CONCEPT Cited by 1 source
OAuth Protected Resource Metadata¶
Definition¶
OAuth Protected Resource Metadata (RFC 9728) is a well-known document published at /.well-known/oauth-protected-resource that tells a client where to find the authorization server for this resource, what scopes it supports, and associated OAuth 2.0 metadata.
From an agent's perspective: "I hit this URL and got a 401 — now I know where the authorization server is and can drive my human through a proper OAuth consent flow."
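The discovery step described above, as an added example that is not part of this wiki page or of any Cloudflare code: it derives the RFC 9728 metadata URL from a resource identifier, prefers the resource_metadata pointer carried in the 401, and validates the fetched document before trusting the authorization server it names. The hostnames, the 401 header and the metadata document are constructed samples.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

def well_known_url(resource: str) -> str:
    """Derive the RFC 9728 metadata URL: the well-known string is inserted
    between the host and the resource's path, so a pathed resource is not
    confused with the origin-level document."""
    p = urlsplit(resource)
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + p.path.rstrip("/"), "", ""))

def metadata_url_from_401(resource: str, www_authenticate: str = "") -> str:
    """Prefer the resource_metadata parameter carried in the 401's
    WWW-Authenticate header; fall back to the derived well-known URL."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    return m.group(1) if m else well_known_url(resource)

def validate_metadata(doc: str, resource: str) -> dict:
    """Parse the metadata document and apply the checks an agent should make
    before trusting it: the resource it names must be exactly the one requested
    (so a document for another resource cannot point the agent at a different
    authorization server), and at least one https authorization server is listed."""
    md = json.loads(doc)
    if md.get("resource") != resource:
        raise ValueError(f"resource mismatch: {md.get('resource')!r} != {resource!r}")
    servers = md.get("authorization_servers") or []
    if not servers:
        raise ValueError("metadata lists no authorization_servers")
    for s in servers:
        if urlsplit(s).scheme != "https":
            raise ValueError(f"authorization server is not https: {s}")
    return {"authorization_servers": servers,
            "scopes_supported": md.get("scopes_supported", [])}

# Constructed sample (hypothetical hosts): the 401 an agent receives from a
# protected resource, and the metadata document published for it.
RESOURCE = "https://api.example.com/v1/reports"
WWW_AUTH = ('Bearer resource_metadata='
            '"https://api.example.com/.well-known/oauth-protected-resource/v1/reports"')
METADATA = json.dumps({
    "resource": RESOURCE,
    "authorization_servers": ["https://auth.example.com"],
    "scopes_supported": ["reports:read"],
    "bearer_methods_supported": ["header"],
})

if __name__ == "__main__":
    print(metadata_url_from_401(RESOURCE, WWW_AUTH))
    print(validate_metadata(METADATA, RESOURCE))
```

The returned authorization server URL is what the agent then uses for authorization server metadata discovery and the consent flow; the resource check is what stops a stray or spoofed metadata document from redirecting that flow.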
Why it matters for agents¶
Before RFC 9728, agents lacking session context had two options for authenticated sites:
- Ask the human to paste a token — negates autonomy; tokens need refresh logic; humans often paste too-broad tokens.
- Reuse the user's browser session — the "use the logged-in browser" workaround. Agents effectively impersonate the human everywhere; there's no per-agent consent, no scope limitation, no audit of "what did the agent do on my behalf." Unsafe at scale.
RFC 9728 enables a third option:
- Drive the human through an OAuth consent flow scoped to this agent, this resource — per-agent token with per-scope grants, revocable without logging the user out globally, audit logs showing which agent accessed what.
Cloudflare's framing:
"sites that support OAuth can tell agents where to find the authorization server, allowing agents to send humans through an OAuth flow, where they can choose to properly grant access to the agent."
Cloudflare Access support¶
Announced Agents Week 2026: Cloudflare Access fully supports the RFC 9728 OAuth flow. The named demo scenario has OpenCode receiving a protected URL from a user, getting a 401, discovering the authorization server via RFC 9728, and sending the user through the Cloudflare Access OAuth screen — agents integrate with zero-trust-protected resources without anyone sharing a user session blob.
Agent Readiness Score scope¶
Checked by Agent Readiness Score but its position in scoring is not specified in the 2026-04-17 post; covered alongside Access Rules / Agent Actions as part of the overall "safe cooperation with agents" scan.
Relationship to other well-known endpoints¶
Another member of the /.well-known/ cluster for agent-ergonomic web standards:
- Friendly-bot auth → /.well-known/http-message-signatures-directory (Web Bot Auth).
- Classical-API discovery → /.well-known/api-catalog (RFC 9727).
- MCP discovery → /.well-known/mcp/server-card.json (concepts/mcp-server-card).
- Agent Skills → /.well-known/agent-skills/index.json (concepts/agent-skills-discovery).
- OAuth server discovery → /.well-known/oauth-protected-resource (this concept).
Captured in patterns/well-known-endpoint-discovery.
Seen in¶
- sources/2026-04-17-cloudflare-introducing-the-agent-readiness-score-is-your-site-agent-ready — canonical wiki instance; Cloudflare Access fully supports the RFC 9728 flow as of Agents Week 2026.
Related¶
- systems/cloudflare-access — reference-implementation authorization server that speaks RFC 9728.
- concepts/well-known-uri — substrate convention.
- concepts/sso-authentication — parent SSO concept; OAuth is one of its delivery mechanisms.
- concepts/agent-readiness-score — where this is checked.
- patterns/well-known-endpoint-discovery — umbrella pattern.