RFC 9728 — OAuth 2.0 Protected Resource Metadata

Spec: datatracker.ietf.org/doc/html/rfc9728
Status: Planned

RFC 9728 defines a well-known URL where a protected resource (resource server / API) publishes metadata — most importantly, which authorization servers it trusts. It completes the discovery chain used by the Model Context Protocol: a client hits the resource, reads its oauth-protected-resource metadata to find the authorization server, then reads that server's RFC 8414 metadata and registers via CIMD (Client ID Metadata Documents) or DCR (Dynamic Client Registration).
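The discovery chain above, walked end to end, as an added example that is not AuthHero's code or part of the original page. It runs offline against constructed metadata documents (the `example.test` hosts and every endpoint value are placeholders, not AuthHero URLs) and shows the two checks a client should make along the way: the `resource` value in the protected-resource document must equal the identifier the client asked about, and the `issuer` in the RFC 8414 document must equal the authorization server URL it was fetched for, so a document served for a different resource or issuer is rejected rather than followed.

```python
"""Walk the RFC 9728 -> RFC 8414 discovery chain over constructed metadata."""
import json
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample documents keyed by URL, standing in for live HTTPS GETs.
# Hosts and endpoints are placeholders (assumption), not AuthHero's.
SAMPLE_DOCS = {
    "https://api.example.test/.well-known/oauth-protected-resource/mcp": {
        "resource": "https://api.example.test/mcp",
        "authorization_servers": ["https://auth.example.test"],
        "scopes_supported": ["mcp:read", "mcp:write"],
        "bearer_methods_supported": ["header"],
    },
    "https://auth.example.test/.well-known/oauth-authorization-server": {
        "issuer": "https://auth.example.test",
        "authorization_endpoint": "https://auth.example.test/authorize",
        "token_endpoint": "https://auth.example.test/oauth/token",
        "registration_endpoint": "https://auth.example.test/oauth/register",
        "code_challenge_methods_supported": ["S256"],
    },
}


def fetch_json(url, docs=SAMPLE_DOCS):
    """Stand-in for an HTTPS GET; an unknown URL behaves like a 404."""
    if url not in docs:
        raise LookupError(f"no metadata at {url}")
    return docs[url]


def resource_metadata_url_from_challenge(www_authenticate):
    """Pull the resource_metadata parameter out of a Bearer challenge
    (RFC 9728 section 5.1); returns None when the challenge lacks it."""
    match = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return match.group(1) if match else None


def protected_resource_metadata_url(resource):
    """RFC 9728 well-known URL: the well-known segment is inserted between the
    host and the resource's path, so /mcp -> /.well-known/oauth-protected-resource/mcp."""
    parts = urlsplit(resource)
    if parts.scheme != "https":
        raise ValueError("resource identifier must use https")
    if parts.query or parts.fragment:
        raise ValueError("resource identifier must not carry a query or fragment")
    path = "/.well-known/oauth-protected-resource" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def authorization_server_metadata_url(issuer):
    """RFC 8414 well-known URL, built the same way from the issuer identifier."""
    parts = urlsplit(issuer)
    path = "/.well-known/oauth-authorization-server" + parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def discover(resource, docs=SAMPLE_DOCS):
    """Return (protected resource metadata, authorization server metadata),
    refusing any document whose self-identification does not match the request."""
    prm = fetch_json(protected_resource_metadata_url(resource), docs)
    # RFC 9728: the document's `resource` must equal the identifier we used;
    # anything else is metadata for some other resource and must not be trusted.
    if prm.get("resource") != resource:
        raise ValueError(f"resource metadata claims {prm.get('resource')!r}, expected {resource!r}")
    servers = prm.get("authorization_servers") or []
    if not servers:
        raise ValueError("resource metadata lists no authorization_servers")
    issuer = servers[0]  # first trusted AS; a real client may apply policy here
    asm = fetch_json(authorization_server_metadata_url(issuer), docs)
    # RFC 8414: `issuer` must equal the identifier the document was fetched for.
    if asm.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {asm.get('issuer')!r} vs {issuer!r}")
    return prm, asm


def registration_endpoint(resource, docs=SAMPLE_DOCS):
    """Where DCR (RFC 7591) would happen after discovery; None if the AS offers none."""
    _, asm = discover(resource, docs)
    return asm.get("registration_endpoint")


if __name__ == "__main__":
    # A constructed 401 challenge such as the resource would return to an MCP client.
    challenge = 'Bearer resource_metadata="https://api.example.test/.well-known/oauth-protected-resource/mcp"'
    assert resource_metadata_url_from_challenge(challenge) == \
        protected_resource_metadata_url("https://api.example.test/mcp")
    prm, asm = discover("https://api.example.test/mcp")
    print(json.dumps({"authorization_server": asm["issuer"],
                      "token_endpoint": asm["token_endpoint"],
                      "registration_endpoint": asm.get("registration_endpoint"),
                      "scopes": prm["scopes_supported"]}, indent=2))
```

Swapping `fetch_json` for a real HTTPS client gives a working discovery step; the two equality checks are what stop a client from being steered to an authorization server that the resource never listed.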

Not yet implemented

AuthHero does not currently expose GET /.well-known/oauth-protected-resource. MCP clients that rely on Protected Resource Metadata to locate the authorization server must be pointed at the AuthHero authorization server directly until this is implemented.

The authorization server metadata and CIMD halves of the MCP discovery flow are implemented today.

Released under the MIT License.