RFC 8414 — OAuth 2.0 Authorization Server Metadata

Spec: datatracker.ietf.org/doc/html/rfc8414
Status: Full

RFC 8414 defines a well-known URL where an OAuth 2.0 authorization server publishes its endpoints and capabilities. It is the OAuth-native counterpart to OpenID Connect Discovery, and is the document MCP clients fetch to learn how to authenticate.

Implemented

  • Metadata endpoint — GET /.well-known/oauth-authorization-server returns the authorization server's metadata as JSON.
  • Shared document — the response is identical to /.well-known/openid-configuration: same issuer, endpoints, supported grant types, response types, scopes, PKCE methods, and signing algorithms. Clients may use either URL.
  • Custom domains — when the request arrives on a tenant's custom domain, all advertised URLs and the issuer reflect that domain.
  • CIMD advertisement — when a tenant enables Client ID Metadata Documents, the metadata includes client_id_metadata_document_supported: true. See Client ID Metadata Documents.
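
A client can check these properties before trusting a fetched document. The following is an added example, not code from this project: it applies the RFC 8414 section 3.3 issuer check and the two behaviours listed above (same-domain URLs, identical OpenID document). The host auth.example.com and the endpoint paths are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"

def well_known_url(issuer: str) -> str:
    """RFC 8414 section 3: the well-known segment goes between host and issuer path."""
    u = urlsplit(issuer)
    return f"{u.scheme}://{u.netloc}{WELL_KNOWN}{u.path.rstrip('/')}"

def check_metadata(fetched_from: str, doc: dict, oidc_doc: Optional[dict] = None) -> list:
    """Return a list of problems; an empty list means the document is consistent."""
    problems = []
    issuer = str(doc.get("issuer", ""))
    u = urlsplit(issuer)
    if u.scheme != "https" or not u.netloc or u.query or u.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    elif well_known_url(issuer) != fetched_from:
        # RFC 8414 section 3.3: the returned issuer must be the one the
        # well-known URL was built from, otherwise the metadata is not used.
        problems.append("issuer does not match the URL the metadata was fetched from")
    # Behaviour stated on this page: advertised URLs reflect the request domain.
    host = urlsplit(fetched_from).netloc
    for key, value in doc.items():
        if (key.endswith("_endpoint") or key == "jwks_uri") and isinstance(value, str):
            if urlsplit(value).netloc != host:
                problems.append(f"{key} is on a different host: {value}")
    # Behaviour stated on this page: both well-known URLs serve the same document.
    if oidc_doc is not None and oidc_doc != doc:
        problems.append("differs from /.well-known/openid-configuration")
    return problems

# Constructed sample for a hypothetical tenant custom domain (not real output).
URL = "https://auth.example.com" + WELL_KNOWN
SAMPLE = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/oauth/token",
    "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
    "code_challenge_methods_supported": ["S256"],
    "client_id_metadata_document_supported": True,
}

if __name__ == "__main__":
    print(check_metadata(URL, SAMPLE, dict(SAMPLE)))
    mixed = dict(SAMPLE, issuer="https://login.example.net",
                 token_endpoint="https://login.example.net/oauth/token")
    print(check_metadata(URL, mixed))
```
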

Released under the MIT License.