diff --git a/CHANGELOG.md b/CHANGELOG.md
index 217ff3015..be97ecdca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+# v0.4.11
+
+FEATURE: The `zrok reserve` command now incorporates the `--json-output|-j` flag, which outputs the reservation details as JSON, rather than as human-consumable log messages. Other commands will produce similar output in the future (https://github.com/openziti/zrok/issues/422)
+
+FIX: Include `--oauth-provider` and associated flags for the `zrok reserve` command, allowing reserved shares to specify OAuth authentication (https://github.com/openziti/zrok/issues/421)
+
 # v0.4.10
 
 CHANGE: The public frontend configuration has been bumped from `v: 2` to `v: 3`. The `redirect_host`, `redirect_port` and `redirect_http_only` parameters have been removed. These three configuration options have been replaced with `bind_address`, `redirect_url` and `cookie_domain`. See the OAuth configuration guide at `docs/guides/self-hosting/oauth/configuring-oauth.md` for more details (https://github.com/openziti/zrok/issues/411)
diff --git a/cmd/zrok/reserve.go b/cmd/zrok/reserve.go
index a5f0173cf..69e6ecf55 100644
--- a/cmd/zrok/reserve.go
+++ b/cmd/zrok/reserve.go
@@ -1,12 +1,14 @@
 package main
 
 import (
+	"encoding/json"
 	"fmt"
 	"github.com/openziti/zrok/environment"
 	"github.com/openziti/zrok/sdk"
 	"github.com/openziti/zrok/tui"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"time"
 )
 
 func init() {
@@ -14,10 +16,14 @@ func init() {
 }
 
 type reserveCommand struct {
-	basicAuth         []string
-	frontendSelection []string
-	backendMode       string
-	cmd               *cobra.Command
+	basicAuth          []string
+	frontendSelection  []string
+	backendMode        string
+	jsonOutput         bool
+	oauthProvider      string
+	oauthEmailDomains  []string
+	oauthCheckInterval time.Duration
+	cmd                *cobra.Command
 }
 
 func newReserveCommand() *reserveCommand {
@@ -27,9 +33,15 @@ func newReserveCommand() *reserveCommand {
 		Args:  cobra.ExactArgs(2),
 	}
 	command := &reserveCommand{cmd: cmd}
-	cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
 	cmd.Flags().StringArrayVar(&command.frontendSelection, "frontends", []string{"public"}, "Selected frontends to use for the share")
 	cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, <tcpTunnel, udpTunnel>, caddy}")
+	cmd.Flags().BoolVarP(&command.jsonOutput, "json-output", "j", false, "Emit JSON describing the created reserved share")
+	cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
+	cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]")
+	cmd.Flags().StringArrayVar(&command.oauthEmailDomains, "oauth-email-domains", []string{}, "Allow only these email domains to authenticate via OAuth")
+	cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry")
+	cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider")
+
 	cmd.Run = command.run
 	return command
 }
@@ -45,10 +57,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 	case "proxy":
 		v, err := parseUrl(args[1])
 		if err != nil {
-			if !panicInstead {
-				tui.Error("invalid target endpoint URL", err)
-			}
-			panic(err)
+			tui.Error("invalid target endpoint URL", err)
 		}
 		target = v
 
@@ -70,10 +79,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 
 	env, err := environment.LoadRoot()
 	if err != nil {
-		if !panicInstead {
-			tui.Error("error loading environment", err)
-		}
-		panic(err)
+		tui.Error("error loading environment", err)
 	}
 
 	if !env.IsEnabled() {
@@ -89,16 +95,29 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 	if shareMode == sdk.PublicShareMode {
 		req.Frontends = cmd.frontendSelection
 	}
+	if cmd.oauthProvider != "" {
+		if shareMode != sdk.PublicShareMode {
+			tui.Error("--oauth-provider only supported for public shares", nil)
+		}
+		req.OauthProvider = cmd.oauthProvider
+		req.OauthEmailDomains = cmd.oauthEmailDomains
+		req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval
+	}
 	shr, err := sdk.CreateShare(env, req)
 	if err != nil {
-		if !panicInstead {
-			tui.Error("unable to create share", err)
-		}
-		panic(err)
+		tui.Error("unable to create share", err)
 	}
 
-	logrus.Infof("your reserved share token is '%v'", shr.Token)
-	for _, fpe := range shr.FrontendEndpoints {
-		logrus.Infof("reserved frontend endpoint: %v", fpe)
+	if !cmd.jsonOutput {
+		logrus.Infof("your reserved share token is '%v'", shr.Token)
+		for _, fpe := range shr.FrontendEndpoints {
+			logrus.Infof("reserved frontend endpoint: %v", fpe)
+		}
+	} else {
+		out, err := json.Marshal(shr)
+		if err != nil {
+			tui.Error("error emitting JSON", err)
+		}
+		fmt.Println(string(out))
 	}
 }
diff --git a/sdk/model.go b/sdk/model.go
index fa0310eb4..cefb1eb0e 100644
--- a/sdk/model.go
+++ b/sdk/model.go
@@ -31,8 +31,8 @@ type ShareRequest struct {
 }
 
 type Share struct {
-	Token             string
-	FrontendEndpoints []string
+	Token             string   `json:"token"`
+	FrontendEndpoints []string `json:"frontend_endpoints"`
 }
 
 type AccessRequest struct {