For every modern OAuth-capable MCP client:
https://ownsona.example.com/mcp.
This is the only piece of information you give the client. OwnSona
advertises the rest (AS endpoints, JWKS, dynamic registration) via the
discovery documents at /.well-known/oauth-protected-resource and
/.well-known/oauth-authorization-server.
The login credentials are the OWNSONA_LOGIN_USERNAME and OWNSONA_LOGIN_PASSWORD
values from application.ini. You type these into a browser tab the
client opens during the first OAuth login — never into the
client’s connector configuration UI.
    curl -sS -i -X POST https://<your-host>/mcp \
      -H "Content-Type: application/json" \
      -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{}}'
The response should be HTTP 401 with a WWW-Authenticate: Bearer ...,
resource_metadata="..." header. That header is the client-side
hook into the OAuth flow; if it’s missing or the response is
anything other than 401, the server isn’t healthy — fix that first
(see Troubleshooting).
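
The same preflight check as a script, added here as an example (it is not part of OwnSona): it reads raw `curl -sS -i` output, confirms the 401, and parses the Bearer challenge for resource_metadata. The sample responses and the realm value are constructed, and the requirement that resource_metadata point at the same host is an assumption for a single-host deployment.

```python
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"  # discovery path named on this page
# auth-param grammar: name = token | "quoted string"
PARAM = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')

# Constructed sample responses (not captured from a real server).
HEALTHY = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Bearer realm="mcp", resource_metadata='
    '"https://ownsona.example.com/.well-known/oauth-protected-resource"\r\n\r\n'
)
NO_HOOK = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"

def parse_response(raw):
    """Split `curl -i` output into (status, {lowercased header name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    m = re.match(r"HTTP/\S+\s+(\d{3})", head[0])
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (int(m.group(1)) if m else None), headers

def check_preflight(raw, expected_host):
    """Return a list of problems; an empty list means the preflight passed."""
    status, headers = parse_response(raw)
    problems = [] if status == 401 else [f"expected HTTP 401, got {status}"]
    scheme, _, rest = headers.get("www-authenticate", "").partition(" ")
    if scheme.lower() != "bearer":
        return problems + ["missing WWW-Authenticate: Bearer challenge"]
    params = {k.lower(): q or t for k, q, t in PARAM.findall(rest)}
    url = urlsplit(params.get("resource_metadata", ""))
    if not url.netloc:
        return problems + ["challenge has no usable resource_metadata URL"]
    if url.scheme != "https":
        problems.append("resource_metadata is not an https URL")
    if url.hostname != expected_host:  # assumption: metadata served by the same host
        problems.append(f"resource_metadata points at {url.hostname}, not {expected_host}")
    if not url.path.startswith(WELL_KNOWN):
        problems.append("resource_metadata is not the protected-resource discovery path")
    return problems

if __name__ == "__main__":
    import sys
    print(check_preflight(sys.stdin.read(), sys.argv[1]) or "preflight OK")
```

Saved under a name of your choice, it takes the curl output on stdin and the expected host name as its only argument.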