Whether auth enforcement is active.
The RFC 9728 metadata document this server publishes.
The scope hint to surface in a WWW-Authenticate challenge so clients know which scopes to request (basic/authorization §Protected Resource Metadata Discovery Requirements / §Scope Selection Strategy). Prefers the concrete requiredScope; otherwise falls back to the space-joined scopesSupported. Empty when the operator configured neither.
Opt out of mandatory RFC 8707 audience binding when resource is empty. Default false, so a validator with no resource fails closed per the spec MUST. Set true only when the audience is asserted elsewhere (e.g. the validator itself rejects wrong-audience tokens) or for local dev/tests — it disables the SDK's audience check and is NOT spec compliant on its own.
The authorization server issuer URLs advertised in the metadata document and (first entry) ignored by validation — they are informational for clients discovering where to obtain a token.
A scope every request must carry, enforced after token validation. Empty means no scope requirement.
The canonical resource identifier for this server (RFC 8707). When set, the transport enforces that a validated token's audience includes it, and publishes it as resource in the metadata document.
The scopes advertised in the metadata document.
Validates a presented bearer token. Required to enable auth; when null the transport performs no token checks (back-compatible default).
Server-side OAuth 2.1 Resource Server configuration (RFC 6750 / 8707 / 9728). When validator is set on the Streamable HTTP transport, every MCP request must carry a valid Authorization: Bearer token; otherwise the transport replies 401 with a WWW-Authenticate header pointing at the Protected Resource Metadata document, which it serves at /.well-known/oauth-protected-resource.
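The following Python sketch is an added example, not the SDK's own code. It models the request-time decisions described above: the scope hint fallback, the fail-closed audience check, and the 401 challenge pointing at the metadata document. The names AuthConfig, Claims, allow_missing_audience, metadata_url and the sample tokens are hypothetical; the 403 on a missing scope and the way "fails closed" is modelled are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Claims:  # hypothetical shape of a successfully validated token
    audiences: list
    scopes: list

@dataclass
class AuthConfig:  # hypothetical names mirroring the fields described above
    validator: Optional[Callable[[str], Optional[Claims]]] = None
    resource: str = ""
    required_scope: str = ""
    scopes_supported: list = field(default_factory=list)
    allow_missing_audience: bool = False  # hypothetical name for the opt-out
    metadata_url: str = "https://mcp.example/.well-known/oauth-protected-resource"

def scope_hint(cfg):
    # Prefer the concrete required scope, else the space-joined advertised list.
    return cfg.required_scope or " ".join(cfg.scopes_supported)

def challenge(cfg, error=""):
    params = [f'resource_metadata="{cfg.metadata_url}"']
    if error:
        params.append(f'error="{error}"')
    if scope_hint(cfg):
        params.append(f'scope="{scope_hint(cfg)}"')
    return "Bearer " + ", ".join(params)

def authorize(cfg, authorization):
    """Return (status, WWW-Authenticate value or None) for one request."""
    if cfg.validator is None:
        return 200, None  # auth not enabled: no token checks
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, challenge(cfg)
    claims = cfg.validator(token)
    if claims is None:
        return 401, challenge(cfg, "invalid_token")
    if cfg.resource:
        if cfg.resource not in claims.audiences:
            return 401, challenge(cfg, "invalid_token")
    elif not cfg.allow_missing_audience:
        # Assumption: fail closed is modelled as rejecting every token.
        return 401, challenge(cfg, "invalid_token")
    if cfg.required_scope and cfg.required_scope not in claims.scopes:
        # RFC 6750 status for this case; the page does not say what the SDK sends.
        return 403, challenge(cfg, "insufficient_scope")
    return 200, None

# Constructed sample tokens for the demonstration.
TOKENS = {"good": Claims(["https://mcp.example/mcp"], ["mcp.read"]),
          "other-aud": Claims(["https://api.example"], ["mcp.read"])}
```

Passing TOKENS.get as the validator gives a stand-in that returns None for any unknown token, which is enough to exercise every branch.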