Bug
The Metadata Discovery panel says it fetched the OAuth Protected Resource metadata from:
https://staging.mcp.cloudflare.com/.well-known/oauth-protected-resource
However, the response displayed contains "resource": "https://staging.mcp.cloudflare.com/mcp", which is the response from a different URL:
https://staging.mcp.cloudflare.com/.well-known/oauth-protected-resource/mcp
The Inspector is appending the MCP endpoint path (/mcp) to the .well-known/oauth-protected-resource URL when making the request, but displaying the base .well-known URL in the UI.
Evidence
The two URLs return different resource values:
GET /.well-known/oauth-protected-resource (what the UI claims to fetch):
{
"resource": "https://staging.mcp.cloudflare.com",
"authorization_servers": ["https://staging.mcp.cloudflare.com"],
"bearer_methods_supported": ["header"],
"resource_name": "Cloudflare API MCP Server"
}GET /.well-known/oauth-protected-resource/mcp (what is actually fetched):
{
"resource": "https://staging.mcp.cloudflare.com/mcp",
"authorization_servers": ["https://staging.mcp.cloudflare.com"],
"bearer_methods_supported": ["header"],
"resource_name": "Cloudflare API MCP Server"
}The displayed response matches the second URL, proving the Inspector is querying /.well-known/oauth-protected-resource/mcp while displaying /.well-known/oauth-protected-resource.
Screenshot
Expected Behavior
The UI should display the actual URL that was used to fetch the metadata (i.e., /.well-known/oauth-protected-resource/mcp).
MCP Server
- URL:
https://staging.mcp.cloudflare.com/mcp
Bug
The Metadata Discovery panel says it fetched the OAuth Protected Resource metadata from:
However, the response displayed contains
"resource": "https://staging.mcp.cloudflare.com/mcp", which is the response from a different URL:The Inspector is appending the MCP endpoint path (
/mcp) to the.well-known/oauth-protected-resourceURL when making the request, but displaying the base.well-knownURL in the UI.Evidence
The two URLs return different
resourcevalues:GET /.well-known/oauth-protected-resource(what the UI claims to fetch):{ "resource": "https://staging.mcp.cloudflare.com", "authorization_servers": ["https://staging.mcp.cloudflare.com"], "bearer_methods_supported": ["header"], "resource_name": "Cloudflare API MCP Server" }GET /.well-known/oauth-protected-resource/mcp(what is actually fetched):{ "resource": "https://staging.mcp.cloudflare.com/mcp", "authorization_servers": ["https://staging.mcp.cloudflare.com"], "bearer_methods_supported": ["header"], "resource_name": "Cloudflare API MCP Server" }The displayed response matches the second URL, proving the Inspector is querying
/.well-known/oauth-protected-resource/mcpwhile displaying/.well-known/oauth-protected-resource.Screenshot
Expected Behavior
The UI should display the actual URL that was used to fetch the metadata (i.e.,
/.well-known/oauth-protected-resource/mcp).MCP Server
https://staging.mcp.cloudflare.com/mcp