavDropdownItem("/account/authorizations", "Authorized Apps", props.ActiveLink == "authorizations", false, false)
+							@NavDropdownItem("/apps", "My Apps", props.ActiveLink == "my-apps", false, false)
 						}
 						@NavDropdown("Docs", props.ActiveLink == "docs-getting-started" || props.ActiveLink == "docs-device-flow" || props.ActiveLink == "docs-auth-code-flow") {
 							@NavDropdownItem("/docs/getting-started", "Getting Started", props.ActiveLink == "docs-getting-started", false, false)
@@ -32,7 +35,7 @@ templ Navbar(props *NavbarProps) {
 						if props.IsAdmin {
 							<div class="navbar-admin-divider" aria-hidden="true"></div>
 							@NavAdminDropdown(props.ActiveLink == "clients" || props.ActiveLink == "audit") {
-								@NavDropdownItem("/admin/clients", "OAuth Clients", props.ActiveLink == "clients", true, false)
+								@NavDropdownItemWithBadge("/admin/clients", "OAuth Clients", props.ActiveLink == "clients", props.PendingClientsCount)
 								@NavDropdownItem("/admin/audit", "Audit Logs", props.ActiveLink == "audit", true, false)
 							}
 						}
@@ -129,3 +132,20 @@ templ NavDropdownItem(href, label string, isActive bool, isAdmin bool, isExterna
 		{ label }
 	</a>
 }
+
+// NavDropdownItemWithBadge renders an admin dropdown item with an optional numeric badge.
+templ NavDropdownItemWithBadge(href, label string, isActive bool, badgeCount int) {
+	<a
+		href={ templ.URL(href) }
+		class={ templ.Classes("navbar-dropdown-item", templ.KV("active", isActive), "admin") }
+		role="menuitem"
+		style="display:flex;align-items:center;gap:var(--space-2);"
+	>
+		{ label }
+		if badgeCount > 0 {
+			<span style="display:inline-flex;align-items:center;justify-content:center;min-width:18px;height:18px;padding:0 5px;background:#EF4444;color:#fff;border-radius:9px;font-size:11px;font-weight:700;line-height:1;">
+				{ fmt.Sprintf("%d", badgeCount) }
+			</span>
+		}
+	</a>
+}
diff --git a/internal/templates/props.go b/internal/templates/props.go
index 8dd0fa77..4842997e 100644
--- a/internal/templates/props.go
+++ b/internal/templates/props.go
@@ -15,10 +15,11 @@ type BaseProps struct {
 
 // NavbarProps contains properties for the navigation bar
 type NavbarProps struct {
-	Username   string
-	FullName   string
-	IsAdmin    bool
-	ActiveLink string // "device", "sessions", "clients", "audit"
+	Username            string
+	FullName            string
+	IsAdmin             bool
+	ActiveLink          string // "device", "sessions", "clients", "audit"
+	PendingClientsCount int    // Badge count for admin → OAuth Clients link
 }
 
 // DisplayName returns FullName if set, otherwise Username.
@@ -91,12 +92,13 @@ type SessionsPageProps struct {
 type ClientsPageProps struct {
 	BaseProps
 	NavbarProps
-	User       *models.User
-	Clients    []services.ClientWithCreator
-	Pagination store.PaginationResult
-	Search     string
-	PageSize   int
-	Success    string
+	User         *models.User
+	Clients      []services.ClientWithCreator
+	Pagination   store.PaginationResult
+	Search       string
+	PageSize     int
+	Success      string
+	StatusFilter string // "pending", "active", "inactive", or "" for all
 }
 
 // ClientDisplay wraps OAuthApplication with string fields for template rendering
@@ -105,6 +107,7 @@ type ClientDisplay struct {
 	ClientID                    string
 	ClientName                  string
 	Description                 string
+	UserID                      string
 	Scopes                      string
 	GrantTypes                  string
 	RedirectURIs                string // Comma-separated string
@@ -113,6 +116,7 @@ type ClientDisplay struct {
 	EnableAuthCodeFlow          bool
 	EnableClientCredentialsFlow bool
 	IsActive                    bool
+	Status                      string // "pending", "active", "inactive"
 	CreatedAt                   time.Time
 	UpdatedAt                   time.Time
 }
@@ -226,6 +230,55 @@ type DocsPageProps struct {
 	Entries     []DocsEntry
 }
 
+// MyAppsPageProps contains properties for the user's own app list page
+type MyAppsPageProps struct {
+	BaseProps
+	NavbarProps
+	Apps       []models.OAuthApplication
+	Pagination store.PaginationResult
+	PageSize   int
+	Search     string
+}
+
+// UserClientFormPageProps contains properties for the user app create/edit form page
+type UserClientFormPageProps struct {
+	BaseProps
+	NavbarProps
+	Title  string
+	Action string
+	Method string
+	IsEdit bool
+	Client *ClientDisplay // nil when creating
+	Error  string
+}
+
+// UserClientDetailPageProps contains properties for the user app detail page
+type UserClientDetailPageProps struct {
+	BaseProps
+	NavbarProps
+	Client       *ClientDisplay
+	ActiveTokens int64
+	Success      string
+	Error        string
+}
+
+// UserClientCreatedPageProps contains properties for the post-creation page (one-time secret reveal)
+type UserClientCreatedPageProps struct {
+	BaseProps
+	NavbarProps
+	Client      *ClientDisplay
+	PlainSecret string
+}
+
+// ClientFormFieldsProps configures the shared client form fields component.
+type ClientFormFieldsProps struct {
+	Client                *ClientDisplay
+	IsEdit                bool
+	NameLabel             string // Display label: "App Name" (user) or "Client Name" (admin)
+	ShowClientCredentials bool   // Show Client Credentials Flow checkbox (admin only)
+	ScopePresetsOnly      bool   // Restrict scopes to preset chips only (user form)
+}
+
 // AuditLogsPageProps contains properties for the audit logs page
 type AuditLogsPageProps struct {
 	BaseProps
diff --git a/internal/templates/static/css/pages/admin-clients.css b/internal/templates/static/css/pages/admin-clients.css
index 022bbf08..5979bc08 100644
--- a/internal/templates/static/css/pages/admin-clients.css
+++ b/internal/templates/static/css/pages/admin-clients.css
@@ -302,6 +302,28 @@
   box-shadow: 0 3px 10px rgba(239, 68, 68, 0.4);
 }
 
+.btn-small.btn-success {
+  background: linear-gradient(135deg, #22C55E, #16A34A);
+  color: white;
+  box-shadow: 0 2px 6px rgba(34, 197, 94, 0.3);
+}
+
+.btn-small.btn-success:hover {
+  transform: translateY(-1px);
+  box-shadow: 0 3px 10px rgba(34, 197, 94, 0.4);
+}
+
+.btn-small.btn-warning {
+  background: linear-gradient(135deg, #F59E0B, #D97706);
+  color: white;
+  box-shadow: 0 2px 6px rgba(245, 158, 11, 0.3);
+}
+
+.btn-small.btn-warning:hover {
+  transform: translateY(-1px);
+  box-shadow: 0 3px 10px rgba(245, 158, 11, 0.4);
+}
+
 /* ============================================
    Responsive Design
    ============================================ */
diff --git a/internal/templates/user_app_created.templ b/internal/templates/user_app_created.templ
new file mode 100644
index 00000000..59bdaf23
--- /dev/null
+++ b/internal/templates/user_app_created.templ
@@ -0,0 +1,50 @@
+package templates
+
+templ UserAppCreated(props UserClientCreatedPageProps) {
+	@Layout("App Registered", LayoutHasNavbar, &props.NavbarProps) {
+		<link rel="stylesheet" href="/static/css/pages/admin-forms.css"/>
+		<div class="main-content">
+			<div class="admin-form-container">
+				<div class="card">
+					<div class="admin-form-header">
+						<h1 class="admin-form-title">App Registered! 🎉</h1>
+					</div>
+					<!-- Pending notice -->
+					<div style="margin-bottom:var(--space-4);padding:var(--space-3);background:rgba(245,158,11,0.1);border:1px solid rgba(245,158,11,0.3);border-radius:var(--radius-md);color:#92400E;">
+						<strong>⏳ Pending admin approval</strong> — Your app has been registered. An admin must approve it before it can be used for OAuth flows.
+					</div>
+					<!-- Client ID -->
+					<div class="admin-detail-section">
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">App Name</div>
+							<div class="admin-detail-value">{ props.Client.ClientName }</div>
+						</div>
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Client ID</div>
+							<div class="admin-detail-value">
+								<code class="client-id-box">{ props.Client.ClientID }</code>
+							</div>
+						</div>
+						if props.PlainSecret != "" {
+							<div class="admin-detail-row">
+								<div class="admin-detail-label">Client Secret</div>
+								<div class="admin-detail-value">
+									<div style="padding:var(--space-3);background:rgba(239,68,68,0.06);border:1px solid rgba(239,68,68,0.2);border-radius:var(--radius-md);">
+										<p style="margin:0 0 var(--space-2);color:var(--color-danger);font-weight:600;">
+											⚠️ This secret is shown only once. Copy it now.
+										</p>
+										<code class="client-id-box" style="word-break:break-all;">{ props.PlainSecret }</code>
+									</div>
+								</div>
+							</div>
+						}
+					</div>
+					<div class="admin-action-buttons">
+						<a href={ templ.URL("/apps/" + props.Client.ClientID) } class="admin-action-btn primary">View My App</a>
+						<a href="/apps" class="admin-action-btn secondary">← Back to My Apps</a>
+					</div>
+				</div>
+			</div>
+		</div>
+	}
+}
diff --git a/internal/templates/user_app_detail.templ b/internal/templates/user_app_detail.templ
new file mode 100644
index 00000000..7cb12bb4
--- /dev/null
+++ b/internal/templates/user_app_detail.templ
@@ -0,0 +1,136 @@
+package templates
+
+import (
+	"fmt"
+
+	"github.com/go-authgate/authgate/internal/models"
+)
+
+templ UserAppDetail(props UserClientDetailPageProps) {
+	@Layout(props.Client.ClientName, LayoutHasNavbar, &props.NavbarProps) {
+		<link rel="stylesheet" href="/static/css/pages/admin-forms.css"/>
+		<div class="main-content">
+			<div class="admin-form-container">
+				<div class="card">
+					<div class="admin-form-header">
+						<h1 class="admin-form-title">{ props.Client.ClientName }</h1>
+					</div>
+					@Alert(props.Error, AlertError)
+					@Alert(props.Success, AlertSuccess)
+					<!-- Approval Status Banner -->
+					switch props.Client.Status {
+						case models.ClientStatusPending:
+							<div style="margin-bottom:var(--space-4);padding:var(--space-3);background:rgba(245,158,11,0.1);border:1px solid rgba(245,158,11,0.3);border-radius:var(--radius-md);color:#92400E;">
+								<strong>⏳ Awaiting admin approval</strong> — Your app has been registered and is pending review. It cannot be used for OAuth flows until an admin approves it.
+							</div>
+						case models.ClientStatusInactive:
+							<div style="margin-bottom:var(--space-4);padding:var(--space-3);background:rgba(239,68,68,0.08);border:1px solid rgba(239,68,68,0.25);border-radius:var(--radius-md);color:#991B1B;">
+								<strong>❌ App rejected / inactive</strong> — This app has been rejected or deactivated by an admin. Contact your administrator for more information.
+							</div>
+						default:
+							<div style="margin-bottom:var(--space-4);padding:var(--space-3);background:rgba(34,197,94,0.1);border:1px solid rgba(34,197,94,0.3);border-radius:var(--radius-md);color:#166534;">
+								<strong>✅ Active</strong> — Your app is approved and can be used for OAuth flows.
+							</div>
+					}
+					<div class="admin-detail-section">
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Client ID</div>
+							<div class="admin-detail-value">{ props.Client.ClientID }</div>
+						</div>
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">App Name</div>
+							<div class="admin-detail-value">{ props.Client.ClientName }</div>
+						</div>
+						if props.Client.Description != "" {
+							<div class="admin-detail-row">
+								<div class="admin-detail-label">Description</div>
+								<div class="admin-detail-value">{ props.Client.Description }</div>
+							</div>
+						}
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Client Type</div>
+							<div class="admin-detail-value">
+								if props.Client.ClientType == "public" {
+									<span class="status-badge" style="background:rgba(245,158,11,0.1);color:#D97706;border:1px solid rgba(245,158,11,0.3);">Public</span>
+								} else {
+									<span class="status-badge" style="background:rgba(0,114,255,0.1);color:#0072ff;border:1px solid rgba(0,114,255,0.3);">Confidential</span>
+								}
+							</div>
+						</div>
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Scopes</div>
+							<div class="admin-detail-value">{ props.Client.Scopes }</div>
+						</div>
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Grant Types</div>
+							<div class="admin-detail-value">{ props.Client.GrantTypes }</div>
+						</div>
+						if props.Client.RedirectURIs != "" {
+							<div class="admin-detail-row">
+								<div class="admin-detail-label">Redirect URIs</div>
+								<div class="admin-detail-value">{ props.Client.RedirectURIs }</div>
+							</div>
+						}
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Active Tokens</div>
+							<div class="admin-detail-value">{ fmt.Sprintf("%d", props.ActiveTokens) }</div>
+						</div>
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Created At</div>
+							<div class="admin-detail-value">{ props.Client.CreatedAt.Format("2006-01-02 15:04:05") }</div>
+						</div>
+						<div class="admin-detail-row">
+							<div class="admin-detail-label">Updated At</div>
+							<div class="admin-detail-value">{ props.Client.UpdatedAt.Format("2006-01-02 15:04:05") }</div>
+						</div>
+					</div>
+					<!-- Actions -->
+					<div class="admin-action-buttons">
+						<a href={ templ.URL("/apps/" + props.Client.ClientID + "/edit") } class="admin-action-btn primary">
+							✏️ Edit App
+						</a>
+						if props.Client.ClientType == "confidential" {
+							<a
+								href={ templ.URL("/apps/" + props.Client.ClientID + "/regenerate-secret") }
+								class="admin-action-btn secondary"
+								onclick="return confirm('Are you sure? This will invalidate the current secret.');"
+							>
+								🔄 Regenerate Secret
+							</a>
+						}
+						<a href="/apps" class="admin-action-btn secondary">← Back to My Apps</a>
+					</div>
+					<!-- Danger Zone: Delete -->
+					if props.Client.Status != models.ClientStatusActive {
+						<div class="admin-danger-zone">
+							<div class="admin-danger-zone-header">
+								<h3 class="admin-danger-zone-title">⚠️ Danger Zone</h3>
+								<p class="admin-danger-zone-desc">
+									Deleting this app is irreversible. Active apps must be deactivated by an admin before they can be deleted.
+								</p>
+							</div>
+							<div class="admin-danger-zone-body">
+								<div class="admin-danger-item">
+									<div class="admin-danger-item-info">
+										<strong>Delete App</strong>
+										<span>Permanently remove this app and all associated data.</span>
+									</div>
+									<form method="POST" action={ templ.URL("/apps/" + props.Client.ClientID + "/delete") } style="margin:0;">
+										<input type="hidden" name="csrf_token" value={ props.CSRFToken }/>
+										<button
+											type="submit"
+											class="admin-action-btn danger"
+											onclick="return confirm('Delete this app permanently? This cannot be undone.')"
+										>
+											Delete App
+										</button>
+									</form>
+								</div>
+							</div>
+						</div>
+					}
+				</div>
+			</div>
+		</div>
+	}
+}
diff --git a/internal/templates/user_app_form.templ b/internal/templates/user_app_form.templ
new file mode 100644
index 00000000..bee29467
--- /dev/null
+++ b/internal/templates/user_app_form.templ
@@ -0,0 +1,42 @@
+package templates
+
+templ UserAppForm(props UserClientFormPageProps) {
+	@Layout(props.Title, LayoutHasNavbar, &props.NavbarProps) {
+		<link rel="stylesheet" href="/static/css/pages/admin-forms.css"/>
+		<div class="main-content">
+			<div class="admin-form-container">
+				<div class="card">
+					<div class="admin-form-header">
+						<h1 class="admin-form-title">{ props.Title }</h1>
+					</div>
+					@Alert(props.Error, AlertError)
+					if !props.IsEdit {
+						<div class="admin-info-notice" style="margin-bottom:var(--space-4);padding:var(--space-3);background:rgba(59,130,246,0.08);border:1px solid rgba(59,130,246,0.25);border-radius:var(--radius-md);color:var(--color-text-secondary);">
+							<strong>Note:</strong> New apps require admin approval before they can be used for OAuth flows. You will see a <em>Pending</em> status until an admin reviews your request.
+						</div>
+					}
+					<form method={ props.Method } action={ templ.URL(props.Action) } class="admin-form">
+						<input type="hidden" name="csrf_token" value={ props.CSRFToken }/>
+						@ClientFormCommonFields(ClientFormFieldsProps{
+							Client:                props.Client,
+							IsEdit:                props.IsEdit,
+							NameLabel:             "App Name",
+							ShowClientCredentials: false,
+							ScopePresetsOnly:      true,
+						})
+						<div class="admin-form-actions">
+							<button type="submit" class="admin-form-submit-btn">
+								if props.IsEdit {
+									Update App
+								} else {
+									Register App
+								}
+							</button>
+							<a href="/apps" class="admin-form-cancel-btn">Cancel</a>
+						</div>
+					</form>
+				</div>
+			</div>
+		</div>
+	}
+}