Fix: OAuth Protected Resource Metadata published (RFC 9728)
Web-audit fix skill for the
oauth-protected-resourcecheck (Agent discovery & auth, MAY).
Goal
Publish RFC 9728 protected-resource metadata for your authenticated MCP server.
Fix
For an authenticated MCP server, publish /.well-known/oauth-protected-resource (RFC 9728) so a client can discover which authorization servers issue tokens for your resource. Expected absent for an open, no-auth server.
Resources
Copy-paste prompt
Paste this into your coding agent, replacing the Issue line with the Result line from your audit:
Verify
Re-run the audit at https://anc.dev/web-audit or call the audit_website MCP tool; the oauth-protected-resource check should report pass.