Cursor MCP client probes OAuth even when server signals OAuth unavailable

Hey, thanks for another solid report. It’s clear you’ve really dug into this.

This is a confirmed bug from the same family as your previous thread, “MCP headers config ignored when server has OAuth discovery”. The root cause is the same. The SDK always kicks off the full OAuth discovery flow on any 401 and doesn’t check for resource_metadata in WWW-Authenticate. Your link to RFC 9728 is spot on; that’s the behavior we should be implementing.

I’ve logged this part too, RFC 9728 compliance and checking resource_metadata, along with the main ticket.

Glad the workaround with /api/mcp worked. Have a great weekend!
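
Added example (not part of the reply above, and not Cursor or MCP SDK code): a sketch of the check the reply describes, reading resource_metadata from the WWW-Authenticate header of a 401 before starting any OAuth discovery. The function names, the action labels and the choice to skip OAuth when the parameter is absent are assumptions made for illustration; the header values are constructed.

```javascript
// Hypothetical helper names; this is an illustration, not the SDK's implementation.
// Matches one auth-param: name=token or name="quoted string".
const PARAM = /([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/g;

// Return the auth-params that follow a Bearer challenge, or null if there is none.
// Simplification: assumes Bearer is the last (or only) challenge in the header.
function bearerParams(headerValue) {
  const m = /(?:^|,)\s*Bearer(?:\s+|$)/i.exec(headerValue || "");
  if (!m) return null;
  const rest = headerValue.slice(m.index + m[0].length);
  const params = {};
  PARAM.lastIndex = 0;
  for (let p; (p = PARAM.exec(rest)) !== null; ) {
    const name = p[1].toLowerCase();
    // Unescape quoted-pair sequences in quoted values.
    const value = p[2] !== undefined ? p[2].replace(/\\(.)/g, "$1") : p[3];
    if (!(name in params)) params[name] = value; // first occurrence wins
  }
  return params;
}

// Decide what a client should do with a 401, based only on WWW-Authenticate.
function on401(wwwAuthenticate) {
  const params = bearerParams(wwwAuthenticate);
  const raw = params && params.resource_metadata;
  if (!raw) {
    // Assumption: no resource_metadata means the server is not advertising
    // OAuth, so the client keeps its configured headers and does not probe.
    return { action: "skip-oauth", reason: "no resource_metadata in challenge" };
  }
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { action: "fail", reason: "resource_metadata is not a valid URL" };
  }
  // Hardening: never fetch authorization metadata over a non-TLS URL.
  if (url.protocol !== "https:") {
    return { action: "fail", reason: "resource_metadata must use https" };
  }
  return { action: "fetch-metadata", url: url.href };
}
```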