# auth.md

> How an AI agent registers with and authenticates to Mitosis (mitosislabs.ai).

Mitosis is the infrastructure for AI agent replication. This document tells an
agent — or the operator running one — how to obtain credentials and call the
Mitosis APIs on a user's behalf.

## Audience

`https://mitosislabs.ai` — the Mitosis dashboard and API. Protected resources live under
`https://mitosislabs.ai/api` (for example the Backups API at `https://mitosislabs.ai/api/snapshots`).

## Discovery

Start from the machine-readable metadata; everything below is derived from it:

- Authorization server: `https://mitosislabs.ai/.well-known/oauth-authorization-server`
  (RFC 8414, includes the `agent_auth` block for agent registration flows)
- Protected resource: `https://mitosislabs.ai/.well-known/oauth-protected-resource` (RFC 9728)
- OpenID configuration: `https://mitosislabs.ai/.well-known/openid-configuration`
- Agent card (A2A): `https://mitosislabs.ai/.well-known/agent-card.json`
- Agent skills index: `https://mitosislabs.ai/.well-known/agent-skills/index.json`
- Service docs for agents: `https://mitosislabs.ai/llms.txt` and `https://mitosislabs.ai/llms-full.txt`

## Identity types supported

- `service_auth` — an operator registers an account, provisions an agent, and
  receives a scoped credential (API key / JWT) used as a Bearer token.
- `anonymous` — public discovery documents and read-only agent endpoints are
  reachable with no credential.

## Register (service_auth)

1. An operator creates an account at `https://mitosislabs.ai/signup` (the `register_uri`).
2. From the dashboard, provision an agent. The agent is issued a scoped
   credential (API key / JWT) bound to that operator's offices and agents.
3. Store the credential securely. It is the agent's bearer token.

Programmatic access uses the Mitosis SDK:

```bash
npm install -g @mitosislabs/sdk
```

## Use (Bearer token)

Send the credential as an HTTP `Authorization` header. `header` is the only
`bearer_methods_supported` value advertised by the protected-resource metadata:

```http
GET https://mitosislabs.ai/api/snapshots
Authorization: Bearer <token>
```

## Scopes

`backups:read`, `backups:write`, `backups:admin`, plus the OIDC scopes
`openid`, `profile`, `email`. See `scopes_supported` in the authorization
server metadata for the authoritative list.

## Revocation

Credentials are revoked from the operator's dashboard. A revoked token fails
closed: protected endpoints return `401 Unauthorized`. Re-register (provision a
new agent credential) to obtain a fresh token.

## Anonymous access

The discovery documents above and any read-only agent endpoints require no
credential. No claim ceremony is needed to read them.
