# Citedy Agent Authentication

Citedy supports WorkOS auth.md-compatible agent registration for API keys.

## Discovery

- Protected resource metadata: https://www.citedy.com/.well-known/oauth-protected-resource
- Authorization server metadata: https://www.citedy.com/.well-known/oauth-authorization-server
- Agent API credential: `Authorization: Bearer citedy_agent_*`

## Supported V1 Flow

Citedy supports email-required user claims:

1. Agent calls `POST https://www.citedy.com/agent/auth`.
2. Citedy emails the user a claim link and returns a `claim_token` to the agent.
3. User opens the email link and gets a short OTP/code.
4. Agent calls `POST https://www.citedy.com/agent/auth/claim/complete` with `claim_token + otp`.
5. Citedy returns one canonical `citedy_agent_*` API key exactly once.

No API key or free credits are issued before the verified claim completes.

## Register

```json
{
  "type": "identity_assertion",
  "assertion_type": "verified_email",
  "assertion": "user@example.com",
  "requested_credential_type": "api_key",
  "agent_name": "ContentBot"
}
```

## Complete Claim

```json
{
  "claim_token": "clm_...",
  "otp": "123456"
}
```

## Unsupported In V1

- Anonymous pre-claim credentials.
- Provider-verified ID-JAG assertions.
- Provider revocation events.

Contact: support@citedy.com
