The agent URL we probed.
OptionalresourceResource URL the agent advertises in its WWW-Authenticate / PRM (RFC 9728).
OptionalresourceURL of the protected-resource-metadata document (from WWW-Authenticate: resource_metadata=…).
OptionalauthorizationFirst authorization_servers[0] from the protected-resource metadata.
OptionalauthorizationAll authorization_servers advertised by the PRM, in declaration order.
The walker only probes [0] (PRM preference order — see RFC 9728 §3.3);
the full list is exposed so callers can surface multi-issuer deployments
in diagnostics. A length > 1 is uncommon and worth flagging to the
operator — typically a federation partner or a staged migration.
Optionalauthorizationauthorization_endpoint from the authorization-server metadata (RFC 8414).
Optionaltokentoken_endpoint from the authorization-server metadata.
Optionalregistrationregistration_endpoint if the AS supports RFC 7591 dynamic client registration.
OptionalscopesScopes advertised by the AS (RFC 8414 scopes_supported).
Optionalgrantgrant_types_supported advertised by the AS (RFC 8414). undefined when
the AS didn't publish the field — per RFC 8414 that defaults to
["authorization_code", "implicit"]. Clients should treat absence as
"unknown, try your grant and see," not as proof the grant is unsupported.
OptionalmetadataTrue when the AS metadata came from the OIDC fallback URL rather than RFC 8414.
OptionalchallengeScope hinted in the WWW-Authenticate challenge's scope auth-param.
Raw parsed challenge the agent returned on the 401.
Structured description of what an agent's authorization server requires before it will accept a
tools/call. Produced by discoverAuthorizationRequirements.