# auth.md

This site supports agent registration discovery through Auth.md and OAuth metadata.

## Audience

AI agents and automated clients that need to discover how to authenticate with this site's APIs.

## Discovery

- OAuth Authorization Server Metadata: https://lebanonscafe.com/.well-known/oauth-authorization-server
- OAuth Protected Resource Metadata: https://lebanonscafe.com/.well-known/oauth-protected-resource
- JWKS: https://lebanonscafe.com/oauth/jwks.json

Agents should read the `agent_auth` block from the Authorization Server metadata. The Protected Resource Metadata also mirrors the block for scanners and agents that begin there.

## Registration

- Registration endpoint: https://lebanonscafe.com/agent/auth
- Claim endpoint: https://lebanonscafe.com/agent/auth/claim
- Revocation endpoint: https://lebanonscafe.com/agent/auth/revoke

## Supported methods

### identity_assertion + id-jag or verified_email

```http
POST /agent/auth HTTP/1.1
Content-Type: application/json

{
  "type": "identity_assertion",
  "assertion_type": "urn:ietf:params:oauth:token-type:id-jag",
  "assertion": "AGENT_ASSERTION",
  "scopes": ["agent:read", "catalog:read"]
}
```

Successful responses can issue `access_token` or `api_key` credentials.

### anonymous

```http
POST /agent/auth HTTP/1.1
Content-Type: application/json

{
  "type": "anonymous",
  "scopes": ["agent:read"]
}
```

Anonymous registrations can receive a limited pre-claim credential and use the claim endpoint later.

## Credential use

Agents should request scopes from `scopes_supported` in the protected resource metadata and send bearer access tokens in the HTTP `Authorization` header.
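The discovery and registration steps above from the client side, as an added example (not this site's own code): it checks both metadata documents before trusting an advertised endpoint and builds the request body only from advertised scopes. The sample documents are constructed, and the key names inside `agent_auth`, the issuer value and the same-origin policy are assumptions.

```python
from urllib.parse import urlsplit

ISSUER = "https://lebanonscafe.com"  # assumed issuer value
# Constructed sample documents; key names inside "agent_auth" are assumptions.
AGENT_AUTH = {
    "registration_endpoint": ISSUER + "/agent/auth",
    "claim_endpoint": ISSUER + "/agent/auth/claim",
    "revocation_endpoint": ISSUER + "/agent/auth/revoke",
}
AS_METADATA = {"issuer": ISSUER, "agent_auth": dict(AGENT_AUTH)}
PR_METADATA = {"resource": ISSUER, "authorization_servers": [ISSUER],
               "scopes_supported": ["agent:read", "catalog:read"],
               "agent_auth": dict(AGENT_AUTH)}

def https_origin(url):
    """Return (host, port) of an https URL; reject every other scheme."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return (parts.hostname, parts.port or 443)

def validate_discovery(expected_issuer, as_meta, pr_meta):
    """Check both metadata documents before trusting an advertised endpoint."""
    if as_meta.get("issuer") != expected_issuer:
        raise ValueError("issuer differs from the URL the metadata came from")
    if expected_issuer not in pr_meta.get("authorization_servers", []):
        raise ValueError("resource does not list this authorization server")
    block = as_meta.get("agent_auth")
    if not block or pr_meta.get("agent_auth") != block:
        raise ValueError("agent_auth block missing or not mirrored")
    home = https_origin(expected_issuer)
    for name, url in block.items():
        # Client policy (assumption): endpoints must stay on the issuer's origin.
        if name.endswith("_endpoint") and https_origin(url) != home:
            raise ValueError(f"{name} is off the issuer's origin: {url!r}")
    return block

def build_registration(pr_meta, scopes, assertion=None):
    """Build the POST /agent/auth body, limited to advertised scopes."""
    extra = sorted(set(scopes) - set(pr_meta.get("scopes_supported", [])))
    if extra:
        raise ValueError(f"not in scopes_supported: {extra}")
    if assertion is None:
        return {"type": "anonymous", "scopes": list(scopes)}
    return {"type": "identity_assertion",
            "assertion_type": "urn:ietf:params:oauth:token-type:id-jag",
            "assertion": assertion, "scopes": list(scopes)}
```

The resulting body is sent to the validated `registration_endpoint`; the credential that comes back then goes in the `Authorization` header as described above.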
