diff --git a/src/scenarios/client/auth/helpers/createAuthServer.ts b/src/scenarios/client/auth/helpers/createAuthServer.ts
index d7d1fc44..4dde4794 100644
--- a/src/scenarios/client/auth/helpers/createAuthServer.ts
+++ b/src/scenarios/client/auth/helpers/createAuthServer.ts
@@ -59,8 +59,10 @@ export interface AuthServerOptions {
    * Override the `issuer` value served in the AS metadata document. Used to
    * test that clients validate the metadata issuer against the issuer
    * identifier used to construct the well-known URL (RFC 8414 §3.3).
+   * Accepts a lazy getter for callers that don't know the server URL until
+   * after `start()`.
    */
-  metadataIssuer?: string;
+  metadataIssuer?: string | (() => string);
   tokenVerifier?: MockTokenVerifier;
   onTokenRequest?: (requestData: {
     scope?: string;
@@ -156,7 +158,10 @@ export function createAuthServer(
   });
 
   const metadata: any = {
-    issuer: metadataIssuer ?? `${getAuthBaseUrl()}${routePrefix}`,
+    issuer:
+      typeof metadataIssuer === 'function'
+        ? metadataIssuer()
+        : (metadataIssuer ?? `${getAuthBaseUrl()}${routePrefix}`),
     authorization_endpoint: `${getAuthBaseUrl()}${authRoutes.authorization_endpoint}`,
     token_endpoint: `${getAuthBaseUrl()}${authRoutes.token_endpoint}`,
     ...(!disableDynamicRegistration && {
diff --git a/src/scenarios/client/auth/march-spec-backcompat.ts b/src/scenarios/client/auth/march-spec-backcompat.ts
index 3e543882..48f9170a 100644
--- a/src/scenarios/client/auth/march-spec-backcompat.ts
+++ b/src/scenarios/client/auth/march-spec-backcompat.ts
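Review bot: The sentence added to the `metadataIssuer` doc comment says a getter is accepted but not when it is invoked, which is the one thing a caller passing a lazy value needs to know. In the second hunk the getter is called where the `metadata` object is built in `createAuthServer`, next to the `getAuthBaseUrl()` calls; whether that object is built per metadata request or once when `createAuthServer` runs is not visible here, so confirm it and state it, e.g. `* The getter is invoked each time the metadata document is built (alongside getAuthBaseUrl()), so it may read state that only exists after start().` Without that sentence a reader cannot tell whether the "lazy" promise in the comment actually holds.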
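Review bot: The three-line nested ternary under `issuer:` is hard to scan, and wrapping the `??` fallback in parentheses obscures that the default applies only when the option is absent. Resolving the option into a local first keeps the narrowing in one place: `const issuer = typeof metadataIssuer === 'function' ? metadataIssuer() : metadataIssuer;` followed by `issuer: issuer ?? \`${getAuthBaseUrl()}${routePrefix}\`,`. Behaviour is unchanged, since `??` only replaces null/undefined and the getter is typed to return a string. The enclosing `createAuthServer` function starts before and continues after this hunk.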
@@ -25,8 +25,12 @@ export class Auth20250326OAuthMetadataBackcompatScenario implements Scenario {
     const authApp = createAuthServer(ctx, this.checks, this.server.getUrl, {
       // Disable logging since the main server will already have logging enabled
       loggingEnabled: false,
-      // Add a prefix to auth endpoints to avoid being caught by auth fallbacks
-      routePrefix: '/oauth'
+      // Keep auth endpoints off the 2025-03-26 fallback paths so a client that
+      // fetches metadata but ignores the advertised endpoints still 404s.
+      routePrefix: '/oauth',
+      // Metadata is served at the root well-known path, so per RFC 8414 §3.3
+      // the `issuer` must be the bare origin — not `/oauth`.
+      metadataIssuer: () => this.server.getUrl()
     });
     const app = createServer(
       ctx,
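Review bot: `metadataIssuer: () => this.server.getUrl()` advertises whatever `getUrl()` returns as the issuer, while the scenario's premise (RFC 8414 §3.3, per the new comment) is that a client rejects metadata whose `issuer` differs from the identifier it derived from the well-known URL; if `getUrl()` ever returns a trailing slash or a non-canonical host/port form, the server would be advertising an issuer a conforming client should reject, and the scenario would fail for the wrong reason. I cannot see `getUrl` from this hunk, so this is a confirmation request rather than a known defect. Either extend the new comment, e.g. `// getUrl() must return the bare origin with no trailing slash so it equals what the client derives.`, or normalise here with `metadataIssuer: () => this.server.getUrl().replace(/\/$/, '')` if that form is not guaranteed. The enclosing method continues outside the hunk.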