OAuth 2.1 Resource Server enforcement (basic/authorization). When
auth.validator is set, every MCP request must present a valid
Authorization: Bearer token: the transport validates it (and its RFC 8707
audience), returns 401 with a WWW-Authenticate: Bearer header carrying
the resource_metadata URL on failure, returns 403 insufficient_scope
when a required scope is missing, and serves the RFC 9728 Protected
Resource Metadata document at /.well-known/oauth-protected-resource.
Validated token info is surfaced to handlers via RequestContext.auth.
When unset (the default) the transport performs no token checks.
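
The decision order described above, as an added Python sketch; it is not the transport's own code. `enforce`, `lookup_token`, `TokenInfo`, the URLs and the token table are hypothetical names and constructed values, and attaching a Bearer challenge to the 403 follows RFC 6750 rather than anything stated here.

```python
from dataclasses import dataclass

# Constructed values: resource identifier, metadata URL, and token table.
RESOURCE = "https://mcp.example.com/mcp"
METADATA_URL = "https://mcp.example.com/.well-known/oauth-protected-resource"

@dataclass
class TokenInfo:
    subject: str
    audience: tuple
    scopes: frozenset

TOKENS = {  # stands in for real JWT verification or token introspection
    "tok-rw": TokenInfo("alice", (RESOURCE,), frozenset({"mcp:read", "mcp:write"})),
    "tok-ro": TokenInfo("bob", (RESOURCE,), frozenset({"mcp:read"})),
    "tok-aud": TokenInfo("carol", ("https://other.example.com",), frozenset({"mcp:write"})),
}

def lookup_token(token):
    """Hypothetical validator: TokenInfo for a known token, else None."""
    return TOKENS.get(token)

def challenge(error=None, scope=None):
    """Build the WWW-Authenticate header pointing at the RFC 9728 document."""
    params = [f'resource_metadata="{METADATA_URL}"']
    if error:
        params.insert(0, f'error="{error}"')
    if scope:
        params.append(f'scope="{scope}"')
    return {"WWW-Authenticate": "Bearer " + ", ".join(params)}

def enforce(headers, required_scopes, validator=lookup_token):
    """Return (status, response_headers, token_info) for one request."""
    if validator is None:  # unset validator: no token checks at all
        return 200, {}, None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, challenge(), None
    info = validator(token.strip())
    # Audience check (RFC 8707): a token minted for another resource is rejected.
    if info is None or RESOURCE not in info.audience:
        return 401, challenge("invalid_token"), None
    if not set(required_scopes) <= info.scopes:
        # Assumption (RFC 6750): the 403 also carries a Bearer challenge.
        return 403, challenge("insufficient_scope", " ".join(sorted(required_scopes))), None
    return 200, {}, info  # info is what a handler would see as RequestContext.auth
```

The `tok-aud` entry has the scope the request needs but was issued for a different resource, so it is rejected with 401 before scopes are considered.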