# Fix: OAuth Protected Resource Metadata published (RFC 9728)

> Web-audit fix skill for the `oauth-protected-resource` check (Agent discovery & auth, MAY).

## Goal

Publish RFC 9728 protected-resource metadata for your authenticated MCP server.

## Fix

For an authenticated MCP server, publish `/.well-known/oauth-protected-resource` (RFC 9728) so
a client can discover which authorization servers issue tokens for your resource. Expected
absent for an open, no-auth server.

## Resources

- [RFC 9728](https://www.rfc-editor.org/rfc/rfc9728)

## Copy-paste prompt

Paste this into your coding agent, replacing the Issue line with the Result line from [your audit](https://anc.dev/web-audit):

```text
Goal: Publish RFC 9728 protected-resource metadata for your authenticated MCP server
Issue: <the audit's finding for this check>
Fix: For an authenticated MCP server, publish `/.well-known/oauth-protected-resource` (RFC 9728) so a client can discover which authorization servers issue tokens for your resource. Expected absent for an open, no-auth server.
Skill: https://anc.dev/web-audit/skill/oauth-protected-resource
Docs: https://www.rfc-editor.org/rfc/rfc9728
```

## Verify

Re-run the audit at [https://anc.dev/web-audit](https://anc.dev/web-audit) or call the `audit_website` MCP tool; the `oauth-protected-resource` check should report `pass`.
