# auth.md — Agent Registration for C2XCEL

This document tells AI agents how to authenticate against C2XCEL APIs and protected resources. It complements the machine-readable discovery documents at `/.well-known/`.

- Site: https://c2xcel.com
- Owner: C2XCEL (Jim McNeese, Founder)
- Contact: info@c2xcel.com
- Last Updated: 2026-06-10

## Discovery Endpoints

| Purpose | URL |
| --- | --- |
| OAuth 2.0 Authorization Server Metadata (RFC 8414) | https://c2xcel.com/.well-known/oauth-authorization-server |
| OAuth 2.0 Protected Resource Metadata (RFC 9728) | https://c2xcel.com/.well-known/oauth-protected-resource |
| OpenID Connect Discovery 1.0 | https://c2xcel.com/.well-known/openid-configuration |
| API Catalog (RFC 9727) | https://c2xcel.com/.well-known/api-catalog |
| MCP Server Descriptor | https://c2xcel.com/.well-known/mcp.json |
| Web Bot Auth Directory | https://c2xcel.com/.well-known/http-message-signatures-directory |
| Service Documentation | https://c2xcel.com/llms-full.txt |

The OAuth Authorization Server metadata includes an `agent_auth` block with `skill`, `register_uri`, `claim_uri`, `revocation_uri`, `identity_types_supported`, `credential_types_supported`, `identity_assertion`, and `events_supported` fields. Treat the Protected Resource Metadata as authoritative if it conflicts with this document.

## Authorization Server

- Issuer: `https://udwjbckgrkxxidhaverp.supabase.co/auth/v1`
- Authorization endpoint: `https://udwjbckgrkxxidhaverp.supabase.co/auth/v1/authorize`
- Token endpoint: `https://udwjbckgrkxxidhaverp.supabase.co/auth/v1/token`
- Revocation endpoint: `https://udwjbckgrkxxidhaverp.supabase.co/auth/v1/logout`
- JWKS: `https://udwjbckgrkxxidhaverp.supabase.co/auth/v1/.well-known/jwks.json`
- Grant types: `authorization_code`, `refresh_token`, `urn:ietf:params:oauth:grant-type:device_code`
- PKCE: required (`S256`)
- Scopes: `openid`, `email`, `profile`, `offline_access`

## Agent Registration

C2XCEL does not currently expose a public Dynamic Client Registration (RFC 7591) endpoint. To register an autonomous agent for programmatic access:

1. Email **info@c2xcel.com** with the subject line `Agent Registration — auth.md`.
2. Include the following:
   - Agent name, vendor, and homepage
   - Operator / responsible party (legal entity + human contact)
   - Intended scopes (`openid`, `email`, `profile`, `offline_access`)
   - Redirect URIs (HTTPS only) or device-flow declaration
   - Identity proofing material — one of:
     - **Web Bot Auth** key thumbprint published in your own `/.well-known/http-message-signatures-directory`
     - **mTLS** client certificate (PEM, issued by a public CA or your enterprise CA)
     - **Verified domain** with a DNS TXT record proving control
   - Rate limits requested and expected request volume
3. C2XCEL will respond within 3 business days with a `client_id`, the agreed credential type, and any per-agent claim or revocation URL.

## Supported Identity Types

- `service` — non-human agent acting on its own behalf
- `delegated` — agent acting on behalf of an authenticated C2XCEL user
- `enterprise` — agent operated by a partner organization under contract

## Supported Credential Types

- `client_secret_basic` (HTTP Basic at token endpoint)
- `client_secret_post`
- `private_key_jwt` (RFC 7523) — preferred for service identities
- `tls_client_auth` (RFC 8705) — preferred for enterprise identities
- `web_bot_auth` (HTTP Message Signatures, draft-ietf-webbotauth) — preferred for crawler/agent identities

## Claims

ID tokens and userinfo responses use the standard OpenID Connect claims: `sub`, `iss`, `aud`, `exp`, `iat`, `email`, `email_verified`, `role`. Per-agent custom claims (for example `agent_id`, `agent_vendor`) are issued during registration and documented in the registration response.

- Claims endpoint: `https://udwjbckgrkxxidhaverp.supabase.co/auth/v1/user`

## Revocation

- Programmatic: POST to `https://udwjbckgrkxxidhaverp.supabase.co/auth/v1/logout` with the access token in the `Authorization: Bearer` header.
- Out-of-band: email **info@c2xcel.com** with the subject line `Agent Revocation — <client_id>` and we will revoke within one business day.

## Acceptable Use

Agents must respect:

- `/robots.txt` Content-Signal directives (`ai-train=no`, `search=yes`, `ai-input=no`)
- Site Terms at https://c2xcel.com/terms
- Privacy Policy at https://c2xcel.com/privacy
- Rate limits issued at registration time

Abusive or unregistered automated traffic may be blocked at the edge without notice.
