A delegate the server calls to validate a presented bearer token. It receives the raw token string (the value that follows the Bearer scheme and its separating space in the Authorization header) and returns a TokenInfo. Returning a TokenInfo with valid == false (or throwing) rejects the request with HTTP 401.
The kind of authorization failure, mapped by the transport to an HTTP status code and a WWW-Authenticate error parameter (RFC 6750 §3.1).
Decide whether a request bearing authHeader is authorized under cfg, returning the failure kind (AuthFailure.none on success) and, on success, the validated TokenInfo. Free of HTTP concerns so it can be unit-tested and reused by any transport.
Extract the token from an Authorization header value, or null when the header is absent or not a Bearer credential. The scheme match is case-insensitive per RFC 7235.
Percent-encode any byte that is illegal inside an RFC 7230 quoted-string before it is interpolated into a WWW-Authenticate auth-param value. A double-quote would close the quoted-string early (letting a client-controlled value such as a reflected Host header append spurious auth-params), and CR/LF/control bytes have no legal representation, so every such byte is rendered as %XX. This is defence in depth: callers SHOULD also reject untrusted input upstream, but the header builder must never emit a value that can break out of its quoted-string.
Build the WWW-Authenticate header value for an auth failure (RFC 6750 §3 / RFC 9728 §5.1). Always carries the resource_metadata URL when known, plus an error/scope for token/scope failures. Every interpolated value is passed through quoteParamValue so a client-controlled component (notably a reflected Host header in the metadata URL) can never break out of its quoted-string.
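The header-building step described above, as an added example that is not the project's own code: quoteParamValue and the WWW-Authenticate builder are re-implemented here in Python under the names quote_param_value and build_www_authenticate, with the RFC 6750 status mapping alongside. The AuthFailure member names, the sample metadata URL, and the hostile "reflected Host" value are assumptions constructed for the example.

```python
"""Added example (not the project's code): WWW-Authenticate construction with
quoted-string hardening, per RFC 6750 section 3 and RFC 9728 section 5.1."""
from enum import Enum
from typing import Optional


class AuthFailure(Enum):
    # Illustrative failure kinds; the member names are an assumption.
    NONE = "none"
    MISSING_TOKEN = "missing_token"          # no usable Bearer credential at all
    INVALID_TOKEN = "invalid_token"          # RFC 6750 error code
    INSUFFICIENT_SCOPE = "insufficient_scope"  # RFC 6750 error code


def quote_param_value(value: str) -> str:
    """Percent-encode every byte that may not appear inside an RFC 7230
    quoted-string: the double quote (would close the string early), the
    backslash (quoted-pair escape), '%' (keeps the encoding reversible, a
    choice made here), all control bytes other than HTAB, and non-ASCII.
    A client-controlled value therefore cannot append extra auth-params."""
    out = []
    for b in value.encode("utf-8"):
        printable = 0x20 <= b <= 0x7E and b not in (0x22, 0x5C, 0x25)
        if b == 0x09 or printable:
            out.append(chr(b))
        else:
            out.append(f"%{b:02X}")
    return "".join(out)


def http_status(failure: AuthFailure) -> int:
    """RFC 6750 section 3.1: 401 for missing/invalid tokens, 403 for scope."""
    return 403 if failure is AuthFailure.INSUFFICIENT_SCOPE else 401


def build_www_authenticate(
    failure: AuthFailure,
    resource_metadata_url: Optional[str] = None,
    required_scope: Optional[str] = None,
) -> str:
    """Always advertise the Protected Resource Metadata URL when known; add an
    error (and scope) only for token/scope failures. A missing token gets no
    error code, as RFC 6750 section 3.1 prescribes."""
    params = []
    if resource_metadata_url:
        params.append(f'resource_metadata="{quote_param_value(resource_metadata_url)}"')
    if failure is AuthFailure.INVALID_TOKEN:
        params.append('error="invalid_token"')
    elif failure is AuthFailure.INSUFFICIENT_SCOPE:
        params.append('error="insufficient_scope"')
        if required_scope:
            params.append(f'scope="{quote_param_value(required_scope)}"')
    return "Bearer" + (" " + ", ".join(params) if params else "")


# Constructed sample values: a benign metadata URL and one derived from a
# Host header that tries to close the quoted-string and inject a header line.
GOOD_URL = "https://mcp.example/.well-known/oauth-protected-resource"
HOSTILE_URL = 'https://evil"\r\nX-Injected: 1/.well-known/oauth-protected-resource'
```

With the hostile value, quote_param_value yields https://evil%22%0D%0AX-Injected: 1/.well-known/oauth-protected-resource: the quote and the CR/LF are neutralised, so the only auth-params in the header are the ones the server itself emitted.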
Server-side OAuth 2.1 Resource Server configuration (RFC 6750 / 8707 / 9728). When validator is set on the Streamable HTTP transport, every MCP request must carry a valid Authorization: Bearer token; otherwise the transport replies 401 with a WWW-Authenticate header pointing at the Protected Resource Metadata document, which it serves at /.well-known/oauth-protected-resource.
The result of validating a bearer access token. A token validator returns this to the transport: valid gates the request, scopes/subject/claims describe the principal and are surfaced to tool handlers via RequestContext.auth, and audience lets the transport enforce the RFC 8707 resource binding ("tokens were issued specifically for them").
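The transport-independent authorization decision described above (header extraction, validator call, RFC 8707 audience binding, scope check), as an added example that is not the project's own code. TokenInfo and a minimal resource-server configuration are modelled as Python dataclasses; the field names beyond those mentioned on the page (resource, required_scopes), the AuthFailure member names, and the constructed token table are assumptions.

```python
"""Added example (not the project's code): the authorize() decision for an
OAuth 2.1 resource server, kept free of HTTP so it can be unit-tested."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class AuthFailure(Enum):
    # Illustrative failure kinds; the member names are an assumption.
    NONE = "none"
    MISSING_TOKEN = "missing_token"
    INVALID_TOKEN = "invalid_token"
    INSUFFICIENT_SCOPE = "insufficient_scope"


@dataclass(frozen=True)
class TokenInfo:
    """Result of validating a bearer token: valid gates the request, the rest
    describes the principal; audience carries the RFC 8707 resource binding."""
    valid: bool
    subject: Optional[str] = None
    scopes: FrozenSet[str] = frozenset()
    audience: FrozenSet[str] = frozenset()
    claims: Dict[str, object] = field(default_factory=dict)


@dataclass(frozen=True)
class ResourceServerConfig:
    resource: str                                   # this server's RFC 8707 resource identifier (assumed field)
    validator: Callable[[str], TokenInfo]           # the page's token validator delegate
    required_scopes: FrozenSet[str] = frozenset()   # scopes every MCP request needs (assumed field)


def extract_bearer_token(auth_header: Optional[str]) -> Optional[str]:
    """Token after a case-insensitive 'Bearer' scheme (RFC 7235), else None."""
    if auth_header is None:
        return None
    parts = auth_header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def authorize(auth_header: Optional[str], cfg: ResourceServerConfig) -> Tuple[AuthFailure, Optional[TokenInfo]]:
    """Decide the failure kind (NONE on success) and, on success, the TokenInfo."""
    token = extract_bearer_token(auth_header)
    if token is None:
        return AuthFailure.MISSING_TOKEN, None
    try:
        info = cfg.validator(token)
    except Exception:                      # a throwing validator rejects, never grants
        return AuthFailure.INVALID_TOKEN, None
    if not info.valid:
        return AuthFailure.INVALID_TOKEN, None
    if cfg.resource not in info.audience:  # RFC 8707: token was not issued for this resource
        return AuthFailure.INVALID_TOKEN, None
    if not cfg.required_scopes <= info.scopes:
        return AuthFailure.INSUFFICIENT_SCOPE, None
    return AuthFailure.NONE, info


# Constructed sample data standing in for an introspection endpoint or JWT check.
RESOURCE = "https://mcp.example"
_TOKENS = {
    "tok-good":   TokenInfo(True, "alice", frozenset({"mcp:tools"}), frozenset({RESOURCE})),
    "tok-other":  TokenInfo(True, "bob", frozenset({"mcp:tools"}), frozenset({"https://other.example"})),
    "tok-narrow": TokenInfo(True, "carol", frozenset({"mcp:read"}), frozenset({RESOURCE})),
    "tok-revoked": TokenInfo(False),
}


def sample_validator(token: str) -> TokenInfo:
    if token == "tok-boom":
        raise RuntimeError("introspection backend unreachable")   # exercises the throwing path
    return _TOKENS.get(token, TokenInfo(False))


CFG = ResourceServerConfig(RESOURCE, sample_validator, frozenset({"mcp:tools"}))
```

Note that a token issued for another resource is reported as invalid_token rather than insufficient_scope: the client was never entitled to use it here at all, which is the point of the RFC 8707 binding.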