diff --git a/src/oauth2/formats/json.ts b/src/oauth2/formats/json.ts
index ef624d68..9b95c6df 100644
--- a/src/oauth2/formats/json.ts
+++ b/src/oauth2/formats/json.ts
@@ -1,33 +1,5 @@
 import { OAuth2Token } from '../types.js';
-import { resolve } from 'url';
-import { getGlobalOrigin } from '@curveball/kernel';
-export function metadata() {
-
- return {
- issuer: getGlobalOrigin(),
- authorization_endpoint: '/authorize',
-
- token_endpoint: '/token',
- token_endpoint_auth_methods_supported: ['client_secret_basic'],
- token_endpoint_auth_signing_alg_values_supported: ['RS256'],
-
- jwks_uri: resolve(getGlobalOrigin(), '/.well-known/jwks.json'),
-
- scopes_supported: ['openid'],
-
- response_types_supported: ['token', 'code', 'code id_token'],
- grant_types_supported: ['client_credentials', 'implicit', 'authorization_code', 'refresh_token'],
- id_token_signing_alg_values_supported: ['RS256'],
-
- service_documentation: getGlobalOrigin(),
- ui_locales_supported: ['en'],
- introspection_endpoint: '/introspect',
- revocation_endpoint: '/revoke',
- revocation_endpoint_auth_methods_supported: ['client_secret_basic'],
- };
-
-}
 export function tokenResponse(token: OAuth2Token) {
 return {
 access_token: token.accessToken,
diff --git a/src/well-known/controller/oauth2-metadata.ts b/src/well-known/controller/oauth2-metadata.ts
index 62042381..81c98507 100644
--- a/src/well-known/controller/oauth2-metadata.ts
+++ b/src/well-known/controller/oauth2-metadata.ts
@@ -1,6 +1,6 @@
 import Controller from '@curveball/controller';
 import { Context } from '@curveball/core';
-import { metadata } from '../../oauth2/formats/json.js';
+import { metadata } from '../formats/json.js';
 class MetadataController extends Controller {
diff --git a/src/well-known/controller/openid-configuration.ts b/src/well-known/controller/openid-configuration.ts
index 62042381..81c98507 100644
--- a/src/well-known/controller/openid-configuration.ts
+++ b/src/well-known/controller/openid-configuration.ts
@@ -1,6 +1,6 @@
 import Controller from '@curveball/controller';
 import { Context } from '@curveball/core';
-import { metadata } from '../../oauth2/formats/json.js';
+import { metadata } from '../formats/json.js';
 class MetadataController extends Controller {
diff --git a/src/well-known/formats/json.ts b/src/well-known/formats/json.ts
new file mode 100644
index 00000000..859d601e
--- /dev/null
+++ b/src/well-known/formats/json.ts
@@ -0,0 +1,67 @@
+import { resolve } from 'url';
+import { getGlobalOrigin } from '@curveball/kernel';
+
+type AuthMethod = 'client_secret_basic';
+type SigningAlgs = 'RS256';
+
+type GrantType = 'client_credentials' | 'implicit' | 'authorization_code' | 'refresh_token';
+
+type ResponseType = 'token' | 'code' | 'code id_token';
+
+type MetaData = {
+ issuer: string;
+ authorization_endpoint: string;
+ token_endpoint: string;
+
+ token_endpoint_auth_methods_supported: AuthMethod[];
+ token_endpoint_auth_signing_alg_values_supported: SigningAlgs[];
+
+ jwks_uri: string;
+ scopes_supported: string[];
+
+ response_types_supported: ResponseType[];
+ grant_types_supported: GrantType[];
+
+ id_token_signing_alg_values_supported: SigningAlgs[];
+
+ service_documentation: string;
+ ui_locales_supported: string[];
+
+ introspection_endpoint: string;
+ revocation_endpoint: string;
+ revocation_endpoint_auth_methods_supported: AuthMethod[];
+
+ // https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-00.html
+ authorization_challenge_endpoint: string;
+
+}
+
+export function metadata(): MetaData {
+
+ return {
+ issuer: getGlobalOrigin(),
+ authorization_endpoint: '/authorize',
+
+ token_endpoint: '/token',
+ token_endpoint_auth_methods_supported: ['client_secret_basic'],
+ token_endpoint_auth_signing_alg_values_supported: ['RS256'],
+
+ jwks_uri: resolve(getGlobalOrigin(), '/.well-known/jwks.json'),
+
+ scopes_supported: ['openid'],
+
+ response_types_supported: ['token', 'code', 'code id_token'],
+ grant_types_supported: ['client_credentials', 'implicit', 'authorization_code', 'refresh_token'],
+ id_token_signing_alg_values_supported: ['RS256'],
+
+ service_documentation: getGlobalOrigin(),
+ ui_locales_supported: ['en'],
+ introspection_endpoint: '/introspect',
+ revocation_endpoint: '/revoke',
+ revocation_endpoint_auth_methods_supported: ['client_secret_basic'],
+
+ authorization_challenge_endpoint: '/authorization-challenge',
+
+ };
+
+}
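Review bot: The endpoint fields returned by `metadata()` are relative paths (`authorization_endpoint: '/authorize'`, `token_endpoint: '/token'`, `introspection_endpoint`, `revocation_endpoint`, `authorization_challenge_endpoint`) while RFC 8414 and OpenID Connect Discovery define every `*_endpoint` field as an absolute URL; only `jwks_uri` is resolved against the origin, so a discovery client that builds requests from this document will either reject it or resolve the path against whatever base it happens to hold. The same lines were carried over verbatim from the old `src/oauth2/formats/json.ts` in the first hunk, so the move does not change the behaviour. Hoisting `getGlobalOrigin()` into a local and resolving each endpoint with `new URL(path, origin).toString()` fixes all of them in one place and also removes the legacy `url.resolve` import, whose resolution rules differ from the WHATWG `URL` class. Two further items I cannot verify from this hunk: if the server supports PKCE the document should advertise `code_challenge_methods_supported`, and advertising `implicit` / `token` should be a deliberate choice since the OAuth 2.0 Security BCP recommends against that flow. Cosmetically, `MetaData` and `SigningAlgs` would read better as `Metadata` and `SigningAlg` alongside the other singular PascalCase aliases.
```typescript
export function metadata(): MetaData {

  const origin = getGlobalOrigin();
  // Discovery documents must carry absolute URLs (RFC 8414 §2); resolve
  // every endpoint against the configured origin in one place.
  const absolute = (path: string): string => new URL(path, origin).toString();

  return {
    issuer: origin,
    authorization_endpoint: absolute('/authorize'),

    token_endpoint: absolute('/token'),
    // … unchanged: token_endpoint_auth_* …

    jwks_uri: absolute('/.well-known/jwks.json'),

    // … unchanged: scopes_supported, response/grant types, id_token alg …

    service_documentation: origin,
    ui_locales_supported: ['en'],
    introspection_endpoint: absolute('/introspect'),
    revocation_endpoint: absolute('/revoke'),
    // … unchanged: revocation_endpoint_auth_methods_supported …

    authorization_challenge_endpoint: absolute('/authorization-challenge'),

  };

}
```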