Per-User OAuth

Protected Resource Metadata (RFC 9728)

Returns the OAuth 2.0 Protected Resource Metadata document per RFC 9728.

MCP clients fetch this after receiving a 401 response from /mcp (with a WWW-Authenticate: Bearer resource_metadata=".../.well-known/oauth-protected-resource" header). The response tells the client which authorization server(s) protect the /mcp resource so it can proceed with discovery.

Returns 404 when no MCP clients are configured with auth_type: per_user_oauth.
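
A client-side sketch of the discovery step described above, as an added example that is not code from this project: it reads `resource_metadata` out of the 401 challenge, then validates the metadata document before trusting the authorization servers it names. The function names are hypothetical, the sample values are constructed from the example response on this page, and the `resource` match check follows RFC 9728 section 3.3 rather than anything stated here.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample values mirroring the example response on this page.
MCP_URL = "https://your-bifrost-domain.com/mcp"
CHALLENGE = ('Bearer resource_metadata='
             '"https://your-bifrost-domain.com/.well-known/oauth-protected-resource"')
METADATA = json.dumps({
    "resource": "https://your-bifrost-domain.com/mcp",
    "authorization_servers": ["https://your-bifrost-domain.com"],
    "scopes_supported": ["mcp:read", "mcp:write"],
    "bearer_methods_supported": ["header"],
})


def metadata_url_from_challenge(header):
    """Extract resource_metadata from a WWW-Authenticate: Bearer challenge."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    m = re.search(r'(?:^|[\s,])resource_metadata="([^"]*)"', params)
    if not m:
        raise ValueError("challenge has no resource_metadata parameter")
    url = m.group(1)
    if urlsplit(url).scheme != "https":
        raise ValueError("resource_metadata must be an https URL")
    return url


def authorization_servers(requested_url, metadata_json):
    """Validate the metadata document and return the issuers it names."""
    doc = json.loads(metadata_json)
    # RFC 9728 section 3.3: "resource" must equal the URL the client requested,
    # otherwise another host could steer the client to an issuer it controls.
    if doc.get("resource") != requested_url:
        raise ValueError("metadata 'resource' does not match requested URL")
    servers = doc.get("authorization_servers") or []
    if not isinstance(servers, list) or not servers:
        raise ValueError("no authorization_servers listed")
    for issuer in servers:
        parts = urlsplit(issuer) if isinstance(issuer, str) else None
        if not parts or parts.scheme != "https" or not parts.netloc or parts.fragment:
            raise ValueError(f"untrusted issuer value: {issuer!r}")
    return servers
```

A client would call `metadata_url_from_challenge` on the 401 header, fetch that URL, and pass the body to `authorization_servers` together with the `/mcp` URL it originally requested.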

GET /.well-known/oauth-protected-resource

Authorization: Bearer <token>

Bearer token authentication. Use your MPilot virtual-key JWT or admin JWT. Virtual keys (prefixed with sk-bf-) can also be passed here.

In: header

curl -X GET "https://{AI_GATEWAY_URL}/.well-known/oauth-protected-resource"

Response Body

{
  "resource": "https://your-bifrost-domain.com/mcp",
  "authorization_servers": [
    "https://your-bifrost-domain.com"
  ],
  "scopes_supported": [
    "mcp:read",
    "mcp:write"
  ],
  "bearer_methods_supported": [
    "header"
  ]
}
"string"