# `Urchin.Auth.Metadata`
[🔗](https://github.com/urth-inc/urchin/blob/v0.4.0/lib/urchin/auth/metadata.ex#L1)

A `Plug` that serves the RFC 9728 Protected Resource Metadata document.

This is the discovery endpoint MCP clients fetch to learn which Authorization
Server(s) protect this MCP server. It is served at the well-known URI derived from the
configured `:resource` (both the path-aware form and the bare root form, per RFC 9728
§3.1) and is publicly readable with permissive CORS so browser-based clients can fetch
it cross-origin.

Mount it at the application root, ahead of your routes:

    plug Urchin.Auth.Metadata, auth: auth

Requests that do not target a metadata path pass through untouched. The standalone
`Urchin.Endpoint` runner wires this in automatically when `:auth` is configured.

## Options

  * `:auth` (required) - an `Urchin.Auth` struct or a keyword list of `Urchin.Auth.new!/1`
    options.

# `metadata_request?`

```elixir
@spec metadata_request?(Plug.Conn.t(), Urchin.Auth.t()) :: boolean()
```

Returns true when the request targets the Protected Resource Metadata endpoint.

# `serve`

```elixir
@spec serve(Plug.Conn.t(), Urchin.Auth.t()) :: Plug.Conn.t()
```

Sends the metadata document (or the appropriate CORS/405 response) for the request.

Used by `call/2` and reused by `Urchin.Endpoint`. Does not halt; the caller decides.

---

*Consult [api-reference.md](api-reference.md) for complete listing*