# OAuth discovery

Category: API / Auth / MCP

## Goal
If your site has protected APIs, publish `/.well-known/openid-configuration` (for OpenID Connect) or `/.well-known/oauth-authorization-server` (for OAuth 2.0) with `issuer`, `authorization_endpoint`, `token_endpoint`, `jwks_uri`, and `grant_types_supported`. This lets agents discover how to authenticate without parsing your docs.

## Validation
- Use public machine-readable artifacts where the standard expects them.
- Confirm content types, payload shape, and discoverability from the public web surface.
- Keep the implementation read-only from the scanner's perspective: the discovery document must be retrievable with a plain unauthenticated request and must not require any state-changing call.
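The checks above (required fields, payload shape, content type, and the issuer matching the URL the document was served from) can be run as a small validator before the document goes live. The following is an added example, not part of this page's own tooling; the function names `well_known_urls` and `validate_discovery` and the two sample documents are constructed for illustration. It derives both discovery URLs from the issuer (OpenID Connect Discovery appends the suffix to the issuer path; RFC 8414 inserts it between host and path) and flags the mismatches that an agent would otherwise trust.

```python
"""Validate an OAuth 2.0 / OpenID Connect discovery document (added example)."""
import json
from urllib.parse import urlsplit, urlunsplit

# Fields this page requires the published document to carry.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "grant_types_supported",
)
HTTPS_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def well_known_urls(issuer: str) -> dict:
    """Return the two discovery URLs an issuer is expected to serve.

    OpenID Connect Discovery: issuer path + "/.well-known/openid-configuration".
    RFC 8414: "/.well-known/oauth-authorization-server" + issuer path.
    """
    parts = urlsplit(issuer)
    path = parts.path.rstrip("/")
    oidc = urlunsplit((parts.scheme, parts.netloc,
                       path + "/.well-known/openid-configuration", "", ""))
    oauth = urlunsplit((parts.scheme, parts.netloc,
                        "/.well-known/oauth-authorization-server" + path, "", ""))
    return {"openid": oidc, "oauth": oauth}


def validate_discovery(body: str, content_type: str, fetched_from: str) -> list:
    """Return a list of problems; an empty list means the document passes."""
    problems = []
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"content-type is {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field {field}")

    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        parts = urlsplit(issuer)
        if parts.scheme != "https":
            problems.append("issuer must use https")
        if parts.query or parts.fragment:
            problems.append("issuer must not contain query or fragment")
        # A document served from a URL that does not belong to its own issuer
        # lets a client be pointed at a different authorization server.
        if fetched_from not in well_known_urls(issuer).values():
            problems.append("issuer does not match the URL the document was fetched from")
    elif "issuer" in doc:
        problems.append("issuer must be a string")

    for field in HTTPS_FIELDS:
        value = doc.get(field)
        if isinstance(value, str) and urlsplit(value).scheme != "https":
            problems.append(f"{field} must use https")

    grants = doc.get("grant_types_supported")
    if grants is not None and (
        not isinstance(grants, list) or not all(isinstance(g, str) for g in grants)
    ):
        problems.append("grant_types_supported must be a list of strings")
    return problems


# Constructed sample documents (not real deployments).
GOOD_DOC = json.dumps({
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/oauth/authorize",
    "token_endpoint": "https://example.com/oauth/token",
    "jwks_uri": "https://example.com/.well-known/jwks.json",
    "grant_types_supported": ["authorization_code", "refresh_token"],
})
BAD_DOC = json.dumps({
    "issuer": "https://login.example.net",
    "authorization_endpoint": "https://example.com/oauth/authorize",
    "token_endpoint": "https://example.com/oauth/token",
    "jwks_uri": "http://example.com/jwks.json",
})
FETCHED_FROM = "https://example.com/.well-known/openid-configuration"

if __name__ == "__main__":
    for name, doc, ctype in (("good", GOOD_DOC, "application/json; charset=utf-8"),
                             ("bad", BAD_DOC, "text/html")):
        print(name, validate_discovery(doc, ctype, FETCHED_FROM) or "ok")
```

The issuer check is the one most often skipped: a document that validates on shape alone but names a different issuer than the host it was served from should fail the scan, because a client following it would send its authorization request elsewhere.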

## Copyable Fix Prompt
```text
Fix the OAuth discovery gap for https://example.com.

Requirements:
- If your site has protected APIs, publish /.well-known/openid-configuration (for OpenID Connect) or /.well-known/oauth-authorization-server (for OAuth 2.0) with `issuer`, `authorization_endpoint`, `token_endpoint`, `jwks_uri`, and `grant_types_supported`. This lets agents discover how to authenticate without parsing your docs.
- Preserve existing product behavior and do not do UI work.
- Use machine-readable public artifacts under /.well-known/ or response headers when appropriate.
- Add or update automated tests covering the new behavior.
- Validate the final response shape and content types.
```