# `AshAuthentication.Phoenix.Oauth2Server.BearerPlug`
[🔗](https://github.com/team-alembic/ash_authentication_oauth2_server/blob/v0.1.0/lib/ash_authentication_phoenix/oauth2_server/bearer_plug.ex#L5)

Resource-server side bearer token validation.

Validates an `Authorization: Bearer <jwt>` header against the configured
authorization server. On success, loads the user via `Ash.get/3` on the
configured `user_resource` and sets it as the conn's actor.

## Usage

    pipeline :mcp_protected do
      plug AshAuthentication.Phoenix.Oauth2Server.BearerPlug,
        oauth2_server: MyApp.Oauth2Server
    end

## Options

  * `:oauth2_server` (required) — your `Oauth2Server` config module
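  * `:required?` (default `true`) — when `false`, requests with a missing or
    invalid token pass through unchanged instead of receiving a 401. Useful
    for routes that should also serve users who are not bearer-authenticated
    and are identified by a different signal (e.g. a session). Because the
    conn is left unchanged in that case, this plug sets no actor, and
    downstream code must check for one rather than assume the request was
    authenticated.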

## Failure behavior

Per RFC 6750 §3, a missing or invalid token results in `401` with a
`WWW-Authenticate: Bearer resource_metadata="..."` header pointing at
the protected-resource metadata endpoint, so MCP-style clients can
auto-discover the authorization server.
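
The challenge described above can be checked from the client side or in an integration test. The following is an added example, not code from `ash_authentication_oauth2_server`: it parses a `WWW-Authenticate` value and accepts the `resource_metadata` URL only when it is `https` and on an expected host. The module name `BearerChallenge`, the host allow-list policy and the sample header values are assumptions made for illustration.

```elixir
defmodule BearerChallenge do
  @moduledoc "Added example: parse and vet a `WWW-Authenticate: Bearer ...` challenge."

  @doc "Returns {:ok, params} for a Bearer challenge, :error for anything else."
  def parse(header) when is_binary(header) do
    [scheme | rest] = String.split(String.trim(header), ~r/\s+/, parts: 2)

    if String.downcase(scheme) == "bearer",
      do: {:ok, params(Enum.join(rest))},
      else: :error
  end

  @doc """
  Returns {:ok, url} only when `resource_metadata` is an https URL whose host
  is in `allowed_hosts` (a policy chosen for this example, so that a client
  does not fetch metadata from wherever a response points it).
  """
  def metadata_url(header, allowed_hosts) do
    with {:ok, %{"resource_metadata" => url}} <- parse(header),
         %URI{scheme: "https", host: host} when is_binary(host) <- URI.parse(url),
         true <- host in allowed_hosts do
      {:ok, url}
    else
      _ -> {:error, :untrusted_or_missing_metadata}
    end
  end

  # auth-param = token "=" ( token / quoted-string ); names are case-insensitive.
  defp params(rest) do
    ~r/([A-Za-z0-9_-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]+)/
    |> Regex.scan(rest)
    |> Map.new(fn [_, name, value] -> {String.downcase(name), unquote_value(value)} end)
  end

  # Strip the surrounding quotes and resolve backslash escapes.
  defp unquote_value("\"" <> _ = quoted) do
    quoted |> String.slice(1..-2//1) |> String.replace(~r/\\(.)/, "\\1")
  end

  defp unquote_value(token), do: token
end

# Constructed sample header values, not captured from a real server.
hosts = ["api.example.test"]
good = ~s(Bearer resource_metadata="https://api.example.test/oauth/resource-metadata")
IO.inspect(BearerChallenge.metadata_url(good, hosts))
IO.inspect(BearerChallenge.metadata_url(~s(Bearer resource_metadata="http://198.51.100.7/m"), hosts))
IO.inspect(BearerChallenge.metadata_url(~s(Basic realm="x"), hosts))
```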

