Protected Resource

👨‍💼 For our journaling app it's crucial that clients can discover how to interact with our resource server in a standards-compliant way. The Model Context Protocol (MCP) and OAuth require that we expose a public metadata endpoint so that any client can learn how to authenticate and what endpoints are available. This endpoint must be accessible to everyone, without requiring authentication, because it's the first step in the OAuth discovery process.
But not all protected resources are the same! In a large system, you might have multiple APIs or services, each with its own protected data—think: user profiles, journal entries, or analytics. Each of these can be considered a separate "protected resource" in OAuth terms. To support this, the OAuth and MCP specifications allow for multiple resource metadata endpoints, each describing a different protected resource.
That's why, for EpicMe, our endpoint is:
/.well-known/oauth-protected-resource/mcp
The /mcp at the end uniquely identifies our journaling MCP endpoint as a specific protected resource. This makes it possible for clients to discover metadata for just the resource they want to access, even if the server hosts several different APIs. It also helps with future extensibility—if we add more protected resources later, each can have its own metadata endpoint under /.well-known/oauth-protected-resource/.
Here's how a client might discover the resource server's metadata:
// Example: Discovering the MCP resource server's metadata
const response = await fetch(
	'https://api.example.com/.well-known/oauth-protected-resource/mcp',
)
if (response.ok) {
	const metadata = await response.json()
	// metadata.authorization_servers tells the client where to go next
} else {
	throw new Error('Could not discover resource server metadata.')
}
Here's an example of what the metadata content looks like:
{
	"resource": "https://api.example.com/mcp",
	"authorization_servers": ["https://auth.example.com"]
}
There are some other fields you can supply, but these are the two most important for our purposes.
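A client should not trust this document blindly. RFC 9728 says the `resource` value must be identical to the resource identifier the client started from, otherwise the metadata must not be used. The sketch below is an added example, not part of the workshop's code: the function names `metadataUrlFor` and `validateResourceMetadata` are hypothetical and the sample documents are constructed.

```javascript
const WELL_KNOWN = '/.well-known/oauth-protected-resource'

// Build the metadata URL by inserting the well-known segment between the
// host and the path of the resource identifier (RFC 9728, section 3).
function metadataUrlFor(resource) {
	const url = new URL(resource)
	// RFC 9728: the resource identifier is an https URL with no fragment.
	if (url.protocol !== 'https:') throw new Error('resource must use https')
	if (url.hash) throw new Error('resource must not contain a fragment')
	const path = url.pathname === '/' ? '' : url.pathname
	return `${url.origin}${WELL_KNOWN}${path}${url.search}`
}

// Return a list of problems; an empty list means the document is usable.
function validateResourceMetadata(expectedResource, metadata) {
	if (metadata === null || typeof metadata !== 'object') {
		return ['metadata is not a JSON object']
	}
	const problems = []
	// A mismatch means the document describes some other resource.
	if (metadata.resource !== expectedResource) {
		problems.push(`resource mismatch: got ${JSON.stringify(metadata.resource)}`)
	}
	// The client needs at least one authorization server to continue discovery.
	const servers = metadata.authorization_servers
	if (!Array.isArray(servers) || servers.length === 0) {
		problems.push('authorization_servers is missing or empty')
		return problems
	}
	for (const issuer of servers) {
		let parsed = null
		try { parsed = new URL(issuer) } catch { /* not a URL */ }
		if (!parsed || parsed.protocol !== 'https:') {
			problems.push(`authorization server is not an https URL: ${JSON.stringify(issuer)}`)
		}
	}
	return problems
}

// Constructed sample documents (not responses from real servers).
const good = {
	resource: 'https://api.example.com/mcp',
	authorization_servers: ['https://auth.example.com'],
}
const spoofed = {
	resource: 'https://api.example.com/admin',
	authorization_servers: ['http://auth.example.net'],
}
```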
Here's the overall flow for a client discovering the resource server and then the authorization server:
Client → EpicMe: GET /.well-known/oauth-protected-resource/mcp
EpicMe → Client: Resource metadata (includes authorization_servers)
Client → Auth Server: GET /.well-known/oauth-authorization-server
Auth Server → Client: Authorization server metadata
🚦 The /.well-known/oauth-protected-resource/mcp endpoint must be accessible to all clients, without authentication. This is required by the OAuth and MCP specifications.
📜 For more details, see the OAuth 2.0 Protected Resource Metadata RFC.
The goal is to make EpicMe's resource server discoverable and easy to integrate with any standards-compliant client. Make sure your implementation exposes the correct metadata endpoint for the MCP resource, so clients can start the OAuth flow without any roadblocks.
Now, check that your /.well-known/oauth-protected-resource/mcp endpoint is public, returns the correct metadata, and helps clients discover how to connect to EpicMe securely!
