# auth.md

Agent authentication manifest for **andrewmayes.com**. Short version:
this is a personal site — every public API is anonymous, and there is
nothing to register for.

## Step 1 — Discover

- Protected Resource Metadata: [/.well-known/oauth-protected-resource](/.well-known/oauth-protected-resource)
- API catalog (RFC 9727): [/.well-known/api-catalog](/.well-known/api-catalog)
- OpenAPI: [/docs/openapi.json](/docs/openapi.json) · Docs: [/docs/api/](/docs/api/)
- Skills: [/.well-known/agent-skills/index.json](/.well-known/agent-skills/index.json)
- There is **no authorization server** and no
  `/.well-known/oauth-authorization-server` — that is intentional,
  not an oversight.

## Step 2 — Pick a method

`anonymous` — the only method offered.

- `GET /api/wait-times`, `/api/publish-status`, `/api/linkedin-status`,
  `/api/instagram`, `/api/location` — call them directly, no credentials.
- `POST /api/contact` — anonymous JSON `{name, email, message}`; send
  only genuine messages intended for Andrew.

## Step 3 — Register

No registration flow exists. The single protected endpoint,
`POST /api/location`, uses a bearer token provisioned manually to the
site owner's phone; it is not registrable, claimable, or exchangeable.
Agents should use `GET /api/location` only.

## Errors

- `401` from `POST /api/location` — expected for everyone but Andrew.
- `404 {"error":"unknown park"}` from `/api/wait-times` — check slugs
  in the [park-wait-times skill](/.well-known/agent-skills/park-wait-times/SKILL.md).
- `503` from `POST /api/contact` — email is unconfigured; use the
  mailto on [/#contact](/#contact).

## Revocation

Nothing to revoke — no tokens are ever issued to third parties.

## Etiquette

Responses are cached five minutes; don't poll faster. Wait-time data
must credit [queue-times.com](https://queue-times.com/).
