protectedResourceMetadata property

Map<String, dynamic>? get protectedResourceMetadata

Spec 2025-06-18 (RFC 9728): metadata for the server as an OAuth 2.0 Protected Resource. Returns null until configureProtectedResource has been called.

The route deliberately doesn't require enableAuthentication to have been called — the streamable HTTP transport may enforce auth via its own config.authToken (a static bearer) instead of the _authMiddleware, and clients query this route precisely to learn where to obtain a token, so it makes no sense to gate it on the auth middleware that protects the other routes.

Implementation

Map<String, dynamic>? get protectedResourceMetadata {
  if (_protectedResource == null) return null;
  final m = _protectedResource!;
  return <String, dynamic>{
    'resource': m.resource,
    'authorization_servers': m.authorizationServers,
    if (m.scopesSupported != null) 'scopes_supported': m.scopesSupported,
    if (m.bearerMethodsSupported != null)
      'bearer_methods_supported': m.bearerMethodsSupported,
    if (m.resourceDocumentation != null)
      'resource_documentation': m.resourceDocumentation,
  };
}