Description
Guys, what are we missing? Seems like the MCP server won't provide a JSON response. Here is what we see:
Command: authprobe scan --explain --trace-failure https://gitmcp.io/docs
Scanning: https://gitmcp.io/docs
Scan time: Feb 12, 2026 06:13:46 UTC
Github: https://github.com/authprobe/authprobe
Funnel
[1] MCP probe (401 + WWW-Authenticate) [-] SKIP
auth not required
[2] MCP initialize + tools/list [X] FAIL
initialize error: context deadline exceeded (Client.Timeout or context
cancellation while reading body)
[3] PRM fetch matrix [X] FAIL
https://gitmcp.io/.well-known/oauth-protected-resource -> 200
https://gitmcp.io/.well-known/oauth-protected-resource/docs -> 200
PRM unreachable or unusable; OAuth discovery unavailable
[4] Auth server metadata [-] SKIP
auth not required
[5] Token endpoint readiness (heuristics) [-] SKIP
auth not required
[6] Dynamic client registration (RFC 7591) [-] SKIP
auth not required
Primary Finding (HIGH): MCP_INITIALIZE_FAILED (confidence 1.00)
Evidence:
initialize error: context deadline exceeded (Client.Timeout or context cancellation while
reading body)
MCP servers should accept the initialize JSON-RPC request and return a valid JSON response
per the MCP specification.
┌─────────────────────┤ RFC RATIONALE ├──────────────────────┐
Explain (RFC 9728 rationale)
1) MCP probe
- AuthProbe did not receive a 401 response that indicates authentication is required, so RFC 9728 PRM discovery is skipped.
┌───────────────────────┤ CALL TRACE ├───────────────────────┐
Call Trace Using: https://github.com/authprobe/authprobe
┌────────────┐ ┌────────────┐
│ authprobe │ │ MCP Server │
└─────┬──────┘ └─────┬──────┘
│ │
│ ╔═══ Step 1: MCP probe ═══════╪═══════════════════╗
│ GET https://gitmcp.io/docs
│ Reason: 401 + WWW-Authenticate discovery
│ Accept: text/event-stream
│ Host: gitmcp.io
├─────────────────────────────────────────────────────────────────►│
│ 200 OK
│ Access-Control-Allow-Headers: Content-Type, mcp-session-id
│ Access-Control-Allow-Methods: GET, POST, OPTIONS
│ Access-Control-Allow-Origin: *
│ Access-Control-Expose-Headers: mcp-session-id
│ Access-Control-Max-Age: 86400
│ Alt-Svc: h3=":443"; ma=86400
│ Cache-Control: no-cache
│ Cf-Ray: 9cc9f08cae0fdc3c-SJC
│ Content-Type: text/event-stream
│ Date: Thu, 12 Feb 2026 06:13:22 GMT
│ Server: cloudflare
│ Speculation-Rules: "/cdn-cgi/speculation"
│ Vary: Accept-Encoding
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ ╔═══ Step 2: MCP initialize ═══════╪═══════════════════╗
│ POST https://gitmcp.io/docs
│ Reason: Step 2: MCP initialize + tools/list (pre-init tools/list)
│ Accept: application/json, text/event-stream
│ Content-Type: application/json
│ Host: gitmcp.io
│ Mcp-Protocol-Version: 2025-11-25
├─────────────────────────────────────────────────────────────────►│
│ 400 Bad Request
│ Alt-Svc: h3=":443"; ma=86400
│ Cf-Ray: 9cc9f0be68a9dc3c-SJC
│ Content-Length: 110
│ Content-Type: text/plain;charset=UTF-8
│ Date: Thu, 12 Feb 2026 06:13:29 GMT
│ Server: cloudflare
│ Vary: Accept-Encoding
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ ╔═══ Step 3: PRM Discovery ═══════╪═══════════════════╗
│ GET https://gitmcp.io/.well-known/oauth-protected-resource
│ Reason: Step 3: PRM fetch matrix
│ Accept: application/json
│ Host: gitmcp.io
├─────────────────────────────────────────────────────────────────►│
│ 200 OK
│ Alt-Svc: h3=":443"; ma=86400
│ Cf-Ray: 9cc9f122bc86dc3c-SJC
│ Content-Type: text/html
│ Date: Thu, 12 Feb 2026 06:13:46 GMT
│ Server: cloudflare
│ Speculation-Rules: "/cdn-cgi/speculation"
│ Vary: Accept-Encoding
│◄─────────────────────────────────────────────────────────────────┤
│ │
│ GET https://gitmcp.io/.well-known/oauth-protected-resource/docs
│ Reason: Step 3: PRM fetch matrix
│ Accept: application/json
│ Host: gitmcp.io
├─────────────────────────────────────────────────────────────────►│
│ 200 OK
│ Alt-Svc: h3=":443"; ma=86400
│ Cf-Ray: 9cc9f122dceedc3c-SJC
│ Content-Type: text/html
│ Date: Thu, 12 Feb 2026 06:13:46 GMT
│ Server: cloudflare
│ Speculation-Rules: "/cdn-cgi/speculation"
│ Vary: Accept-Encoding
│◄─────────────────────────────────────────────────────────────────┤
▼ ▼
┌────────────────────┤ LLM EXPLANATION ├─────────────────────┐
The AuthProbe scan results indicate a valid and justified failure for the MCP initialize step and the subsequent PRM fetch matrix step. Below is a detailed, spec-grounded explanation referencing relevant standards (MCP 2025-11-25, RFC 9728, RFC 8414, JSON-RPC 2.0, and others where applicable):
Summary of Scan Outcome and Failures
- Step [2] MCP initialize + tools/list
  Failed with error: `initialize error: context deadline exceeded (Client.Timeout or context cancellation while reading body)`. The server did not respond within the expected timeframe, and no valid JSON-RPC 2.0 response was received.
- Step [3] PRM fetch matrix
  The `.well-known/oauth-protected-resource` endpoints returned HTTP 200 responses but were deemed unusable for OAuth discovery. This indicates either the resource matrix is not properly formatted or does not meet MCP or OAuth discovery expectations.
Detailed Explanation
1. MCP Initialize Failure
- Requirement (MCP 2025-11-25 §4.2.3):
  MCP servers MUST accept `initialize` JSON-RPC 2.0 requests and respond with a valid JSON-RPC 2.0 response within the allowed timeout to allow proper initialization of the OAuth server interface.
- JSON-RPC 2.0 (RFC 8259 / JSON-RPC 2.0 spec):
  JSON-RPC requires that all requests be responded to with either a successful response or an error object, conforming to the JSON-RPC message format. Silent or timeout failures violate client/server interoperability requirements.
- Compliance Issue:
  The `context deadline exceeded` error indicates the server did not send any response before timing out, equivalent to not fulfilling the minimal MCP requirement of returning a valid JSON-RPC 2.0 response to the `initialize` request.
- Correct Server Behavior:
  The MCP server must accept the `initialize` method call per MCP specification, parse the request, and return the agreed-upon response format within the allowed timeframe. Failure to do so results in the high-severity finding for initialization failure.
2. PRM Fetch Matrix Failure
- Reference (MCP 2025-11-25 §3.1 and RFC 9728 §5.1):
  The Protected Resource Matrix (PRM) describes OAuth-protected resource URLs and their scopes. This matrix must be published at the `.well-known/oauth-protected-resource` path or a similar location as per RFC 9728.
- Observation:
  Both https://gitmcp.io/.well-known/oauth-protected-resource and https://gitmcp.io/.well-known/oauth-protected-resource/docs respond with HTTP 200, but the data returned is either malformed, inaccessible, or does not meet the expected PRM JSON format necessary for OAuth discovery.
- RFC 9728 Compliance:
  The PRM document must be a JSON object specifying resources, scopes, methods, and other metadata. Although the endpoints exist (return 200), if the JSON structure is missing or invalid, OAuth clients cannot discover OAuth resource protection rules.
- RFC 8414 (OAuth Authorization Server Metadata):
  While
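To make the PRM step concrete, here is an added example (not authprobe's code and not part of this issue) that derives the two RFC 9728 well-known URLs the scan tried for `https://gitmcp.io/docs` and applies the checks that turn a `200 text/html` answer into "PRM unreachable or unusable". The `Resp` class, the HTML body and the `https://auth.example` authorization server are constructed for the example.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

# Added example (not authprobe code): derive the RFC 9728 well-known URLs for an
# MCP resource and decide whether a fetched PRM response is usable for discovery.

@dataclass
class Resp:
    status: int
    content_type: str
    body: str

def prm_urls(resource: str) -> list[str]:
    """RFC 9728 §3: insert the well-known path between host and resource path.
    The host-root form is also tried, matching the scan's 'PRM fetch matrix'."""
    u = urlsplit(resource)
    base = f"{u.scheme}://{u.netloc}/.well-known/oauth-protected-resource"
    path = u.path.rstrip("/")
    return [base, base + path] if path else [base]

def check_prm(resp: Resp, resource: str) -> tuple[bool, str]:
    """Return (usable, reason). Each rejection is one way a 200 can still be unusable."""
    if resp.status != 200:
        return False, f"status {resp.status}"
    ct = resp.content_type.split(";")[0].strip().lower()
    if ct != "application/json":          # the scan got text/html here
        return False, f"content-type {ct!r} is not application/json"
    try:
        doc = json.loads(resp.body)
    except json.JSONDecodeError as e:
        return False, f"body is not JSON: {e.msg}"
    if not isinstance(doc, dict) or "resource" not in doc:
        return False, "missing required 'resource' member (RFC 9728 §2)"
    if doc["resource"] != resource:        # RFC 9728 §3.3: value must match the resource
        return False, f"resource {doc['resource']!r} != {resource!r}"
    servers = doc.get("authorization_servers")
    if not servers or not all(isinstance(s, str) and s.startswith("https://") for s in servers):
        return False, "no https authorization_servers; MCP client cannot locate an AS"
    return True, "ok"

# Constructed inputs: what the scan observed, and a well-formed document for contrast.
OBSERVED = Resp(200, "text/html", "<!doctype html><html><body>docs</body></html>")
GOOD = Resp(200, "application/json", json.dumps({
    "resource": "https://gitmcp.io/docs",
    "authorization_servers": ["https://auth.example"],   # constructed issuer
    "bearer_methods_supported": ["header"],
}))
```

Running `check_prm(OBSERVED, "https://gitmcp.io/docs")` rejects on content type before any JSON parsing, which is the same verdict the scan reports for both URLs.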