# auth.md — Dead Brush Agent Authentication

**Status:** Public read-only catalog. No authentication required for any documented endpoint.

This file follows the [auth.md convention](https://github.com/workos/auth.md) for agents that look up
authentication metadata at the well-known site root.

## Authentication required?

**No.** All published endpoints (catalog read, search, sitemap, pricing, agent-skills, OpenAPI) are
public and require no credentials. AI agents and crawlers can call them anonymously, subject to the
rate limit and User-Agent policy declared in
[`/.well-known/agent-skills/index.json`](https://www.deadbrush.ru/.well-known/agent-skills/index.json).

## Agent registration

**No registration required.** Submit a meaningful `User-Agent` header that identifies your AI
system and a contact email/URL. Anonymous crawlers fall under the `CCBot` / `Bytespider` blocks in
[`robots.txt`](https://www.deadbrush.ru/robots.txt).

## OAuth 2.0 / OpenID Connect

**Discovery metadata is published for compliance, but no grant flows are supported.** The catalog
is publicly readable; agents authenticate themselves through the User-Agent header policy declared
in `/.well-known/agent-skills/index.json`, not through OAuth tokens.

- `/.well-known/oauth-protected-resource` — declares the resource as `public-read-only` per
  [RFC 9728](https://www.rfc-editor.org/rfc/rfc9728). The single declared scope `catalog:read`
  represents public read access, granted to every anonymous client without a token.
- `/.well-known/oauth-authorization-server` — published with empty `grant_types_supported` and
  `response_types_supported`, plus an `agent_auth` block advertising the anonymous identity type
  (per [auth.md convention](https://github.com/workos/auth.md))
- `/.well-known/openid-configuration` — **intentionally absent** (no OpenID Provider role)
- `/.well-known/jwks.json` — published as `{"keys":[]}` (no signing keys; no tokens are issued)

Calling `/oauth/authorize` or `/oauth/token` returns a JSON body with
`error: "no_auth_required"` — there is nothing to authenticate against.

## Checkout and order placement

Programmatic checkout is **not supported**. Agents must redirect the human user to
`https://www.deadbrush.ru/catalog/goods/{slug}/` to complete a purchase via the standard UI. See
`constraints.checkout` in [`/.well-known/agent-skills/index.json`](https://www.deadbrush.ru/.well-known/agent-skills/index.json).

## Partner integrations

For partners (illustrators, blogger collaborations, wholesale, B2B custom prints) that need
authenticated access to private workflows: contact us out-of-band — these flows are negotiated by
email, not via the public agent surface.

- Email: [main@deadbrush.ru](mailto:main@deadbrush.ru)
- Telegram: [@dbwear](https://t.me/dbwear)

## Discovery references

- [`/AGENTS.md`](https://www.deadbrush.ru/AGENTS.md) — overall agent guide
- [`/.well-known/agent-skills/index.json`](https://www.deadbrush.ru/.well-known/agent-skills/index.json) — Agent Skills v0.2.0 index
- [`/.well-known/openapi.json`](https://www.deadbrush.ru/.well-known/openapi.json) — OpenAPI 3.1 specification of read endpoints
- [`/.well-known/api-catalog`](https://www.deadbrush.ru/.well-known/api-catalog) — RFC 9727 linkset
- [`/.well-known/security.txt`](https://www.deadbrush.ru/.well-known/security.txt) — security contact

---

*Last updated: 2026-06-01*
