diff --git a/Config/McpDiscoveryOptions.cs b/Config/McpDiscoveryOptions.cs
index ffaef1f..3a1aef3 100644
--- a/Config/McpDiscoveryOptions.cs
+++ b/Config/McpDiscoveryOptions.cs
@@ -1,8 +1,8 @@
 namespace GiteaMcp.Config;
 
 /// <summary>
-/// /.well-known/oauth-authorization-server 端点返回的静态元数据，
-/// 字段由 Mcp:OAuthDiscovery:* 配置项驱动。
+/// /.well-known/oauth-authorization-server + /.well-known/oauth-protected-resource
+/// 端点返回的元数据，字段由 Mcp:OAuthDiscovery:* 配置项驱动。
 /// </summary>
 public class McpDiscoveryOptions
 {
@@ -12,4 +12,11 @@ public class McpDiscoveryOptions
     public string AuthorizationEndpoint { get; set; } = "https://auth.zhengchentao.win/authorize";
     public string TokenEndpoint { get; set; } = "https://auth.zhengchentao.win/token";
     public string RegistrationEndpoint { get; set; } = "https://auth.zhengchentao.win/register";
+
+    /// <summary>
+    /// 本资源服务的标识符（RFC 9728 PRM 的 `resource` 字段，必须与 nas-auth
+    /// resources.json 里 gitea 条目的 resource_url 完全一致）。
+    /// 留空时 PRM 端点回退用请求的 `scheme://host`。
+    /// </summary>
+    public string ResourceUrl { get; set; } = string.Empty;
 }
diff --git a/Endpoints/DiscoveryEndpoints.cs b/Endpoints/DiscoveryEndpoints.cs
index c28d5e9..efd9ef0 100644
--- a/Endpoints/DiscoveryEndpoints.cs
+++ b/Endpoints/DiscoveryEndpoints.cs
@@ -4,9 +4,11 @@ using Microsoft.Extensions.Options;
 namespace GiteaMcp.Endpoints;
 
 /// <summary>
-/// OAuth 2.0 Authorization Server Metadata（RFC 8414）端点。
-/// Claude.ai 在接入 custom connector 时会先访问 /.well-known/oauth-authorization-server，
-/// 根据返回的元数据找到 nas-auth 的 authorize / token / register 端点。
+/// 两个 well-known 端点：
+/// 1. /.well-known/oauth-authorization-server (RFC 8414)：指向 nas-auth。
+/// 2. /.well-known/oauth-protected-resource (RFC 9728)：声明本资源的 identifier
+///    + 指向哪个 AS。Claude.ai 读到 PRM 后会在 /authorize 请求里带
+///    resource=<identifier>，满足 nas-auth 的 RFC 8707 校验。
 /// </summary>
 public static class DiscoveryEndpoints
 {
@@ -28,6 +30,21 @@ public static class DiscoveryEndpoints
             });
         });
 
+        app.MapGet("/.well-known/oauth-protected-resource", (HttpContext ctx, IOptions<McpDiscoveryOptions> opts) =>
+        {
+            var o = opts.Value;
+            var resourceUrl = string.IsNullOrWhiteSpace(o.ResourceUrl)
+                ? $"{ctx.Request.Scheme}://{ctx.Request.Host}"
+                : o.ResourceUrl;
+            return Results.Ok(new
+            {
+                resource = resourceUrl,
+                authorization_servers = new[] { o.Issuer },
+                scopes_supported = new[] { "read:gitea" },
+                bearer_methods_supported = new[] { "header" },
+            });
+        });
+
         return app;
     }
 }