---
name: oauth-protected-resource
description: Publish OAuth Protected Resource metadata (RFC 9728)
---

# OAuth Protected Resource Metadata (RFC 9728)

Publish `/.well-known/oauth-protected-resource` describing how agents obtain tokens for your protected APIs.

## Requirements

- Serve `/.well-known/oauth-protected-resource` with HTTP 200
- Content-Type: `application/json`
- Body includes:
  - `resource` — resource identifier URL
  - `authorization_servers` — array of OAuth/OIDC issuer URLs that can issue tokens
  - `scopes_supported` — scopes the resource recognizes

## Example

```json
{
  "resource": "https://api.example.com",
  "authorization_servers": ["https://auth.example.com"],
  "scopes_supported": ["read", "write"],
  "bearer_methods_supported": ["header"]
}
```

## References

- [RFC 9728 — OAuth 2.0 Protected Resource Metadata](https://www.rfc-editor.org/rfc/rfc9728)