Serves Protected Resource Metadata per RFC 9728.

This plug serves the /.well-known/oauth-protected-resource endpoint, allowing clients to discover which authorization servers protect this resource and what scopes are supported.

Usage

plug ExMCP.Plugs.ProtectedResourceMetadata,
  resource: "https://mcp.example.com",
  authorization_servers: ["https://auth.example.com"],
  scopes_supported: ["mcp:tools:list", "mcp:tools:execute"],
  bearer_methods_supported: ["header"]

Options

• :resource (required) - The resource identifier URI.
• :authorization_servers (required) - List of authorization server issuer URIs.
• :scopes_supported - List of supported OAuth scopes. Defaults to MCP standard scopes.
• :bearer_methods_supported - How bearer tokens can be presented. Defaults to ["header"].
• :resource_signing_alg_values_supported - Supported signing algorithms.
• :resource_documentation - URL to human-readable documentation.
• :extra_metadata - Additional metadata fields as a map.