Andrew Collins

Results 3 comments of Andrew Collins

+1 on this request. Maybe leveraging the [WWW-Authenticate header spec](https://www.rfc-editor.org/rfc/rfc6750.html#section-3) would make sense here to define the scope? There seemed to be [similar conversations](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/195) prior to publishing the WWW-Authenticate piece...

I imagined something along the lines of the MCP server responding with a 401 and a header like below.

```
WWW-Authenticate: Bearer resource_metadata="https://my-auth-server.com", scope="profile email"
```

Then grabbing the "scope"...

@TylerLeonhardt - Ah, ok. Yes, you are correct. My resource metadata was improperly defined, which led to it defaulting to my authorization server's full set of supported scopes, rather than...