Fix: OAuth Protected Resource Metadata published (RFC 9728)

Web-audit fix skill for the oauth-protected-resource check (Agent discovery & auth, MAY).

Goal

Publish RFC 9728 protected-resource metadata for your authenticated MCP server.

Fix

For an authenticated MCP server, publish /.well-known/oauth-protected-resource (RFC 9728) so a client can discover which authorization servers issue tokens for your resource. Expected absent for an open, no-auth server.

Resources

Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from your audit:

Verify

Re-run the audit at https://anc.dev/web-audit or call the audit_website MCP tool; the oauth-protected-resource check should report pass.