Reference

GET /.well-known/oauth-protected-resource

The OAuth 2.0 protected-resource metadata document. Tells a client which authorization server guards a resource — used by MCP clients to discover the partner server's auth.


HTTP method: GET
Auth: None
Ring: public

Endpoint

Method: GET
Path: /.well-known/oauth-protected-resource
Ring: public (OAuth metadata)

Parameters

None. A discovery read.

Response

A JSON metadata document naming the authorization server(s) that protect a resource and the scopes it expects. MCP clients read it to discover how to authenticate against the partner MCP server: it points at the authorization-server metadata, which in turn points at the token endpoint. The chain lets an OAuth-aware client bootstrap the whole flow from one URL.
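The discovery chain described above, as an added example (not this project's code) of the checks a client should make before trusting what it finds: the `resource` value must match the resource the client asked about, and the `issuer` in the authorization-server document must match the advertised server. Field names follow RFC 9728 and RFC 8414; the hosts and documents are constructed samples, `fetch` stands in for an HTTPS GET, and requiring both `token_endpoint` and `jwks_uri` is this example's policy.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample documents (hypothetical hosts), keyed by the URL a client would GET.
SAMPLE_DOCS = {
    "https://mcp.example.com/.well-known/oauth-protected-resource": {
        "resource": "https://mcp.example.com",
        "authorization_servers": ["https://auth.example.com/tenant1"],
        "scopes_supported": ["mcp:read"],
    },
    "https://auth.example.com/.well-known/oauth-authorization-server/tenant1": {
        "issuer": "https://auth.example.com/tenant1",
        "token_endpoint": "https://auth.example.com/tenant1/token",
        "jwks_uri": "https://auth.example.com/tenant1/jwks",
    },
}

def well_known_url(identifier, suffix):
    """Insert /.well-known/<suffix> between host and path (RFC 8414 / RFC 9728 rule)."""
    u = urlsplit(identifier)
    if u.scheme != "https" or u.query or u.fragment:
        raise ValueError(f"not a usable https identifier: {identifier}")
    path = u.path.rstrip("/")
    return urlunsplit(("https", u.netloc, f"/.well-known/{suffix}{path}", "", ""))

def discover(resource, fetch):
    """Follow the chain from resource to token endpoint, rejecting mismatched documents."""
    prm = fetch(well_known_url(resource, "oauth-protected-resource"))
    if prm.get("resource") != resource:
        raise ValueError("metadata names a different resource; do not use it")
    servers = prm.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization server advertised")
    issuer = servers[0]  # a real client may choose among several
    asm = fetch(well_known_url(issuer, "oauth-authorization-server"))
    if asm.get("issuer") != issuer:
        raise ValueError("authorization-server metadata issuer mismatch")
    for key in ("token_endpoint", "jwks_uri"):
        if urlsplit(asm.get(key, "")).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    return {"issuer": issuer, "token_endpoint": asm["token_endpoint"],
            "jwks_uri": asm["jwks_uri"], "scopes": prm.get("scopes_supported", [])}

if __name__ == "__main__":
    print(discover("https://mcp.example.com", SAMPLE_DOCS.__getitem__))
```

Because the document is public and cacheable, a client should apply these checks every time it loads a copy, including one served from a cache.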

Errors

Cacheable and public.

Frequently asked questions

Why do MCP clients need this?

An MCP client hitting a token-gated server needs to know where to get a token. The protected-resource document names the authorization server and required scopes, so the client can fetch a token and authenticate without manual configuration.

How does it relate to the authorization-server document?

It points at it. Protected-resource says 'this resource is guarded by that authorization server'; the authorization-server document then describes the token endpoint and JWKS. Together they let a client self-configure.
