# OAuth Protected Resource

Category: API / Auth / MCP

## Goal
Publish /.well-known/oauth-protected-resource (per RFC 9728) with your `resource` identifier, `authorization_servers` (the list of OAuth/OIDC issuer URLs that can issue tokens for this resource), and `scopes_supported`. This tells agents which auth server to obtain access tokens from and which scopes to request.

## Validation
- Use public machine-readable artifacts where the standard expects them.
- Confirm content types, payload shape, and discoverability from the public web surface.
- Keep the endpoint read-only from the scanner's perspective: it is checked with an unauthenticated GET and must not require any state change to answer.
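As an added example (not part of this page or any particular product), the following Python builds the RFC 9728 metadata document described under Goal, derives the well-known URL for a resource identifier that carries a path, and runs the shape and content-type checks listed under Validation; all URLs and scope names are constructed sample values.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

def metadata_url(resource: str) -> str:
    """RFC 9728 s3: the well-known segment goes between host and the resource's path."""
    u = urlsplit(resource)
    return f"{u.scheme}://{u.netloc}{WELL_KNOWN}{u.path.rstrip('/')}"

def build_metadata(resource: str, authorization_servers, scopes_supported) -> dict:
    """Minimal protected-resource metadata: `resource` is required, the rest optional."""
    return {
        "resource": resource,
        "authorization_servers": list(authorization_servers),  # issuer URLs (RFC 8414)
        "scopes_supported": list(scopes_supported),
        "bearer_methods_supported": ["header"],  # tokens only in the Authorization header
    }

def serialize(doc: dict) -> str:
    return json.dumps(doc, indent=2)

def _is_issuer_url(value) -> bool:
    # Issuer identifiers are https URLs with no query or fragment component.
    u = urlsplit(value) if isinstance(value, str) else None
    return bool(u and u.scheme == "https" and u.netloc and not u.query and not u.fragment)

def validate_response(status: int, content_type: str, body: str, expected_resource: str) -> list:
    """Return the problems a scanner would report; an empty list means the document passes."""
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"content-type {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        return problems + ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    if doc.get("resource") != expected_resource:  # RFC 9728 s3.3: must match the identifier fetched for
        problems.append("resource does not match the identifier the metadata was fetched for")
    servers = doc.get("authorization_servers")
    if not isinstance(servers, list) or not servers or not all(_is_issuer_url(s) for s in servers):
        problems.append("authorization_servers must be a non-empty list of https issuer URLs")
    scopes = doc.get("scopes_supported")
    if not isinstance(scopes, list) or not all(isinstance(s, str) and s for s in scopes):
        problems.append("scopes_supported must be a list of non-empty strings")
    return problems

def www_authenticate(resource: str) -> str:
    """401 challenge pointing agents at the metadata document (RFC 9728 s5.1)."""
    return f'Bearer resource_metadata="{metadata_url(resource)}"'
```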

## Copyable Fix Prompt
```text
Fix the OAuth Protected Resource gap for https://example.com.

Requirements:
- Publish /.well-known/oauth-protected-resource (per RFC 9728) with your `resource` identifier, `authorization_servers` (the list of OAuth/OIDC issuer URLs that can issue tokens for this resource), and `scopes_supported`. This tells agents which auth server to obtain access tokens from and which scopes to request.
- Preserve existing product behavior and do not do UI work.
- Use machine-readable public artifacts under /.well-known/ or response headers when appropriate.
- Add or update automated tests covering the new behavior.
- Validate the final response shape and content types.
```