
MCP server check beta

Emerging standard · detection is a beta, non-scoring signal

A remote MCP server (Model Context Protocol) is an HTTPS endpoint that speaks JSON-RPC over the Streamable HTTP transport and that a client such as Claude can discover and connect to securely. The ideal one is an OAuth 2.1 resource server: it advertises how to authenticate through standard metadata, so an agent can onboard with no manual setup. AgentFit probes that advertised surface from the outside and reports the result as a beta badge on the audit report.

What "ideal" means

When an agent hits a protected MCP endpoint without a token, the server returns 401 with a WWW-Authenticate: Bearer challenge pointing at its Protected Resource Metadata (RFC 9728) at /.well-known/oauth-protected-resource. That document names one or more authorization servers, each of which publishes its own metadata (RFC 8414 or OpenID Connect Discovery) advertising PKCE with the S256 method (RFC 7636). The client sends the MCP server's canonical URI as the resource parameter (Resource Indicators, RFC 8707), the authorization server issues tokens bound to that audience, and the MCP server rejects any token whose audience is not itself, so a token issued for one service can't be replayed against another. Finally, the authorization server offers zero-friction client onboarding: Dynamic Client Registration (RFC 7591) or, as of the November 2025 revision of the MCP authorization spec, Client ID Metadata Documents.

The discovery chain

1. agent → POST /mcp            → 401 + WWW-Authenticate: Bearer resource_metadata="…"
2. agent → GET  /.well-known/oauth-protected-resource   → { resource, authorization_servers }
3. agent → GET  <AS>/.well-known/oauth-authorization-server → { …, code_challenge_methods_supported: ["S256"] }
4. agent → register client → PKCE authorize (resource=…) → token (audience-bound)
5. agent → POST /mcp  (Authorization: Bearer …)          → tools available

What AgentFit checks (beta)

From an unauthenticated probe of the OAuth .well-known surface, AgentFit grades the advertised discovery chain described above and reports one of three tiers:

oauth-mcp: a clean OAuth-protected MCP discovery surface.
partial: found, but with missing or unreachable pieces.
endpoint-only: an MCP endpoint with no OAuth metadata.
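The discovery chain and the tier grading above, as an added example that is not AgentFit's own code: it walks steps 1 to 3 of the chain against constructed HTTP responses (the hosts mcp.example.com and auth.example.com, the response bodies, the check names and the `client_id_metadata_document_supported` flag used to detect CIMD support are all assumptions), tries the path-aware and root well-known fallbacks a client must support, and returns the tier plus the individual checks that decided it.

```python
"""Walk the OAuth discovery chain in front of a remote MCP server and grade it.
Added example, not AgentFit's code; every host, response and check is constructed."""
import json
import re
from urllib.parse import urlparse

MCP_URL = "https://mcp.example.com/mcp"   # hypothetical MCP endpoint
AS_URL = "https://auth.example.com"       # hypothetical authorization server
PRM_URL = "https://mcp.example.com/.well-known/oauth-protected-resource"
AS_META_URL = AS_URL + "/.well-known/oauth-authorization-server"

# Constructed HTTP responses standing in for the live site:
# (method, url) -> (status, headers, body). Anything absent answers 404.
GOOD_SITE = {
    ("POST", MCP_URL): (401, {"WWW-Authenticate": f'Bearer resource_metadata="{PRM_URL}"'}, ""),
    ("GET", PRM_URL): (200, {}, json.dumps(                            # RFC 9728
        {"resource": MCP_URL, "authorization_servers": [AS_URL]})),
    ("GET", AS_META_URL): (200, {}, json.dumps({                       # RFC 8414
        "issuer": AS_URL,
        "authorization_endpoint": AS_URL + "/authorize",
        "token_endpoint": AS_URL + "/token",
        "registration_endpoint": AS_URL + "/register",   # RFC 7591 DCR
        "code_challenge_methods_supported": ["S256"],     # RFC 7636
    })),
}


def _get_json(site, url):
    status, _, body = site.get(("GET", url), (404, {}, ""))
    if status != 200:
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def _first_doc(site, urls):
    for url in urls:
        doc = _get_json(site, url)
        if doc is not None:
            return doc
    return None


def prm_candidates(mcp_url, challenge):
    """RFC 9728 locations to try: the URL advertised in the challenge, then the
    path-aware and root well-known fallbacks (a client must support both)."""
    urls = []
    m = re.search(r'resource_metadata="([^"]+)"', challenge or "")
    if m:
        urls.append(m.group(1))
    p = urlparse(mcp_url)
    origin = f"{p.scheme}://{p.netloc}"
    path = p.path.rstrip("/")
    if path:
        urls.append(f"{origin}/.well-known/oauth-protected-resource{path}")
    urls.append(f"{origin}/.well-known/oauth-protected-resource")
    return list(dict.fromkeys(urls))   # dedupe, keep order


def as_metadata_candidates(issuer):
    """RFC 8414 (path-insertion) and OpenID Connect Discovery locations."""
    p = urlparse(issuer)
    origin = f"{p.scheme}://{p.netloc}"
    path = p.path.rstrip("/")
    urls = [f"{origin}/.well-known/oauth-authorization-server{path}"]
    if path:
        urls.append(f"{origin}/.well-known/openid-configuration{path}")
        urls.append(f"{origin}{path}/.well-known/openid-configuration")
    else:
        urls.append(f"{origin}/.well-known/openid-configuration")
    return urls


def grade(site, mcp_url=MCP_URL):
    """Unauthenticated probe. Returns {"tier": ..., "checks": {name: bool}}."""
    checks = {}
    status, headers, _ = site.get(("POST", mcp_url), (404, {}, ""))
    challenge = headers.get("WWW-Authenticate", "")
    checks["401_bearer_challenge"] = status == 401 and challenge.lower().startswith("bearer")

    prm = _first_doc(site, prm_candidates(mcp_url, challenge))
    checks["prm_found"] = prm is not None
    if prm is None:                       # an MCP endpoint with no OAuth metadata
        return {"tier": "endpoint-only", "checks": checks}

    # "resource" is what the client sends as the RFC 8707 resource parameter;
    # if it does not name this server, audience binding protects nothing.
    checks["prm_resource_matches"] = str(prm.get("resource", "")).rstrip("/") == mcp_url.rstrip("/")
    issuers = prm.get("authorization_servers") or []
    checks["prm_lists_as"] = bool(issuers)

    as_meta = None
    for issuer in issuers:
        as_meta = _first_doc(site, as_metadata_candidates(issuer))
        if as_meta is not None:
            break
    checks["as_metadata_found"] = as_meta is not None
    as_meta = as_meta or {}
    # A missing code_challenge_methods_supported is treated as "no S256".
    checks["pkce_s256"] = "S256" in (as_meta.get("code_challenge_methods_supported") or [])
    checks["token_endpoint"] = bool(as_meta.get("token_endpoint"))
    # Zero-friction onboarding: DCR (RFC 7591) or Client ID Metadata Documents;
    # the CIMD flag name is taken from the draft and is an assumption here.
    checks["client_onboarding"] = bool(as_meta.get("registration_endpoint")) or \
        as_meta.get("client_id_metadata_document_supported") is True

    tier = "oauth-mcp" if all(checks.values()) else "partial"
    return {"tier": tier, "checks": checks}


def variant(site, url, **patch):
    """Copy a constructed site and patch one JSON document (None deletes a key)."""
    out = dict(site)
    status, hdrs, body = out[("GET", url)]
    doc = json.loads(body)
    for key, value in patch.items():
        if value is None:
            doc.pop(key, None)
        else:
            doc[key] = value
    out[("GET", url)] = (status, hdrs, json.dumps(doc))
    return out


if __name__ == "__main__":
    print(grade(GOOD_SITE)["tier"])                                                      # oauth-mcp
    print(grade(variant(GOOD_SITE, AS_META_URL, code_challenge_methods_supported=None))["tier"])  # partial
    print(grade({("POST", MCP_URL): (200, {}, "{}")})["tier"])                          # endpoint-only
```

The `variant` helper exists so the same probe can be run against a deliberately broken site: dropping S256 or the registration endpoint from the authorization server metadata drops the tier to partial, and an endpoint that answers 200 with no metadata anywhere lands on endpoint-only. Pointing `site` at a real HTTP client instead of the dictionary is the only change needed to run it live.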

What we can't check from the outside

AgentFit verifies the advertised discovery and metadata surface, not runtime enforcement. Whether the MCP server actually validates a token's audience (RFC 8707), refuses to pass an inbound token through to upstream APIs, whether its authorization server rejects code_challenge_method=plain, or how well the consent screen is hardened is invisible to an unauthenticated auditor: confirming any of that requires running a real OAuth flow. The MCP authorization spec is also still evolving (two material revisions in 2025), so this is a beta signal and does not affect the 0–100 score. See the 26-criteria rubric for what is scored.
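The runtime check the auditor cannot see, as an added example that is neither AgentFit's nor any MCP SDK's code: the resource-server side of RFC 8707, where the MCP server accepts only tokens whose audience is its own canonical URI and answers every failure with the same Bearer challenge. To keep it offline it mints and verifies a shared-secret HS256 JWT; a real authorization server signs asymmetrically and the resource server verifies against the issuer's JWKS. The hosts, secret, claim values and the `handle_mcp_request` handler are assumptions.

```python
"""Resource-server side of RFC 8707: accept only tokens minted for this MCP server.
Added example, not AgentFit's or any MCP SDK's code; hosts, secret and claims are
constructed, and HS256 stands in for the asymmetric signature a real AS would use."""
import base64
import hashlib
import hmac
import json
import time

RESOURCE = "https://mcp.example.com/mcp"   # this server's canonical URI (the PRM "resource")
PRM_URL = "https://mcp.example.com/.well-known/oauth-protected-resource"
ISSUER = "https://auth.example.com"
SECRET = b"constructed-demo-secret"        # shared with the hypothetical AS


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(aud, sub="user-1", ttl=300, secret=SECRET):
    """What the AS does after a PKCE flow that carried resource=<aud>:
    the audience claim pins the token to that one resource server."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_bearer(token, resource=RESOURCE, secret=SECRET, now=None):
    """Returns (True, subject) or (False, reason). The audience check is what
    stops a token issued for another service being replayed against this one."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_unb64(h))
        signature = _unb64(s)
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":            # never let the token choose the algorithm
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_unb64(p))              # signature verified, now read the body
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        return False, "expired"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if resource not in audiences:
        return False, "audience mismatch"
    return True, claims.get("sub")


def handle_mcp_request(auth_header):
    """The gate behind the 401 challenge. Returns (status, headers).
    On success the token is consumed here and never forwarded upstream;
    forwarding it would be the token passthrough the spec forbids."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, {"WWW-Authenticate": f'Bearer resource_metadata="{PRM_URL}"'}
    ok, detail = verify_bearer(auth_header[len("Bearer "):])
    if not ok:
        return 401, {"WWW-Authenticate":
                     f'Bearer error="invalid_token", error_description="{detail}", '
                     f'resource_metadata="{PRM_URL}"'}
    return 200, {"subject": detail}


if __name__ == "__main__":
    good = mint(RESOURCE)
    replayed = mint("https://other.example.com/mcp")   # valid signature, wrong audience
    print(handle_mcp_request("Bearer " + good)[0])      # 200
    print(handle_mcp_request("Bearer " + replayed))     # 401, audience mismatch
```

The replayed token is signed by the same issuer and is otherwise perfectly valid; only the audience check turns it away, which is exactly why an auditor that never obtains a token cannot tell whether a live server performs it. Note also that the rejection re-sends the resource_metadata hint, so a client holding a token for the wrong service is pointed straight back into the discovery chain.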





© 2026 Stanislav Gumeniuk · All rights reserved