Update docs/specification/draft/basic/authorization.mdx

localden · aaronpk · web-flow · commit 626b8bc982d9 · 2025-04-29T23:03:00.000-07:00
Co-authored-by: Aaron Parecki &lt;aaron@parecki.com&gt;
diff --git a/docs/specification/draft/basic/authorization.mdx b/docs/specification/draft/basic/authorization.mdx
@@ -315,7 +315,8 @@ MCP servers **MUST** take all necessary steps to ensure no data is returned to u
 
 For example, a MCP server could validate inbound tokens through one of the following approaches:
 
-1. Token introspection, according to [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662).  1. JWT validation, according to [RFC 9068](https://www.rfc-editor.org/rfc/rfc9068.html).
+1. Token introspection, according to [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662).  
+1. JWT validation, according to [RFC 9068](https://www.rfc-editor.org/rfc/rfc9068.html).
 1. Custom validation, according to the conventions established by the AS.
 
 MCP servers **MUST** strictly validate token audiences and only accept tokens specifically intended for themselves. Implementers **MUST NOT** design architectures where clients send
