# auth.md

dataact-compliance.de exposes public read endpoints for AI crawlers, search engines, citation agents and developer tools. Read-only discovery, Markdown, GraphRAG and dataset endpoints do not require login.

Primary content language is German (de-DE). Agent-facing protocol metadata and authentication documentation are published in English.

## Discovery mode

**Mode:** `discovery-only`

OAuth and agent-auth metadata are published for interoperability and future protected flows. They describe the surface area; they do not imply that every advertised endpoint is fully operational today.

| Endpoint | Method | Status | Meaning |
| --- | --- | --- | --- |
| Public read APIs | GET | Active | No registration, token or login required |
| `/agent/auth/register/` | GET | Discovery | Returns supported identity flows and manual provisioning policy |
| `/agent/auth/register/` | POST | **501** | Automated client registration is intentionally disabled |
| `/.well-known/jwks.json` | GET | Empty | Returns `keys: []`; public read APIs do not require JWT validation |
| `/oauth2/token/` | POST | Reserved | Token issuance for protected scopes is provisioned manually |
| `/api/research/ingest` | POST | Protected | Requires manually provisioned scope `euai.research.ingest` |

## Public endpoints

- /llms.txt
- /llms.json
- /skill.md
- /.well-known/agent-skill.md
- /.well-known/agent-skills/index.json
- /.well-known/api-catalog
- /.well-known/openapi.json
- /.well-known/mcp/server-card.json
- /api/markdown
- /api/graphrag
- /api/health
- /mcp
- /datasets/

## OAuth discovery

- Authorization server metadata: https://dataact-compliance.de/.well-known/oauth-authorization-server
- OpenID configuration alias: https://dataact-compliance.de/.well-known/openid-configuration
- Protected resource metadata: https://dataact-compliance.de/.well-known/oauth-protected-resource
- JWKS: https://dataact-compliance.de/.well-known/jwks.json
- Human-readable auth notes: https://dataact-compliance.de/auth.md

### Registration policy

GET /agent/auth/register/ documents supported flows. POST /agent/auth/register/ returns HTTP 501 because automated client registration is disabled.

GET `https://dataact-compliance.de/agent/auth/register/` returns discovery metadata only.

POST `https://dataact-compliance.de/agent/auth/register/` returns HTTP **501** with:

```json
{
  "status": "not_available",
  "message": "Automated credential issuance is not enabled. Public read APIs work without registration; protected ingest scopes are provisioned manually."
}
```

### JWKS policy

GET /.well-known/jwks.json returns an empty key set. Public read APIs do not require JWT validation.

## Agent registration metadata

- Register URI: https://dataact-compliance.de/agent/auth/register/
- Supported identity types: anonymous, verified_email, identity_assertion
- Supported credential types: bearer_token
- Scopes: euai.read, euai.datasets.read, euai.graphrag.read, euai.research.ingest
- Bearer method: header
- Public read without registration: yes

## Protected resource

```json
{
  "resource": "https://dataact-compliance.de",
  "authorization_servers": [
    "https://dataact-compliance.de"
  ],
  "scopes_supported": [
    "euai.read",
    "euai.datasets.read",
    "euai.graphrag.read",
    "euai.research.ingest"
  ],
  "bearer_methods_supported": [
    "header"
  ],
  "resource_documentation": "https://dataact-compliance.de/auth.md"
}
```

## Authorization server

```json
{
  "issuer": "https://dataact-compliance.de",
  "authorization_endpoint": "https://dataact-compliance.de/agent/auth/authorize/",
  "token_endpoint": "https://dataact-compliance.de/oauth2/token/",
  "revocation_endpoint": "https://dataact-compliance.de/oauth2/revoke/",
  "jwks_uri": "https://dataact-compliance.de/.well-known/jwks.json",
  "registration_endpoint": "https://dataact-compliance.de/agent/auth/register/",
  "response_types_supported": [
    "code"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "urn:workos:agent-auth:grant-type:claim"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post",
    "none"
  ],
  "scopes_supported": [
    "euai.read",
    "euai.datasets.read",
    "euai.graphrag.read",
    "euai.research.ingest"
  ],
  "code_challenge_methods_supported": [
    "S256"
  ],
  "service_documentation": "https://dataact-compliance.de/auth.md",
  "discovery_mode": "discovery-only",
  "registration_policy": "GET /agent/auth/register/ documents supported flows. POST /agent/auth/register/ returns HTTP 501 because automated client registration is disabled.",
  "jwks_policy": "GET /.well-known/jwks.json returns an empty key set. Public read APIs do not require JWT validation.",
  "agent_auth": {
    "skill": "https://dataact-compliance.de/auth.md",
    "discovery_mode": "discovery-only",
    "public_read_without_registration": true,
    "register_uri": "https://dataact-compliance.de/agent/auth/register/",
    "identity_endpoint": "https://dataact-compliance.de/agent/identity/",
    "claim_endpoint": "https://dataact-compliance.de/agent/identity/claim/",
    "claim_uri": "https://dataact-compliance.de/agent/identity/claim/",
    "events_endpoint": "https://dataact-compliance.de/agent/event/notify/",
    "identity_types_supported": [
      "anonymous",
      "verified_email",
      "identity_assertion"
    ],
    "credential_types_supported": [
      "bearer_token"
    ],
    "registration": {
      "automated_supported": false,
      "provisioning": "manual",
      "get_behavior": "Returns discovery metadata and supported identity flows.",
      "post_status": 501,
      "post_message": "Automated credential issuance is not enabled. Public read APIs work without registration; protected ingest scopes are provisioned manually."
    },
    "jwks": {
      "status": "empty",
      "uri": "https://dataact-compliance.de/.well-known/jwks.json",
      "message": "No public signing keys are published. Public read endpoints do not require JWT validation."
    },
    "anonymous": {
      "credential_types_supported": [
        "bearer_token"
      ],
      "claim_uri": "https://dataact-compliance.de/agent/auth/claims/"
    },
    "verified_email": {
      "credential_types_supported": [
        "bearer_token"
      ],
      "claim_uri": "https://dataact-compliance.de/agent/auth/claims/",
      "assertion_types_supported": [
        "verified_email"
      ]
    },
    "identity_assertion": {
      "credential_types_supported": [
        "bearer_token"
      ],
      "assertion_types_supported": [
        "urn:ietf:params:oauth:token-type:id-jag"
      ]
    },
    "revocation_uri": "https://dataact-compliance.de/oauth2/revoke/",
    "events_supported": [
      "credential.revoked",
      "https://schemas.workos.com/events/agent/auth/identity/assertion/revoked"
    ]
  }
}
```

## MCP

The MCP endpoint https://dataact-compliance.de/mcp/ is a public JSON-RPC endpoint for read access to dataact-compliance.de. It exposes tools for GraphRAG search, Markdown pages and datasets, plus resources for llms.txt, llms.json, skill.md and dataset indexes.

## Usage

Content may be used for search, AI input and citation agents when dataact-compliance.de is named as the source and claims are not detached from their context.
