# PitchIntel auth.md

Agent and API access for **PitchIntel** (World Cup tactical intelligence).

## Public API

All `GET /api/*` routes listed in [`/docs/api`](/docs/api) are **public** and require **no authentication**.

Use standard HTTPS `GET` requests with `Accept: application/json`.

## Admin API {#admin-api-key}

Routes under `/api/admin/*` require a static API key header:

```
X-Admin-Token: <secret>
```

Tokens are **provisioned out-of-band** (not self-service). See [agent registration](#agent-registration).

## Agent registration {#agent-registration}

PitchIntel supports **anonymous agent registration** for admin API access:

| Field | Value |
|-------|-------|
| Register URI | `/auth.md#agent-registration` |
| Credential type | `api_key` (header `X-Admin-Token`) |
| Identity | Anonymous — request provisioning via GitHub issue or contact below |
| OAuth PRM | `/.well-known/oauth-protected-resource` |
| OAuth AS | `/.well-known/oauth-authorization-server` |

Agents should read OAuth Protected Resource Metadata and Authorization Server metadata before calling protected routes.

## Agent discovery

| Resource | URL |
|----------|-----|
| API catalog | `/.well-known/api-catalog` |
| OpenAPI | `/.well-known/openapi.json` |
| Protected resource metadata | `/.well-known/oauth-protected-resource` |
| Authorization server | `/.well-known/oauth-authorization-server` |
| OpenID configuration | `/.well-known/openid-configuration` |
| MCP server card | `/.well-known/mcp/server-card.json` |
| Agent skills index | `/.well-known/agent-skills/index.json` |
| DNS-AID template | `/.well-known/dns-aid.json` |

## Contact

Built by Cuong Le Sy — [LinkedIn](https://www.linkedin.com/in/sycule/) · [GitHub](https://github.com/sycu8/)