# Data layer is JSON-RPC 2.0 messages
# Transport over HTTP + SSE (auth via HTTP headers) or stdio
# Agent can access tools/prompts/resources offered by the MCP server
# MCP server can also make calls to the agent:
  - sampling (AI completions)
  - elicitation/request (when the MCP server asks the agent's user for confirmation or for more info)
  - logging (MCP server can send log messages to the agent log)

# SSE as the primary transport was deprecated in MCP version 2025-03-26 (but it can still optionally be used). It has 3 drawbacks:
  - requires long-lived sockets (painful at scale)
  - no support for resumable streams (not good when you have flaky Wi-Fi)
  - allows only server->client messages (unidirectional)

Launch MCP Inspector using:
npx @modelcontextprotocol/inspector

When MCP Inspector is launched, it:
* exposes a proxy server and prints a proxy session auth token
* exposes a webserver with a UI frontend for inspecting traffic that goes through the MCP proxy server
  - under the "Configuration" section you can input the proxy session auth token
  - another way is to open the UI frontend using a URL param containing the proxy session token

MCP auth uses these standards:
* Authorization Server Metadata (RFC8414)
  - .well-known/oauth-authorization-server
* Dynamic Client Registration (RFC7591)
* Protected Resource Metadata (RFC9728)
  - an HTTP 401 from the MCP server carries a special header:
    www-authenticate: Bearer resource_metadata="https://mcp.com/.well-known/oauth-protected-resource"
  - .well-known/oauth-protected-resource lists the authorization_servers to use for this resource
* Resource Indicator (RFC8707)


When MCP Inspector does OAuth discovery, it makes requests to the following MCP server URLs:
catch all request for OPTIONS /.well-known/oauth-protected-resource/mcp
catch all request for GET /.well-known/oauth-protected-resource/mcp
catch all request for OPTIONS /.well-known/oauth-protected-resource
catch all request for GET /.well-known/oauth-protected-resource
catch all request for OPTIONS /.well-known/oauth-authorization-server
catch all request for GET /.well-known/oauth-authorization-server
catch all request for OPTIONS /.well-known/openid-configuration
catch all request for GET /.well-known/openid-configuration
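Added example (not from these notes or the Inspector's own code): a client-side walk through the discovery chain above, run offline against constructed metadata documents for hypothetical hosts mcp.example and auth.example. It parses the 401 challenge from RFC 9728, probes the protected-resource metadata URLs in the same order the log shows, refuses metadata whose "resource" does not match the MCP URL actually called, and then tries RFC 8414 metadata before OpenID discovery for each listed authorization server.

```python
import re
from urllib.parse import urlparse

# Constructed sample (hypothetical hosts): the 401 challenge header and the
# two metadata documents an MCP server and its authorization server return.
WWW_AUTH = 'Bearer resource_metadata="https://mcp.example/.well-known/oauth-protected-resource/mcp"'
DOCS = {
    "https://mcp.example/.well-known/oauth-protected-resource/mcp":
        {"resource": "https://mcp.example/mcp",
         "authorization_servers": ["https://auth.example"]},
    "https://auth.example/.well-known/oauth-authorization-server":
        {"issuer": "https://auth.example",
         "token_endpoint": "https://auth.example/token",
         "registration_endpoint": "https://auth.example/register"},  # RFC 7591
}

def parse_www_authenticate(header):
    """Auth-params of a 'Bearer k="v", ...' challenge as a dict."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def protected_resource_urls(mcp_url, header=None):
    """RFC 9728 metadata URLs in the order the log above shows: the URL the
    401 advertised, then path-aware, then the root well-known location."""
    p = urlparse(mcp_url)
    root = f"{p.scheme}://{p.netloc}"
    urls = [parse_www_authenticate(header)["resource_metadata"]] if header else []
    urls += [f"{root}/.well-known/oauth-protected-resource{p.path}",
             f"{root}/.well-known/oauth-protected-resource"]
    return list(dict.fromkeys(urls))  # dedupe, keep order

def discover(mcp_url, header, fetch=DOCS.get):
    """fetch(url) -> dict or None. Rejects metadata whose 'resource' is not the
    MCP URL we called, then tries RFC 8414 before OpenID discovery per issuer."""
    for url in protected_resource_urls(mcp_url, header):
        prm = fetch(url)
        if prm:
            break
    else:
        raise LookupError("no protected resource metadata found")
    if prm.get("resource") != mcp_url:
        raise ValueError(f"resource mismatch: {prm.get('resource')!r}")
    for issuer in prm["authorization_servers"]:
        for path in ("oauth-authorization-server", "openid-configuration"):
            asm = fetch(f"{issuer.rstrip('/')}/.well-known/{path}")
            if asm and asm.get("issuer") == issuer:
                return asm
    raise LookupError("no authorization server metadata found")
```

The "resource" and "issuer" comparisons are the client's defence against a server that points it at metadata belonging to some other resource or authorization server; replace `fetch` with a real HTTP GET to run it against a live MCP server.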