AI Readiness

OAuth protected resource metadata

OAuth protected resource metadata is one of the public readiness signals included in isitready.dev reports.

What we check

How the scan observes this signal.

The scanner fetches /.well-known/oauth-protected-resource per RFC 9728, validates that it returns application/json with a 2xx status, and reports whether authorization_servers, resource, scopes_supported, and bearer_methods_supported are present and well-formed.

Why it matters

Why this shows up on the report card.

Protected-resource metadata tells agents which authorization servers issue tokens accepted by your APIs, so they avoid trial-and-error auth flows.

Sample evidence

What a passing row looks like.

GET /.well-known/oauth-protected-resource: 200 OK · application/json
authorization_servers: 1 issuer listed
scopes_supported: read, write
Link header on protected route: rel="oauth-protected-resource"

How to improve

Steps in the remediation brief.

  1. Publish /.well-known/oauth-protected-resource on every API origin that requires OAuth tokens.

  2. List every authorization_servers issuer URL whose tokens your API accepts, so agents can resolve the right /.well-known/oauth-authorization-server document.

  3. Declare scopes_supported and bearer_methods_supported so clients know which scopes to request and how to send tokens.

  4. Reference the document from a Link: <…/.well-known/oauth-protected-resource>; rel="oauth-protected-resource" header on protected API responses.
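The following validator, added here as an example and not isitready.dev's own scanner code, applies the checks described under "What we check" to a document produced by the four steps above; the sample document, the origins api.example.com and auth.example.com, and the Link header are constructed for the example.

```python
import json
import re
from urllib.parse import urlparse
# Constructed sample: the document an API at https://api.example.com (a hypothetical origin) would publish.
SAMPLE_BODY = json.dumps({
    "resource": "https://api.example.com",
    "authorization_servers": ["https://auth.example.com"],
    "scopes_supported": ["read", "write"],
    "bearer_methods_supported": ["header"],
})
SAMPLE_LINK = '<https://api.example.com/docs>; rel="help", <https://api.example.com/.well-known/oauth-protected-resource>; rel="oauth-protected-resource"'

def is_identifier_url(value):
    # RFC 9728 resource and issuer identifiers are https URLs with no query or fragment
    u = urlparse(value) if isinstance(value, str) else None
    return u is not None and u.scheme == "https" and bool(u.netloc) and not u.query and not u.fragment

def check_metadata(status, content_type, body):
    """Apply the checks listed under 'What we check'; returns findings, an empty list on pass."""
    findings = []
    if not 200 <= status < 300:
        findings.append(f"status {status} is not 2xx")
    if content_type.split(";", 1)[0].strip().lower() != "application/json":
        findings.append(f"content-type {content_type!r} is not application/json")
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict):
        return findings + ["body is not a JSON object"]
    if not is_identifier_url(doc.get("resource")):
        findings.append("resource missing or not an https URL without query/fragment")
    issuers = doc.get("authorization_servers")
    if not (isinstance(issuers, list) and issuers and all(map(is_identifier_url, issuers))):
        findings.append("authorization_servers missing, empty, or holds a non-issuer URL")
    scopes = doc.get("scopes_supported")
    if not (isinstance(scopes, list) and all(isinstance(s, str) and s for s in scopes)):
        findings.append("scopes_supported missing or not a list of scope strings")
    methods = doc.get("bearer_methods_supported")
    if not (isinstance(methods, list) and methods and all(m in ("header", "body", "query") for m in methods)):
        findings.append("bearer_methods_supported missing or has values RFC 9728 does not define")
    return findings

def protected_resource_link(link_header):
    """Return the URL a Link header advertises with rel="oauth-protected-resource", or None."""
    for url, params in re.findall(r'<([^>]+)>([^,]*)', link_header):
        rel = re.search(r'rel\s*=\s*"?([^";]+)"?', params)
        if rel and "oauth-protected-resource" in rel.group(1).split():
            return url
    return None
```

Run check_metadata against the live response of each API origin and protected_resource_link against a protected route's Link header; an empty findings list plus a resolved link is what a passing row reflects.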

Common questions

Questions people ask about this check.

Why does isitready.dev check /.well-known/oauth-protected-resource separately from /.well-known/oauth-authorization-server?
They serve different audiences. The authorization-server document describes the issuer (endpoints, supported flows). The protected-resource document describes the API itself: which issuers it trusts, which scopes it requires, and how to send the bearer token. Agents need both to use a protected API without guessing.
Do I need this if my API does not require auth?
No — this check is informational for fully public APIs. The scanner will not fail an unauthenticated API for missing protected-resource metadata.
Where is the spec for this file?
RFC 9728 — OAuth 2.0 Protected Resource Metadata. It defines the JSON schema, the well-known location, and the rel="oauth-protected-resource" Link relation used by the scanner.