MCP Streamable HTTP OAuth discovery pattern
MCP
OAuth
HTTP
For an OAuth-protected Streamable HTTP MCP server, an unauthenticated request to the MCP endpoint should get HTTP 401 with a WWW-Authenticate: Bearer challenge. The challenge carries resource_metadata="<server>/.well-known/oauth-protected-resource" (or the path-suffixed form <server>/.well-known/oauth-protected-resource/mcp when the protected resource is the /mcp endpoint) together with the required scope. The server should also publish the protected resource metadata document at that URL, listing the MCP resource URL, authorization_servers, scopes_supported, and the supported bearer methods. This lets MCP clients discover the OAuth authorization server before retrying with a bearer token.
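The exchange above, written out as an added example that is not part of the original note and not taken from any MCP SDK: a server-side handler that issues the 401 challenge and serves the metadata document, and a client-side discovery step that follows the challenge and checks it before trusting it. The server URL, authorization server, scope and token are constructed placeholders; fetch is replaced by an in-memory stub so the flow runs offline.

```python
import re
from urllib.parse import urlparse

# Constructed placeholders for the walkthrough, not real deployments.
SERVER = "https://mcp.example.test"
MCP_RESOURCE = SERVER + "/mcp"
AUTH_SERVER = "https://auth.example.test"
REQUIRED_SCOPE = "mcp:tools"
VALID_TOKENS = {"constructed-demo-token"}  # stand-in for real token validation

WELL_KNOWN = "/.well-known/oauth-protected-resource"


def metadata_url(path_suffix: str = "/mcp") -> str:
    """RFC 9728 metadata location; the suffix form scopes it to the /mcp resource."""
    return SERVER + WELL_KNOWN + path_suffix


def protected_resource_metadata() -> dict:
    """Document served at metadata_url(), using RFC 9728 field names."""
    return {
        "resource": MCP_RESOURCE,
        "authorization_servers": [AUTH_SERVER],
        "scopes_supported": [REQUIRED_SCOPE],
        "bearer_methods_supported": ["header"],
    }


def handle_mcp_request(headers: dict) -> tuple:
    """Server side: (status, headers, body) for a request to the MCP endpoint."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
    if token in VALID_TOKENS:
        return 200, {"Content-Type": "application/json"}, '{"jsonrpc":"2.0","result":{}}'
    # RFC 6750 challenge that points the client at the metadata document.
    challenge = 'Bearer resource_metadata="%s", scope="%s"' % (metadata_url(), REQUIRED_SCOPE)
    if token is not None:
        challenge += ', error="invalid_token"'  # a token was presented but rejected
    return 401, {"WWW-Authenticate": challenge}, ""


def parse_challenge(value: str) -> dict:
    """Client side: pull the quoted auth-params out of a Bearer challenge."""
    if not value.startswith("Bearer"):
        raise ValueError("not a Bearer challenge")
    return dict(re.findall(r'(\w+)="([^"]*)"', value))


def discover(mcp_url: str, response_headers: dict, fetch) -> dict:
    """Client side: follow the 401 to the authorization server.
    fetch(url) returns the parsed metadata document (stubbed below)."""
    params = parse_challenge(response_headers["WWW-Authenticate"])
    meta_url = params["resource_metadata"]
    # Only trust a metadata URL on the same HTTPS origin as the MCP endpoint.
    mcp, meta = urlparse(mcp_url), urlparse(meta_url)
    if (meta.scheme, meta.netloc) != ("https", mcp.netloc) or not meta.path.startswith(WELL_KNOWN):
        raise ValueError("resource_metadata points outside the MCP server origin")
    doc = fetch(meta_url)
    # The document must describe exactly the resource the client was talking to.
    if doc.get("resource") != mcp_url:
        raise ValueError("metadata resource does not match the MCP endpoint")
    if "header" not in doc.get("bearer_methods_supported", []):
        raise ValueError("server does not accept bearer tokens in the Authorization header")
    return {
        "authorization_server": doc["authorization_servers"][0],
        "resource": doc["resource"],
        "scope": params.get("scope") or " ".join(doc.get("scopes_supported", [])),
    }


def fake_fetch(url: str) -> dict:
    """Stand-in for an HTTPS GET; serves only the constructed metadata document."""
    if url != metadata_url():
        raise LookupError("404 " + url)
    return protected_resource_metadata()


if __name__ == "__main__":
    status, hdrs, _ = handle_mcp_request({})
    print(status, hdrs["WWW-Authenticate"])
    print(discover(MCP_RESOURCE, hdrs, fake_fetch))
```

The two client-side checks are the ones worth keeping in a real implementation: the metadata URL must live on the MCP server's own origin under the well-known path, and the document's resource field must equal the endpoint URL that produced the challenge, so a stray or tampered challenge cannot steer the client to an unrelated authorization server.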