Builds an Express router that serves the two OAuth discovery documents an MCP server acting purely as a Resource Server needs to expose:

- /.well-known/oauth-protected-resource[/<path>]: RFC 9728 Protected Resource Metadata, derived from the supplied options.
- /.well-known/oauth-authorization-server: RFC 8414 Authorization Server Metadata, passed through verbatim from AuthMetadataOptions.oauthMetadata.

Mount this router at the application root:

    app.use(mcpAuthMetadataRouter({ oauthMetadata, resourceServerUrl }));

Pair with requireBearerAuth on your /mcp route and pass getOAuthProtectedResourceMetadataUrl as its resourceMetadataUrl so unauthenticated clients can discover the AS from the 401 challenge.
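
The discovery flow described above, seen from the client side, as an added example that is not SDK code: it derives the RFC 9728 well-known URL for a resource, reads resource_metadata from the 401 challenge, and checks the metadata document before trusting the advertised authorization server. All function names and the example.com hosts are assumptions made for illustration, and the metadata object stands in for the document a client would fetch.

```javascript
// Added example, not SDK code; all function names here are hypothetical.
const WELL_KNOWN = '/.well-known/oauth-protected-resource';

// RFC 9728 section 3.1: insert the well-known segment between host and path.
function protectedResourceMetadataUrl(resourceUrl) {
  const u = new URL(resourceUrl);
  const path = u.pathname === '/' ? '' : u.pathname;
  return `${u.origin}${WELL_KNOWN}${path}${u.search}`;
}

// Pull resource_metadata out of a Bearer challenge (RFC 9728 section 5.1).
function resourceMetadataFromChallenge(header) {
  if (!/^Bearer(\s|$)/i.test(header || '')) return null;
  const m = /(?:^|[\s,])resource_metadata="([^"]*)"/i.exec(header);
  return m ? m[1] : null;
}

// Checks a client should pass before using the advertised authorization server.
// `metadata` is the JSON document the client fetched from the challenge's URL.
function pickIssuer(requestUrl, challengeHeader, metadata) {
  const metaUrl = resourceMetadataFromChallenge(challengeHeader);
  if (!metaUrl) throw new Error('challenge carries no resource_metadata');
  if (new URL(metaUrl).protocol !== 'https:') throw new Error('metadata URL is not https');
  // RFC 9728 section 3.3: `resource` must equal the URL the client requested;
  // a mismatch means the document describes a different resource.
  if (metadata.resource !== requestUrl) throw new Error('resource mismatch');
  const servers = metadata.authorization_servers;
  if (!Array.isArray(servers) || servers.length === 0) throw new Error('no authorization_servers');
  return { metaUrl, issuer: servers[0] };
}

// Constructed sample exchange (example.com hosts are placeholders).
function demo() {
  const requestUrl = 'https://mcp.example.com/mcp';
  const challenge = `Bearer error="invalid_token", resource_metadata="${protectedResourceMetadataUrl(requestUrl)}"`;
  const metadata = { resource: requestUrl, authorization_servers: ['https://auth.example.com'] };
  return pickIssuer(requestUrl, challenge, metadata);
}

console.log(demo());
```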