# Auth.md

# Agent Authentication — Pathfinder's Palette

This document tells AI agents and automated clients how to register and obtain credentials for our protected APIs.

## Identity & registration

- Human users: register at https://pathfinderspalette.com/auth (email/password or Google).
- Agents / services acting on behalf of a user must authenticate with that user's OAuth bearer token.
- Standalone agent accounts are not currently issued. Contact pathfinderspalette@zohomail.in to request agent credentials.

## OAuth metadata

- Protected resource metadata: https://pathfinderspalette.com/.well-known/oauth-protected-resource
- Authorization server metadata: https://pathfinderspalette.com/.well-known/oauth-authorization-server

## Supported credential types

- `bearer` — short-lived access token in `Authorization: Bearer <token>` header
- `oauth2_authorization_code` — interactive user consent flow
- `oauth2_refresh_token` — long-lived refresh

## Required scopes

| Scope          | Purpose                              |
| -------------- | ------------------------------------ |
| `openid`       | Authenticate the user                |
| `profile`      | Read display name and avatar         |
| `email`        | Read verified email                  |
| `trips:read`   | Read the user's saved trips          |
| `trips:write`  | Create or modify trips on behalf of the user |
| `events:read`  | Read public events and pilgrimages   |

## HTTP message signatures

When an agent operated by Pathfinder's Palette calls another site, it signs requests per RFC 9421. Our public keys are published at:

- https://pathfinderspalette.com/.well-known/http-message-signatures-directory

## Revocation

- Token revocation: POST https://aqwvwihgvqgrvdgitrvz.supabase.co/auth/v1/logout
- Account deletion / consent withdrawal: https://pathfinderspalette.com/settings

## Contact

Security and agent-onboarding inquiries: pathfinderspalette@zohomail.in
