OAuth metadata endpoint returns 404 after upgrading to MCP 1.17+ #2123

@jlowin

Problem

After upgrading to MCP 1.17+, OAuth clients fail to discover protected resource metadata, resulting in 404 errors when accessing /.well-known/oauth-protected-resource.

Cause

MCP 1.17 introduced a breaking change to implement RFC 9728 properly. OAuth protected resource metadata endpoints are now registered at path-aware locations instead of always at the root.

Example

If your MCP server is mounted at /mcp:

Before (MCP 1.16):

GET /.well-known/oauth-protected-resource  # ✅ 200 OK

After (MCP 1.17+):

GET /.well-known/oauth-protected-resource      # ❌ 404 Not Found
GET /.well-known/oauth-protected-resource/mcp  # ✅ 200 OK

Solution

Until FastMCP 2.13 is released, users should manually install mcp<=1.16.

Workaround

If you cannot upgrade immediately, clients should check the resource_metadata parameter in the WWW-Authenticate header from 401 responses to discover the correct metadata URL.

See PR #2122 for full details.
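
A client-side sketch of the workaround above, added here as an illustration and not taken from FastMCP, the MCP SDK, or PR #2122. It reads `resource_metadata` from a `WWW-Authenticate` value and falls back to the path-aware URL, then the root URL. The function names, the sample header and `api.example.com` are assumptions, and the same-origin filter on the header hint is a conservative choice of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"

# Constructed sample of a 401 challenge header (not captured from a real server).
SAMPLE_CHALLENGE = ('Bearer error="invalid_token", resource_metadata='
                    '"https://api.example.com/.well-known/oauth-protected-resource/mcp"')

# auth-param: name "=" ( quoted-string | bare token ); quoted values may contain commas.
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def resource_metadata_from_challenge(www_authenticate):
    """Return the resource_metadata URL from a WWW-Authenticate value, or None."""
    for name, quoted, bare in _AUTH_PARAM.findall(www_authenticate or ""):
        if name.lower() == "resource_metadata":
            # Undo backslash escapes inside a quoted-string.
            value = re.sub(r"\\(.)", r"\1", quoted) if quoted else bare
            return value or None
    return None


def well_known_candidates(resource_url):
    """Path-aware URL (MCP 1.17+) first, then the root URL served by MCP 1.16."""
    parts = urlsplit(resource_url)
    path = parts.path.rstrip("/")
    root = urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN, "", ""))
    if not path:
        return [root]
    return [urlunsplit((parts.scheme, parts.netloc, WELL_KNOWN + path, "", "")), root]


def metadata_urls(resource_url, www_authenticate=None):
    """Ordered URLs to try; the header hint is used only if it is same-origin."""
    urls = []
    hint = resource_metadata_from_challenge(www_authenticate)
    if hint:
        h, r = urlsplit(hint), urlsplit(resource_url)
        # Assumption of this example: ignore hints that point at another origin.
        if (h.scheme, h.netloc) == (r.scheme, r.netloc):
            urls.append(hint)
    for url in well_known_candidates(resource_url):
        if url not in urls:
            urls.append(url)
    return urls
```

After fetching the document, compare its `resource` value with the URL you are calling before trusting the authorization servers it lists.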

Labels

auth: Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server.
breaking change: Breaks backward compatibility. Requires minor version bump. Critical for maintainer attention.
bug: Something isn't working. Reports of errors, unexpected behavior, or broken functionality.
http: Related to HTTP transport, networking, or web server functionality.