docs: fix markdownlint in auth multiprotocol docs

Author: nypdmax

docs/authorization-multiprotocol.md

@@ -58,7 +58,7 @@ Discovery answers: *Which auth protocols does this resource support, and where i
 - For the protocol list: if the PRM has `mcp_auth_protocols`, use it (priority 1). Otherwise try path-relative `/.well-known/authorization_servers{path}`, then root `/.well-known/authorization_servers`. If both fail and the PRM has `authorization_servers`, use OAuth fallback.
 - Merge the protocol list with WWW-Authenticate `auth_protocols` if present, then select one via `AuthProtocolRegistry.select_protocol(available, default_protocol, preferences)`.
 
-**Relationship between authorization URL endpoints**
+#### Relationship between authorization URL endpoints
 
 There are three distinct URL trees involved:
 
@@ -70,9 +70,9 @@ There are three distinct URL trees involved:
 | **MCP Resource Server (RS)** | `/.well-known/authorization_servers` | RS | Unified protocol discovery (MCP extension): `protocols`, `default_protocol`, `protocol_preferences` |
 | **MCP Resource Server (RS)** | `/{resource_path}` (e.g. `/mcp`) | RS | Protected MCP endpoint |
 
-**URL tree (example: AS on 9000, RS on 8002)**
+#### URL tree (example: AS on 9000, RS on 8002)
 
-```
+```text
 OAuth Authorization Server (http://localhost:9000)
 ├── /.well-known/oauth-authorization-server   ← OAuth AS metadata
 ├── /authorize
@@ -87,7 +87,7 @@ MCP Resource Server (http://localhost:8002)
 └── /mcp                                      ← Protected MCP endpoint
 ```
 
-**Client discovery order**
+#### Client discovery order
 
 1. On 401, read `resource_metadata` from WWW-Authenticate (e.g. `http://localhost:8002/.well-known/oauth-protected-resource/mcp`).
 2. If absent, try the path-based URL: `{origin}/.well-known/oauth-protected-resource{resource_path}` (e.g. `http://localhost:8002/.well-known/oauth-protected-resource/mcp`).
@@ -184,9 +184,9 @@ The server exposes protected MCP endpoints and declares supported auth methods v
 2. **Unified discovery** — `create_authorization_servers_discovery_routes(protocols, default_protocol, protocol_preferences)` registers `/.well-known/authorization_servers`. The handler returns `{ "protocols": [ AuthProtocolMetadata, ... ] }` plus optional default and preferences.
 3. **401 responses** — Middleware (e.g. RequireAuthMiddleware) returns 401 with WWW-Authenticate including at least Bearer (and optionally `resource_metadata`, `auth_protocols`, `default_protocol`, `protocol_preferences`).
 
-**Configuration and URL tree — requirements by server type**
+#### Configuration and URL tree — requirements by server type
 
-**Authorization Server (AS) — configuration requirements**
+#### Authorization Server (AS) — configuration requirements
 
 | Item | Description |
 |------|-------------|
@@ -198,7 +198,7 @@ The server exposes protected MCP endpoints and declares supported auth methods v
 
 No changes to the AS are required for multi-protocol itself; the AS need only support standard OAuth 2.0 and (optionally) DPoP-bound tokens.
 
-**MCP Resource Server (RS) — configuration requirements**
+#### MCP Resource Server (RS) — configuration requirements
 
 | Item | Description |
 |------|-------------|
@@ -355,13 +355,15 @@ If you use `OAuthClientProvider` or `simple-auth-client` and want to add multi-p
 #### Step 2: Client — switch to MultiProtocolAuthProvider
 
 **Before (OAuth only):**
+
 ```python
 from mcp.client.auth.oauth2 import OAuthClientProvider
 provider = OAuthClientProvider(...)
 client = httpx.AsyncClient(auth=provider)
 ```
 
 **After (multi-protocol):**
+
 ```python
 from mcp.client.auth.multi_protocol import MultiProtocolAuthProvider, TokenStorage
 from mcp.client.auth.registry import AuthProtocolRegistry
@@ -388,6 +390,7 @@ provider._http_client = client
 - Alternatively, use `OAuthTokenStorageAdapter` to wrap storage that supports only OAuthToken.
 
 **If you add API Key:**
+
 ```python
 async def get_tokens(self) -> AuthCredentials | OAuthToken | None:
     return self._creds  # may be OAuthToken or APIKeyCredentials
@@ -399,6 +402,7 @@ async def set_tokens(self, tokens: AuthCredentials | OAuthToken) -> None:
 #### Step 4: Server — add MultiProtocolAuthBackend and PRM extensions
 
 **Before (OAuth only):**
+
 ```python
 # Single OAuth verifier
 token_verifier = TokenVerifier(...)
@@ -407,6 +411,7 @@ oauth_verifier = OAuthTokenVerifier(token_verifier)
 ```
 
 **After (multi-protocol):**
+
 ```python
 from mcp.server.auth.verifiers import (
     MultiProtocolAuthBackend,

examples/README.md

@@ -8,17 +8,17 @@ for real-world servers.
 
 - **Server**: [simple-auth-multiprotocol](servers/simple-auth-multiprotocol/) — RS with OAuth, API Key, DPoP, and Mutual TLS (placeholder).
 
-**API Key**
+### API Key
 
 - Use `MCP_API_KEY` on the client; start RS with `--api-keys=...` (no AS required).
 - One-command test (from repo root): `MCP_AUTH_PROTOCOL=api_key ./scripts/run_phase2_multiprotocol_integration_test.sh`
 
-**OAuth + DPoP**
+### OAuth + DPoP
 
 - Start AS and RS with `--dpop-enabled`; client: `MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1`.
 - One-command test (from repo root): `./scripts/run_phase4_dpop_integration_test.sh` (use `MCP_SKIP_OAUTH=1` to skip manual OAuth step).
 
-**Mutual TLS (placeholder)**
+### Mutual TLS (placeholder)
 
 - mTLS is a placeholder (no client cert validation). Script: `MCP_AUTH_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`
 - mTLS is a placeholder (no client cert validation). Script: `MCP_AUTH_PROTOCOL=mutual_tls ./scripts/run_phase2_multiprotocol_integration_test.sh`

examples/servers/simple-auth-multiprotocol/README.md

@@ -24,11 +24,13 @@ MCP Resource Server example that supports **OAuth 2.0** (introspection), **API K
 You can run the Resource Server **without** the Authorization Server when using API Key authentication:
 
 1. **Start the Resource Server** (from this directory):
+
    ```bash
    uv run mcp-simple-auth-multiprotocol-rs --port=8002 --api-keys=demo-api-key-12345
    ```
 
 2. **Run the client** from `examples/clients/simple-auth-multiprotocol-client`:
+
    ```bash
    MCP_SERVER_URL=http://localhost:8002/mcp MCP_API_KEY=demo-api-key-12345 uv run mcp-simple-auth-multiprotocol-client
    ```
@@ -47,14 +49,17 @@ DPoP (Demonstrating Proof-of-Possession, RFC 9449) binds the access token to a c
    `uv run mcp-simple-auth-as --port=9000`
 
 2. **Start this Resource Server with DPoP enabled** (from this directory):
+
    ```bash
    uv run mcp-simple-auth-multiprotocol-rs --port=8002 --auth-server=http://localhost:9000 --api-keys=demo-api-key-12345 --dpop-enabled
    ```
 
 3. **Run the client** with OAuth and DPoP from `examples/clients/simple-auth-multiprotocol-client`:
+
    ```bash
    MCP_SERVER_URL=http://localhost:8002/mcp MCP_USE_OAUTH=1 MCP_DPOP_ENABLED=1 uv run mcp-simple-auth-multiprotocol-client
    ```
+
    Complete OAuth in the browser, then at `mcp>` run `list`, `call get_time {}`, `quit`. Server logs should show "Authentication successful with DPoP".
 
 **One-command verification** (from repo root):  
@@ -72,7 +77,7 @@ Mutual TLS is a **placeholder** in this example: the server accepts the `mutual_
 ## Options
 
 - `--port`: RS port (default 8002).
-- `--auth-server`: AS URL (default http://localhost:9000).
+- `--auth-server`: AS URL (default <http://localhost:9000>).
 - `--api-keys`: Comma-separated valid API keys (default demo-api-key-12345).
 - `--oauth-strict`: Enable RFC 8707 resource validation.
 - `--dpop-enabled`: Enable DPoP proof verification (RFC 9449); use with OAuth.

tests/PHASE1_OAUTH2_REGRESSION_TEST_PLAN.md

@@ -47,7 +47,7 @@ Run existing tests to ensure no regressions. Phase 1 does not change call sites:
 
 - **RequireAuthMiddleware**
   - Instantiate with only `(app, required_scopes, resource_metadata_url)`.
-  - WWW-Authenticate must still start with `Bearer ` and include `error`, `error_description`, and optionally `resource_metadata`; no requirement for `auth_protocols` / `default_protocol` / `protocol_preferences`.
+  - WWW-Authenticate must still start with `Bearer` and include `error`, `error_description`, and optionally `resource_metadata`; no requirement for `auth_protocols` / `default_protocol` / `protocol_preferences`.
 - Existing tests in `tests/server/auth/middleware/test_bearer_auth.py` (e.g. `TestRequireAuthMiddleware`) must pass.
 
 ### 3.4 Commands
@@ -72,12 +72,14 @@ Manual (or script-assisted) run to confirm the full OAuth2 flow still works with
 
 1. **Start Authorization Server (AS)**  
    From `examples/servers/simple-auth`:
+
    ```bash
    uv run mcp-simple-auth-as --port=9000
    ```
 
 2. **Start Resource Server (RS)**  
    In another terminal, from `examples/servers/simple-auth`:
+
    ```bash
    uv run mcp-simple-auth-rs --port=8001 --auth-server=http://localhost:9000 --transport=streamable-http
    ```
@@ -90,6 +92,7 @@ Manual (or script-assisted) run to confirm the full OAuth2 flow still works with
 
 4. **Run client**  
    From `examples/clients/simple-auth-client`:
+
    ```bash
    MCP_SERVER_PORT=8001 MCP_TRANSPORT_TYPE=streamable-http uv run mcp-simple-auth-client
    ```