# Fix: OAuth/OIDC discovery metadata published

> Web-audit fix skill for the `oauth-discovery` check (Agent discovery & auth, MAY).

## Goal

Publish OAuth/OIDC discovery metadata if agents authenticate to your service.

## Fix

If agents authenticate to your service, publish OAuth/OIDC discovery metadata at
`/.well-known/openid-configuration` or `/.well-known/oauth-authorization-server` (RFC 8414 /
OIDC Discovery). Absent metadata is expected for an open server; present metadata is required
for an authenticated one.

## Resources

- [RFC 8414](https://www.rfc-editor.org/rfc/rfc8414)

## Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from [your audit](https://anc.dev/web-audit):

```text
Goal: Publish OAuth/OIDC discovery metadata if agents authenticate to your service
Issue: <the audit's finding for this check>
Fix: If agents authenticate to your service, publish OAuth/OIDC discovery metadata at `/.well-known/openid-configuration` or `/.well-known/oauth-authorization-server` (RFC 8414 / OIDC Discovery). Absent metadata is expected for an open server; present metadata is required for an authenticated one.
Skill: https://anc.dev/web-audit/skill/oauth-discovery
Docs: https://www.rfc-editor.org/rfc/rfc8414
```

## Verify

Re-run the audit at [https://anc.dev/web-audit](https://anc.dev/web-audit) or call the `audit_website` MCP tool; the `oauth-discovery` check should report `pass`.
