Update authorization.mdx

localden · localden · commit cf931b256c94 · 2025-04-23T11:43:16.000-07:00
diff --git a/docs/specification/draft/basic/authorization.mdx b/docs/specification/draft/basic/authorization.mdx
@@ -90,6 +90,12 @@ The specific use of `authorization_servers` is beyond the scope of this specific
 the [OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13) documentation for
 guidance on implementation details.
 
+Protected Resource Metadata documents can define multiple authorization servers. Most MCP server
+implementations will only require a single authorization server entry.
+
+The responsibility for selecting which authorization server to use lies with the MCP client, following the guidelines specified in
+[RFC9728 Section 7.6 "Authorization Servers"](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13#name-authorization-servers).
+
 MCP servers **MUST** use the HTTP header `WWW-Authenticate` when returning a _401 Unauthorized_ to indicate the location of the resource server metadata URL
 as described in [OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13).
 
