{
  "id": "P287",
  "slug": "mcp-authorization-protected-resource-metadata-oauth-2-1-server-refuses-protected-endpoint-www-au",
  "status": "search-observed",
  "product": "MCP",
  "family": "Protocol transport/auth evolution",
  "canonical_url": "https://gitdocs.org/fix/mcp-authorization-protected-resource-metadata-oauth-2-1-server-refuses-protected-endpoint-www-au",
  "query_alias_url": "https://gitdocs.org/q/mcp-authorization-protected-resource-metadata-oauth-2-1-server-refuses-protected-endpoint-www-au",
  "markdown_url": "https://gitdocs.org/fix/mcp-authorization-protected-resource-metadata-oauth-2-1-server-refuses-protected-endpoint-www-au.md",
  "json_url": "https://gitdocs.org/api/fixes/mcp-authorization-protected-resource-metadata-oauth-2-1-server-refuses-protected-endpoint-www-au.json",
  "canonical_query": "MCP authorization protected resource metadata OAuth 2.1 server refuses protected endpoint WWW-Authenticate resource_metadata",
  "observed_codex_queries": [
    "MCP authorization protected resource metadata OAuth 2.1 server refuses protected endpoint WWW-Authenticate resource_metadata",
    "model context protocol authorization OAuth 2.1 protected resource metadata",
    "site:modelcontextprotocol.io specification authorization MCP protected resource metadata OAuth",
    "https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization"
  ],
  "organic_dependency_search_count": 4,
  "affected_versions": "",
  "exact_errors": [],
  "diagnosis": "Local client/server code can each be valid for an earlier protocol revision; only the negotiated current spec defines transport, session, and authorization behavior.",
  "before": "",
  "after": "",
  "verification": "Verifier checks current transport framing, session lifecycle, auth flow, and backwards compatibility where specified.",
  "unsafe_fixes": [
    "Changing local code without checking the current external contract.",
    "Retrying the same install, build, or API call with no version/source change.",
    "Applying a broad unsafe bypass when a narrow compatibility fix is available."
  ],
  "last_verified_at": "2026-06-25",
  "neutral_validation": {
    "organic_search_observed": true,
    "organic_strict_pass": true,
    "no_web_counterfactual_run": false,
    "no_web_strict_pass": null,
    "search_necessity_under_fixture": null,
    "no_web_oracle_note": "Observed query evidence is separated from necessity proof; no-web and stale-contract counterfactuals should be tracked separately."
  },
  "source_trail": [
    {
      "url": "https://modelcontextprotocol.io/specification/2025-03-26/changelog",
      "label": "MCP 2025-03-26 key changes"
    },
    {
      "url": "https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization",
      "label": "Official reference opened by Codex"
    }
  ],
  "source_github_links": []
}