AttestoMCP.Metadata (AttestoMCP v0.5.2)

Builders for OAuth metadata used by HTTP MCP authorization.

MCP HTTP servers that require authorization act as OAuth protected resources. The MCP authorization spec points clients at RFC 9728 protected-resource metadata first, then at RFC 8414 authorization-server metadata. This module builds those documents without coupling the package to any MCP server SDK.
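
One way to wire these builders into a Plug router, as an added example that is not AttestoMCP's own code: the well-known route serves the RFC 9728 document, and calls without a valid bearer token get a 401 whose WWW-Authenticate challenge carries resource_metadata. The MyApp.* module names, the example.com URLs, the scope name, the Jason encoder and the token check MyApp.Tokens.verify/1 are assumptions; the example passes an explicit :resource instead of deriving it from the request.

```elixir
defmodule MyApp.MCPRouter do
  # Added example, not AttestoMCP's own code. MyApp.*, the URLs, the scope,
  # Jason and MyApp.Tokens.verify/1 are assumptions (hypothetical names).
  use Plug.Router
  alias AttestoMCP.Metadata

  @base "https://mcp.example.com"
  @path "/mcp"
  @issuer "https://auth.example.com"

  plug :match
  plug :dispatch

  # RFC 9728 discovery document for the /mcp resource.
  get "/.well-known/oauth-protected-resource/mcp" do
    doc =
      Metadata.protected_resource(
        resource: @base <> @path,
        authorization_servers: [@issuer],
        scopes_supported: ["mcp:read"],
        bearer_methods_supported: ["header"]
      )

    conn
    |> put_resp_content_type("application/json")
    |> send_resp(200, Jason.encode!(doc))
  end

  # The MCP endpoint: anything without a verifiable bearer token is challenged.
  post "/mcp" do
    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
         {:ok, _claims} <- MyApp.Tokens.verify(token) do
      send_resp(conn, 200, "{}")
    else
      _ -> challenge(conn)
    end
  end

  match _, do: send_resp(conn, 404, "")

  # 401 whose WWW-Authenticate header points the client at the metadata URL.
  defp challenge(conn) do
    url = Metadata.protected_resource_url(@base, @path)
    header = Metadata.append_resource_metadata(~s(Bearer realm="mcp"), url)

    conn
    |> put_resp_header("www-authenticate", header)
    |> send_resp(401, "")
  end
end
```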

Functions

append_resource_metadata(challenge, url)

@spec append_resource_metadata(String.t(), String.t()) :: String.t()

Append resource_metadata to a WWW-Authenticate challenge.

authorization_server(config, opts \\ [])

@spec authorization_server(
  Attesto.Config.t(),
  keyword()
) :: %{required(String.t()) => term()}

Build the authorization-server metadata document by delegating to Attesto.

protected_resource(opts)

@spec protected_resource(keyword()) :: %{required(String.t()) => term()}

Build an RFC 9728 protected-resource metadata document.

Required options:

  • :resource - the protected resource identifier, usually the canonical MCP server URI such as "https://mcp.example.com/mcp".
  • :authorization_servers - a non-empty list of issuer identifiers.

Common options include :scopes_supported, :bearer_methods_supported, :dpop_signing_alg_values_supported, and :tls_client_certificate_bound_access_tokens.

protected_resource(conn, resource_path, opts \\ [])

@spec protected_resource(Plug.Conn.t(), String.t(), keyword()) :: %{
  required(String.t()) => term()
}

Build protected-resource metadata from a Plug connection and resource path.

resource_path is the path of the MCP endpoint, for example "/mcp" or "/mcp/admin". The resource identifier is the current request origin joined with that path. :authorization_servers defaults to the same origin.

protected_resource_url(base_url, resource_path)

@spec protected_resource_url(String.t(), String.t()) :: String.t()
@spec protected_resource_url(Plug.Conn.t(), String.t()) :: String.t()

Build the well-known metadata URL for an MCP resource path.

iex> AttestoMCP.Metadata.protected_resource_url("https://mcp.example.com", "/mcp")
"https://mcp.example.com/.well-known/oauth-protected-resource/mcp"

A Plug connection can also be passed as the first argument.

resource_metadata_param(url)

@spec resource_metadata_param(String.t()) :: String.t()

Build the WWW-Authenticate auth-param value for RFC 9728 metadata discovery.