OAuth Discovery
A mechanism that allows AI agents to automatically discover a website's authentication endpoints.
OAuth Discovery refers to the mechanisms that allow AI agents and software to automatically find a web service's authentication endpoints. It uses standardized documents like .well-known/openid-configuration and .well-known/oauth-authorization-server.
Why is this relevant?
As AI agents become more autonomous, they need to securely authenticate with web services. OAuth Discovery makes this possible without manual configuration: the agent automatically discovers where to log in, which scopes are available, and how tokens are obtained.
OAuth Discovery and Agent Readiness
Offering OAuth Discovery endpoints is a signal of AI agent readiness. It shows your website is ready for automated, secure interaction with AI systems. The scanner checks for the presence of these endpoints.
Example: OpenID Connect Discovery response
// GET https://example.com/.well-known/openid-configuration
{
"issuer": "https://example.com",
"authorization_endpoint": "https://example.com/oauth/authorize",
"token_endpoint": "https://example.com/oauth/token",
"userinfo_endpoint": "https://example.com/oauth/userinfo",
"revocation_endpoint": "https://example.com/oauth/revoke",
"jwks_uri": "https://example.com/.well-known/jwks.json",
"scopes_supported": [
"openid",
"profile",
"email",
"read:products",
"read:orders"
],
"response_types_supported": [
"code",
"token",
"id_token",
"code id_token"
],
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"subject_types_supported": ["public"],
"id_token_signing_alg_values_supported": ["RS256"]
}
Example: OAuth Authorization Server Metadata
// GET https://example.com/.well-known/oauth-authorization-server
{
"issuer": "https://example.com",
"authorization_endpoint": "https://example.com/oauth/authorize",
"token_endpoint": "https://example.com/oauth/token",
"registration_endpoint": "https://example.com/oauth/register",
"scopes_supported": ["read", "write", "admin"],
"response_types_supported": ["code"],
"grant_types_supported": [
"authorization_code",
"client_credentials"
],
"code_challenge_methods_supported": ["S256"]
}
How OAuth Discovery works for AI agents
- Discovery: the AI agent visits /.well-known/openid-configuration or /.well-known/oauth-authorization-server to discover available endpoints.
- Registration: if dynamic client registration is available, the agent registers itself as an OAuth client.
- Authorization: the agent initiates the OAuth flow (typically authorization code with PKCE) to gain access.
- Token acquisition: after successful authorization, the agent receives an access token.
- API usage: the agent uses the token to call protected API endpoints.
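The discovery step above, written out as an added example (not the page's or the scanner's own code): it builds both well-known URLs for an issuer and validates a fetched metadata document before any endpoint in it is trusted. The metadata is the OAuth Authorization Server Metadata sample from above, embedded as a constructed string; the function names are assumptions of this example.

```python
"""Agent-side OAuth discovery: build the well-known URLs for an issuer and
validate a metadata document before trusting the endpoints it lists."""
import json
from urllib.parse import urlsplit

# Constructed sample: the OAuth Authorization Server Metadata shown above.
SAMPLE_AS_METADATA = json.dumps({
    "issuer": "https://example.com",
    "authorization_endpoint": "https://example.com/oauth/authorize",
    "token_endpoint": "https://example.com/oauth/token",
    "registration_endpoint": "https://example.com/oauth/register",
    "scopes_supported": ["read", "write", "admin"],
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "client_credentials"],
    "code_challenge_methods_supported": ["S256"],
})

def well_known_urls(issuer: str) -> dict:
    """Both discovery locations for an issuer. RFC 8414 inserts the well-known
    segment between host and path; OpenID Connect Discovery appends it after
    the path. The two only coincide when the issuer has no path component."""
    u = urlsplit(issuer)
    path = u.path.rstrip("/")
    base = f"{u.scheme}://{u.netloc}"
    return {
        "oauth-authorization-server": f"{base}/.well-known/oauth-authorization-server{path}",
        "openid-configuration": f"{base}{path}/.well-known/openid-configuration",
    }

def validate_metadata(doc_text: str, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is usable.
    The issuer check (RFC 8414 section 3.3) is what stops a document fetched
    for one issuer from being accepted as describing another one."""
    doc = json.loads(doc_text)
    problems = []
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri",
                "registration_endpoint", "revocation_endpoint", "userinfo_endpoint"):
        url = doc.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("no S256 PKCE support advertised; authorization code flow cannot be PKCE-protected")
    if "token" in doc.get("response_types_supported", []):
        problems.append("implicit grant (response_type=token) advertised; agents should not use it")
    return problems
```

Note that the OpenID Connect Discovery sample above advertises response_type "token" and no code_challenge_methods_supported, so this validator would flag it, whereas the OAuth Server Metadata sample passes cleanly.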
What does our scanner check?
The scanner checks whether your website offers OAuth Discovery endpoints at the standard .well-known locations. This includes both OpenID Connect Discovery (/.well-known/openid-configuration) and OAuth Authorization Server Metadata (/.well-known/oauth-authorization-server). This is part of the Agent Readiness score.
Frequently asked questions
Does my website need OAuth Discovery?
If your website has secured functionality that AI agents would want to use (such as a customer portal, order history, or personalized data), then OAuth Discovery is valuable. For purely informational websites without user accounts, it's less relevant, but offering it demonstrates forward-thinking AI readiness.
What's the difference between OpenID Connect Discovery and OAuth Server Metadata?
OpenID Connect Discovery (RFC 8414) is an extension of OAuth 2.0 that also provides identity information (who the user is). OAuth Authorization Server Metadata (RFC 8414) only describes the authorization capabilities. For AI agents, OAuth Server Metadata is often sufficient, unless identity information is needed.
How do I implement OAuth Discovery in Laravel?
In Laravel, you can use Laravel Passport or Laravel Sanctum as a foundation. Passport provides OAuth2 server functionality and can be extended with a .well-known endpoint. You can also define a custom route that returns the discovery document as JSON. Ensure the response includes the correct Content-Type header (application/json) and CORS headers.
Is OAuth Discovery required for MCP?
Not strictly required, but strongly recommended. MCP servers behind authentication use OAuth Discovery to let AI agents automatically follow the correct authentication flow. Without OAuth Discovery, authentication must be configured manually, which significantly reduces usability for AI agents.