Metadata Discovery displays wrong URL for OAuth Protected Resource fetch #1166
Description
Bug
The Metadata Discovery panel says it fetched the OAuth Protected Resource metadata from:
https://staging.mcp.cloudflare.com/.well-known/oauth-protected-resource
However, the response displayed contains "resource": "https://staging.mcp.cloudflare.com/mcp", which is the response from a different URL:
https://staging.mcp.cloudflare.com/.well-known/oauth-protected-resource/mcp
The Inspector is appending the MCP endpoint path (/mcp) to the .well-known/oauth-protected-resource URL when making the request, but displaying the base .well-known URL in the UI.
Evidence
The two URLs return different resource values:
GET /.well-known/oauth-protected-resource (what the UI claims to fetch):
{
"resource": "https://staging.mcp.cloudflare.com",
"authorization_servers": ["https://staging.mcp.cloudflare.com"],
"bearer_methods_supported": ["header"],
"resource_name": "Cloudflare API MCP Server"
}GET /.well-known/oauth-protected-resource/mcp (what is actually fetched):
{
"resource": "https://staging.mcp.cloudflare.com/mcp",
"authorization_servers": ["https://staging.mcp.cloudflare.com"],
"bearer_methods_supported": ["header"],
"resource_name": "Cloudflare API MCP Server"
}The displayed response matches the second URL, proving the Inspector is querying /.well-known/oauth-protected-resource/mcp while displaying /.well-known/oauth-protected-resource.
Screenshot
Expected Behavior
The UI should display the actual URL that was used to fetch the metadata (i.e., /.well-known/oauth-protected-resource/mcp).
MCP Server
- URL:
https://staging.mcp.cloudflare.com/mcp