Protocol transport/auth evolution
MCP authorization protected resource metadata OAuth 2.1 server refuses protected endpoint WWW-Authenticate resource_metadata
A remote MCP server works without auth locally but the current client refuses its protected endpoint.
Agent Quick Fix
Repair against the current MCP contract, then keep the change narrow and source-backed.
Product: MCP
Current-contract area: OAuth 2.1 authorization metadata absent
Likely root cause: A remote MCP server works without auth locally but the current client refuses its protected endpoint.
Repair direction: Verifier checks current transport framing, session lifecycle, auth flow, and backwards compatibility where specified.Symptom
A remote MCP server works without auth locally but the current client refuses its protected endpoint.
Why This Happens
Local client/server code can each be valid for an earlier protocol revision; only the negotiated current spec defines transport, session, and authorization behavior.
Common Wrong Fixes
- Changing local code without checking the current external contract.
- Retrying the same install, build, or API call with no version/source change.
- Applying a broad unsafe bypass when a narrow compatibility fix is available.
Codex Search Keywords
These are the search terms observed in a neutral Codex validation run for this failure shape.
MCP authorization protected resource metadata OAuth 2.1 server refuses protected endpoint WWW-Authenticate resource_metadata
model context protocol authorization OAuth 2.1 protected resource metadata
site:modelcontextprotocol.io specification authorization MCP protected resource metadata OAuth
https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization