# auxfirst — Agent Authentication

auxfirst does **not** currently provide public OAuth-based agent registration, protected agent APIs, or a live MCP tool server. We do not issue client credentials or scoped tokens.

This is deliberate and honest: we publish read-only discovery resources, not authenticated execution endpoints. (auxfirst's own discipline is that an agent should only claim the authority it actually has — so we don't advertise auth we haven't built.)

## Public, unauthenticated resources

All of the following are available without any credentials:

- LLM guide — https://auxfirst.com/llms.txt
- Capabilities — https://auxfirst.com/capabilities.json
- API catalog — https://auxfirst.com/.well-known/api-catalog
- OpenAPI (discovery) — https://auxfirst.com/openapi.json
- Agent skills index — https://auxfirst.com/.well-known/agent-skills/index.json
- MCP discovery card — https://auxfirst.com/.well-known/mcp/server-card.json
- Health — https://auxfirst.com/api/health.json
- Markdown canon — https://auxfirst.com/index.md, /services.md, /knowledge.md, /heuristics.md, /patterns.md, /manifesto.md

## When this will change

If and when auxfirst stands up a live MCP server or a protected API, this document will be replaced with real discovery metadata:

- `/.well-known/oauth-authorization-server`
- `/.well-known/oauth-protected-resource`
- `/.well-known/openid-configuration`

Until those exist, treat any such endpoint as absent.

## For partnership, consulting, or custom MCP / API access

Contact auxfirst through https://auxfirst.com/index.html#contact