diff --git a/ready.go b/ready.go
new file mode 100644
index 0000000..b1747c7
--- /dev/null
+++ b/ready.go
@@ -0,0 +1,11 @@
+package traefikoidc
+
+// Ready reports whether the middleware has completed at least one successful
+// OIDC provider metadata discovery. Used by external supervisors (e.g. the
+// oidcgate /readyz endpoint) to gate traffic until the IdP discovery doc
+// has been fetched and the authorization endpoint is known.
+func (t *TraefikOidc) Ready() bool {
+	t.metadataMu.RLock()
+	defer t.metadataMu.RUnlock()
+	return t.authURL != ""
+}
diff --git a/ready_test.go b/ready_test.go
new file mode 100644
index 0000000..3ebdf7f
--- /dev/null
+++ b/ready_test.go
@@ -0,0 +1,20 @@
+package traefikoidc
+
+import "testing"
+
+func TestReady_FalseBeforeMetadata(t *testing.T) {
+	tr := &TraefikOidc{}
+	if tr.Ready() {
+		t.Fatal("Ready() should be false before metadata discovery")
+	}
+}
+
+func TestReady_TrueAfterAuthURLSet(t *testing.T) {
+	tr := &TraefikOidc{}
+	tr.metadataMu.Lock()
+	tr.authURL = "https://idp.example/authorize"
+	tr.metadataMu.Unlock()
+	if !tr.Ready() {
+		t.Fatal("Ready() should be true once authURL is populated")
+	}
+}