Authorization server advertises a token endpoint
Authored by Stanley Hong · AgentReserve (founder).
Discovered authorization server metadata must advertise a `token_endpoint`. Without one, clients cannot exchange authorization codes (or refresh tokens) for access tokens, so the flow is inert.
When this rule runs
Only applies when the server signals that authentication is required (HTTP 401/403). Excluded from the score on public servers.
Why it matters
RFC 8414 makes `token_endpoint` REQUIRED unless only the implicit grant type is supported, and RFC 9700 (OAuth 2.0 Security Best Current Practice) says clients SHOULD NOT use the implicit grant, so in practice every conforming server must advertise one. A discovered metadata document with no token endpoint describes a flow that cannot complete.
Pass condition
At least one parsed authorization server metadata document advertises `token_endpoint`.
Fail condition
Authorization server metadata parsed but no `token_endpoint` was advertised.
Evidence examples
When the rule fails, the report records evidence in roughly this shape:
{"tokenEndpoints": []}
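The following is an added example of how this pass/fail logic and evidence shape can be implemented; it is not AgentReserve's own scanner code. It assumes metadata bodies have already been fetched, embeds constructed sample documents (none captured from a real server), and goes slightly beyond the rule by noting an implicit-only server and a non-HTTPS token endpoint, and by showing the RFC 8414 well-known URL derivation. The function names `well_known_url` and `evaluate` are invented for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample metadata bodies (not captured from any real server),
# in the shape an RFC 8414 discovery fetch returns.
SAMPLE_BODIES = {
    "ok": json.dumps({
        "issuer": "https://auth.example.com",
        "authorization_endpoint": "https://auth.example.com/authorize",
        "token_endpoint": "https://auth.example.com/token",
        "grant_types_supported": ["authorization_code", "refresh_token"],
    }),
    "missing": json.dumps({
        "issuer": "https://auth.example.com",
        "authorization_endpoint": "https://auth.example.com/authorize",
        "grant_types_supported": ["authorization_code"],
    }),
    "implicit_only": json.dumps({
        "issuer": "https://auth.example.com",
        "authorization_endpoint": "https://auth.example.com/authorize",
        "grant_types_supported": ["implicit"],
    }),
    "plain_http": json.dumps({
        "issuer": "https://auth.example.com",
        "token_endpoint": "http://auth.example.com/token",
    }),
    "garbage": "<html>not json</html>",
}


def well_known_url(issuer: str) -> str:
    """Where to fetch metadata for an issuer, per RFC 8414 section 3: the
    well-known path is inserted between the host and any issuer path."""
    u = urlparse(issuer)
    path = u.path.rstrip("/")
    return f"{u.scheme}://{u.netloc}/.well-known/oauth-authorization-server{path}"


def evaluate(bodies, auth_required=True):
    """Apply the rule to raw metadata bodies. Returns a verdict plus evidence
    in the report's {"tokenEndpoints": [...]} shape and any advisory notes."""
    empty = {"tokenEndpoints": []}
    if not auth_required:
        # Rule is excluded from the score on servers that never return 401/403.
        return {"status": "not_applicable", "evidence": empty, "notes": []}

    docs = []
    for body in bodies:
        try:
            doc = json.loads(body)
        except ValueError:
            continue  # unparseable bodies are another rule's concern
        if isinstance(doc, dict):
            docs.append(doc)
    if not docs:
        # Fail condition requires that metadata was parsed at all.
        return {"status": "not_applicable", "evidence": empty, "notes": []}

    endpoints, notes = [], []
    for doc in docs:
        ep = doc.get("token_endpoint")
        if not isinstance(ep, str) or not ep:
            if doc.get("grant_types_supported") == ["implicit"]:
                notes.append("omission permitted by RFC 8414 only because the server "
                             "is implicit-only; RFC 9700 says clients SHOULD NOT "
                             "use the implicit grant")
            continue
        if urlparse(ep).scheme != "https":
            notes.append(f"token_endpoint is not served over https: {ep}")
        endpoints.append(ep)

    return {
        "status": "pass" if endpoints else "fail",
        "evidence": {"tokenEndpoints": endpoints},
        "notes": notes,
    }


if __name__ == "__main__":
    print(well_known_url("https://auth.example.com/tenant-a/"))
    for name, body in SAMPLE_BODIES.items():
        print(name, json.dumps(evaluate([body])))
```

Passing several bodies at once reproduces the "at least one parsed document advertises `token_endpoint`" pass condition; a single document with the key absent produces exactly the `{"tokenEndpoints": []}` evidence shown above.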
Remediation
Advertise `token_endpoint` in your authorization server metadata document, and confirm it appears in the document actually served at the issuer's `/.well-known/oauth-authorization-server` location (RFC 8414), not only in your configuration.
Methodology
This rule belongs to the Auth discovery posture dimension, which measures, when authorization is required, whether the server cooperates with the standards-based discovery chain: RFC 9728 protected resource metadata, RFC 8414 authorization server metadata, validated issuers, and safe grant types.
Read the full methodology for how rules are aggregated into a score, how verdicts are decided, and how hard-fail rules override the aggregate.