# threeit auth.md

This document describes agent registration and authentication expectations for the threeit public site and APIs.

## Agent audience

Agents may read public content, request Markdown page variants, inspect the API catalog, and help users prepare project inquiries.

## Registration

threeit does not provide automated self-service credential issuance for public agents today. Agents that need integration access should use the contact route, Telegram `@grndset`, or email `ishirinov@threeit.com` with the intended use case, operator identity, callback URL, and requested scopes.

## agent_auth metadata

Agents should discover OAuth Protected Resource Metadata first, then fetch OAuth Authorization Server Metadata. The Authorization Server Metadata includes the same `agent_auth` block shown below.

```json
{
  "agent_auth": {
    "skill": "https://threeit.com/auth.md",
    "register_uri": "https://threeit.com/agent/auth",
    "claim_uri": "https://threeit.com/agent/auth/claim",
    "revocation_uri": "https://threeit.com/agent/auth/revoke",
    "identity_types_supported": ["anonymous", "identity_assertion"],
    "anonymous": {
      "credential_types_supported": ["api_key"]
    },
    "identity_assertion": {
      "assertion_types_supported": [
        "urn:ietf:params:oauth:token-type:id-jag",
        "verified_email"
      ],
      "credential_types_supported": ["access_token", "api_key"]
    },
    "events_supported": [
      "https://schemas.workos.com/events/agent/auth/identity/assertion/revoked"
    ]
  }
}
```
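An agent should check the discovered block before sending credentials or assertions to any URI in it. The following is an added example, not threeit's own code: it rejects metadata whose endpoints are not HTTPS or not on the host the agent intended to reach, and looks up the credential types offered for an identity type. The same-host rule, `EXPECTED_HOST`, and the function names are assumptions of this sketch.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "threeit.com"  # assumption: the host the agent meant to contact
URI_FIELDS = ("skill", "register_uri", "claim_uri", "revocation_uri")

# agent_auth block from this page (events_supported omitted), embedded to run offline.
SAMPLE = {"agent_auth": {
    "skill": "https://threeit.com/auth.md",
    "register_uri": "https://threeit.com/agent/auth",
    "claim_uri": "https://threeit.com/agent/auth/claim",
    "revocation_uri": "https://threeit.com/agent/auth/revoke",
    "identity_types_supported": ["anonymous", "identity_assertion"],
    "anonymous": {"credential_types_supported": ["api_key"]},
    "identity_assertion": {
        "assertion_types_supported": [
            "urn:ietf:params:oauth:token-type:id-jag", "verified_email"],
        "credential_types_supported": ["access_token", "api_key"]},
}}


def validate_agent_auth(metadata, expected_host=EXPECTED_HOST):
    """Return a list of problems; an empty list means the block is usable."""
    block = metadata.get("agent_auth")
    if not isinstance(block, dict):
        return ["agent_auth block missing"]
    problems = []
    for field in URI_FIELDS:
        value = block.get(field)
        if not isinstance(value, str):
            problems.append(f"{field}: missing")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{field}: not https")
        # hostname drops userinfo and port, so "threeit.com@other.example" fails.
        if url.hostname != expected_host:
            problems.append(f"{field}: host {url.hostname!r} is not {expected_host}")
    for identity in block.get("identity_types_supported", []):
        creds = block.get(identity, {}).get("credential_types_supported")
        if not creds:
            problems.append(f"{identity}: no credential types listed")
    return problems


def credential_types(metadata, identity_type):
    """Credential types offered for an identity type, or [] if unsupported."""
    block = metadata.get("agent_auth", {})
    if identity_type not in block.get("identity_types_supported", []):
        return []
    return block.get(identity_type, {}).get("credential_types_supported", [])
```

Run `validate_agent_auth` on the parsed Authorization Server Metadata response and stop if the returned list is non-empty.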

## Credential use

- Public content does not require OAuth credentials.
- `POST /api/submissions` is temporarily paused while the public contact form backend is being finished.
- Protected admin APIs are first-party administrative endpoints and are not available for third-party agent automation.
- OAuth Protected Resource Metadata: https://threeit.com/.well-known/oauth-protected-resource
- OAuth Authorization Server Metadata: https://threeit.com/.well-known/oauth-authorization-server
