OAuth Protected Resource Metadata (RFC 9728) is an IETF standard for declaring metadata about an OAuth-protected resource at a well-known URL. Sites publish /.well-known/oauth-protected-resource with the authorization server, scopes and audience. This lets agents auto-discover the OAuth configuration needed to call protected APIs.
Without it, agents must hard-code OAuth endpoints, scopes and audience values. With it, an agent reads the metadata, fetches the matching OAuth Authorization Server metadata (RFC 8414), obtains a token and calls the API, all programmatically.
The metadata document contains the authorization_servers array (URLs of the OAuth providers), supported scopes, accepted resource (audience) value, and any signing key references.
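The discovery chain described above, as an added example (not code from this page or from Spacemen Digital): it builds both well-known URLs and rejects metadata whose resource or issuer value does not match the identifier it was fetched for, as RFC 9728 and RFC 8414 require. The example.com hosts, the sample documents and the function names are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit

PRM = "/.well-known/oauth-protected-resource"    # RFC 9728
ASM = "/.well-known/oauth-authorization-server"  # RFC 8414

def well_known_url(identifier, suffix):
    """Insert the well-known suffix between the host and any path."""
    u = urlsplit(identifier)
    if u.scheme != "https" or not u.netloc or u.fragment:
        raise ValueError(f"not a usable https identifier: {identifier!r}")
    path = "" if u.path == "/" else u.path  # drop a bare trailing slash
    return urlunsplit(("https", u.netloc, suffix + path, u.query, ""))

# Constructed documents standing in for HTTP responses (assumed hosts).
SAMPLE = {
    "https://api.example.com/.well-known/oauth-protected-resource/v1": json.dumps({
        "resource": "https://api.example.com/v1",
        "authorization_servers": ["https://auth.example.com"],
        "scopes_supported": ["orders.read"],
    }),
    "https://auth.example.com/.well-known/oauth-authorization-server": json.dumps({
        "issuer": "https://auth.example.com",
        "token_endpoint": "https://auth.example.com/token",
    }),
}

def discover(resource, fetch=SAMPLE.__getitem__):
    """Resolve resource -> authorization server, rejecting mismatched metadata."""
    prm = json.loads(fetch(well_known_url(resource, PRM)))
    # The document must name the resource we asked about, or it is discarded.
    if prm.get("resource") != resource:
        raise ValueError("resource mismatch in protected resource metadata")
    servers = prm.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization_servers advertised")
    issuer = servers[0]  # assumption: a real client applies its own allow-list here
    asm = json.loads(fetch(well_known_url(issuer, ASM)))
    # Same rule one hop later: issuer must equal the URL it was fetched for.
    if asm.get("issuer") != issuer:
        raise ValueError("issuer mismatch in authorization server metadata")
    return {"resource": resource, "issuer": issuer,
            "token_endpoint": asm["token_endpoint"],
            "scopes": prm.get("scopes_supported", [])}

if __name__ == "__main__":
    print(discover("https://api.example.com/v1"))
```

The `fetch` parameter is where a real HTTPS client would be plugged in; the two equality checks stop a response served for one resource or issuer from being accepted as the configuration of another.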
Publish /.well-known/oauth-protected-resource alongside the standard /.well-known/oauth-authorization-server. The Spacemen Digital AI Agent Readiness Check tests for both.