diff --git a/Config/McpDiscoveryOptions.cs b/Config/McpDiscoveryOptions.cs
index bf8fc7a..c816825 100644
--- a/Config/McpDiscoveryOptions.cs
+++ b/Config/McpDiscoveryOptions.cs
@@ -1,8 +1,8 @@
 namespace ObsidianMcp.Config;
 
 /// <summary>
-/// /.well-known/oauth-authorization-server 返回的元数据配置。
-/// 环境变量前缀 Mcp__OAuthDiscovery__，例如 Mcp__OAuthDiscovery__Issuer=...
+/// /.well-known/oauth-authorization-server + /.well-known/oauth-protected-resource
+/// 端点返回的元数据。环境变量前缀 Mcp__OAuthDiscovery__。
 /// </summary>
 public class McpDiscoveryOptions
 {
@@ -12,4 +12,11 @@ public class McpDiscoveryOptions
     public string AuthorizationEndpoint { get; set; } = "https://auth.zhengchentao.win/authorize";
     public string TokenEndpoint { get; set; } = "https://auth.zhengchentao.win/token";
     public string RegistrationEndpoint { get; set; } = "https://auth.zhengchentao.win/register";
+
+    /// <summary>
+    /// 本资源服务的标识符（RFC 9728 PRM 的 `resource` 字段，必须与 nas-auth
+    /// resources.json 里 obsidian 条目的 resource_url 完全一致）。
+    /// 留空时 PRM 端点回退用请求的 `scheme://host`。
+    /// </summary>
+    public string ResourceUrl { get; set; } = string.Empty;
 }
diff --git a/Endpoints/DiscoveryEndpoints.cs b/Endpoints/DiscoveryEndpoints.cs
index db50b73..b4723f4 100644
--- a/Endpoints/DiscoveryEndpoints.cs
+++ b/Endpoints/DiscoveryEndpoints.cs
@@ -5,9 +5,11 @@ namespace ObsidianMcp.Endpoints;
 public static class DiscoveryEndpoints
 {
     /// <summary>
-    /// 注册 /.well-known/oauth-authorization-server 端点。
-    /// 返回静态 JSON 指向 nas-auth，让 Claude.ai 能自动发现授权服务器。
-    /// 所有字段从 McpDiscoveryOptions 读，不 hardcode。
+    /// 注册两个 well-known 端点：
+    /// 1. /.well-known/oauth-authorization-server (RFC 8414)：指向 nas-auth
+    /// 2. /.well-known/oauth-protected-resource (RFC 9728)：告诉客户端这个资源
+    ///    的 identifier 是什么 + 用哪个 AS。Claude.ai 读到 PRM 后会在
+    ///    /authorize 请求里带 resource=<identifier>，满足 nas-auth 的 RFC 8707 校验。
     /// </summary>
     public static void MapDiscoveryEndpoints(this WebApplication app)
     {
@@ -25,7 +27,23 @@ public static class DiscoveryEndpoints
                 scopes_supported = new[] { "read:obsidian", "write:obsidian" },
             });
         })
-        .AllowAnonymous() // well-known 端点不需要认证，Claude 在登录前就要访问它
+        .AllowAnonymous()
         .WithName("OAuthDiscovery");
+
+        app.MapGet("/.well-known/oauth-protected-resource", (HttpContext ctx, McpDiscoveryOptions opts) =>
+        {
+            var resourceUrl = string.IsNullOrWhiteSpace(opts.ResourceUrl)
+                ? $"{ctx.Request.Scheme}://{ctx.Request.Host}"
+                : opts.ResourceUrl;
+            return Results.Ok(new
+            {
+                resource = resourceUrl,
+                authorization_servers = new[] { opts.Issuer },
+                scopes_supported = new[] { "read:obsidian", "write:obsidian" },
+                bearer_methods_supported = new[] { "header" },
+            });
+        })
+        .AllowAnonymous()
+        .WithName("ProtectedResourceMetadata");
     }
 }