Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions
Community
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions
Forums
Home Q&A Discussion groups Articles Ask a question Search
Learning Events Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Remote MCP server, well known protected endpoint missing

Nick Koukounakis
Nick Koukounakis
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
January 28, 2026

Hey we are building an MCP client.

According to the mcp spec
MCP servers MUST implement one of the following discovery mechanisms to provide authorization server location information to MCP clients:

  1. WWW-Authenticate Header: Include the resource metadata URL in the WWW-Authenticate HTTP header under resource_metadata when returning 401 Unauthorized responses, as described in RFC9728 Section 5.1.
  2. Well-Known URI: Serve metadata at a well-known URI as specified in RFC9728. This can be either:



We tried the discovery mechanism but nothing worked in your mcp server. 
Is this something that is not supported yet on your mcp server? 

```

curl -i https://mcp.atlassian.com/v1/mcp
HTTP/2 401
date: Wed, 28 Jan 2026 13:25:02 GMT
content-type: application/json
content-length: 79
cf-ray: 9c50d040ac62dbe2-FRA
www-authenticate: Bearer realm="OAuth", error="invalid_token", error_description="Missing or invalid access token"
server: AtlassianEdge
ge-edge-trusted-cloudflare-proxy: bWNwLWNsb3VkZmxhcmUK
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
atl-traceid: 50af456a5ad64df6a3006acfadbcdfa0
atl-request-id: 50af456a-5ad6-4df6-a300-6acfadbcdfa0
strict-transport-security: max-age=63072000; preload
report-to: {"endpoints": [{"url": "https://dz8aopenkvv6s.cloudfront.net"}], "group": "endpoint-1", "include_subdomains": true, "max_age": 600}
nel: {"failure_fraction": 0.01, "include_subdomains": true, "max_age": 600, "report_to": "endpoint-1"}
server-timing: atl-edge;dur=21,atl-edge-internal;dur=2,atl-edge-upstream;dur=19,atl-edge-pop;desc="aws-eu-central-1"

{"error":"invalid_token","error_description":"Missing or invalid access token"}%
```

Both
* https://mcp.atlassian.com/.well-known/oauth-protected-resource and
* https://mcp.atlassian.com/.well-known/oauth-protected-resource/v1/mcp
returns 404

So the MCP server does NOT fully conform to the MCP authorization specification. It lacks the required OAuth 2.0 Protected Resource Metadata (RFC 9728) implementation. While it provides the Authorization Server Metadata, at https://mcp.atlassian.com/.well-known/oauth-authorization-server.

Clients cannot use the spec-compliant discovery. 

Answer
Watch
Like Be the first to like this
36 views

0 answers

Suggest an answer

Log in or Sign up to answer
Rovo Atlassian Intelligence
Rovo
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2026 Atlassian
    Privacy Policy Notice at Collection Terms Security