# auth.md

IBretake supports agent discovery for public documentation and integration planning.
Self-service OAuth token issuance for autonomous agents is not currently enabled.

## Registration

Agents that need access beyond public discovery documents should contact
support@ibretake.com with:

- operator name and domain
- intended workflow
- callback or documentation URL
- verified technical contact email

The current registration URI is https://ibretake.com/auth.md.

## agent_auth

```json
{
  "register_uri": "https://ibretake.com/auth.md",
  "identity_types_supported": ["identity_assertion"],
  "credential_types_supported": ["oauth2_authorization_code", "session_cookie"],
  "claim_uri": "https://ibretake.com/auth.md#registration",
  "identity_assertion": {
    "assertion_types_supported": ["verified_email"],
    "credential_types_supported": ["oauth2_authorization_code"],
    "claim_uri": "https://ibretake.com/auth.md#registration"
  }
}
```
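A consistency check an agent operator could run on this block before relying on it. This is an added example, not IBretake code; the function names and the two rules it enforces (every `*_uri` is HTTPS on the expected host, and nested credential types also appear at the top level) are assumptions, not requirements stated on this page.

```python
import json
from urllib.parse import urlsplit

# The agent_auth block from this page, embedded so the check runs offline.
AGENT_AUTH = json.loads("""
{
  "register_uri": "https://ibretake.com/auth.md",
  "identity_types_supported": ["identity_assertion"],
  "credential_types_supported": ["oauth2_authorization_code", "session_cookie"],
  "claim_uri": "https://ibretake.com/auth.md#registration",
  "identity_assertion": {
    "assertion_types_supported": ["verified_email"],
    "credential_types_supported": ["oauth2_authorization_code"],
    "claim_uri": "https://ibretake.com/auth.md#registration"
  }
}
""")

def uri_problems(doc, expected_host, path="agent_auth"):
    """Report every *_uri value, at any depth, that is not HTTPS on expected_host."""
    problems = []
    for key, value in doc.items():
        where = f"{path}.{key}"
        if isinstance(value, dict):
            problems += uri_problems(value, expected_host, where)
        elif key.endswith("_uri"):
            # urlsplit().hostname ignores userinfo and port, so "host@other" is caught.
            parts = urlsplit(value) if isinstance(value, str) else None
            if parts is None or parts.scheme != "https" or parts.hostname != expected_host:
                problems.append(f"{where}: not an https URL on {expected_host}")
    return problems

def credential_problems(doc):
    """Assumed rule: credential types under identity_assertion are also listed at top level."""
    top = set(doc.get("credential_types_supported", []))
    nested = doc.get("identity_assertion", {}).get("credential_types_supported", [])
    return [f"identity_assertion advertises unlisted credential type {c!r}"
            for c in nested if c not in top]

def validate(doc, expected_host):
    """Return a list of problems; an empty list means the block passed both checks."""
    return uri_problems(doc, expected_host) + credential_problems(doc)

if __name__ == "__main__":
    print(validate(AGENT_AUTH, "ibretake.com") or "agent_auth block is consistent")
```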

## Supported identity type

- `verified_email`: the assertion type accepted under `identity_assertion`; agents must provide a verified operator email during review.

## Supported credential types

- `session_cookie`: human-reviewed student and coordinator app sessions.
- `oauth2_authorization_code`: advertised for discovery; token issuance is not self-service.

## Metadata

- Protected resource metadata: https://ibretake.com/.well-known/oauth-protected-resource
- Authorization server metadata: https://ibretake.com/.well-known/oauth-authorization-server
- API catalog: https://ibretake.com/.well-known/api-catalog

## Boundaries

IBretake does not allow agents to create student or coordinator accounts,
submit paid searches, send school messages, or access private school data
without explicit human authorization.
