# Unitiraf Agent Authentication

Unitiraf supports agent authentication via OAuth 2.1 / OpenID Connect, backed by Supabase Auth.
This document follows the [auth.md](https://workos.com/auth-md) specification for agent registration.

## Service

- **Name:** Unitiraf
- **Homepage:** https://unitiraf.com
- **Contact:** hello@unitiraf.com

## Discovery

- Authorization Server Metadata: https://unitiraf.com/.well-known/oauth-authorization-server
- OpenID Configuration: https://unitiraf.com/.well-known/openid-configuration
- Protected Resource Metadata: https://unitiraf.com/.well-known/oauth-protected-resource
- API Catalog: https://unitiraf.com/.well-known/api-catalog
- MCP Server Card: https://unitiraf.com/.well-known/mcp/server-card.json

## Registration

Dynamic Client Registration (RFC 7591) is not currently exposed publicly.
Agent developers may request a client credential by emailing **hello@unitiraf.com**
with the following information:

- Agent / product name
- Homepage URL
- Redirect URIs
- Requested scopes
- Contact email for security disclosures

- **register_uri:** mailto:hello@unitiraf.com?subject=Agent%20Client%20Registration
- **claim_uri:** mailto:hello@unitiraf.com?subject=Account%20Claim
- **revocation_uri:** https://jcfvskkkkvpxyrprbylu.supabase.co/auth/v1/logout

## Identity types

| Type             | Supported | Notes                                                 |
| ---------------- | --------- | ----------------------------------------------------- |
| user             | yes       | End-user (student) account                            |
| agent            | yes       | OAuth client acting on behalf of a user               |
| service_account  | planned   | Server-to-server tokens (contact us for early access) |

## Credential types

- `oauth2_access_token` (Bearer JWT, short-lived)
- `oauth2_refresh_token` (rotated on use)
- `id_token` (OIDC, RS256)

## Supported grants

- `authorization_code` with PKCE (S256) — recommended
- `refresh_token`
- `password` (first-party clients only)

## Scopes

| Scope     | Description                          |
| --------- | ------------------------------------ |
| openid    | OIDC sign-in                         |
| email     | Read end-user email                  |
| profile   | Read end-user profile                |

## Endpoints

- **Authorization:** https://jcfvskkkkvpxyrprbylu.supabase.co/auth/v1/authorize
- **Token:** https://jcfvskkkkvpxyrprbylu.supabase.co/auth/v1/token
- **JWKS:** https://jcfvskkkkvpxyrprbylu.supabase.co/auth/v1/.well-known/jwks.json
- **Revocation / Sign-out:** https://jcfvskkkkvpxyrprbylu.supabase.co/auth/v1/logout
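
An added example (not Unitiraf's own code) of starting the recommended `authorization_code` grant with PKCE (S256) against the authorization endpoint above and validating the redirect that comes back. The query parameter names are the standard ones from RFC 6749 and RFC 7636 and are assumed to be accepted by this endpoint; the function names and the `client_id` / redirect URI values passed in are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint as listed under "Endpoints".
AUTHORIZE_URL = "https://jcfvskkkkvpxyrprbylu.supabase.co/auth/v1/authorize"


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)), no padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(client_id, redirect_uri,
                                scopes=("openid", "email", "profile")):
    """Return (url, code_verifier, state). Keep verifier and state client-side."""
    verifier = secrets.token_urlsafe(64)   # 86 chars, inside the 43..128 limit
    state = secrets.token_urlsafe(32)      # binds the callback to this request
    params = {                             # standard names, assumed accepted here
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": s256_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), verifier, state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    returned = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours.
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    return code
```

The returned `code_verifier` is what the client later sends as `code_verifier` in the token request, so it must stay with the session that started the flow and never appear in the authorization URL.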

## Bearer usage

Send the access token in the `Authorization` header:

```
Authorization: Bearer <access_token>
```

## Security disclosures

Report vulnerabilities to **hello@unitiraf.com**. We acknowledge reports within 72 hours.
