Endpoint
| Method | GET |
| Path | /.well-known/oauth-protected-resource |
| Ring | public (OAuth metadata) |
Parameters
None. A discovery read.
Response
A JSON metadata document naming the authorization server(s) that protect a resource and the scopes it expects. MCP clients read it to discover how to authenticate against the partner MCP server: it points at the authorization-server metadata, which in turn points at the token endpoint. The chain lets an OAuth-aware client bootstrap the whole flow from one URL.
Errors
Cacheable and public.
Frequently asked questions
Why do MCP clients need this?
An MCP client hitting a token-gated server needs to know where to get a token. The protected-resource document names the authorization server and required scopes, so the client can fetch a token and authenticate without manual configuration.
How does it relate to the authorization-server document?
It points at it. Protected-resource says 'this resource is guarded by that authorization server'; the authorization-server document then describes the token endpoint and JWKS. Together they let a client self-configure.
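The discovery chain described above, sketched as a client-side walk with the consistency checks a client should make before trusting either document. This is an added example, not the service's own code: the host `api.example.test`, the scope name, the JWKS path and the sample documents are constructed, and the field names are those defined by RFC 9728 (protected-resource metadata) and RFC 8414.

```python
from urllib.parse import urlsplit

PRM_PATH = "/.well-known/oauth-protected-resource"
ASM_PATH = "/.well-known/oauth-authorization-server"

class DiscoveryError(ValueError):
    """Raised when a metadata document fails a consistency check."""

def _require_https(url, what):
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise DiscoveryError(f"{what} is not an https URL: {url!r}")
    return parts

def _well_known(identifier, suffix):
    # RFC 8414 / RFC 9728: the well-known segment goes between host and path.
    p = _require_https(identifier, "identifier")
    return f"https://{p.netloc}{suffix}{p.path.rstrip('/')}"

def discover(resource, fetch):
    """Walk protected-resource -> authorization-server metadata; return client config."""
    prm = fetch(_well_known(resource, PRM_PATH))
    # A document that names some other resource must not configure this one.
    if prm.get("resource") != resource:
        raise DiscoveryError("protected-resource metadata names a different resource")
    issuers = prm.get("authorization_servers") or []
    if not issuers:
        raise DiscoveryError("no authorization server advertised")
    issuer = issuers[0]
    asm = fetch(_well_known(issuer, ASM_PATH))
    # Same rule one hop later: the issuer must match the URL it was fetched for.
    if asm.get("issuer") != issuer:
        raise DiscoveryError("authorization-server metadata names a different issuer")
    _require_https(asm.get("token_endpoint") or "", "token_endpoint")
    return {"issuer": issuer, "token_endpoint": asm["token_endpoint"],
            "jwks_uri": asm.get("jwks_uri"), "scopes": prm.get("scopes_supported", [])}

# Constructed sample documents (not the real service's responses).
ORIGIN = "https://api.example.test"
SAMPLE = {
    ORIGIN + PRM_PATH: {"resource": ORIGIN, "authorization_servers": [ORIGIN],
                        "scopes_supported": ["partner.read"]},
    ORIGIN + ASM_PATH: {"issuer": ORIGIN,
                        "token_endpoint": ORIGIN + "/partner/v1/oauth/token",
                        "jwks_uri": ORIGIN + "/.well-known/jwks.json"},
}

def sample_fetch(url):
    return SAMPLE[url]  # stands in for an HTTPS GET plus JSON parse

if __name__ == "__main__":
    print(discover(ORIGIN, sample_fetch))
```

Because both documents are public and cacheable, the `resource` and `issuer` equality checks are what stop a cached or substituted document from steering the client's credentials to a different token endpoint.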
Related reading

GET /.well-known/oauth-authorization-server
The OAuth 2.0 authorization-server metadata document (RFC 8414). Advertises the token endpoint, JWKS URI,…
POST /partner/v1/mcp
The token-gated MCP server: the same JSON-RPC 2.0 protocol as the public server, behind an OAuth bearer…
POST /partner/v1/oauth/token
The OAuth 2.0 token endpoint. Exchange client credentials for a short-lived bearer access token scoped to the…