diff --git a/.gitignore b/.gitignore
index 3c4efe2..376a0b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -258,4 +258,7 @@ paket-files/
 
 # Python Tools for Visual Studio (PTVS)
 __pycache__/
-*.pyc
\ No newline at end of file
+*.pyc
+
+# Git worktrees
+.worktrees/
\ No newline at end of file
diff --git a/README.md b/README.md
index e1c17eb..e650a12 100644
--- a/README.md
+++ b/README.md
@@ -7,6 +7,12 @@
 - [LtiAdvantage.IntegrationTests](https://github.com/LtiLibrary/LtiAdvantage/tree/master/test/LtiAdvantage.IntegrationTests) integration tests.
 - [LtiAdvantage.UnitTests](https://github.com/LtiLibrary/LtiAdvantage/tree/master/test/LtiAdvantage.UnitTests) unit tests.
 
+### What's new
+
+- [LTI Submission Review 1.0](https://www.imsglobal.org/spec/lti-sr/v1p0) (`LtiSubmissionReviewRequest`, `for_user` claim, AGS `submissionReview` extension)
+- [JWKS publishing](https://www.imsglobal.org/spec/security/v1p0#tool-jwk-set-url) (`JwksControllerBase` + `IJwksKeyStore`) for `/.well-known/jwks.json`
+- [LTI Dynamic Registration 1.0](https://www.imsglobal.org/spec/lti-dr/v1p0) — tool-side `HttpClient` extensions and platform-side `DynamicRegistrationControllerBase`
+
 ## NuGet
 | Library | Release | Prerelease |
 | --- | --- | --- |
diff --git a/src/LtiAdvantage.AspNetCore/DynamicRegistration/DynamicRegistrationControllerBase.cs b/src/LtiAdvantage.AspNetCore/DynamicRegistration/DynamicRegistrationControllerBase.cs
new file mode 100644
index 0000000..6180c96
--- /dev/null
+++ b/src/LtiAdvantage.AspNetCore/DynamicRegistration/DynamicRegistrationControllerBase.cs
@@ -0,0 +1,76 @@
+using System;
+using System.ComponentModel.DataAnnotations;
+using System.Threading.Tasks;
+using LtiAdvantage.DynamicRegistration;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace LtiAdvantage.AspNetCore.DynamicRegistration
+{
+    /// <summary>
+    /// Platform-side endpoint for LTI Dynamic Registration 1.0.
+    /// See https://www.imsglobal.org/spec/lti-dr/v1p0/#registration-endpoint
+    /// </summary>
+    [ApiController]
+    [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
+    public abstract class DynamicRegistrationControllerBase : ControllerBase, IDynamicRegistrationController
+    {
+        private readonly IWebHostEnvironment _env;
+        private readonly ILogger<DynamicRegistrationControllerBase> _logger;
+
+        /// <summary>Initializes the base.</summary>
+        protected DynamicRegistrationControllerBase(IWebHostEnvironment env, ILogger<DynamicRegistrationControllerBase> logger)
+        {
+            _env = env;
+            _logger = logger;
+        }
+
+        /// <summary>
+        /// Persist the registration. Implementations MUST set <see cref="ToolConfiguration.ClientId"/>
+        /// on <c>request.Tool</c> (or return a new instance) before returning.
+        /// </summary>
+        protected abstract Task<ActionResult<ToolConfiguration>> OnRegisterAsync(RegisterToolRequest request);
+
+        /// <inheritdoc />
+        [HttpPost]
+        [Consumes("application/json")]
+        [Produces("application/json")]
+        [ProducesResponseType(typeof(ToolConfiguration), StatusCodes.Status201Created)]
+        [ProducesResponseType(StatusCodes.Status400BadRequest)]
+        [ProducesResponseType(typeof(ProblemDetails), StatusCodes.Status500InternalServerError)]
+        [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme,
+            Policy = Constants.LtiScopes.DynamicRegistration.Scope)]
+        [Route("lti/register", Name = "lti-dynamic-registration")]
+        public async Task<ActionResult<ToolConfiguration>> RegisterAsync([Required] [FromBody] ToolConfiguration tool)
+        {
+            try
+            {
+                _logger.LogDebug($"Entering {nameof(RegisterAsync)}.");
+                var result = await OnRegisterAsync(new RegisterToolRequest(tool)).ConfigureAwait(false);
+                if (result.Result is ObjectResult o && o.StatusCode == null) o.StatusCode = StatusCodes.Status201Created;
+                else if (result.Value != null && result.Result == null) return Created(string.Empty, result.Value);
+                return result;
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, $"An unexpected error occurred in {nameof(RegisterAsync)}.");
+                return StatusCode(StatusCodes.Status500InternalServerError, new ProblemDetails
+                {
+                    Title = "An unexpected error occurred",
+                    Status = StatusCodes.Status500InternalServerError,
+                    Detail = _env.IsDevelopment() ? ex.Message + ex.StackTrace : ex.Message
+                });
+            }
+            finally
+            {
+                _logger.LogDebug($"Exiting {nameof(RegisterAsync)}.");
+            }
+        }
+    }
+}
diff --git a/src/LtiAdvantage.AspNetCore/DynamicRegistration/IDynamicRegistrationController.cs b/src/LtiAdvantage.AspNetCore/DynamicRegistration/IDynamicRegistrationController.cs
new file mode 100644
index 0000000..0f6a5f0
--- /dev/null
+++ b/src/LtiAdvantage.AspNetCore/DynamicRegistration/IDynamicRegistrationController.cs
@@ -0,0 +1,13 @@
+using System.Threading.Tasks;
+using LtiAdvantage.DynamicRegistration;
+using Microsoft.AspNetCore.Mvc;
+
+namespace LtiAdvantage.AspNetCore.DynamicRegistration
+{
+    /// <summary>The platform-side LTI Dynamic Registration endpoint.</summary>
+    public interface IDynamicRegistrationController
+    {
+        /// <summary>Registers a new tool. Returns 201 with the assigned <c>client_id</c> echoed back.</summary>
+        Task<ActionResult<ToolConfiguration>> RegisterAsync([FromBody] ToolConfiguration tool);
+    }
+}
diff --git a/src/LtiAdvantage.AspNetCore/DynamicRegistration/RegisterToolRequest.cs b/src/LtiAdvantage.AspNetCore/DynamicRegistration/RegisterToolRequest.cs
new file mode 100644
index 0000000..887cab6
--- /dev/null
+++ b/src/LtiAdvantage.AspNetCore/DynamicRegistration/RegisterToolRequest.cs
@@ -0,0 +1,15 @@
+using LtiAdvantage.DynamicRegistration;
+
+namespace LtiAdvantage.AspNetCore.DynamicRegistration
+{
+    /// <summary>Request passed to the controller's <c>OnRegisterAsync</c> override.</summary>
+    public class RegisterToolRequest
+    {
+        /// <summary>Wraps the submitted tool configuration.</summary>
+        /// <param name="tool">The submitted tool configuration.</param>
+        public RegisterToolRequest(ToolConfiguration tool) => Tool = tool;
+
+        /// <summary>The submitted tool configuration. The override should populate <see cref="ToolConfiguration.ClientId"/>.</summary>
+        public ToolConfiguration Tool { get; }
+    }
+}
diff --git a/src/LtiAdvantage.AspNetCore/Jwks/IJwksController.cs b/src/LtiAdvantage.AspNetCore/Jwks/IJwksController.cs
new file mode 100644
index 0000000..bba16c5
--- /dev/null
+++ b/src/LtiAdvantage.AspNetCore/Jwks/IJwksController.cs
@@ -0,0 +1,13 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.IdentityModel.Tokens;
+
+namespace LtiAdvantage.AspNetCore.Jwks
+{
+    /// <summary>JWKS publication endpoint.</summary>
+    public interface IJwksController
+    {
+        /// <summary>Returns the JSON Web Key Set.</summary>
+        Task<ActionResult<JsonWebKeySet>> GetJwksAsync();
+    }
+}
diff --git a/src/LtiAdvantage.AspNetCore/Jwks/JwksControllerBase.cs b/src/LtiAdvantage.AspNetCore/Jwks/JwksControllerBase.cs
new file mode 100644
index 0000000..2eb2974
--- /dev/null
+++ b/src/LtiAdvantage.AspNetCore/Jwks/JwksControllerBase.cs
@@ -0,0 +1,55 @@
+using System.Threading.Tasks;
+using LtiAdvantage.Jwks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Tokens;
+
+namespace LtiAdvantage.AspNetCore.Jwks
+{
+    /// <summary>
+    /// Publishes the platform's (or tool's) JWKS at a well-known URL so that
+    /// peers can verify signed JWTs. Anonymous; unauthenticated.
+    /// </summary>
+    [ApiController]
+    public abstract class JwksControllerBase : ControllerBase, IJwksController
+    {
+        private readonly IJwksKeyStore _keyStore;
+        private readonly ILogger<JwksControllerBase> _logger;
+
+        /// <summary>
+        /// Constructs a new <see cref="JwksControllerBase"/>.
+        /// </summary>
+        /// <param name="keyStore">The key store providing public keys to publish.</param>
+        /// <param name="logger">The logger.</param>
+        protected JwksControllerBase(IJwksKeyStore keyStore, ILogger<JwksControllerBase> logger)
+        {
+            _keyStore = keyStore;
+            _logger = logger;
+        }
+
+        /// <summary>
+        /// Returns the JSON Web Key Set containing the public keys used to verify
+        /// signed JWTs issued by this server.
+        /// </summary>
+        [HttpGet]
+        [Produces(Constants.MediaTypes.Jwks)]
+        [ProducesResponseType(typeof(JsonWebKeySet), StatusCodes.Status200OK)]
+        [Route(".well-known/jwks.json", Name = Constants.ServiceEndpoints.Jwks.JwksService)]
+        public async Task<ActionResult<JsonWebKeySet>> GetJwksAsync()
+        {
+            _logger.LogDebug($"Entering {nameof(GetJwksAsync)}.");
+            try
+            {
+                var keys = await _keyStore.GetPublicKeysAsync().ConfigureAwait(false);
+                var set = new JsonWebKeySet();
+                foreach (var k in keys) set.Keys.Add(k);
+                return set;
+            }
+            finally
+            {
+                _logger.LogDebug($"Exiting {nameof(GetJwksAsync)}.");
+            }
+        }
+    }
+}
diff --git a/src/LtiAdvantage.AspNetCore/LtiAdvantage.AspNetCore.xml b/src/LtiAdvantage.AspNetCore/LtiAdvantage.AspNetCore.xml
index 1ee0be3..b1dbd4a 100644
--- a/src/LtiAdvantage.AspNetCore/LtiAdvantage.AspNetCore.xml
+++ b/src/LtiAdvantage.AspNetCore/LtiAdvantage.AspNetCore.xml
@@ -383,6 +383,65 @@
             Get or set the line item id.
             </summary>
         </member>
+        <member name="T:LtiAdvantage.AspNetCore.DynamicRegistration.DynamicRegistrationControllerBase">
+            <summary>
+            Platform-side endpoint for LTI Dynamic Registration 1.0.
+            See https://www.imsglobal.org/spec/lti-dr/v1p0/#registration-endpoint
+            </summary>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.DynamicRegistration.DynamicRegistrationControllerBase.#ctor(Microsoft.AspNetCore.Hosting.IWebHostEnvironment,Microsoft.Extensions.Logging.ILogger{LtiAdvantage.AspNetCore.DynamicRegistration.DynamicRegistrationControllerBase})">
+            <summary>Initializes the base.</summary>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.DynamicRegistration.DynamicRegistrationControllerBase.OnRegisterAsync(LtiAdvantage.AspNetCore.DynamicRegistration.RegisterToolRequest)">
+            <summary>
+            Persist the registration. Implementations MUST set <see cref="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.ClientId"/>
+            on <c>request.Tool</c> (or return a new instance) before returning.
+            </summary>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.DynamicRegistration.DynamicRegistrationControllerBase.RegisterAsync(LtiAdvantage.DynamicRegistration.ToolConfiguration)">
+            <inheritdoc />
+        </member>
+        <member name="T:LtiAdvantage.AspNetCore.DynamicRegistration.IDynamicRegistrationController">
+            <summary>The platform-side LTI Dynamic Registration endpoint.</summary>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.DynamicRegistration.IDynamicRegistrationController.RegisterAsync(LtiAdvantage.DynamicRegistration.ToolConfiguration)">
+            <summary>Registers a new tool. Returns 201 with the assigned <c>client_id</c> echoed back.</summary>
+        </member>
+        <member name="T:LtiAdvantage.AspNetCore.DynamicRegistration.RegisterToolRequest">
+            <summary>Request passed to the controller's <c>OnRegisterAsync</c> override.</summary>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.DynamicRegistration.RegisterToolRequest.#ctor(LtiAdvantage.DynamicRegistration.ToolConfiguration)">
+            <summary>Wraps the submitted tool configuration.</summary>
+            <param name="tool">The submitted tool configuration.</param>
+        </member>
+        <member name="P:LtiAdvantage.AspNetCore.DynamicRegistration.RegisterToolRequest.Tool">
+            <summary>The submitted tool configuration. The override should populate <see cref="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.ClientId"/>.</summary>
+        </member>
+        <member name="T:LtiAdvantage.AspNetCore.Jwks.IJwksController">
+            <summary>JWKS publication endpoint.</summary>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.Jwks.IJwksController.GetJwksAsync">
+            <summary>Returns the JSON Web Key Set.</summary>
+        </member>
+        <member name="T:LtiAdvantage.AspNetCore.Jwks.JwksControllerBase">
+            <summary>
+            Publishes the platform's (or tool's) JWKS at a well-known URL so that
+            peers can verify signed JWTs. Anonymous; unauthenticated.
+            </summary>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.Jwks.JwksControllerBase.#ctor(LtiAdvantage.Jwks.IJwksKeyStore,Microsoft.Extensions.Logging.ILogger{LtiAdvantage.AspNetCore.Jwks.JwksControllerBase})">
+            <summary>
+            Constructs a new <see cref="T:LtiAdvantage.AspNetCore.Jwks.JwksControllerBase"/>.
+            </summary>
+            <param name="keyStore">The key store providing public keys to publish.</param>
+            <param name="logger">The logger.</param>
+        </member>
+        <member name="M:LtiAdvantage.AspNetCore.Jwks.JwksControllerBase.GetJwksAsync">
+            <summary>
+            Returns the JSON Web Key Set containing the public keys used to verify
+            signed JWTs issued by this server.
+            </summary>
+        </member>
         <member name="T:LtiAdvantage.AspNetCore.Lti.ServiceResponse">
             <summary>
             Represents an LTI service response.
diff --git a/src/LtiAdvantage.IdentityModel/Client/HttpClientDynamicRegistrationExtensions.cs b/src/LtiAdvantage.IdentityModel/Client/HttpClientDynamicRegistrationExtensions.cs
new file mode 100644
index 0000000..b2064a6
--- /dev/null
+++ b/src/LtiAdvantage.IdentityModel/Client/HttpClientDynamicRegistrationExtensions.cs
@@ -0,0 +1,83 @@
+using System;
+using System.Net.Http;
+using System.Net.Http.Headers;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using LtiAdvantage.DynamicRegistration;
+
+namespace LtiAdvantage.IdentityModel.Client
+{
+    /// <summary>
+    /// HttpClient extensions implementing the tool side of LTI Dynamic Registration 1.0.
+    /// </summary>
+    public static class HttpClientDynamicRegistrationExtensions
+    {
+        /// <summary>
+        /// Fetches the platform's OpenID configuration document (<see cref="PlatformOpenIdConfiguration"/>).
+        /// </summary>
+        /// <param name="client">The HTTP client.</param>
+        /// <param name="openIdConfigurationUrl">The URL passed by the platform in the registration init launch.</param>
+        /// <param name="cancellationToken">Optional cancellation token.</param>
+        public static async Task<PlatformOpenIdConfiguration> GetPlatformOpenIdConfigurationAsync(
+            this HttpClient client, string openIdConfigurationUrl, CancellationToken cancellationToken = default)
+        {
+            if (client == null) throw new ArgumentNullException(nameof(client));
+            if (string.IsNullOrWhiteSpace(openIdConfigurationUrl))
+                throw new ArgumentException("URL is required", nameof(openIdConfigurationUrl));
+
+            using var response = await client.GetAsync(openIdConfigurationUrl, cancellationToken).ConfigureAwait(false);
+            if (!response.IsSuccessStatusCode)
+            {
+                var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                throw new HttpRequestException(
+                    $"Dynamic Registration failed: {(int)response.StatusCode} {response.ReasonPhrase}. Body: {errorBody}");
+            }
+            var body = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            return JsonSerializer.Deserialize<PlatformOpenIdConfiguration>(body);
+        }
+
+        /// <summary>
+        /// POSTs a tool registration request to the platform's <c>registration_endpoint</c>
+        /// using the bearer registration token supplied during the registration init launch.
+        /// Returns the platform-assigned <see cref="ToolConfiguration"/> (echoed config + <c>client_id</c>).
+        /// </summary>
+        /// <param name="client">The HTTP client.</param>
+        /// <param name="registrationEndpoint">The platform's registration endpoint URL.</param>
+        /// <param name="registrationAccessToken">Bearer token from the registration init launch.</param>
+        /// <param name="tool">The tool configuration to register.</param>
+        /// <param name="cancellationToken">Optional cancellation token.</param>
+        public static async Task<ToolConfiguration> RegisterToolAsync(
+            this HttpClient client,
+            string registrationEndpoint,
+            string registrationAccessToken,
+            ToolConfiguration tool,
+            CancellationToken cancellationToken = default)
+        {
+            if (client == null) throw new ArgumentNullException(nameof(client));
+            if (string.IsNullOrWhiteSpace(registrationEndpoint))
+                throw new ArgumentException("URL is required", nameof(registrationEndpoint));
+            if (string.IsNullOrWhiteSpace(registrationAccessToken))
+                throw new ArgumentException("Token is required", nameof(registrationAccessToken));
+            if (tool == null) throw new ArgumentNullException(nameof(tool));
+
+            var json = JsonSerializer.Serialize(tool);
+            using var request = new HttpRequestMessage(HttpMethod.Post, registrationEndpoint)
+            {
+                Content = new StringContent(json, Encoding.UTF8, "application/json")
+            };
+            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", registrationAccessToken);
+
+            using var response = await client.SendAsync(request, cancellationToken).ConfigureAwait(false);
+            if (!response.IsSuccessStatusCode)
+            {
+                var errorBody = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+                throw new HttpRequestException(
+                    $"Dynamic Registration failed: {(int)response.StatusCode} {response.ReasonPhrase}. Body: {errorBody}");
+            }
+            var body = await response.Content.ReadAsStringAsync(cancellationToken).ConfigureAwait(false);
+            return JsonSerializer.Deserialize<ToolConfiguration>(body);
+        }
+    }
+}
diff --git a/src/LtiAdvantage.IdentityModel/LtiAdvantage.IdentityModel.csproj b/src/LtiAdvantage.IdentityModel/LtiAdvantage.IdentityModel.csproj
index bdd38d4..0a8977e 100644
--- a/src/LtiAdvantage.IdentityModel/LtiAdvantage.IdentityModel.csproj
+++ b/src/LtiAdvantage.IdentityModel/LtiAdvantage.IdentityModel.csproj
@@ -24,4 +24,8 @@
     <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.14.0" />
   </ItemGroup>
 
+  <ItemGroup>
+    <ProjectReference Include="..\LtiAdvantage\LtiAdvantage.csproj" />
+  </ItemGroup>
+
 </Project>
diff --git a/src/LtiAdvantage/AssignmentGradeServices/LineItem.cs b/src/LtiAdvantage/AssignmentGradeServices/LineItem.cs
index 1f07d09..0efdcbb 100644
--- a/src/LtiAdvantage/AssignmentGradeServices/LineItem.cs
+++ b/src/LtiAdvantage/AssignmentGradeServices/LineItem.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Text.Json.Serialization;
+using LtiAdvantage.SubmissionReview;
 
 namespace LtiAdvantage.AssignmentGradeServices
 {
@@ -56,5 +57,13 @@ public class LineItem
         /// </summary>
         [JsonPropertyName("tag")]
         public string Tag { get; set; }
+
+        /// <summary>
+        /// Submission Review extension. When present, the platform uses
+        /// <c>SubmissionReviewExtension.Url</c> for LtiSubmissionReviewRequest
+        /// launches against this line item.
+        /// </summary>
+        [JsonPropertyName("submissionReview")]
+        public SubmissionReviewProperty SubmissionReviewExtension { get; set; }
     }
 }
diff --git a/src/LtiAdvantage/Constants.cs b/src/LtiAdvantage/Constants.cs
index de5b58b..8ee66de 100644
--- a/src/LtiAdvantage/Constants.cs
+++ b/src/LtiAdvantage/Constants.cs
@@ -59,6 +59,11 @@ public static class Lti
             /// </summary>
             public const string LtiResourceLinkRequestMessageType = "LtiResourceLinkRequest";
 
+            /// <summary>
+            /// The message type of an LtiSubmissionReviewRequest.
+            /// </summary>
+            public const string LtiSubmissionReviewRequestMessageType = "LtiSubmissionReviewRequest";
+
             /// <summary>
             /// LTI version.
             /// </summary>
@@ -115,6 +120,11 @@ public static class LtiClaims
             /// </summary>
             public const string ErrorMessage = "https://purl.imsglobal.org/spec/lti-dl/claim/errormsg";
 
+            /// <summary>
+            /// The user whose submission is being reviewed (Submission Review 1.0 §3.2).
+            /// </summary>
+            public const string ForUser = "https://purl.imsglobal.org/spec/lti-sr/claim/for_user";
+
             /// <summary>
             /// Information to help the Tool present itself appropriately.
             /// </summary>
@@ -141,6 +151,12 @@ public static class LtiClaims
             /// </summary>
             public const string LtiMigration = "https://purl.imsglobal.org/spec/lti/claim/lti1p1";
 
+            /// <summary>The LTI Platform Configuration claim on an OpenID configuration document (Dynamic Registration §3.5).</summary>
+            public const string LtiPlatformConfiguration = "https://purl.imsglobal.org/spec/lti-platform-configuration";
+
+            /// <summary>The LTI Tool Configuration claim on a registration request body (Dynamic Registration §3.6).</summary>
+            public const string LtiToolConfiguration = "https://purl.imsglobal.org/spec/lti-tool-configuration";
+
             /// <summary>
             /// Optional plain text message.
             /// </summary>
@@ -223,6 +239,13 @@ public static class Ags
                 public const string ScoreReadonly = "https://purl.imsglobal.org/spec/lti-ags/scope/score.readonly";
             }
 
+            /// <summary>LTI Dynamic Registration scopes (Dynamic Registration §4.4).</summary>
+            public static class DynamicRegistration
+            {
+                /// <summary>Scope required on the registration access token.</summary>
+                public const string Scope = "https://purl.imsglobal.org/spec/lti-reg/scope/registration";
+            }
+
             /// <summary>
             /// Names and Role Provisioning Service scopes.
             /// </summary>
@@ -240,6 +263,11 @@ public static class Nrps
         /// </summary>
         public static class MediaTypes
         {
+            /// <summary>
+            /// JSON Web Key Set media type (RFC 7517 §6).
+            /// </summary>
+            public const string Jwks = "application/jwk-set+json";
+
             /// <summary>
             /// https://www.imsglobal.org/spec/lti-ags/v2p0/#media-types-and-schemas
             /// </summary>
@@ -369,6 +397,15 @@ public static class Ags
                 public const string ScoresService = "scores";
             }
 
+            /// <summary>
+            /// JWKS publication endpoint.
+            /// </summary>
+            public static class Jwks
+            {
+                /// <summary>The well-known JWKS endpoint route name.</summary>
+                public const string JwksService = "jwks";
+            }
+
             /// <summary>
             /// Names and Role Provisioning Service endpoints.
             /// </summary>
diff --git a/src/LtiAdvantage/DynamicRegistration/LtiPlatformConfiguration.cs b/src/LtiAdvantage/DynamicRegistration/LtiPlatformConfiguration.cs
new file mode 100644
index 0000000..56ac3d1
--- /dev/null
+++ b/src/LtiAdvantage/DynamicRegistration/LtiPlatformConfiguration.cs
@@ -0,0 +1,28 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace LtiAdvantage.DynamicRegistration
+{
+    /// <summary>
+    /// Value of the LTI extension claim on a platform's OpenID configuration document.
+    /// See https://www.imsglobal.org/spec/lti-dr/v1p0/#lti-platform-configuration
+    /// </summary>
+    public class LtiPlatformConfiguration
+    {
+        /// <summary>The product family code identifying the platform vendor.</summary>
+        [JsonPropertyName("product_family_code")]
+        public string ProductFamilyCode { get; set; }
+
+        /// <summary>The platform's version string.</summary>
+        [JsonPropertyName("version")]
+        public string Version { get; set; }
+
+        /// <summary>The set of LTI message types this platform supports launching, plus optional placements.</summary>
+        [JsonPropertyName("messages_supported")]
+        public IList<MessageDescriptor> MessagesSupported { get; set; }
+
+        /// <summary>Custom variable expansions the platform supports (e.g. <c>"Person.email.primary"</c>).</summary>
+        [JsonPropertyName("variables")]
+        public IList<string> Variables { get; set; }
+    }
+}
diff --git a/src/LtiAdvantage/DynamicRegistration/LtiToolConfiguration.cs b/src/LtiAdvantage/DynamicRegistration/LtiToolConfiguration.cs
new file mode 100644
index 0000000..617af28
--- /dev/null
+++ b/src/LtiAdvantage/DynamicRegistration/LtiToolConfiguration.cs
@@ -0,0 +1,44 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace LtiAdvantage.DynamicRegistration
+{
+    /// <summary>
+    /// LTI extension claim on a Dynamic Registration request body.
+    /// See https://www.imsglobal.org/spec/lti-dr/v1p0/#lti-tool-configuration
+    /// </summary>
+    public class LtiToolConfiguration
+    {
+        /// <summary>The tool's primary domain (without scheme, no path).</summary>
+        [JsonPropertyName("domain")]
+        public string Domain { get; set; }
+
+        /// <summary>Additional domains the tool also serves from.</summary>
+        [JsonPropertyName("secondary_domains")]
+        public IList<string> SecondaryDomains { get; set; }
+
+        /// <summary>Optional deployment id requested by the tool.</summary>
+        [JsonPropertyName("deployment_id")]
+        public string DeploymentId { get; set; }
+
+        /// <summary>Default target_link_uri for launches.</summary>
+        [JsonPropertyName("target_link_uri")]
+        public string TargetLinkUri { get; set; }
+
+        /// <summary>Custom parameters to merge into every launch.</summary>
+        [JsonPropertyName("custom_parameters")]
+        public IDictionary<string, string> CustomParameters { get; set; }
+
+        /// <summary>Human-readable description of the tool.</summary>
+        [JsonPropertyName("description")]
+        public string Description { get; set; }
+
+        /// <summary>The OpenID claims this tool requests (e.g. <c>"name"</c>, <c>"email"</c>).</summary>
+        [JsonPropertyName("claims")]
+        public IList<string> Claims { get; set; }
+
+        /// <summary>The LTI message types this tool supports receiving.</summary>
+        [JsonPropertyName("messages")]
+        public IList<MessageDescriptor> Messages { get; set; }
+    }
+}
diff --git a/src/LtiAdvantage/DynamicRegistration/MessageDescriptor.cs b/src/LtiAdvantage/DynamicRegistration/MessageDescriptor.cs
new file mode 100644
index 0000000..b2300c6
--- /dev/null
+++ b/src/LtiAdvantage/DynamicRegistration/MessageDescriptor.cs
@@ -0,0 +1,41 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace LtiAdvantage.DynamicRegistration
+{
+    /// <summary>
+    /// Describes a supported LTI message type. Used in both
+    /// <see cref="LtiPlatformConfiguration"/> (what the platform launches)
+    /// and <see cref="LtiToolConfiguration"/> (what the tool can receive).
+    /// </summary>
+    public class MessageDescriptor
+    {
+        /// <summary>The message type, e.g. <c>"LtiResourceLinkRequest"</c>.</summary>
+        [JsonPropertyName("type")]
+        public string Type { get; set; }
+
+        /// <summary>Per-message target_link_uri (tool side).</summary>
+        [JsonPropertyName("target_link_uri")]
+        public string TargetLinkUri { get; set; }
+
+        /// <summary>Per-message label shown by the platform (tool side).</summary>
+        [JsonPropertyName("label")]
+        public string Label { get; set; }
+
+        /// <summary>Per-message icon URI (tool side).</summary>
+        [JsonPropertyName("icon_uri")]
+        public string IconUri { get; set; }
+
+        /// <summary>Custom parameters to merge into this launch (tool side).</summary>
+        [JsonPropertyName("custom_parameters")]
+        public IDictionary<string, string> CustomParameters { get; set; }
+
+        /// <summary>Placements this message is offered for (e.g. <c>"ContentArea"</c>, <c>"RichTextEditor"</c>).</summary>
+        [JsonPropertyName("placements")]
+        public IList<string> Placements { get; set; }
+
+        /// <summary>Roles required for this launch (tool side).</summary>
+        [JsonPropertyName("roles")]
+        public IList<string> Roles { get; set; }
+    }
+}
diff --git a/src/LtiAdvantage/DynamicRegistration/PlatformOpenIdConfiguration.cs b/src/LtiAdvantage/DynamicRegistration/PlatformOpenIdConfiguration.cs
new file mode 100644
index 0000000..1026eaa
--- /dev/null
+++ b/src/LtiAdvantage/DynamicRegistration/PlatformOpenIdConfiguration.cs
@@ -0,0 +1,65 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace LtiAdvantage.DynamicRegistration
+{
+    /// <summary>
+    /// A platform's OpenID Provider Metadata document (RFC 8414) including
+    /// the LTI Dynamic Registration extension claim
+    /// (<c>https://purl.imsglobal.org/spec/lti-platform-configuration</c>).
+    /// </summary>
+    public class PlatformOpenIdConfiguration
+    {
+        /// <summary>The platform's issuer identifier URL.</summary>
+        [JsonPropertyName("issuer")]
+        public string Issuer { get; set; }
+
+        /// <summary>OAuth 2 authorization endpoint URL.</summary>
+        [JsonPropertyName("authorization_endpoint")]
+        public string AuthorizationEndpoint { get; set; }
+
+        /// <summary>OAuth 2 token endpoint URL.</summary>
+        [JsonPropertyName("token_endpoint")]
+        public string TokenEndpoint { get; set; }
+
+        /// <summary>Auth methods supported at the token endpoint (typically <c>private_key_jwt</c>).</summary>
+        [JsonPropertyName("token_endpoint_auth_methods_supported")]
+        public IList<string> TokenEndpointAuthMethodsSupported { get; set; }
+
+        /// <summary>JWS algorithms supported for client assertions.</summary>
+        [JsonPropertyName("token_endpoint_auth_signing_alg_values_supported")]
+        public IList<string> TokenEndpointAuthSigningAlgValuesSupported { get; set; }
+
+        /// <summary>URL of the platform's public JWKS document.</summary>
+        [JsonPropertyName("jwks_uri")]
+        public string JwksUri { get; set; }
+
+        /// <summary>URL the tool POSTs its registration request to.</summary>
+        [JsonPropertyName("registration_endpoint")]
+        public string RegistrationEndpoint { get; set; }
+
+        /// <summary>OAuth 2 scopes the platform supports.</summary>
+        [JsonPropertyName("scopes_supported")]
+        public IList<string> ScopesSupported { get; set; }
+
+        /// <summary>OAuth 2 response types the platform supports (typically <c>id_token</c>).</summary>
+        [JsonPropertyName("response_types_supported")]
+        public IList<string> ResponseTypesSupported { get; set; }
+
+        /// <summary>Subject types supported (typically <c>public</c>).</summary>
+        [JsonPropertyName("subject_types_supported")]
+        public IList<string> SubjectTypesSupported { get; set; }
+
+        /// <summary>JWS signing algorithms supported for ID tokens (typically <c>RS256</c>).</summary>
+        [JsonPropertyName("id_token_signing_alg_values_supported")]
+        public IList<string> IdTokenSigningAlgValuesSupported { get; set; }
+
+        /// <summary>Standard claims the platform supports.</summary>
+        [JsonPropertyName("claims_supported")]
+        public IList<string> ClaimsSupported { get; set; }
+
+        /// <summary>The LTI extension claim. Constant: <see cref="Constants.LtiClaims.LtiPlatformConfiguration"/>.</summary>
+        [JsonPropertyName("https://purl.imsglobal.org/spec/lti-platform-configuration")]
+        public LtiPlatformConfiguration LtiPlatformConfiguration { get; set; }
+    }
+}
diff --git a/src/LtiAdvantage/DynamicRegistration/ToolConfiguration.cs b/src/LtiAdvantage/DynamicRegistration/ToolConfiguration.cs
new file mode 100644
index 0000000..0c379f5
--- /dev/null
+++ b/src/LtiAdvantage/DynamicRegistration/ToolConfiguration.cs
@@ -0,0 +1,65 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace LtiAdvantage.DynamicRegistration
+{
+    /// <summary>
+    /// Tool-side registration request body sent to a platform's
+    /// <c>registration_endpoint</c>. Mirrors OIDC client metadata
+    /// (RFC 7591) plus the LTI <c>lti-tool-configuration</c> claim.
+    /// </summary>
+    public class ToolConfiguration
+    {
+        /// <summary>OIDC application_type — typically <c>"web"</c>.</summary>
+        [JsonPropertyName("application_type")]
+        public string ApplicationType { get; set; } = "web";
+
+        /// <summary>OAuth 2 response types — typically <c>["id_token"]</c>.</summary>
+        [JsonPropertyName("response_types")]
+        public IList<string> ResponseTypes { get; set; }
+
+        /// <summary>OAuth 2 grant types — typically <c>["implicit", "client_credentials"]</c>.</summary>
+        [JsonPropertyName("grant_types")]
+        public IList<string> GrantTypes { get; set; }
+
+        /// <summary>The OIDC initiate_login_uri.</summary>
+        [JsonPropertyName("initiate_login_uri")]
+        public string InitiateLoginUri { get; set; }
+
+        /// <summary>Allowed launch redirect URIs.</summary>
+        [JsonPropertyName("redirect_uris")]
+        public IList<string> RedirectUris { get; set; }
+
+        /// <summary>Human-readable client name.</summary>
+        [JsonPropertyName("client_name")]
+        public string ClientName { get; set; }
+
+        /// <summary>The tool's homepage URL.</summary>
+        [JsonPropertyName("client_uri")]
+        public string ClientUri { get; set; }
+
+        /// <summary>The tool's logo image URL.</summary>
+        [JsonPropertyName("logo_uri")]
+        public string LogoUri { get; set; }
+
+        /// <summary>Space-separated list of scopes the tool will request.</summary>
+        [JsonPropertyName("scope")]
+        public string Scope { get; set; }
+
+        /// <summary>Auth method at the token endpoint — typically <c>"private_key_jwt"</c>.</summary>
+        [JsonPropertyName("token_endpoint_auth_method")]
+        public string TokenEndpointAuthMethod { get; set; } = "private_key_jwt";
+
+        /// <summary>URL of the tool's public JWKS document.</summary>
+        [JsonPropertyName("jwks_uri")]
+        public string JwksUri { get; set; }
+
+        /// <summary>Echoed back by the platform on successful registration (Dynamic Registration §4.5).</summary>
+        [JsonPropertyName("client_id")]
+        public string ClientId { get; set; }
+
+        /// <summary>The LTI extension claim. Constant: <see cref="Constants.LtiClaims.LtiToolConfiguration"/>.</summary>
+        [JsonPropertyName("https://purl.imsglobal.org/spec/lti-tool-configuration")]
+        public LtiToolConfiguration LtiToolConfiguration { get; set; }
+    }
+}
diff --git a/src/LtiAdvantage/Jwks/IJwksKeyStore.cs b/src/LtiAdvantage/Jwks/IJwksKeyStore.cs
new file mode 100644
index 0000000..9ab2423
--- /dev/null
+++ b/src/LtiAdvantage/Jwks/IJwksKeyStore.cs
@@ -0,0 +1,28 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Microsoft.IdentityModel.Tokens;
+
+namespace LtiAdvantage.Jwks
+{
+    /// <summary>
+    /// Provides the set of public keys to publish at /.well-known/jwks.json.
+    /// Implementations decide how keys are stored, rotated, and retired —
+    /// typically all currently-active and recently-retired (still in token TTL)
+    /// signing keys are returned, each with a stable <c>kid</c>.
+    /// </summary>
+    public interface IJwksKeyStore
+    {
+        /// <summary>
+        /// Returns the public keys to publish in the JWKS document.
+        ///
+        /// Rotation guidance:
+        /// - Always include the current signing key (the one used to sign tokens issued now).
+        /// - Continue to include each retired signing key for at least the longest TTL of any token signed with it,
+        ///   so verifiers can still validate in-flight tokens after rotation.
+        /// - Each key MUST have a stable, unique <c>Kid</c>.
+        /// - Set <c>Use = "sig"</c> and <c>Alg = "RS256"</c> for LTI 1.3 signing keys.
+        /// - Do NOT include private key material — only the public components (<c>N</c>, <c>E</c>).
+        /// </summary>
+        Task<IReadOnlyList<JsonWebKey>> GetPublicKeysAsync();
+    }
+}
diff --git a/src/LtiAdvantage/Lti/LtiSubmissionReviewRequest.cs b/src/LtiAdvantage/Lti/LtiSubmissionReviewRequest.cs
new file mode 100644
index 0000000..86fedbf
--- /dev/null
+++ b/src/LtiAdvantage/Lti/LtiSubmissionReviewRequest.cs
@@ -0,0 +1,77 @@
+using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using LtiAdvantage.AssignmentGradeServices;
+using LtiAdvantage.NamesRoleProvisioningService;
+using LtiAdvantage.SubmissionReview;
+using LtiAdvantage.Utilities;
+
+namespace LtiAdvantage.Lti
+{
+    /// <inheritdoc />
+    /// <summary>
+    /// LTI Submission Review request (https://www.imsglobal.org/spec/lti-sr/v1p0).
+    /// </summary>
+    [SuppressMessage("ReSharper", "ClassNeverInstantiated.Global")]
+    public class LtiSubmissionReviewRequest : LtiRequest
+    {
+        /// <inheritdoc />
+        /// <summary>
+        /// Create an instance of <see cref="T:LtiAdvantage.Lti.LtiSubmissionReviewRequest" /> with default
+        /// values for the MessageType and Version claims.
+        /// </summary>
+        public LtiSubmissionReviewRequest()
+        {
+            MessageType = Constants.Lti.LtiSubmissionReviewRequestMessageType;
+            Version = Constants.Lti.Version;
+        }
+
+        /// <inheritdoc />
+        /// <summary>
+        /// Create an instance of <see cref="T:LtiAdvantage.Lti.LtiSubmissionReviewRequest" /> with the claims.
+        /// </summary>
+        /// <param name="claims">A list of claims.</param>
+        public LtiSubmissionReviewRequest(IEnumerable<Claim> claims) : base(claims)
+        {
+        }
+
+        /// <inheritdoc />
+        /// <summary>
+        /// Create an instance of <see cref="T:LtiAdvantage.Lti.LtiSubmissionReviewRequest" /> with the
+        /// claims in payload.
+        /// </summary>
+        /// <param name="payload"></param>
+        public LtiSubmissionReviewRequest(JwtPayload payload) : base(payload.Claims)
+        {
+        }
+
+        /// <summary>The Assignment and Grade Services claim (the lineitem under review).</summary>
+        public AssignmentGradeServicesClaimValueType AssignmentGradeServices
+        {
+            get => this.GetClaimValue<AssignmentGradeServicesClaimValueType>(Constants.LtiClaims.AssignmentGradeServices);
+            set => this.SetClaimValue(Constants.LtiClaims.AssignmentGradeServices, value);
+        }
+
+        /// <summary>The Names and Roles Provisioning Service claim.</summary>
+        public NamesRoleServiceClaimValueType NamesRoleService
+        {
+            get => this.GetClaimValue<NamesRoleServiceClaimValueType>(Constants.LtiClaims.NamesRoleService);
+            set => this.SetClaimValue(Constants.LtiClaims.NamesRoleService, value);
+        }
+
+        /// <summary>The resource_link claim (same shape as in LtiResourceLinkRequest).</summary>
+        public ResourceLinkClaimValueType ResourceLink
+        {
+            get => this.GetClaimValue<ResourceLinkClaimValueType>(Constants.LtiClaims.ResourceLink);
+            set => this.SetClaimValue(Constants.LtiClaims.ResourceLink, value);
+        }
+
+        /// <summary>The for_user claim (the user whose submission is being reviewed).</summary>
+        public ForUserClaimValueType ForUser
+        {
+            get => this.GetClaimValue<ForUserClaimValueType>(Constants.LtiClaims.ForUser);
+            set => this.SetClaimValue(Constants.LtiClaims.ForUser, value);
+        }
+    }
+}
diff --git a/src/LtiAdvantage/LtiAdvantage.xml b/src/LtiAdvantage/LtiAdvantage.xml
index 67e37f6..ea821d4 100644
--- a/src/LtiAdvantage/LtiAdvantage.xml
+++ b/src/LtiAdvantage/LtiAdvantage.xml
@@ -141,6 +141,13 @@
             Optional tag.
             </summary>
         </member>
+        <member name="P:LtiAdvantage.AssignmentGradeServices.LineItem.SubmissionReviewExtension">
+            <summary>
+            Submission Review extension. When present, the platform uses
+            <c>SubmissionReviewExtension.Url</c> for LtiSubmissionReviewRequest
+            launches against this line item.
+            </summary>
+        </member>
         <member name="T:LtiAdvantage.AssignmentGradeServices.LineItemContainer">
             <inheritdoc />
             <summary>
@@ -317,6 +324,11 @@
             The message type of an LtiResourceLinkRequest.
             </summary>
         </member>
+        <member name="F:LtiAdvantage.Constants.Lti.LtiSubmissionReviewRequestMessageType">
+            <summary>
+            The message type of an LtiSubmissionReviewRequest.
+            </summary>
+        </member>
         <member name="F:LtiAdvantage.Constants.Lti.Version">
             <summary>
             LTI version.
@@ -372,6 +384,11 @@
             Optional plain text message.
             </summary>
         </member>
+        <member name="F:LtiAdvantage.Constants.LtiClaims.ForUser">
+            <summary>
+            The user whose submission is being reviewed (Submission Review 1.0 §3.2).
+            </summary>
+        </member>
         <member name="F:LtiAdvantage.Constants.LtiClaims.LaunchPresentation">
             <summary>
             Information to help the Tool present itself appropriately.
@@ -398,6 +415,12 @@
             Optional LTI 1.1 migration mapping.
             </summary>
         </member>
+        <member name="F:LtiAdvantage.Constants.LtiClaims.LtiPlatformConfiguration">
+            <summary>The LTI Platform Configuration claim on an OpenID configuration document (Dynamic Registration §3.5).</summary>
+        </member>
+        <member name="F:LtiAdvantage.Constants.LtiClaims.LtiToolConfiguration">
+            <summary>The LTI Tool Configuration claim on a registration request body (Dynamic Registration §3.6).</summary>
+        </member>
         <member name="F:LtiAdvantage.Constants.LtiClaims.Message">
             <summary>
             Optional plain text message.
@@ -478,6 +501,12 @@
             Custom Assignment and Grade Service score readonly scope.
             </summary>
         </member>
+        <member name="T:LtiAdvantage.Constants.LtiScopes.DynamicRegistration">
+            <summary>LTI Dynamic Registration scopes (Dynamic Registration §4.4).</summary>
+        </member>
+        <member name="F:LtiAdvantage.Constants.LtiScopes.DynamicRegistration.Scope">
+            <summary>Scope required on the registration access token.</summary>
+        </member>
         <member name="T:LtiAdvantage.Constants.LtiScopes.Nrps">
             <summary>
             Names and Role Provisioning Service scopes.
@@ -493,6 +522,11 @@
             Service media types.
             </summary>
         </member>
+        <member name="F:LtiAdvantage.Constants.MediaTypes.Jwks">
+            <summary>
+            JSON Web Key Set media type (RFC 7517 §6).
+            </summary>
+        </member>
         <member name="F:LtiAdvantage.Constants.MediaTypes.LineItem">
             <summary>
             https://www.imsglobal.org/spec/lti-ags/v2p0/#media-types-and-schemas
@@ -619,6 +653,14 @@
             Scores endpoint.
             </summary>
         </member>
+        <member name="T:LtiAdvantage.Constants.ServiceEndpoints.Jwks">
+            <summary>
+            JWKS publication endpoint.
+            </summary>
+        </member>
+        <member name="F:LtiAdvantage.Constants.ServiceEndpoints.Jwks.JwksService">
+            <summary>The well-known JWKS endpoint route name.</summary>
+        </member>
         <member name="T:LtiAdvantage.Constants.ServiceEndpoints.Nrps">
             <summary>
             Names and Role Provisioning Service endpoints.
@@ -1225,6 +1267,195 @@
             Comma-separate list of features for window.open().
             </summary>
         </member>
+        <member name="T:LtiAdvantage.DynamicRegistration.LtiPlatformConfiguration">
+            <summary>
+            Value of the LTI extension claim on a platform's OpenID configuration document.
+            See https://www.imsglobal.org/spec/lti-dr/v1p0/#lti-platform-configuration
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiPlatformConfiguration.ProductFamilyCode">
+            <summary>The product family code identifying the platform vendor.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiPlatformConfiguration.Version">
+            <summary>The platform's version string.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiPlatformConfiguration.MessagesSupported">
+            <summary>The set of LTI message types this platform supports launching, plus optional placements.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiPlatformConfiguration.Variables">
+            <summary>Custom variable expansions the platform supports (e.g. <c>"Person.email.primary"</c>).</summary>
+        </member>
+        <member name="T:LtiAdvantage.DynamicRegistration.LtiToolConfiguration">
+            <summary>
+            LTI extension claim on a Dynamic Registration request body.
+            See https://www.imsglobal.org/spec/lti-dr/v1p0/#lti-tool-configuration
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.Domain">
+            <summary>The tool's primary domain (without scheme, no path).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.SecondaryDomains">
+            <summary>Additional domains the tool also serves from.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.DeploymentId">
+            <summary>Optional deployment id requested by the tool.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.TargetLinkUri">
+            <summary>Default target_link_uri for launches.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.CustomParameters">
+            <summary>Custom parameters to merge into every launch.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.Description">
+            <summary>Human-readable description of the tool.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.Claims">
+            <summary>The OpenID claims this tool requests (e.g. <c>"name"</c>, <c>"email"</c>).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.LtiToolConfiguration.Messages">
+            <summary>The LTI message types this tool supports receiving.</summary>
+        </member>
+        <member name="T:LtiAdvantage.DynamicRegistration.MessageDescriptor">
+            <summary>
+            Describes a supported LTI message type. Used in both
+            <see cref="T:LtiAdvantage.DynamicRegistration.LtiPlatformConfiguration"/> (what the platform launches)
+            and <see cref="T:LtiAdvantage.DynamicRegistration.LtiToolConfiguration"/> (what the tool can receive).
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.MessageDescriptor.Type">
+            <summary>The message type, e.g. <c>"LtiResourceLinkRequest"</c>.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.MessageDescriptor.TargetLinkUri">
+            <summary>Per-message target_link_uri (tool side).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.MessageDescriptor.Label">
+            <summary>Per-message label shown by the platform (tool side).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.MessageDescriptor.IconUri">
+            <summary>Per-message icon URI (tool side).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.MessageDescriptor.CustomParameters">
+            <summary>Custom parameters to merge into this launch (tool side).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.MessageDescriptor.Placements">
+            <summary>Placements this message is offered for (e.g. <c>"ContentArea"</c>, <c>"RichTextEditor"</c>).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.MessageDescriptor.Roles">
+            <summary>Roles required for this launch (tool side).</summary>
+        </member>
+        <member name="T:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration">
+            <summary>
+            A platform's OpenID Provider Metadata document (RFC 8414) including
+            the LTI Dynamic Registration extension claim
+            (<c>https://purl.imsglobal.org/spec/lti-platform-configuration</c>).
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.Issuer">
+            <summary>The platform's issuer identifier URL.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.AuthorizationEndpoint">
+            <summary>OAuth 2 authorization endpoint URL.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.TokenEndpoint">
+            <summary>OAuth 2 token endpoint URL.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.TokenEndpointAuthMethodsSupported">
+            <summary>Auth methods supported at the token endpoint (typically <c>private_key_jwt</c>).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.TokenEndpointAuthSigningAlgValuesSupported">
+            <summary>JWS algorithms supported for client assertions.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.JwksUri">
+            <summary>URL of the platform's public JWKS document.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.RegistrationEndpoint">
+            <summary>URL the tool POSTs its registration request to.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.ScopesSupported">
+            <summary>OAuth 2 scopes the platform supports.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.ResponseTypesSupported">
+            <summary>OAuth 2 response types the platform supports (typically <c>id_token</c>).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.SubjectTypesSupported">
+            <summary>Subject types supported (typically <c>public</c>).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.IdTokenSigningAlgValuesSupported">
+            <summary>JWS signing algorithms supported for ID tokens (typically <c>RS256</c>).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.ClaimsSupported">
+            <summary>Standard claims the platform supports.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.PlatformOpenIdConfiguration.LtiPlatformConfiguration">
+            <summary>The LTI extension claim. Constant: <see cref="F:LtiAdvantage.Constants.LtiClaims.LtiPlatformConfiguration"/>.</summary>
+        </member>
+        <member name="T:LtiAdvantage.DynamicRegistration.ToolConfiguration">
+            <summary>
+            Tool-side registration request body sent to a platform's
+            <c>registration_endpoint</c>. Mirrors OIDC client metadata
+            (RFC 7591) plus the LTI <c>lti-tool-configuration</c> claim.
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.ApplicationType">
+            <summary>OIDC application_type — typically <c>"web"</c>.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.ResponseTypes">
+            <summary>OAuth 2 response types — typically <c>["id_token"]</c>.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.GrantTypes">
+            <summary>OAuth 2 grant types — typically <c>["implicit", "client_credentials"]</c>.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.InitiateLoginUri">
+            <summary>The OIDC initiate_login_uri.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.RedirectUris">
+            <summary>Allowed launch redirect URIs.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.ClientName">
+            <summary>Human-readable client name.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.ClientUri">
+            <summary>The tool's homepage URL.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.LogoUri">
+            <summary>The tool's logo image URL.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.Scope">
+            <summary>Space-separated list of scopes the tool will request.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.TokenEndpointAuthMethod">
+            <summary>Auth method at the token endpoint — typically <c>"private_key_jwt"</c>.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.JwksUri">
+            <summary>URL of the tool's public JWKS document.</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.ClientId">
+            <summary>Echoed back by the platform on successful registration (Dynamic Registration §4.5).</summary>
+        </member>
+        <member name="P:LtiAdvantage.DynamicRegistration.ToolConfiguration.LtiToolConfiguration">
+            <summary>The LTI extension claim. Constant: <see cref="F:LtiAdvantage.Constants.LtiClaims.LtiToolConfiguration"/>.</summary>
+        </member>
+        <member name="T:LtiAdvantage.Jwks.IJwksKeyStore">
+            <summary>
+            Provides the set of public keys to publish at /.well-known/jwks.json.
+            Implementations decide how keys are stored, rotated, and retired —
+            typically all currently-active and recently-retired (still in token TTL)
+            signing keys are returned, each with a stable <c>kid</c>.
+            </summary>
+        </member>
+        <member name="M:LtiAdvantage.Jwks.IJwksKeyStore.GetPublicKeysAsync">
+             <summary>
+             Returns the public keys to publish in the JWKS document.
+            
+             Rotation guidance:
+             - Always include the current signing key (the one used to sign tokens issued now).
+             - Continue to include each retired signing key for at least the longest TTL of any token signed with it,
+               so verifiers can still validate in-flight tokens after rotation.
+             - Each key MUST have a stable, unique <c>Kid</c>.
+             - Set <c>Use = "sig"</c> and <c>Alg = "RS256"</c> for LTI 1.3 signing keys.
+             - Do NOT include private key material — only the public components (<c>N</c>, <c>E</c>).
+             </summary>
+        </member>
         <member name="T:LtiAdvantage.Lti.ContextClaimValueType">
             <summary>
             Properties of the context from which the launch originated (for example, course id and title).
@@ -2627,6 +2858,46 @@
             </example>
             </summary>
         </member>
+        <member name="T:LtiAdvantage.Lti.LtiSubmissionReviewRequest">
+            <inheritdoc />
+            <summary>
+            LTI Submission Review request (https://www.imsglobal.org/spec/lti-sr/v1p0).
+            </summary>
+        </member>
+        <member name="M:LtiAdvantage.Lti.LtiSubmissionReviewRequest.#ctor">
+            <inheritdoc />
+            <summary>
+            Create an instance of <see cref="T:LtiAdvantage.Lti.LtiSubmissionReviewRequest" /> with default
+            values for the MessageType and Version claims.
+            </summary>
+        </member>
+        <member name="M:LtiAdvantage.Lti.LtiSubmissionReviewRequest.#ctor(System.Collections.Generic.IEnumerable{System.Security.Claims.Claim})">
+            <inheritdoc />
+            <summary>
+            Create an instance of <see cref="T:LtiAdvantage.Lti.LtiSubmissionReviewRequest" /> with the claims.
+            </summary>
+            <param name="claims">A list of claims.</param>
+        </member>
+        <member name="M:LtiAdvantage.Lti.LtiSubmissionReviewRequest.#ctor(System.IdentityModel.Tokens.Jwt.JwtPayload)">
+            <inheritdoc />
+            <summary>
+            Create an instance of <see cref="T:LtiAdvantage.Lti.LtiSubmissionReviewRequest" /> with the
+            claims in payload.
+            </summary>
+            <param name="payload"></param>
+        </member>
+        <member name="P:LtiAdvantage.Lti.LtiSubmissionReviewRequest.AssignmentGradeServices">
+            <summary>The Assignment and Grade Services claim (the lineitem under review).</summary>
+        </member>
+        <member name="P:LtiAdvantage.Lti.LtiSubmissionReviewRequest.NamesRoleService">
+            <summary>The Names and Roles Provisioning Service claim.</summary>
+        </member>
+        <member name="P:LtiAdvantage.Lti.LtiSubmissionReviewRequest.ResourceLink">
+            <summary>The resource_link claim (same shape as in LtiResourceLinkRequest).</summary>
+        </member>
+        <member name="P:LtiAdvantage.Lti.LtiSubmissionReviewRequest.ForUser">
+            <summary>The for_user claim (the user whose submission is being reviewed).</summary>
+        </member>
         <member name="T:LtiAdvantage.Lti.PlatformClaimValueType">
             <summary>
             Properties associated with the platform initiating the launch.
@@ -2998,6 +3269,50 @@
             Service version. Default is <see cref="F:LtiAdvantage.NamesRoleProvisioningService.NamesRoleServiceClaimValueType.Version"/>.
             </summary>
         </member>
+        <member name="T:LtiAdvantage.SubmissionReview.ForUserClaimValueType">
+            <summary>
+            The user whose submission is being reviewed.
+            See https://www.imsglobal.org/spec/lti-sr/v1p0/#for-user-claim
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.ForUserClaimValueType.UserId">
+            <summary>The user_id of the reviewed user.</summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.ForUserClaimValueType.Name">
+            <summary>The reviewed user's full name.</summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.ForUserClaimValueType.GivenName">
+            <summary>The reviewed user's given (first) name.</summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.ForUserClaimValueType.FamilyName">
+            <summary>The reviewed user's family (last) name.</summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.ForUserClaimValueType.Email">
+            <summary>The reviewed user's email.</summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.ForUserClaimValueType.Roles">
+            <summary>The roles of the reviewed user in the context.</summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.ForUserClaimValueType.PersonSourcedId">
+            <summary>The person sourcedId of the reviewed user.</summary>
+        </member>
+        <member name="T:LtiAdvantage.SubmissionReview.SubmissionReviewProperty">
+            <summary>
+            Submission Review extension on an AGS LineItem.
+            See https://www.imsglobal.org/spec/lti-sr/v1p0/#submissionreview-extension
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.SubmissionReviewProperty.Url">
+            <summary>
+            The launch URL the platform should use when launching back into
+            the tool to review a submission for this line item.
+            </summary>
+        </member>
+        <member name="P:LtiAdvantage.SubmissionReview.SubmissionReviewProperty.Custom">
+            <summary>
+            Optional custom parameters to include with each Submission Review launch.
+            </summary>
+        </member>
         <member name="T:LtiAdvantage.Utilities.EnumExtensions">
             <summary>
             Enum extensions.
diff --git a/src/LtiAdvantage/SubmissionReview/ForUserClaimValueType.cs b/src/LtiAdvantage/SubmissionReview/ForUserClaimValueType.cs
new file mode 100644
index 0000000..7990e6a
--- /dev/null
+++ b/src/LtiAdvantage/SubmissionReview/ForUserClaimValueType.cs
@@ -0,0 +1,40 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace LtiAdvantage.SubmissionReview
+{
+    /// <summary>
+    /// The user whose submission is being reviewed.
+    /// See https://www.imsglobal.org/spec/lti-sr/v1p0/#for-user-claim
+    /// </summary>
+    public class ForUserClaimValueType
+    {
+        /// <summary>The user_id of the reviewed user.</summary>
+        [JsonPropertyName("user_id")]
+        public string UserId { get; set; }
+
+        /// <summary>The reviewed user's full name.</summary>
+        [JsonPropertyName("name")]
+        public string Name { get; set; }
+
+        /// <summary>The reviewed user's given (first) name.</summary>
+        [JsonPropertyName("given_name")]
+        public string GivenName { get; set; }
+
+        /// <summary>The reviewed user's family (last) name.</summary>
+        [JsonPropertyName("family_name")]
+        public string FamilyName { get; set; }
+
+        /// <summary>The reviewed user's email.</summary>
+        [JsonPropertyName("email")]
+        public string Email { get; set; }
+
+        /// <summary>The roles of the reviewed user in the context.</summary>
+        [JsonPropertyName("roles")]
+        public IList<string> Roles { get; set; }
+
+        /// <summary>The person sourcedId of the reviewed user.</summary>
+        [JsonPropertyName("person_sourcedid")]
+        public string PersonSourcedId { get; set; }
+    }
+}
diff --git a/src/LtiAdvantage/SubmissionReview/SubmissionReviewProperty.cs b/src/LtiAdvantage/SubmissionReview/SubmissionReviewProperty.cs
new file mode 100644
index 0000000..2aac21e
--- /dev/null
+++ b/src/LtiAdvantage/SubmissionReview/SubmissionReviewProperty.cs
@@ -0,0 +1,25 @@
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace LtiAdvantage.SubmissionReview
+{
+    /// <summary>
+    /// Submission Review extension on an AGS LineItem.
+    /// See https://www.imsglobal.org/spec/lti-sr/v1p0/#submissionreview-extension
+    /// </summary>
+    public class SubmissionReviewProperty
+    {
+        /// <summary>
+        /// The launch URL the platform should use when launching back into
+        /// the tool to review a submission for this line item.
+        /// </summary>
+        [JsonPropertyName("url")]
+        public string Url { get; set; }
+
+        /// <summary>
+        /// Optional custom parameters to include with each Submission Review launch.
+        /// </summary>
+        [JsonPropertyName("custom")]
+        public IDictionary<string, string> Custom { get; set; }
+    }
+}
diff --git a/test/LtiAdvantage.IntegrationTests/Controllers/DynamicRegistrationController.cs b/test/LtiAdvantage.IntegrationTests/Controllers/DynamicRegistrationController.cs
new file mode 100644
index 0000000..4fac230
--- /dev/null
+++ b/test/LtiAdvantage.IntegrationTests/Controllers/DynamicRegistrationController.cs
@@ -0,0 +1,23 @@
+using System;
+using System.Threading.Tasks;
+using LtiAdvantage.AspNetCore.DynamicRegistration;
+using LtiAdvantage.DynamicRegistration;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+
+namespace LtiAdvantage.IntegrationTests.Controllers
+{
+    public class DynamicRegistrationController : DynamicRegistrationControllerBase
+    {
+        public DynamicRegistrationController(IWebHostEnvironment env, ILogger<DynamicRegistrationControllerBase> logger)
+            : base(env, logger) { }
+
+        protected override Task<ActionResult<ToolConfiguration>> OnRegisterAsync(RegisterToolRequest request)
+        {
+            request.Tool.ClientId = Guid.NewGuid().ToString();
+            return Task.FromResult<ActionResult<ToolConfiguration>>(
+                new ObjectResult(request.Tool) { StatusCode = 201 });
+        }
+    }
+}
diff --git a/test/LtiAdvantage.IntegrationTests/Controllers/JwksController.cs b/test/LtiAdvantage.IntegrationTests/Controllers/JwksController.cs
new file mode 100644
index 0000000..31e11e4
--- /dev/null
+++ b/test/LtiAdvantage.IntegrationTests/Controllers/JwksController.cs
@@ -0,0 +1,35 @@
+using System.Collections.Generic;
+using System.Security.Cryptography;
+using System.Threading.Tasks;
+using LtiAdvantage.AspNetCore.Jwks;
+using LtiAdvantage.Jwks;
+using Microsoft.Extensions.Logging;
+using Microsoft.IdentityModel.Tokens;
+
+namespace LtiAdvantage.IntegrationTests.Controllers
+{
+    public class JwksController : JwksControllerBase
+    {
+        public JwksController(IJwksKeyStore keyStore, ILogger<JwksControllerBase> logger)
+            : base(keyStore, logger) { }
+    }
+
+    public class TestJwksKeyStore : IJwksKeyStore
+    {
+        public Task<IReadOnlyList<JsonWebKey>> GetPublicKeysAsync()
+        {
+            using var rsa = RSA.Create(2048);
+            var rsaParams = rsa.ExportParameters(includePrivateParameters: false);
+            var jwk = new JsonWebKey
+            {
+                Kty = "RSA",
+                Use = "sig",
+                Alg = "RS256",
+                Kid = "test-kid-1",
+                N = Base64UrlEncoder.Encode(rsaParams.Modulus),
+                E = Base64UrlEncoder.Encode(rsaParams.Exponent),
+            };
+            return Task.FromResult<IReadOnlyList<JsonWebKey>>(new[] { jwk });
+        }
+    }
+}
diff --git a/test/LtiAdvantage.IntegrationTests/DynamicRegistration/DynamicRegistrationControllerShould.cs b/test/LtiAdvantage.IntegrationTests/DynamicRegistration/DynamicRegistrationControllerShould.cs
new file mode 100644
index 0000000..c080d56
--- /dev/null
+++ b/test/LtiAdvantage.IntegrationTests/DynamicRegistration/DynamicRegistrationControllerShould.cs
@@ -0,0 +1,80 @@
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using System.Text.Json;
+using System.Threading.Tasks;
+using LtiAdvantage.DynamicRegistration;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.Logging;
+using Xunit;
+
+namespace LtiAdvantage.IntegrationTests.DynamicRegistration
+{
+    public class DynamicRegistrationControllerShould : IDisposable
+    {
+        private const string Url = "lti/register";
+        private readonly HttpClient _client;
+        private readonly TestServer _server;
+
+        public DynamicRegistrationControllerShould()
+        {
+            _server = new TestServer(new WebHostBuilder()
+                .UseContentRoot(AppContext.BaseDirectory)
+                .ConfigureLogging(l => { l.AddConsole(); l.AddDebug(); })
+                .UseStartup<Startup>());
+            _client = _server.CreateClient();
+        }
+
+        [Fact]
+        public async Task Reject_WhenScopeMissing()
+        {
+            // Authenticated but with a non-registration scope → policy denies.
+            _client.DefaultRequestHeaders.Add("x-test-scope",
+                Constants.LtiScopes.Nrps.MembershipReadonly);
+            var resp = await PostAsync(MinimalTool());
+            Assert.Equal(HttpStatusCode.Forbidden, resp.StatusCode);
+        }
+
+        [Fact]
+        public async Task RegisterTool_AndReturnClientId()
+        {
+            _client.DefaultRequestHeaders.Add("x-test-scope",
+                Constants.LtiScopes.DynamicRegistration.Scope);
+
+            var resp = await PostAsync(MinimalTool());
+
+            Assert.Equal(HttpStatusCode.Created, resp.StatusCode);
+            var body = await resp.Content.ReadAsStringAsync();
+            var registered = JsonSerializer.Deserialize<ToolConfiguration>(body);
+            Assert.False(string.IsNullOrWhiteSpace(registered.ClientId));
+            Assert.Equal("Example Tool", registered.ClientName);
+        }
+
+        private Task<HttpResponseMessage> PostAsync(ToolConfiguration tool)
+        {
+            var json = JsonSerializer.Serialize(tool);
+            return _client.PostAsync(Url, new StringContent(json, Encoding.UTF8, "application/json"));
+        }
+
+        private static ToolConfiguration MinimalTool() => new()
+        {
+            ApplicationType = "web",
+            ClientName = "Example Tool",
+            InitiateLoginUri = "https://tool.example.com/login",
+            RedirectUris = new[] { "https://tool.example.com/launch" },
+            JwksUri = "https://tool.example.com/.well-known/jwks.json",
+            ResponseTypes = new[] { "id_token" },
+            GrantTypes = new[] { "implicit", "client_credentials" },
+            TokenEndpointAuthMethod = "private_key_jwt",
+            LtiToolConfiguration = new LtiToolConfiguration
+            {
+                Domain = "tool.example.com",
+                TargetLinkUri = "https://tool.example.com/launch"
+            }
+        };
+
+        public void Dispose() { _client?.Dispose(); _server?.Dispose(); }
+    }
+}
diff --git a/test/LtiAdvantage.IntegrationTests/Jwks/JwksControllerShould.cs b/test/LtiAdvantage.IntegrationTests/Jwks/JwksControllerShould.cs
new file mode 100644
index 0000000..edb6613
--- /dev/null
+++ b/test/LtiAdvantage.IntegrationTests/Jwks/JwksControllerShould.cs
@@ -0,0 +1,61 @@
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Text.Json;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.Logging;
+using Xunit;
+
+namespace LtiAdvantage.IntegrationTests.Jwks
+{
+    public class JwksControllerShould : IDisposable
+    {
+        private readonly HttpClient _client;
+        private readonly TestServer _server;
+
+        public JwksControllerShould()
+        {
+            _server = new TestServer(new WebHostBuilder()
+                .UseContentRoot(AppContext.BaseDirectory)
+                .ConfigureLogging(l => { l.AddConsole(); l.AddDebug(); })
+                .UseStartup<Startup>());
+            _client = _server.CreateClient();
+        }
+
+        [Fact]
+        public async Task ReturnPublicJwks_Anonymously()
+        {
+            var response = await _client.GetAsync(".well-known/jwks.json");
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+            Assert.StartsWith("application/jwk-set+json",
+                response.Content.Headers.ContentType.ToString());
+
+            var body = await response.Content.ReadAsStringAsync();
+            using var doc = JsonDocument.Parse(body);
+            Assert.True(doc.RootElement.TryGetProperty("keys", out var keys));
+            Assert.True(keys.GetArrayLength() >= 1);
+
+            var first = keys[0];
+            Assert.Equal("test-kid-1", first.GetProperty("kid").GetString());
+            Assert.Equal("sig", first.GetProperty("use").GetString());
+            Assert.Equal("RSA", first.GetProperty("kty").GetString());
+
+            // Public key parameters MUST be present.
+            Assert.False(string.IsNullOrEmpty(first.GetProperty("n").GetString()), "modulus n missing");
+            Assert.False(string.IsNullOrEmpty(first.GetProperty("e").GetString()), "exponent e missing");
+            Assert.Equal("RS256", first.GetProperty("alg").GetString());
+
+            // Private RSA parameters MUST NOT be present.
+            Assert.False(first.TryGetProperty("d",  out _), "private exponent d must not be published");
+            Assert.False(first.TryGetProperty("p",  out _), "private prime p must not be published");
+            Assert.False(first.TryGetProperty("q",  out _), "private prime q must not be published");
+            Assert.False(first.TryGetProperty("dp", out _), "dp must not be published");
+            Assert.False(first.TryGetProperty("dq", out _), "dq must not be published");
+            Assert.False(first.TryGetProperty("qi", out _), "qi must not be published");
+        }
+
+        public void Dispose() { _client?.Dispose(); _server?.Dispose(); }
+    }
+}
diff --git a/test/LtiAdvantage.IntegrationTests/Startup.cs b/test/LtiAdvantage.IntegrationTests/Startup.cs
index 0e8e895..6ce7fce 100644
--- a/test/LtiAdvantage.IntegrationTests/Startup.cs
+++ b/test/LtiAdvantage.IntegrationTests/Startup.cs
@@ -17,6 +17,8 @@ public void ConfigureServices(IServiceCollection services)
                 .AddScheme<TestAuthOptions, TestAuthHandler>(JwtBearerDefaults.AuthenticationScheme, options => { });
 
             services.AddLtiAdvantagePolicies();
+
+            services.AddSingleton<LtiAdvantage.Jwks.IJwksKeyStore, Controllers.TestJwksKeyStore>();
         }
 
         public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
@@ -26,6 +28,7 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
             app.UseAuthorization();
             app.UseEndpoints(endpoints =>
             {
+                endpoints.MapControllers();
                 endpoints.MapControllerRoute(
                     "default",
                     "{controller}/{action=Index}/{id?}");
diff --git a/test/LtiAdvantage.UnitTests/AssignmentGradeServices/LineItemShould.cs b/test/LtiAdvantage.UnitTests/AssignmentGradeServices/LineItemShould.cs
index 1d90da2..78bc31f 100644
--- a/test/LtiAdvantage.UnitTests/AssignmentGradeServices/LineItemShould.cs
+++ b/test/LtiAdvantage.UnitTests/AssignmentGradeServices/LineItemShould.cs
@@ -2,6 +2,7 @@
 using System.Globalization;
 using System.Text.Json;
 using LtiAdvantage.AssignmentGradeServices;
+using LtiAdvantage.SubmissionReview;
 using Xunit;
 
 namespace LtiAdvantage.UnitTests.AssignmentGradeServices
@@ -41,5 +42,28 @@ public void SerializeToValidJson()
 
             JsonAssert.Equal(referenceJson, lineItemJson);
         }
+
+        [Fact]
+        public void RoundTripSubmissionReviewProperty()
+        {
+            var lineItem = new LineItem
+            {
+                Id = "https://platform.example.com/lineitems/1",
+                Label = "Essay",
+                ScoreMaximum = 10,
+                SubmissionReviewExtension = new SubmissionReviewProperty
+                {
+                    Url = "https://tool.example.com/review",
+                    Custom = new System.Collections.Generic.Dictionary<string, string> { ["a"] = "1" }
+                }
+            };
+
+            var json = JsonSerializer.Serialize(lineItem);
+            var roundTripped = JsonSerializer.Deserialize<LineItem>(json);
+
+            Assert.NotNull(roundTripped.SubmissionReviewExtension);
+            Assert.Equal("https://tool.example.com/review", roundTripped.SubmissionReviewExtension.Url);
+            Assert.Equal("1", roundTripped.SubmissionReviewExtension.Custom["a"]);
+        }
     }
 }
diff --git a/test/LtiAdvantage.UnitTests/DynamicRegistration/HttpClientDynamicRegistrationExtensionsShould.cs b/test/LtiAdvantage.UnitTests/DynamicRegistration/HttpClientDynamicRegistrationExtensionsShould.cs
new file mode 100644
index 0000000..cb63243
--- /dev/null
+++ b/test/LtiAdvantage.UnitTests/DynamicRegistration/HttpClientDynamicRegistrationExtensionsShould.cs
@@ -0,0 +1,101 @@
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Text;
+using System.Text.Json;
+using System.Threading;
+using System.Threading.Tasks;
+using LtiAdvantage.DynamicRegistration;
+using LtiAdvantage.IdentityModel.Client;
+using Xunit;
+
+namespace LtiAdvantage.UnitTests.DynamicRegistration
+{
+    public class HttpClientDynamicRegistrationExtensionsShould
+    {
+        [Fact]
+        public async Task FetchPlatformConfiguration_FromOpenidConfigurationUrl()
+        {
+            var configJson = TestUtils.LoadReferenceJsonFile("PlatformOpenIdConfiguration");
+            var handler = new StubHandler((req, ct) =>
+            {
+                Assert.Equal("https://platform.example.com/.well-known/openid-configuration",
+                    req.RequestUri.ToString());
+                return new HttpResponseMessage(HttpStatusCode.OK)
+                {
+                    Content = new StringContent(configJson, Encoding.UTF8, "application/json")
+                };
+            });
+            using var client = new HttpClient(handler);
+
+            var config = await client.GetPlatformOpenIdConfigurationAsync(
+                "https://platform.example.com/.well-known/openid-configuration");
+
+            Assert.Equal("https://platform.example.com", config.Issuer);
+            Assert.Equal("https://platform.example.com/lti/register", config.RegistrationEndpoint);
+        }
+
+        [Fact]
+        public async Task PostRegistration_WithBearerToken()
+        {
+            var responseJson = TestUtils.LoadReferenceJsonFile("ToolConfiguration");
+            // Pretend the platform echoed back with a client_id assigned.
+            var responseTool = JsonSerializer.Deserialize<ToolConfiguration>(responseJson);
+            responseTool.ClientId = "client-9";
+            var responseBody = JsonSerializer.Serialize(responseTool);
+
+            HttpRequestMessage capturedRequest = null;
+            var handler = new StubHandler((req, ct) =>
+            {
+                capturedRequest = req;
+                return new HttpResponseMessage(HttpStatusCode.Created)
+                {
+                    Content = new StringContent(responseBody, Encoding.UTF8, "application/json")
+                };
+            });
+            using var client = new HttpClient(handler);
+
+            var request = JsonSerializer.Deserialize<ToolConfiguration>(
+                TestUtils.LoadReferenceJsonFile("ToolConfiguration"));
+
+            var result = await client.RegisterToolAsync(
+                "https://platform.example.com/lti/register",
+                "registration-token-xyz",
+                request);
+
+            Assert.Equal("client-9", result.ClientId);
+            Assert.Equal("Bearer", capturedRequest.Headers.Authorization.Scheme);
+            Assert.Equal("registration-token-xyz", capturedRequest.Headers.Authorization.Parameter);
+            Assert.Equal("application/json", capturedRequest.Content.Headers.ContentType.MediaType);
+        }
+
+        [Fact]
+        public async Task SurfaceErrorBody_OnRegistrationFailure()
+        {
+            const string errorBody = """{"error":"invalid_redirect_uri","error_description":"bad uri"}""";
+            var handler = new StubHandler((req, ct) =>
+                new HttpResponseMessage(HttpStatusCode.BadRequest)
+                {
+                    Content = new StringContent(errorBody, Encoding.UTF8, "application/json")
+                });
+            using var client = new HttpClient(handler);
+
+            var ex = await Assert.ThrowsAsync<HttpRequestException>(() =>
+                client.RegisterToolAsync(
+                    "https://platform.example.com/lti/register",
+                    "tok",
+                    new ToolConfiguration()));
+
+            Assert.Contains("400", ex.Message);
+            Assert.Contains("invalid_redirect_uri", ex.Message);
+        }
+
+        private sealed class StubHandler : HttpMessageHandler
+        {
+            private readonly Func<HttpRequestMessage, CancellationToken, HttpResponseMessage> _fn;
+            public StubHandler(Func<HttpRequestMessage, CancellationToken, HttpResponseMessage> fn) => _fn = fn;
+            protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage r, CancellationToken c)
+                => Task.FromResult(_fn(r, c));
+        }
+    }
+}
diff --git a/test/LtiAdvantage.UnitTests/DynamicRegistration/PlatformOpenIdConfigurationShould.cs b/test/LtiAdvantage.UnitTests/DynamicRegistration/PlatformOpenIdConfigurationShould.cs
new file mode 100644
index 0000000..75022ee
--- /dev/null
+++ b/test/LtiAdvantage.UnitTests/DynamicRegistration/PlatformOpenIdConfigurationShould.cs
@@ -0,0 +1,32 @@
+using System.Text.Json;
+using LtiAdvantage.DynamicRegistration;
+using Xunit;
+
+namespace LtiAdvantage.UnitTests.DynamicRegistration
+{
+    public class PlatformOpenIdConfigurationShould
+    {
+        [Fact]
+        public void ParseSpecExample()
+        {
+            var json = TestUtils.LoadReferenceJsonFile("PlatformOpenIdConfiguration");
+            var config = JsonSerializer.Deserialize<PlatformOpenIdConfiguration>(json);
+
+            Assert.Equal("https://platform.example.com", config.Issuer);
+            Assert.Equal("https://platform.example.com/lti/register", config.RegistrationEndpoint);
+            Assert.Contains("private_key_jwt", config.TokenEndpointAuthMethodsSupported);
+            Assert.NotNull(config.LtiPlatformConfiguration);
+            Assert.Equal("ExamplePlatform", config.LtiPlatformConfiguration.ProductFamilyCode);
+            Assert.Equal(2, config.LtiPlatformConfiguration.MessagesSupported.Count);
+        }
+
+        [Fact]
+        public void RoundTrip()
+        {
+            var json = TestUtils.LoadReferenceJsonFile("PlatformOpenIdConfiguration");
+            var config = JsonSerializer.Deserialize<PlatformOpenIdConfiguration>(json);
+            var roundTripped = JsonSerializer.Serialize(config);
+            JsonAssert.Equal(json, roundTripped);
+        }
+    }
+}
diff --git a/test/LtiAdvantage.UnitTests/DynamicRegistration/ToolConfigurationShould.cs b/test/LtiAdvantage.UnitTests/DynamicRegistration/ToolConfigurationShould.cs
new file mode 100644
index 0000000..deb8153
--- /dev/null
+++ b/test/LtiAdvantage.UnitTests/DynamicRegistration/ToolConfigurationShould.cs
@@ -0,0 +1,32 @@
+using System.Text.Json;
+using LtiAdvantage.DynamicRegistration;
+using Xunit;
+
+namespace LtiAdvantage.UnitTests.DynamicRegistration
+{
+    public class ToolConfigurationShould
+    {
+        [Fact]
+        public void ParseSpecExample()
+        {
+            var json = TestUtils.LoadReferenceJsonFile("ToolConfiguration");
+            var tool = JsonSerializer.Deserialize<ToolConfiguration>(json);
+
+            Assert.Equal("web", tool.ApplicationType);
+            Assert.Equal("private_key_jwt", tool.TokenEndpointAuthMethod);
+            Assert.NotNull(tool.LtiToolConfiguration);
+            Assert.Equal("tool.example.com", tool.LtiToolConfiguration.Domain);
+            Assert.Single(tool.LtiToolConfiguration.Messages);
+            Assert.Equal("LtiDeepLinkingRequest", tool.LtiToolConfiguration.Messages[0].Type);
+        }
+
+        [Fact]
+        public void RoundTrip()
+        {
+            var json = TestUtils.LoadReferenceJsonFile("ToolConfiguration");
+            var tool = JsonSerializer.Deserialize<ToolConfiguration>(json);
+            var roundTripped = JsonSerializer.Serialize(tool);
+            JsonAssert.Equal(json, roundTripped);
+        }
+    }
+}
diff --git a/test/LtiAdvantage.UnitTests/LtiAdvantage.UnitTests.csproj b/test/LtiAdvantage.UnitTests/LtiAdvantage.UnitTests.csproj
index e13c564..c5fda50 100644
--- a/test/LtiAdvantage.UnitTests/LtiAdvantage.UnitTests.csproj
+++ b/test/LtiAdvantage.UnitTests/LtiAdvantage.UnitTests.csproj
@@ -10,9 +10,12 @@
     <None Remove="ReferenceJson\LineItem.json" />
     <None Remove="ReferenceJson\LineItemContainer.json" />
     <None Remove="ReferenceJson\LtiResourceLinkRequest.json" />
+    <None Remove="ReferenceJson\LtiSubmissionReviewRequest.json" />
+    <None Remove="ReferenceJson\PlatformOpenIdConfiguration.json" />
     <None Remove="ReferenceJson\Result.json" />
     <None Remove="ReferenceJson\ResultContainer.json" />
     <None Remove="ReferenceJson\Score.json" />
+    <None Remove="ReferenceJson\ToolConfiguration.json" />
   </ItemGroup>
 
   <ItemGroup>
@@ -25,6 +28,12 @@
     <Content Include="ReferenceJson\LtiResourceLinkRequest.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </Content>
+    <Content Include="ReferenceJson\LtiSubmissionReviewRequest.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </Content>
+    <Content Include="ReferenceJson\PlatformOpenIdConfiguration.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </Content>
     <Content Include="ReferenceJson\Result.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </Content>
@@ -34,6 +43,9 @@
     <Content Include="ReferenceJson\Score.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </Content>
+    <Content Include="ReferenceJson\ToolConfiguration.json">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </Content>
   </ItemGroup>
 
   <ItemGroup>
@@ -51,6 +63,7 @@
 
   <ItemGroup>
     <ProjectReference Include="..\..\src\LtiAdvantage\LtiAdvantage.csproj" />
+    <ProjectReference Include="..\..\src\LtiAdvantage.IdentityModel\LtiAdvantage.IdentityModel.csproj" />
   </ItemGroup>
 
 </Project>
diff --git a/test/LtiAdvantage.UnitTests/ReferenceJson/LtiSubmissionReviewRequest.json b/test/LtiAdvantage.UnitTests/ReferenceJson/LtiSubmissionReviewRequest.json
new file mode 100644
index 0000000..bf126a9
--- /dev/null
+++ b/test/LtiAdvantage.UnitTests/ReferenceJson/LtiSubmissionReviewRequest.json
@@ -0,0 +1,24 @@
+{
+  "iss": "https://platform.example.com",
+  "aud": ["abcd-1234"],
+  "sub": "instructor-9",
+  "exp": 1933333333,
+  "iat": 1933332433,
+  "nonce": "nonce-1",
+  "https://purl.imsglobal.org/spec/lti/claim/message_type": "LtiSubmissionReviewRequest",
+  "https://purl.imsglobal.org/spec/lti/claim/version": "1.3.0",
+  "https://purl.imsglobal.org/spec/lti/claim/deployment_id": "dep-1",
+  "https://purl.imsglobal.org/spec/lti/claim/target_link_uri": "https://tool.example.com/review",
+  "https://purl.imsglobal.org/spec/lti/claim/resource_link": { "id": "rl-1" },
+  "https://purl.imsglobal.org/spec/lti/claim/roles": [
+    "http://purl.imsglobal.org/vocab/lis/v2/membership#Instructor"
+  ],
+  "https://purl.imsglobal.org/spec/lti-sr/claim/for_user": {
+    "user_id": "student-7",
+    "name": "Jane Doe",
+    "given_name": "Jane",
+    "family_name": "Doe",
+    "email": "jane@example.edu",
+    "roles": ["http://purl.imsglobal.org/vocab/lis/v2/membership#Learner"]
+  }
+}
diff --git a/test/LtiAdvantage.UnitTests/ReferenceJson/PlatformOpenIdConfiguration.json b/test/LtiAdvantage.UnitTests/ReferenceJson/PlatformOpenIdConfiguration.json
new file mode 100644
index 0000000..f44bf66
--- /dev/null
+++ b/test/LtiAdvantage.UnitTests/ReferenceJson/PlatformOpenIdConfiguration.json
@@ -0,0 +1,28 @@
+{
+  "issuer": "https://platform.example.com",
+  "authorization_endpoint": "https://platform.example.com/auth",
+  "token_endpoint": "https://platform.example.com/token",
+  "token_endpoint_auth_methods_supported": ["private_key_jwt"],
+  "token_endpoint_auth_signing_alg_values_supported": ["RS256"],
+  "jwks_uri": "https://platform.example.com/.well-known/jwks.json",
+  "registration_endpoint": "https://platform.example.com/lti/register",
+  "scopes_supported": [
+    "openid",
+    "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem",
+    "https://purl.imsglobal.org/spec/lti-ags/scope/score",
+    "https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly"
+  ],
+  "response_types_supported": ["id_token"],
+  "subject_types_supported": ["public"],
+  "id_token_signing_alg_values_supported": ["RS256"],
+  "claims_supported": ["sub", "iss", "name", "email"],
+  "https://purl.imsglobal.org/spec/lti-platform-configuration": {
+    "product_family_code": "ExamplePlatform",
+    "version": "1.0",
+    "messages_supported": [
+      { "type": "LtiResourceLinkRequest" },
+      { "type": "LtiDeepLinkingRequest", "placements": ["ContentArea", "RichTextEditor"] }
+    ],
+    "variables": ["CourseSection.sourcedId", "Person.email.primary"]
+  }
+}
diff --git a/test/LtiAdvantage.UnitTests/ReferenceJson/ToolConfiguration.json b/test/LtiAdvantage.UnitTests/ReferenceJson/ToolConfiguration.json
new file mode 100644
index 0000000..ae6ae44
--- /dev/null
+++ b/test/LtiAdvantage.UnitTests/ReferenceJson/ToolConfiguration.json
@@ -0,0 +1,28 @@
+{
+  "application_type": "web",
+  "response_types": ["id_token"],
+  "grant_types": ["implicit", "client_credentials"],
+  "initiate_login_uri": "https://tool.example.com/login",
+  "redirect_uris": ["https://tool.example.com/launch"],
+  "client_name": "Example Tool",
+  "client_uri": "https://tool.example.com",
+  "logo_uri": "https://tool.example.com/logo.png",
+  "scope": "https://purl.imsglobal.org/spec/lti-ags/scope/lineitem https://purl.imsglobal.org/spec/lti-ags/scope/score https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly",
+  "token_endpoint_auth_method": "private_key_jwt",
+  "jwks_uri": "https://tool.example.com/.well-known/jwks.json",
+  "https://purl.imsglobal.org/spec/lti-tool-configuration": {
+    "domain": "tool.example.com",
+    "description": "An example LTI 1.3 tool",
+    "target_link_uri": "https://tool.example.com/launch",
+    "custom_parameters": { "context_history": "$Context.id.history" },
+    "claims": ["iss", "sub", "name", "email"],
+    "messages": [
+      {
+        "type": "LtiDeepLinkingRequest",
+        "target_link_uri": "https://tool.example.com/dl",
+        "label": "Add example content",
+        "placements": ["ContentArea"]
+      }
+    ]
+  }
+}
diff --git a/test/LtiAdvantage.UnitTests/SubmissionReview/LtiSubmissionReviewRequestShould.cs b/test/LtiAdvantage.UnitTests/SubmissionReview/LtiSubmissionReviewRequestShould.cs
new file mode 100644
index 0000000..d790f14
--- /dev/null
+++ b/test/LtiAdvantage.UnitTests/SubmissionReview/LtiSubmissionReviewRequestShould.cs
@@ -0,0 +1,50 @@
+using System.Text.Json;
+using LtiAdvantage.Lti;
+using LtiAdvantage.SubmissionReview;
+using Xunit;
+
+namespace LtiAdvantage.UnitTests.SubmissionReview
+{
+    public class LtiSubmissionReviewRequestShould
+    {
+        [Fact]
+        public void HaveCorrectMessageTypeAndVersion()
+        {
+            var request = new LtiSubmissionReviewRequest();
+
+            Assert.True(request.TryGetValue(
+                "https://purl.imsglobal.org/spec/lti/claim/message_type", out var messageType));
+            Assert.Equal("LtiSubmissionReviewRequest", messageType);
+
+            Assert.True(request.TryGetValue(
+                "https://purl.imsglobal.org/spec/lti/claim/version", out var version));
+            Assert.Equal("1.3.0", version);
+        }
+
+        [Fact]
+        public void RoundTripForUserClaim()
+        {
+            var request = new LtiSubmissionReviewRequest
+            {
+                ForUser = new ForUserClaimValueType
+                {
+                    UserId = "abc-123",
+                    Name = "Jane Doe",
+                    Email = "jane@example.edu"
+                }
+            };
+
+            Assert.Equal("abc-123", request.ForUser.UserId);
+            Assert.Equal("Jane Doe", request.ForUser.Name);
+        }
+
+        [Fact]
+        public void ParseValidLtiSubmissionReviewRequest()
+        {
+            var referenceJson = TestUtils.LoadReferenceJsonFile("LtiSubmissionReviewRequest");
+            var request = JsonSerializer.Deserialize<LtiSubmissionReviewRequest>(referenceJson);
+            var requestJson = JsonSerializer.Serialize(request);
+            JsonAssert.Equal(referenceJson, requestJson);
+        }
+    }
+}