A Plug that serves the RFC 9728 Protected Resource Metadata document.
This is the discovery endpoint MCP clients fetch to learn which Authorization
Server(s) protect this MCP server. It is served at the well-known URI derived from the
configured :resource (both the path-aware form and the bare root form, per RFC 9728
§3.1) and is publicly readable with permissive CORS so browser-based clients can fetch
it cross-origin.
Mount it at the application root, ahead of your routes:
plug Urchin.Auth.Metadata, auth: authRequests that do not target a metadata path pass through untouched. The standalone
Urchin.Endpoint runner wires this in automatically when :auth is configured.
Options
:auth(required) - anUrchin.Authstruct or a keyword list ofUrchin.Auth.new!/1options.
Summary
Functions
Returns true when the request targets the Protected Resource Metadata endpoint.
Sends the metadata document (or the appropriate CORS/405 response) for the request.
Functions
@spec metadata_request?(Plug.Conn.t(), Urchin.Auth.t()) :: boolean()
Returns true when the request targets the Protected Resource Metadata endpoint.
@spec serve(Plug.Conn.t(), Urchin.Auth.t()) :: Plug.Conn.t()
Sends the metadata document (or the appropriate CORS/405 response) for the request.
Used by call/2 and reused by Urchin.Endpoint. Does not halt; the caller decides.