diff --git a/src/server/auth/handlers/metadata.test.ts b/src/server/auth/handlers/metadata.test.ts
index 32feb6429..bdaa45b15 100644
--- a/src/server/auth/handlers/metadata.test.ts
+++ b/src/server/auth/handlers/metadata.test.ts
@@ -29,7 +29,7 @@ describe('Metadata Handler', () => {
         const response = await supertest(app).post('/.well-known/oauth-authorization-server').send({});
 
         expect(response.status).toBe(405);
-        expect(response.headers.allow).toBe('GET');
+        expect(response.headers.allow).toBe('GET, OPTIONS');
         expect(response.body).toEqual({
             error: 'method_not_allowed',
             error_description: 'The method POST is not allowed for this endpoint'
diff --git a/src/server/auth/handlers/metadata.ts b/src/server/auth/handlers/metadata.ts
index d8ca0e62d..e0f07a99b 100644
--- a/src/server/auth/handlers/metadata.ts
+++ b/src/server/auth/handlers/metadata.ts
@@ -10,7 +10,7 @@ export function metadataHandler(metadata: OAuthMetadata | OAuthProtectedResource
     // Configure CORS to allow any origin, to make accessible to web-based MCP clients
     router.use(cors());
 
-    router.use(allowedMethods(['GET']));
+    router.use(allowedMethods(['GET', 'OPTIONS']));
     router.get('/', (req, res) => {
         res.status(200).json(metadata);
     });