Per User Oauth
Protected Resource Metadata (RFC 9728)
Returns the OAuth 2.0 Protected Resource Metadata document per RFC 9728.
MCP clients fetch this after receiving a 401 response from /mcp (with a
WWW-Authenticate: Bearer resource_metadata=".../.well-known/oauth-protected-resource"
header). The response tells the client which authorization server(s) protect the
/mcp resource so it can proceed with discovery.
Returns 404 when no MCP clients are configured with auth_type: per_user_oauth.
AuthorizationBearer <token>
Bearer token authentication. Use your MPilot virtual-key JWT or admin JWT.
Virtual keys (prefixed with sk-bf-) can also be passed here.
In: header
Response Body
curl -X GET "https://loading/{AI_GATEWAY_URL}/.well-known/oauth-protected-resource"{
"resource": "https://your-bifrost-domain.com/mcp",
"authorization_servers": [
"https://your-bifrost-domain.com"
],
"scopes_supported": [
"mcp:read",
"mcp:write"
],
"bearer_methods_supported": [
"header"
]
}"string"