# MCP authorization protected resource metadata OAuth 2.1 server refuses protected endpoint WWW-Authenticate resource_metadata

Status: search-observed
Product: MCP
Last verified: 2026-06-25
Canonical HTML: https://gitdocs.org/fix/mcp-authorization-protected-resource-metadata-oauth-2-1-server-refuses-protected-endpoint-www-au
Machine JSON: https://gitdocs.org/api/fixes/mcp-authorization-protected-resource-metadata-oauth-2-1-server-refuses-protected-endpoint-www-au.json

## Exact Symptom

See the observed Codex queries below.

## Diagnosis

Local client/server code can each be valid for an earlier protocol revision; only the negotiated current spec defines transport, session, and authorization behavior.

## Fix

Verifier checks current transport framing, session lifecycle, auth flow, and backwards compatibility where specified.
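One such auth-flow check, as an added example (not code from MCP or from this page): it inspects the response to an unauthenticated request and reports whether the `WWW-Authenticate` Bearer challenge carries `resource_metadata`. It assumes the endpoint is meant to be protected and that the 2025-06-18 authorization page listed under Sources applies, which uses OAuth 2.0 Protected Resource Metadata (RFC 9728). The function names, sample headers and `mcp.example.com` are hypothetical.

```python
import re
from urllib.parse import urlsplit

# auth-param: name = token or quoted-string (HTTP challenge syntax).
_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

def bearer_params(www_authenticate):
    """Return the auth-params of the Bearer challenge, or None if there is none."""
    m = re.search(r'(?:^|,\s*)Bearer(?:\s+|$)', www_authenticate, re.IGNORECASE)
    if not m:
        return None
    params = {}
    # Simplification: params of any challenge listed after Bearer are read too;
    # setdefault keeps the first value seen for each name.
    for name, quoted, token in _PARAM.findall(www_authenticate[m.end():]):
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted else token
        params.setdefault(name.lower(), value)
    return params

def check_unauthorized(status, headers):
    """Findings for one response to an unauthenticated request (empty list = OK)."""
    if status != 401:
        return [f"expected 401 for unauthenticated request, got {status}"]
    header = next((v for k, v in headers.items() if k.lower() == "www-authenticate"), None)
    if header is None:
        return ["401 without WWW-Authenticate: client cannot discover authorization"]
    params = bearer_params(header)
    if params is None:
        return ["WWW-Authenticate has no Bearer challenge"]
    url = params.get("resource_metadata")
    if not url:
        return ["Bearer challenge lacks resource_metadata (server may follow an earlier revision)"]
    parts = urlsplit(url)
    # Policy assumed by this example: the metadata URL must be absolute https.
    if parts.scheme != "https" or not parts.netloc:
        return [f"resource_metadata is not an absolute https URL: {url}"]
    return []

# Constructed sample responses (not captured from a real server).
CURRENT = {"WWW-Authenticate":
           'Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"'}
OLDER = {"WWW-Authenticate": 'Bearer realm="mcp"'}

if __name__ == "__main__":
    for name, hdrs in (("current", CURRENT), ("older", OLDER)):
        print(name, check_unauthorized(401, hdrs) or "ok")
```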

## Avoid

- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.

## Observed Codex Queries

- MCP authorization protected resource metadata OAuth 2.1 server refuses protected endpoint WWW-Authenticate resource_metadata
- model context protocol authorization OAuth 2.1 protected resource metadata
- site:modelcontextprotocol.io specification authorization MCP protected resource metadata OAuth
- https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization

## Sources

- MCP 2025-03-26 key changes: https://modelcontextprotocol.io/specification/2025-03-26/changelog
- Official reference opened by Codex: https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
