Discovery Flow

GET / HTTP/1.1
Host: mcp.example.com

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"

GET /.well-known/oauth-protected-resource HTTP/1.1
Host: mcp.example.com

HTTP/1.1 200 OK
Content-Type: application/json

{
  "authorization_servers": ["https://auth.example.com/"],
  ...
}

GET /.well-known/oauth-authorization-server HTTP/1.1
Host: auth.example.com

HTTP/1.1 200 OK
Content-Type: application/json

{
  "issuer": "https://auth.example.com/",
  "authorization_endpoint": "https://auth.example.com/oauth/authorize",
  "token_endpoint": "https://auth.example.com/oauth/token",
  ...
}
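The three exchanges above are what an MCP client must walk before it can obtain a token. The following added example (not code from the page or from any MCP implementation) runs that chain offline against constructed stand-in responses and applies the checks a careful client makes at each hop: the challenge is parsed for resource_metadata, the metadata pointer is only followed on the MCP server's own origin (a local policy, since the 401 is unauthenticated), the resource metadata's "resource" value must name the server that was queried (RFC 9728), the authorization server metadata URL is built per RFC 8414, and the returned "issuer" must be byte-identical to the configured one. The "resource" and "registration_endpoint" fields, which the page elides under "...", are assumptions.

```python
import json
import re
from urllib.parse import urlparse

WELL_KNOWN_AS = "/.well-known/oauth-authorization-server"

# Constructed stand-ins for the three servers in the exchange above; nothing is
# fetched over the network. "resource" and "registration_endpoint" are assumed
# values for fields the page elides.
SAMPLE_SERVERS = {
    "https://mcp.example.com/": (401, {"WWW-Authenticate":
        'Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"'}, ""),
    "https://mcp.example.com/.well-known/oauth-protected-resource": (200,
        {"Content-Type": "application/json"}, json.dumps({
            "resource": "https://mcp.example.com/",
            "authorization_servers": ["https://auth.example.com/"]})),
    "https://auth.example.com/.well-known/oauth-authorization-server": (200,
        {"Content-Type": "application/json"}, json.dumps({
            "issuer": "https://auth.example.com/",
            "authorization_endpoint": "https://auth.example.com/oauth/authorize",
            "token_endpoint": "https://auth.example.com/oauth/token",
            "registration_endpoint": "https://auth.example.com/oauth/register"})),
}


def make_fetcher(table):
    """Return a GET(url) -> (status, headers, body) function backed by a table."""
    return lambda url: table.get(url, (404, {}, ""))


def resource_metadata_url(challenge):
    """Extract resource_metadata from a Bearer challenge (RFC 9728 section 5.1)."""
    if not challenge.lower().startswith("bearer "):
        raise ValueError("not a Bearer challenge")
    match = re.search(r'resource_metadata="([^"]+)"', challenge)
    if match is None:
        raise ValueError("challenge carries no resource_metadata")
    return match.group(1)


def as_metadata_url(issuer):
    """RFC 8414 section 3.1: the well-known segment goes between host and path."""
    parts = urlparse(issuer)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"issuer must be an https URL: {issuer}")
    return f"https://{parts.netloc}{WELL_KNOWN_AS}{parts.path.rstrip('/')}"


def origin(url):
    parts = urlparse(url)
    return parts.scheme, parts.netloc


def discover(mcp_url, get):
    """Follow the chain: 401 challenge -> resource metadata -> AS metadata."""
    status, headers, _ = get(mcp_url)
    if status != 401:
        raise ValueError(f"expected 401 from {mcp_url}, got {status}")
    prm_url = resource_metadata_url(headers.get("WWW-Authenticate", ""))
    # Local policy (not a spec rule): the challenge is unauthenticated, so only
    # follow a metadata pointer that stays on the MCP server's own origin.
    if origin(prm_url) != origin(mcp_url):
        raise ValueError(f"resource_metadata points off-origin: {prm_url}")

    status, _, body = get(prm_url)
    if status != 200:
        raise ValueError(f"resource metadata fetch failed: {status}")
    prm = json.loads(body)
    # RFC 9728 section 3.3: the metadata must name the resource we queried.
    if prm.get("resource") != mcp_url:
        raise ValueError(f"resource mismatch: {prm.get('resource')!r}")
    servers = prm.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization_servers advertised")
    issuer = servers[0]

    status, _, body = get(as_metadata_url(issuer))
    if status != 200:
        raise ValueError(f"AS metadata fetch failed: {status}")
    asm = json.loads(body)
    # RFC 8414 section 3.3: issuer must be identical to the URL we resolved.
    if asm.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {asm.get('issuer')!r}")
    endpoints = {"issuer": issuer}
    for key in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        value = asm.get(key)
        if value is None:
            continue
        if urlparse(value).scheme != "https":
            raise ValueError(f"{key} is not https: {value}")
        endpoints[key] = value
    if "authorization_endpoint" not in endpoints or "token_endpoint" not in endpoints:
        raise ValueError("AS metadata lacks required endpoints")
    return endpoints


if __name__ == "__main__":
    print(json.dumps(discover("https://mcp.example.com/", make_fetcher(SAMPLE_SERVERS)), indent=2))
```

Swap make_fetcher for a real HTTP GET and the same checks apply unchanged; the point of the table is that each validation can be exercised with a deliberately wrong response.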

Dynamic Client Registration (DCR)

POST /oauth/register HTTP/1.1
Host: auth.example.com
Content-Type: application/json

{
  "client_name": "Claude",
  "logo_uri": "https://claude.ai/logo.png",
  "redirect_uris": ["https://auth.example.com/redirect"],
  ...
}

HTTP/1.1 201 Created
Content-Type: application/json

{
  "client_id": "ad2669221ba94de0ee0",
  "client_secret": "6a58a307937e98c459be3bfe8e19af3a",
  ...
}
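The registration request above is unauthenticated and its client_name and logo_uri end up on the consent screen, so the authorization server has to treat every field as untrusted input before it mints the client_id and client_secret seen in the 201 reply. The following added example (not the page's code, nor that of any authorization server product) validates a DCR body the way an AS should, following RFC 7591 and the redirect-URI rules of RFC 6749 and RFC 8252: absolute URIs only, no fragments, no wildcard hosts, https except for loopback http, a bounded printable client_name, an https logo_uri, and no secret at all for public clients. The credential lengths and the 64-character name limit are local choices.

```python
import secrets
import time
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "::1", "localhost"}   # RFC 8252 loopback redirects
AUTH_METHODS = {"none", "client_secret_basic", "client_secret_post"}
MAX_NAME_LEN = 64                              # local policy, not a spec value


class RegistrationError(ValueError):
    """Maps to a 400 invalid_redirect_uri / invalid_client_metadata response."""


def check_redirect_uri(uri):
    """Absolute, no fragment, no wildcard host, https unless loopback http."""
    if not isinstance(uri, str):
        raise RegistrationError("redirect_uri must be a string")
    parts = urlparse(uri)
    if not parts.scheme or not parts.netloc:
        raise RegistrationError(f"redirect_uri must be absolute: {uri}")
    if parts.fragment:
        raise RegistrationError(f"redirect_uri must not carry a fragment: {uri}")
    if "*" in parts.netloc:
        raise RegistrationError(f"wildcard hosts are not allowed: {uri}")
    if parts.scheme == "https":
        return
    if parts.scheme == "http" and parts.hostname in LOOPBACK:
        return
    raise RegistrationError(f"scheme not allowed for redirect_uri: {uri}")


def validate_registration(req):
    """Validate the JSON body of a DCR request; returns the metadata to store."""
    uris = req.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        raise RegistrationError("redirect_uris is required")
    for uri in uris:
        check_redirect_uri(uri)
    # client_name and logo_uri are shown to users on the consent screen, so they
    # get the same scrutiny as any other attacker-controlled input.
    name = req.get("client_name")
    if not isinstance(name, str) or not name.strip() or len(name) > MAX_NAME_LEN:
        raise RegistrationError("client_name missing, blank or too long")
    if not name.isprintable():
        raise RegistrationError("client_name contains control characters")
    logo = req.get("logo_uri")
    if logo is not None and (not isinstance(logo, str) or urlparse(logo).scheme != "https"):
        raise RegistrationError("logo_uri must be an https URL")
    method = req.get("token_endpoint_auth_method", "client_secret_basic")
    if method not in AUTH_METHODS:
        raise RegistrationError(f"unsupported token_endpoint_auth_method: {method}")
    meta = {"client_name": name.strip(), "redirect_uris": list(uris),
            "token_endpoint_auth_method": method}
    if logo is not None:
        meta["logo_uri"] = logo
    return meta


def register(req, now=None):
    """Mint credentials for a valid request; this is the body of the 201 reply."""
    meta = validate_registration(req)
    issued_at = int(time.time() if now is None else now)
    resp = {"client_id": secrets.token_hex(10), "client_id_issued_at": issued_at, **meta}
    if meta["token_endpoint_auth_method"] != "none":
        # Public clients (native apps relying on PKCE) get no secret at all.
        resp["client_secret"] = secrets.token_hex(16)
        resp["client_secret_expires_at"] = 0   # 0 means the secret does not expire (RFC 7591)
    return resp


if __name__ == "__main__":
    print(register({"client_name": "Claude", "logo_uri": "https://claude.ai/logo.png",
                    "redirect_uris": ["https://auth.example.com/redirect"]}))
```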

Cross App Access

POST /oauth2/token HTTP/1.1
Host: acme.okta.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:id-jag
&audience=https://auth.slack.com/
&subject_token=eyJraWQiOiJzMTZ0cVNtODhwREo4VGZCXzdrSEtQ...
&subject_token_type=urn:ietf:params:oauth:token-type:id_token
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0...

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "issued_token_type": "urn:ietf:params:oauth:token-type:id-jag",
  "access_token": "eyJhbGciOiJIUzI1NiIsI...",
  "token_type": "N_A",
  "expires_in": 300
}

POST /oauth2/token HTTP/1.1
Host: auth.slack.com
Authorization: Basic yZS1yYW5kb20tc2VjcmV0v3JOkF0XG5Qx2
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
&assertion=eyJhbGciOiJIUzI1NiIsI...

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store

{
  "token_type": "Bearer",
  "access_token": "2YotnFZFEjr1zCsicMWpAA",
  "expires_in": 86400
}
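The two exchanges above are the Identity Assertion JWT Authorization Grant: the IdP (acme.okta.com) issues a short-lived ID-JAG via token exchange, and the resource's authorization server (auth.slack.com) redeems it with the jwt-bearer grant. Whether this is safe rests on what the redeeming server checks. The following added example (not the page's code, and not Okta's or Slack's) mints an ID-JAG on the IdP side and validates it on the resource AS side: pinned alg and typ, a trusted issuer, an audience equal to this server, an unexpired exp, a client_id claim matching the client that authenticated with the Basic credentials, and a jti replay cache, before a Bearer token with the page's 86400-second lifetime is returned. The HS256 shared key, the "oauth-id-jag+jwt" typ value, the claim set and the client id "agent-app-1" are assumptions; a production IdP signs with asymmetric keys published in its JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_ISSUER = "https://acme.okta.com"     # the IdP host in the first request above
RESOURCE_AS = "https://auth.slack.com/"  # the audience named in that request
IDP_KEY = b"constructed-demo-hs256-key"  # assumption: shared HS256 key, demo only
JAG_TYP = "oauth-id-jag+jwt"             # assumption: typ header used for ID-JAGs


class GrantError(Exception):
    """The assertion is rejected; the token endpoint would answer invalid_grant."""


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header, claims, key):
    """Minimal HS256 signer; production IdPs sign with asymmetric keys instead."""
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url(sig)])


def mint_id_jag(sub, client_id, scope, now, ttl=300, key=IDP_KEY):
    """IdP side: the ID-JAG the first exchange returns (token_type N_A, 300 s)."""
    claims = {"iss": IDP_ISSUER, "sub": sub, "aud": RESOURCE_AS, "client_id": client_id,
              "jti": secrets.token_hex(8), "iat": now, "exp": now + ttl, "scope": scope}
    return sign_jwt({"alg": "HS256", "typ": JAG_TYP}, claims, key)


class ResourceAuthServer:
    """Resource AS side (auth.slack.com above): redeem an ID-JAG for an access token."""

    def __init__(self, trusted_idps, now=time.time):
        self.trusted_idps = trusted_idps  # issuer -> verification key
        self.seen_jti = set()             # replay cache; bound it by exp in practice
        self.now = now

    def redeem(self, assertion, authenticated_client_id):
        """authenticated_client_id comes from the Basic credentials on /oauth2/token."""
        try:
            h, c, s = assertion.split(".")
            header = json.loads(b64url_decode(h))
            claims = json.loads(b64url_decode(c))
            given_sig = b64url_decode(s)
        except (ValueError, UnicodeDecodeError) as exc:
            raise GrantError("malformed assertion") from exc
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise GrantError("malformed assertion")
        # Pin the algorithm; never let the token choose how it is verified.
        if header.get("alg") != "HS256" or header.get("typ") != JAG_TYP:
            raise GrantError("unexpected alg or typ")
        for name in ("iss", "sub", "aud", "client_id", "jti", "exp"):
            if name not in claims:
                raise GrantError(f"missing claim: {name}")
        key = self.trusted_idps.get(claims["iss"])   # iss is read unverified only to pick the key
        if key is None:
            raise GrantError("untrusted issuer")
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given_sig):
            raise GrantError("bad signature")
        aud = claims["aud"]
        if aud != RESOURCE_AS and not (isinstance(aud, list) and RESOURCE_AS in aud):
            raise GrantError("assertion not addressed to this server")
        if not isinstance(claims["exp"], int) or claims["exp"] <= int(self.now()):
            raise GrantError("assertion expired")
        # The app that authenticated at the token endpoint must be the one the IdP named.
        if claims["client_id"] != authenticated_client_id:
            raise GrantError("client_id does not match the authenticated client")
        if claims["jti"] in self.seen_jti:
            raise GrantError("assertion replayed")
        self.seen_jti.add(claims["jti"])
        return {"token_type": "Bearer", "access_token": secrets.token_urlsafe(16),
                "expires_in": 86400, "scope": claims.get("scope", "")}


if __name__ == "__main__":
    now = int(time.time())
    jag = mint_id_jag("alice@acme.example", "agent-app-1", "chat:read", now)
    print(ResourceAuthServer({IDP_ISSUER: IDP_KEY}).redeem(jag, "agent-app-1"))
```

The client_id check is the one most easily forgotten: without it, any app holding valid Basic credentials at the resource AS could redeem an ID-JAG the IdP issued to a different app, and the 300-second exp plus the jti cache are what keep a leaked assertion from being replayed.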