diff --git a/drizzle/0001_green_warpath.sql b/drizzle/0001_green_warpath.sql
new file mode 100644
index 0000000..d552e90
--- /dev/null
+++ b/drizzle/0001_green_warpath.sql
@@ -0,0 +1 @@
+ALTER TABLE "applications" ADD COLUMN "metadata" jsonb DEFAULT '{}'::jsonb NOT NULL;
\ No newline at end of file
diff --git a/drizzle/meta/_journal.json b/drizzle/meta/_journal.json
index 19799fd..d119863 100644
--- a/drizzle/meta/_journal.json
+++ b/drizzle/meta/_journal.json
@@ -8,6 +8,13 @@
       "when": 1776085749779,
       "tag": "0000_initial_schema",
       "breakpoints": false
+    },
+    {
+      "idx": 1,
+      "version": "7",
+      "when": 1777905152125,
+      "tag": "0001_green_warpath",
+      "breakpoints": true
     }
   ]
-}
+}
\ No newline at end of file
diff --git a/frontend/src/api/applications.ts b/frontend/src/api/applications.ts
index f4b24db..9b26c09 100644
--- a/frontend/src/api/applications.ts
+++ b/frontend/src/api/applications.ts
@@ -30,6 +30,14 @@ export interface CreateApplicationBody {
   url?: string
   icon?: string
   enabledSocialProviders?: string[] | null
+  /**
+   * Free-form per-application metadata. Stored as a flat string→string map
+   * and surfaced inside the JWT under the `client_attrs` field for resource
+   * servers (e.g. EMQX uses `client_attrs.NAME` in its ACL placeholders).
+   * Reserved JWT claim names (sub, iss, aud, exp, etc.) are rejected
+   * server-side; keys must be valid identifiers.
+   */
+  metadata?: Record<string, string>
 }
 
 export async function createApplication(body: CreateApplicationBody): Promise<ApplicationCreateResponse> {
@@ -49,6 +57,7 @@ export async function createApplication(body: CreateApplicationBody): Promise<Ap
       url: body.url ?? null,
       icon: body.icon ?? null,
       enabledSocialProviders: body.enabledSocialProviders ?? null,
+      metadata: body.metadata ?? {},
       createdAt: new Date().toISOString(),
       updatedAt: new Date().toISOString(),
     };
diff --git a/frontend/src/components/applications/ApplicationFormModal.vue b/frontend/src/components/applications/ApplicationFormModal.vue
index cf43e38..d232556 100644
--- a/frontend/src/components/applications/ApplicationFormModal.vue
+++ b/frontend/src/components/applications/ApplicationFormModal.vue
@@ -45,8 +45,16 @@ const form = ref({
   allowedScopes: ['openid', 'profile', 'email', 'roles', 'permissions', 'features'] as string[],
   redirectUris: [''] as string[],
   enabledSocialProviders: null as string[] | null,
+  // Metadata is edited as an ordered list of key/value pairs in the UI;
+  // we serialize back to a plain Record<string, string> on submit. Keys must
+  // be valid identifiers (server enforces /^[a-zA-Z_][a-zA-Z0-9_]*$/) and
+  // both keys/values are strings (EMQX `client_attrs` contract).
+  metadata: [] as Array<{ key: string; value: string }>,
 });
 
+// Validate identifier-style keys client-side (server enforces too).
+const METADATA_KEY_RE = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+
 function slugify(name: string) {
   return name.toLowerCase().replace(/\s+/g, '-').replace(/[^a-z0-9-]/g, '');
 }
@@ -102,6 +110,10 @@ watch(
         enabledSocialProviders: a.enabledSocialProviders
           ? [...a.enabledSocialProviders]
           : null,
+        metadata: Object.entries(a.metadata ?? {}).map(([key, value]) => ({
+          key,
+          value: String(value),
+        })),
       };
     } else {
       lastAutoRedirectUri.value = '';
@@ -119,6 +131,7 @@ watch(
         allowedScopes: ['openid', 'profile', 'email', 'roles', 'permissions', 'features'],
         redirectUris: [''],
         enabledSocialProviders: null,
+        metadata: [],
       };
     }
   },
@@ -179,9 +192,46 @@ function removeRedirectUri(i: number) {
   form.value.redirectUris.splice(i, 1);
 }
 
+function addMetadataEntry() {
+  form.value.metadata.push({ key: '', value: '' });
+}
+function removeMetadataEntry(i: number) {
+  form.value.metadata.splice(i, 1);
+}
+function isMetadataKeyValid(key: string): boolean {
+  return key === '' || METADATA_KEY_RE.test(key);
+}
+const metadataDuplicateKeys = computed<Set<string>>(() => {
+  const seen = new Map<string, number>();
+  for (const { key } of form.value.metadata) {
+    if (!key) continue;
+    seen.set(key, (seen.get(key) ?? 0) + 1);
+  }
+  return new Set([...seen.entries()].filter(([, n]) => n > 1).map(([k]) => k));
+});
+const metadataHasError = computed(() => {
+  if (metadataDuplicateKeys.value.size > 0) return true;
+  return form.value.metadata.some(
+    ({ key, value }) =>
+      // Empty rows are silently dropped on submit, but a row with only one
+      // side filled is an error.
+      (key === '' && value !== '') || (key !== '' && !METADATA_KEY_RE.test(key)),
+  );
+});
+
 async function submit() {
   if (!form.value.name) return;
   if (!isEdit.value && !form.value.slug) return;
+  if (metadataHasError.value) {
+    toast.error(t('applications.metadataInvalid'));
+    return;
+  }
+  // Drop empty rows; collapse to a plain Record<string, string>.
+  const metadata: Record<string, string> = {};
+  for (const { key, value } of form.value.metadata) {
+    if (!key) continue;
+    metadata[key] = value;
+  }
   loading.value = true;
   try {
     const body = {
@@ -196,6 +246,7 @@ async function submit() {
       allowedScopes: form.value.allowedScopes,
       redirectUris: form.value.redirectUris.filter(Boolean),
       enabledSocialProviders: form.value.enabledSocialProviders,
+      metadata,
     };
     if (isEdit.value && props.application) {
       const res = await updateApplication(props.application.id, body);
@@ -352,6 +403,69 @@ async function submit() {
           </div>
         </div>
       </div>
+
+      <!--
+        Metadata: per-application key/value pairs that AuthService injects
+        into JWTs under the `client_attrs` field. Used by resource servers
+        such as EMQX (ACL via `${client_attrs.NAME}` placeholders).
+        Keys must be valid identifiers (server-enforced), values are strings.
+      -->
+      <div>
+        <div class="flex items-center justify-between mb-2">
+          <p class="text-xs font-medium text-surface-500 uppercase tracking-wider">
+            {{ t('applications.metadata') }}
+          </p>
+          <button
+            type="button"
+            @click="addMetadataEntry"
+            class="text-xs text-primary-400 hover:text-primary-300 transition-colors font-medium"
+          >
+            + {{ t('applications.addMetadataEntry') }}
+          </button>
+        </div>
+        <p class="text-xs text-surface-500 mb-2">
+          {{ t('applications.metadataDescription') }}
+        </p>
+        <div v-if="form.metadata.length === 0" class="text-xs text-surface-600 italic py-1">
+          {{ t('applications.metadataEmpty') }}
+        </div>
+        <div v-else class="space-y-2">
+          <div
+            v-for="(entry, i) in form.metadata"
+            :key="i"
+            class="flex gap-2"
+          >
+            <input
+              v-model="entry.key"
+              :placeholder="t('applications.metadataKeyPlaceholder')"
+              :class="[
+                'w-1/3 px-3 py-2 text-sm bg-surface-800/80 border rounded-md text-surface-100 placeholder:text-surface-600 focus:outline-none focus:ring-2 focus:ring-primary-500/40 focus:border-primary-500/60 transition-all font-mono',
+                isMetadataKeyValid(entry.key) && !metadataDuplicateKeys.has(entry.key)
+                  ? 'border-surface-700/60'
+                  : 'border-red-500/60',
+              ]"
+            />
+            <input
+              v-model="entry.value"
+              :placeholder="t('applications.metadataValuePlaceholder')"
+              class="flex-1 px-3 py-2 text-sm bg-surface-800/80 border border-surface-700/60 rounded-md text-surface-100 placeholder:text-surface-600 focus:outline-none focus:ring-2 focus:ring-primary-500/40 focus:border-primary-500/60 transition-all"
+            />
+            <button
+              type="button"
+              @click="removeMetadataEntry(i)"
+              class="px-2 text-surface-600 hover:text-red-400 transition-colors text-lg leading-none"
+            >
+              ✕
+            </button>
+          </div>
+        </div>
+        <p
+          v-if="metadataDuplicateKeys.size > 0"
+          class="text-xs text-red-400 mt-2"
+        >
+          {{ t('applications.metadataDuplicateKey') }}
+        </p>
+      </div>
     </form>
     <template #footer>
       <BaseButton variant="ghost" @click="emit('close')">{{ t('common.cancel') }}</BaseButton>
diff --git a/frontend/src/i18n/en.ts b/frontend/src/i18n/en.ts
index d8cf2da..5cd24e7 100644
--- a/frontend/src/i18n/en.ts
+++ b/frontend/src/i18n/en.ts
@@ -200,6 +200,15 @@ export default {
     addRedirectUri: 'Add redirect URI',
     inheritProviders: 'Inherit global config',
     overrideProviders: 'Override providers',
+    metadata: 'Metadata (JWT client_attrs)',
+    metadataDescription:
+      'Per-application key/value pairs surfaced to resource servers via the JWT `client_attrs` field. Used for example by EMQX ACL placeholders such as ${client_attrs.agent_owner}.',
+    metadataEmpty: 'No metadata. Add an entry to attach custom claims to issued tokens.',
+    metadataKeyPlaceholder: 'key (identifier)',
+    metadataValuePlaceholder: 'value (string)',
+    addMetadataEntry: 'Add entry',
+    metadataDuplicateKey: 'Duplicate key \u2014 each metadata key must be unique.',
+    metadataInvalid: 'Metadata contains invalid keys. Keys must be valid identifiers and unique.',
     filterActive: 'Filter by active',
     filterType: 'Filter by type',
     filterMfa: 'Filter by MFA',
diff --git a/frontend/src/i18n/fr.ts b/frontend/src/i18n/fr.ts
index 3ec1934..af2a9f6 100644
--- a/frontend/src/i18n/fr.ts
+++ b/frontend/src/i18n/fr.ts
@@ -200,6 +200,15 @@ export default {
     addRedirectUri: 'Ajouter une URI',
     inheritProviders: 'Hériter de la config globale',
     overrideProviders: 'Remplacer les fournisseurs',
+    metadata: 'Métadonnées (JWT client_attrs)',
+    metadataDescription:
+      'Paires clé/valeur spécifiques à l’application, exposées aux services consommateurs via le champ JWT `client_attrs`. Utilisées par exemple par les ACL EMQX via ${client_attrs.agent_owner}.',
+    metadataEmpty: 'Aucune métadonnée. Ajoutez une entrée pour injecter des claims personnalisés dans les tokens.',
+    metadataKeyPlaceholder: 'clé (identifiant)',
+    metadataValuePlaceholder: 'valeur (chaîne)',
+    addMetadataEntry: 'Ajouter une entrée',
+    metadataDuplicateKey: 'Clé dupliquée — chaque clé de métadonnées doit être unique.',
+    metadataInvalid: 'Les métadonnées contiennent des clés invalides. Les clés doivent être des identifiants valides et uniques.',
     filterActive: 'Filtrer par statut',
     filterType: 'Filtrer par type',
     filterMfa: 'Filtrer par MFA',
diff --git a/frontend/src/mocks/data.ts b/frontend/src/mocks/data.ts
index a9af40b..148ea19 100644
--- a/frontend/src/mocks/data.ts
+++ b/frontend/src/mocks/data.ts
@@ -126,6 +126,7 @@ export const MOCK_APPLICATIONS: Application[] = [
     url: 'https://dashboard.circle.internal',
     icon: null,
     enabledSocialProviders: null,
+    metadata: {},
     createdAt: '2024-01-15T10:00:00.000Z',
     updatedAt: '2024-11-01T12:00:00.000Z',
   },
@@ -144,6 +145,7 @@ export const MOCK_APPLICATIONS: Application[] = [
     url: 'https://app.acme.com',
     icon: 'https://acme.com/favicon.ico',
     enabledSocialProviders: ['google', 'github'],
+    metadata: {},
     createdAt: '2024-03-22T14:30:00.000Z',
     updatedAt: '2024-10-15T09:45:00.000Z',
   },
@@ -162,6 +164,7 @@ export const MOCK_APPLICATIONS: Application[] = [
     url: null,
     icon: null,
     enabledSocialProviders: [],
+    metadata: { client_kind: 'server' },
     createdAt: '2024-06-01T08:00:00.000Z',
     updatedAt: '2024-06-01T08:00:00.000Z',
   },
diff --git a/frontend/src/mocks/mocks/data.ts b/frontend/src/mocks/mocks/data.ts
index a9af40b..148ea19 100644
--- a/frontend/src/mocks/mocks/data.ts
+++ b/frontend/src/mocks/mocks/data.ts
@@ -126,6 +126,7 @@ export const MOCK_APPLICATIONS: Application[] = [
     url: 'https://dashboard.circle.internal',
     icon: null,
     enabledSocialProviders: null,
+    metadata: {},
     createdAt: '2024-01-15T10:00:00.000Z',
     updatedAt: '2024-11-01T12:00:00.000Z',
   },
@@ -144,6 +145,7 @@ export const MOCK_APPLICATIONS: Application[] = [
     url: 'https://app.acme.com',
     icon: 'https://acme.com/favicon.ico',
     enabledSocialProviders: ['google', 'github'],
+    metadata: {},
     createdAt: '2024-03-22T14:30:00.000Z',
     updatedAt: '2024-10-15T09:45:00.000Z',
   },
@@ -162,6 +164,7 @@ export const MOCK_APPLICATIONS: Application[] = [
     url: null,
     icon: null,
     enabledSocialProviders: [],
+    metadata: { client_kind: 'server' },
     createdAt: '2024-06-01T08:00:00.000Z',
     updatedAt: '2024-06-01T08:00:00.000Z',
   },
diff --git a/frontend/src/types/index.ts b/frontend/src/types/index.ts
index bdcb969..bc92a6b 100644
--- a/frontend/src/types/index.ts
+++ b/frontend/src/types/index.ts
@@ -67,6 +67,7 @@ export interface Application {
   url: string | null
   icon: string | null
   enabledSocialProviders: string[] | null
+  metadata: Record<string, string>
   createdAt: string
   updatedAt: string
 }
diff --git a/src/auth.ts b/src/auth.ts
index 8bd7548..17263aa 100644
--- a/src/auth.ts
+++ b/src/auth.ts
@@ -26,6 +26,50 @@ import { APIError } from "better-auth";
 
 const schema = { ...authSchema, ...customSchema };
 
+/**
+ * Reserved JWT claim names (mirror of admin route validation). Any per-app
+ * metadata key matching one of these is silently dropped at injection time as
+ * a defence-in-depth measure: even if an admin bypassed the input validator,
+ * we never let user-provided values shadow OAuth-managed claims.
+ */
+const RESERVED_JWT_CLAIMS = new Set([
+  "sub", "aud", "iss", "exp", "iat", "nbf", "jti",
+  "scope", "scopes", "azp", "client_id", "token_type",
+  "auth_time", "acr", "amr", "client_attrs",
+]);
+
+/**
+ * Resolve and sanitise the per-application metadata for a given client slug,
+ * returning a JWT fragment of the shape `{ client_attrs: { ... } }` ready to
+ * be merged into the access / id / userinfo token.
+ *
+ * The fragment is empty (no `client_attrs` field at all) when the slug is
+ * missing, the application does not exist, or its metadata is empty — so we
+ * never emit a noisy empty object.
+ *
+ * String-typed values only: this matches EMQX 5's JWT → client_attrs contract
+ * ("both keys and values must be of string type"), which is the de-facto
+ * convention for resource servers that consume per-client attributes.
+ */
+async function getApplicationMetadataClaims(
+  clientId: string | undefined,
+): Promise<Record<string, unknown>> {
+  if (!clientId) return {};
+  const [row] = await db
+    .select({ metadata: applications.metadata })
+    .from(applications)
+    .where(eq(applications.slug, clientId))
+    .limit(1);
+  const meta = (row?.metadata ?? {}) as Record<string, unknown>;
+  const attrs: Record<string, string> = {};
+  for (const [k, v] of Object.entries(meta)) {
+    if (RESERVED_JWT_CLAIMS.has(k)) continue;
+    if (typeof v === "string") attrs[k] = v;
+  }
+  if (Object.keys(attrs).length === 0) return {};
+  return { client_attrs: attrs };
+}
+
 export const auth = betterAuth({
   database: drizzleAdapter(db, { provider: "pg", schema }),
   secret: config.betterAuth.secret,
@@ -284,15 +328,19 @@ export const auth = betterAuth({
             }
           }
         }
-        return getUserClaims(user.id, clientId, scopes, {
-          email: (user as Record<string, unknown>).email as string | null | undefined,
-          emailVerified: (user as Record<string, unknown>).emailVerified as boolean | null | undefined,
-          name: (user as Record<string, unknown>).name as string | null | undefined,
-          company: (user as Record<string, unknown>).company as string | null | undefined,
-          image: (user as Record<string, unknown>).image as string | null | undefined,
-          phone: (user as Record<string, unknown>).phone as string | null | undefined,
-          updatedAt: (user as Record<string, unknown>).updatedAt as Date | null | undefined,
-        });
+        return {
+          ...(await getUserClaims(user.id, clientId, scopes, {
+            email: (user as Record<string, unknown>).email as string | null | undefined,
+            emailVerified: (user as Record<string, unknown>).emailVerified as boolean | null | undefined,
+            name: (user as Record<string, unknown>).name as string | null | undefined,
+            company: (user as Record<string, unknown>).company as string | null | undefined,
+            image: (user as Record<string, unknown>).image as string | null | undefined,
+            phone: (user as Record<string, unknown>).phone as string | null | undefined,
+            updatedAt: (user as Record<string, unknown>).updatedAt as Date | null | undefined,
+          })),
+          // Per-app metadata claims (additive; reserved keys are filtered).
+          ...(await getApplicationMetadataClaims(clientId)),
+        };
       },
       // `customIdTokenClaims` only affects the ID token; this callback is what
       // puts roles/permissions/features/email/name/org_id in the Bearer JWT that
@@ -301,10 +349,14 @@ export const auth = betterAuth({
       // `referenceId` is the org ID stored at consent time via postLogin flow.
       // `metadata.clientId` holds the OAuth client slug (application slug).
       customAccessTokenClaims: async ({ user, scopes, metadata, referenceId }) => {
-        // `user` is null for client_credentials grants (machine-to-machine)
-        if (!user) return {};
         const clientId = (metadata as Record<string, unknown> | undefined)
           ?.clientId as string | undefined;
+        // Per-app metadata is injected for BOTH user-bound and
+        // client_credentials grants under the JWT `client_attrs` field. For
+        // machine-to-machine tokens this is the sole source of custom claims
+        // (no user → no roles/permissions/features).
+        const appAttrs = await getApplicationMetadataClaims(clientId);
+        if (!user) return appAttrs;
         const claims = await getUserClaims(user.id, clientId, scopes, {
           email: (user as Record<string, unknown>).email as string | null | undefined,
           emailVerified: (user as Record<string, unknown>).emailVerified as boolean | null | undefined,
@@ -319,7 +371,7 @@ export const auth = betterAuth({
         if (scopes.includes("org") && referenceId) {
           (claims as Record<string, unknown>).org_id = referenceId;
         }
-        return claims;
+        return { ...claims, ...appAttrs };
       },
       // Same data in /oauth2/userinfo response.
       // clientId is read from the access token's azp (authorized party) claim.
@@ -327,15 +379,18 @@ export const auth = betterAuth({
         const clientId = (jwt as Record<string, unknown>)?.azp as
           | string
           | undefined;
-        return getUserClaims(user.id, clientId, scopes, {
-          email: (user as Record<string, unknown>).email as string | null | undefined,
-          emailVerified: (user as Record<string, unknown>).emailVerified as boolean | null | undefined,
-          name: (user as Record<string, unknown>).name as string | null | undefined,
-          company: (user as Record<string, unknown>).company as string | null | undefined,
-          image: (user as Record<string, unknown>).image as string | null | undefined,
-          phone: (user as Record<string, unknown>).phone as string | null | undefined,
-          updatedAt: (user as Record<string, unknown>).updatedAt as Date | null | undefined,
-        });
+        return {
+          ...(await getUserClaims(user.id, clientId, scopes, {
+            email: (user as Record<string, unknown>).email as string | null | undefined,
+            emailVerified: (user as Record<string, unknown>).emailVerified as boolean | null | undefined,
+            name: (user as Record<string, unknown>).name as string | null | undefined,
+            company: (user as Record<string, unknown>).company as string | null | undefined,
+            image: (user as Record<string, unknown>).image as string | null | undefined,
+            phone: (user as Record<string, unknown>).phone as string | null | undefined,
+            updatedAt: (user as Record<string, unknown>).updatedAt as Date | null | undefined,
+          })),
+          ...(await getApplicationMetadataClaims(clientId)),
+        };
       },
       // When the "org" scope is requested: after login, determine whether we need
       // to redirect the user to the org-selection page (postLogin flow).
diff --git a/src/db/schema.ts b/src/db/schema.ts
index 1d8f674..9fa56f8 100644
--- a/src/db/schema.ts
+++ b/src/db/schema.ts
@@ -32,6 +32,12 @@ export const applications = pgTable(
     url: text("url"),
     icon: text("icon"),
     enabledSocialProviders: text("enabled_social_providers").array(),
+    // Free-form per-application metadata. Stored as a flat string→string map
+    // and surfaced inside the JWT under the `client_attrs` field (per EMQX 5
+    // / RFC-style client attribute convention). Resource servers reference
+    // entries via placeholders such as ${client_attrs.agent_owner}. Reserved
+    // OIDC/OAuth claim names are filtered out at injection time.
+    metadata: jsonb("metadata").notNull().default({}),
     createdAt: timestamp("created_at", { withTimezone: true })
       .defaultNow()
       .notNull(),
diff --git a/src/routes/admin/applications.ts b/src/routes/admin/applications.ts
index 5a2641e..d868ba7 100644
--- a/src/routes/admin/applications.ts
+++ b/src/routes/admin/applications.ts
@@ -34,6 +34,45 @@ function hashClientSecret(secret: string): string {
   return createHash("sha256").update(secret).digest().toString("base64url");
 }
 
+/**
+ * Reserved JWT claim names that MUST NOT be overridden via per-application
+ * metadata. These are managed by the OAuth provider itself.
+ */
+const RESERVED_JWT_CLAIMS = new Set([
+  "sub",
+  "aud",
+  "iss",
+  "exp",
+  "iat",
+  "nbf",
+  "jti",
+  "scope",
+  "scopes",
+  "azp",
+  "client_id",
+  "token_type",
+  "auth_time",
+  "acr",
+  "amr",
+]);
+
+/**
+ * Zod schema for the `metadata` field on applications. Values are restricted
+ * to strings because they are surfaced to resource servers via the JWT
+ * `client_attrs` field, whose contract requires string-typed entries (see
+ * EMQX 5 JWT authn / client attributes spec). Keep keys to safe identifiers.
+ */
+const metadataSchema = z
+  .record(z.string().max(256))
+  .refine(
+    (m) => Object.keys(m).every((k) => !RESERVED_JWT_CLAIMS.has(k)),
+    { message: "metadata keys must not collide with reserved JWT claims" },
+  )
+  .refine(
+    (m) => Object.keys(m).every((k) => /^[a-zA-Z_][a-zA-Z0-9_]*$/.test(k)),
+    { message: "metadata keys must be valid identifiers (letters, digits, underscore)" },
+  );
+
 // ── Middleware ────────────────────────────────────────────────────────────────
 
 async function requireAdmin(
@@ -81,6 +120,7 @@ const createAppSchema = z.object({
     .array(z.enum(["google", "github", "linkedin", "microsoft", "apple"]))
     .nullable()
     .optional(),
+  metadata: metadataSchema.optional().default({}),
 });
 
 const updateAppSchema = createAppSchema.partial().omit({ slug: true, isPublic: true });
@@ -150,6 +190,7 @@ export async function applicationRoutes(
           url: data.url,
           icon: data.icon,
           enabledSocialProviders: data.enabledSocialProviders ?? null,
+          metadata: data.metadata ?? {},
         })
         .returning();