Auth-required server advertises RFC 9728 protected-resource metadata
Authored by Stanley Hong · AgentReserve (founder).
When the server requires authentication (HTTP 401/403 to an unauthenticated probe), its `WWW-Authenticate` challenge carries a `resource_metadata=` parameter pointing at a fetchable URL, *or* a parseable `.well-known/oauth-protected-resource` document is discoverable at the host root or under the endpoint path. RFC 9728 / MCP Authorization §discovery require one or the other so a client can start the authorization flow without out-of-band documentation. Stricter than `auth_discovery_advertised_when_required`: that rule passes on any `WWW-Authenticate` header; this one requires the spec-correct PRM hint or document.
When this rule runs
Only applies when the server signals that authentication is required (HTTP 401/403). Excluded from the score on public servers.
Why it matters
RFC 9728 was added to the MCP Authorization spec specifically to remove the out-of-band step from client onboarding — a server that signals 'authentication required' but neither hints `resource_metadata=` nor publishes the well-known PRM document forces every client integration to be hand-wired and signals incomplete spec adoption. A 401 response with a bare `WWW-Authenticate: Bearer` is technically valid auth; it isn't usable RFC 9728 discovery.
Pass condition
Auth was required and either (a) the `WWW-Authenticate` challenge included `resource_metadata=<url>` or (b) at least one PRM document was fetched and parsed successfully.
Fail condition
Auth was required but the `WWW-Authenticate` challenge omitted `resource_metadata=` and no PRM document was discoverable.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"authRequired": true, "resourceMetadataHint": false, "prmDiscovered": false}
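As an added example (not the scanner's own code), here is a minimal evaluator for this rule in Python: it extracts `resource_metadata=` from a `WWW-Authenticate` challenge, derives the well-known PRM URLs to probe for an endpoint, and returns a verdict plus evidence in the shape shown above. Fetching is left to the caller; the set of candidate URL forms and the "JSON object with a `resource` member" parse check are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

# key=value pairs in a WWW-Authenticate challenge (quoted-string or token value)
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^\s,]+))')


def resource_metadata_hint(www_authenticate):
    """Return the resource_metadata URL from the challenge, or None if absent."""
    if not www_authenticate:
        return None
    for key, quoted, bare in _PARAM_RE.findall(www_authenticate):
        if key.lower() == "resource_metadata":
            return quoted or bare
    return None


def prm_candidate_urls(endpoint_url):
    """Well-known URLs to probe: host root first, then the path-aware forms.
    Assumption: try both the RFC 9728 'suffix before path' form and the
    'under the endpoint path' form, since servers publish either."""
    p = urlsplit(endpoint_url)
    base = f"{p.scheme}://{p.netloc}"
    urls = [base + WELL_KNOWN]
    path = p.path.rstrip("/")
    if path:
        urls += [base + WELL_KNOWN + path, base + path + WELL_KNOWN]
    return urls


def parses_as_prm(body):
    """Minimal parse check (assumption): JSON object with the required 'resource' member."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False
    return isinstance(doc, dict) and isinstance(doc.get("resource"), str)


def evaluate(status, www_authenticate, fetched_docs):
    """Return (verdict, evidence). fetched_docs maps candidate URL -> body text or None."""
    if status not in (401, 403):
        return "not_applicable", {"authRequired": False}  # excluded on public servers
    hint = resource_metadata_hint(www_authenticate) is not None
    prm = any(parses_as_prm(b) for b in fetched_docs.values())
    evidence = {"authRequired": True, "resourceMetadataHint": hint, "prmDiscovered": prm}
    return ("pass" if hint or prm else "fail"), evidence
```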
Remediation
Either return `WWW-Authenticate: Bearer realm="…", resource_metadata="https://your-host/.well-known/oauth-protected-resource"` on 401/403 responses, or publish the RFC 9728 document at `/.well-known/oauth-protected-resource` on the endpoint host. Doing both is best.
Methodology
This rule belongs to the Auth discovery posture dimension, which measures, when authorization is required, whether the server cooperates with the standards-based discovery chain: RFC 9728 protected resource metadata, RFC 8414 authorization server metadata, validated issuers, and safe grant types.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.