
MCP Auth

by rubenpenap
README.mdx•1.6 kB
# Scope Hints

<EpicVideo url="https://www.epicai.pro/workshops/day-7-8-mcp-auth/scope-hints-p0c97" />

👨‍💼 When users try to access our EpicMe journaling app without proper permissions, they need clear guidance on what scopes are available and required. Without this information, clients can't know what to request during the OAuth authorization flow, leading to failed authentication attempts and frustrated users.

The solution is to provide a **scope hint** (called `scopes_supported`) in our OAuth protected resource metadata. This metadata tells clients exactly what scopes are supported and helps them understand what permissions they could request from the authorization server.

Here's how this works in practice. Imagine a smart home app that controls different devices:

```ts lines=6-11
// The protected resource metadata also lists supported scopes
function handleOAuthProtectedResourceRequest(request: Request) {
	return Response.json({
		resource: 'https://smarthome.example.com/api',
		authorization_servers: ['https://auth.smarthome.example.com'],
		scopes_supported: [
			'lights:read',
			'lights:write',
			'thermostat:read',
			'security:admin',
		],
	})
}
```

The `scopes_supported` in the protected resource metadata provides a complete list of all supported scopes across the entire system.

📜 For more details on OAuth scope parameters, see the [OAuth 2.0 Authorization Framework RFC](https://tools.ietf.org/html/rfc6749#section-3.3).

Now, add the missing `scopes_supported` to help clients understand what permissions are available for our EpicMe journaling app.
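How a client might consume the scope hint, as an added example that is not part of the workshop or EpicMe code: it validates the fetched metadata, then builds the space-delimited `scope` parameter from only the scopes it needs that the resource advertises. The helper names `parseScopeHint` and `selectScopes`, the `garage:open` scope, and treating a missing `scopes_supported` as "no hint" are assumptions of this example.

```typescript
// Added example, not part of the workshop code. parseScopeHint and selectScopes
// are hypothetical helper names.
interface ScopeHint {
  resource: string
  scopes_supported: string[]
}

// RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E )
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/

// The metadata arrives over the network, so validate it before using it.
function parseScopeHint(json: unknown): ScopeHint {
  if (typeof json !== 'object' || json === null) {
    throw new Error('metadata must be a JSON object')
  }
  const fields = json as Record<string, unknown>
  const resource = fields['resource']
  if (typeof resource !== 'string') throw new Error('resource must be a string')
  // Assumption: a missing scopes_supported is treated as "no hint given".
  const raw = fields['scopes_supported'] ?? []
  if (!Array.isArray(raw)) throw new Error('scopes_supported must be an array')
  const scopes: string[] = []
  for (const s of raw) {
    if (typeof s !== 'string' || !SCOPE_TOKEN.test(s)) {
      throw new Error('invalid scope token in scopes_supported')
    }
    scopes.push(s)
  }
  return { resource, scopes_supported: scopes }
}

// Least privilege: request only what this client needs, and only what the
// resource advertises. Unsupported scopes are reported, never sent.
function selectScopes(
  hint: ScopeHint,
  wanted: string[],
): { scope: string; unsupported: string[] } {
  const unique = wanted.filter((s, i) => wanted.indexOf(s) === i)
  const isSupported = (s: string) => hint.scopes_supported.indexOf(s) !== -1
  return {
    scope: unique.filter(isSupported).join(' '),
    unsupported: unique.filter((s) => !isSupported(s)),
  }
}

// Constructed sample: the smart home metadata from the example above.
const SAMPLE_METADATA: unknown = {
  resource: 'https://smarthome.example.com/api',
  authorization_servers: ['https://auth.smarthome.example.com'],
  scopes_supported: ['lights:read', 'lights:write', 'thermostat:read', 'security:admin'],
}
```

The returned `scope` string is what goes into the authorization request; a non-empty `unsupported` list means the client is asking for something this resource never advertised.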
