refactor(examples/bearer-auth): drop unused mcpAuthMetadataRouter + oauthMetadata #2373
The metadata router was mounted but never hit by the example's own client (which supplies the token directly via authProvider). The story's point is requireBearerAuth + OAuthTokenVerifier + ctx.authInfo; the full RS+AS discovery flow lives in examples/oauth/. Reported by Paul.
LGTM — example-only simplification; the dropped metadata router wasn't exercised by the example's client, and resourceMetadataUrl is optional on requireBearerAuth, so the 401 + WWW-Authenticate assertion still holds.
Extended reasoning...
Overview
The PR touches only examples/bearer-auth/ (server.ts and README.md). It removes the mcpAuthMetadataRouter mount, the placeholder oauthMetadata object, and the resourceMetadataUrl option from requireBearerAuth, narrowing the example to its stated point: requireBearerAuth + OAuthTokenVerifier + ctx.authInfo in front of createMcpHandler. README and the file's doc comment are updated to match, and they correctly redirect readers to examples/oauth/ for the full RS+AS discovery flow.
Security risks
None. No SDK or middleware code changes; only an example loses an unused metadata endpoint. resourceMetadataUrl is an optional field on BearerAuthMiddlewareOptions (packages/middleware/express/src/auth/bearerAuth.ts:28), and the WWW-Authenticate challenge is still emitted on 401/403 without it, so the example's client assertion (401 + /Bearer/) continues to pass. The example client supplies demo-token directly and never performs metadata discovery, confirming the removed router was dead weight.
Level of scrutiny
Low — example/documentation-only change, no public API surface, no protocol or transport logic, no behavior change to anything outside the example. This aligns with the repo's minimalism principle (examples should isolate one story; the discovery flow already lives in examples/oauth/).
Other factors
No changeset is needed for an example-only change (the changeset bot warning is expected). No bugs were found by the bug hunting system, and the removal is internally consistent across the diff (imports, comments, README all updated).
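As an added illustration of the story the example keeps (not code from the SDK, the middleware package, or this PR): a hand-rolled, synchronous stand-in for requireBearerAuth, an OAuthTokenVerifier, and the authInfo a handler would read, showing that the 401/403 WWW-Authenticate challenge is emitted with or without resourceMetadataUrl. The interface shapes, the demo-client id, the scope names and the metadata URL are assumptions.

```typescript
// Added example, not the SDK's middleware: a hand-rolled, synchronous stand-in
// for the requireBearerAuth + OAuthTokenVerifier + authInfo story. It shows the
// 401/403 WWW-Authenticate challenge being emitted whether or not a
// resourceMetadataUrl is configured (the point the review relies on).
export interface AuthInfo { token: string; clientId: string; scopes: string[]; expiresAt?: number }
export interface OAuthTokenVerifier { verifyAccessToken(token: string): AuthInfo } // throws on a bad token
export interface BearerAuthOptions {
  verifier: OAuthTokenVerifier;
  requiredScopes?: string[];
  resourceMetadataUrl?: string; // optional here, as on the real middleware
}
export interface AuthResult { status: 200 | 401 | 403; headers: Record<string, string>; authInfo?: AuthInfo; error?: string }

// RFC 6750 challenge; the RFC 9728 resource_metadata hint is only appended when configured.
export function buildChallenge(opts: BearerAuthOptions, error: string, description: string): string {
  const attrs = [`error="${error}"`, `error_description="${description}"`];
  if (opts.resourceMetadataUrl) attrs.push(`resource_metadata="${opts.resourceMetadataUrl}"`);
  return `Bearer ${attrs.join(', ')}`;
}

function tryVerify(verifier: OAuthTokenVerifier, token: string): AuthInfo | null {
  try { return verifier.verifyAccessToken(token); } catch { return null; }
}

export function authenticate(authorization: string | undefined, opts: BearerAuthOptions): AuthResult {
  const fail = (status: 401 | 403, error: string, description: string): AuthResult => ({
    status, error, headers: { 'WWW-Authenticate': buildChallenge(opts, error, description) },
  });
  if (!authorization) return fail(401, 'invalid_token', 'Missing Authorization header');
  const match = /^Bearer\s+(\S+)$/i.exec(authorization);
  if (!match) return fail(401, 'invalid_token', 'Invalid Authorization header format');
  const info = tryVerify(opts.verifier, match[1] ?? '');
  if (!info) return fail(401, 'invalid_token', 'Token verification failed');
  if (info.expiresAt !== undefined && info.expiresAt < Date.now() / 1000) {
    return fail(401, 'invalid_token', 'Token has expired');
  }
  const missing = (opts.requiredScopes ?? []).filter(s => !info.scopes.includes(s));
  if (missing.length > 0) return fail(403, 'insufficient_scope', `Missing scopes: ${missing.join(' ')}`);
  return { status: 200, headers: {}, authInfo: info }; // a handler would read this as ctx.authInfo
}

// Constructed demo verifier: accepts one static token, as the example's client does with demo-token.
export const demoVerifier: OAuthTokenVerifier = {
  verifyAccessToken(token) {
    if (token !== 'demo-token') throw new Error('unknown token');
    return { token, clientId: 'demo-client', scopes: ['mcp:tools'] };
  },
};
```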