SHIP OAUTH PROTECTED RESOURCE METADATA ON YOUR MCP SERVERS
MCP servers are starting to publish OAuth 2.0 Protected Resource Metadata so clients can auto-discover auth without custom runbooks.
A team running MCP on Supabase Edge Functions shipped a discovery endpoint at /.well-known/oauth-protected-resource, following RFC 9728, so agent clients can learn auth servers, JWKS, scopes, and audience rules on the fly (why and how). Their guard handles scope shape drift (all, tool:, ) and checks audience via RFC 8707 resource indicators.
If your MCP tools still rely on pasted bearer tokens or per-client docs, this pattern replaces that glue with a standard JSON doc clients fetch at runtime. It lines up with the current MCP authorization draft and cuts integration friction across Claude Desktop, Cursor, Continue, and similar clients (duplicate post mirror).
Standard discovery removes per-client auth recipes and reduces breakage when you rotate keys, scopes, or issuers.
It aligns MCP authorization with OAuth specs, making cross-client onboarding predictable and auditable.
- Stand up /.well-known/oauth-protected-resource on a staging MCP server and validate discovery with multiple clients (Claude Desktop, Cursor, Continue).
- Exercise scope variants and audience checks (RFC 8707) and rotate JWKS to verify clients recover without manual changes.
Legacy codebase integration strategies...
- 01. Add the metadata endpoint behind your existing gateway and map legacy scope names to a canonical set without breaking callers.
- 02. Log and compare requested audience/scope vs. issued tokens to surface drift across older clients before enforcing stricter checks.
Fresh architecture paradigms...
- 01. Adopt RFC 9728 from day one; define stable tool URNs and scope taxonomy and publish JWKS/authorization_servers centrally.
- 02. Design a multi-tool "hub" MCP service that advertises per-tool scopes and resource indicators through one discovery surface.
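The discovery document and the guard described above (audience check plus legacy-to-canonical scope mapping), as an added example that is not the Supabase team's code. The URLs, scope names and legacy alias map are constructed placeholders, and the guard assumes the token's signature, issuer and expiry were verified before it runs.

```javascript
// Constructed placeholders: the URLs, scope names and legacy alias map are not from the page.
const RESOURCE = "https://mcp.example.com";
const METADATA_URL = RESOURCE + "/.well-known/oauth-protected-resource";
const CANONICAL = ["tool:search", "tool:write"];
const LEGACY = new Map([["all", CANONICAL], ["search.read", ["tool:search"]]]);

// RFC 9728 document served as JSON at METADATA_URL.
function protectedResourceMetadata() {
  return {
    resource: RESOURCE,
    authorization_servers: ["https://auth.example.com"],
    scopes_supported: CANONICAL,
    bearer_methods_supported: ["header"],
  };
}

// Accept a space-delimited string or an array, map legacy names to canonical
// ones, and drop anything the resource does not advertise.
function normalizeScopes(claim) {
  const raw = Array.isArray(claim) ? claim : String(claim ?? "").split(/\s+/);
  const granted = new Set();
  for (const name of raw) {
    for (const scope of LEGACY.get(name) ?? [name]) {
      if (CANONICAL.includes(scope)) granted.add(scope);
    }
  }
  return granted;
}

// claims: payload of a token whose signature, issuer and expiry are already verified.
function authorize(claims, requiredScope) {
  const deny = (status, error) => ({
    ok: false,
    status,
    wwwAuthenticate: `Bearer error="${error}", resource_metadata="${METADATA_URL}"`,
  });
  // The audience must name this resource exactly (string or array form).
  const audiences = [].concat(claims?.aud ?? []);
  if (!audiences.includes(RESOURCE)) return deny(401, "invalid_token");
  const granted = normalizeScopes(claims.scope ?? claims.scp);
  if (!granted.has(requiredScope)) return deny(403, "insufficient_scope");
  return { ok: true, status: 200 };
}
```

The `resource_metadata` parameter in the `WWW-Authenticate` challenge is how RFC 9728 points a rejected client back at the discovery document, so a denied request also tells the client where to re-discover auth.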