# auth.md

Cambio Figuritas uses Supabase Auth for user authentication in the PWA at https://cambiofiguritas.com/app/.

## Audience

This metadata is for automated agents that need to understand how protected app APIs are authenticated. Public website pages do not require authentication.

## Protected resource

- Resource: https://cambiofiguritas.com/
- Protected app: https://cambiofiguritas.com/app/
- OAuth protected resource metadata: https://cambiofiguritas.com/.well-known/oauth-protected-resource

## Authorization server

- Issuer: https://cambiofiguritas.com
- Supabase issuer: https://fqofsmwyxgjzmzpslitg.supabase.co/auth/v1
- Authorization metadata: https://cambiofiguritas.com/.well-known/oauth-authorization-server
- OpenID metadata: https://cambiofiguritas.com/.well-known/openid-configuration

## Agent registration

Automated agent registration is not self-service yet. Agents that need delegated access should contact soporte@cambiofiguritas.com with the application name, purpose, redirect URIs, and requested scopes.

## agent_auth

```json
{
  "agent_auth": {
    "skill": "https://cambiofiguritas.com/auth.md",
    "register_uri": "mailto:soporte@cambiofiguritas.com",
    "identity_types_supported": [
      "anonymous"
    ],
    "anonymous": {
      "credential_types_supported": [
        "none"
      ]
    },
    "claim_uri": "https://cambiofiguritas.com/auth.md"
  }
}
```

## Supported authentication

- Bearer tokens in the Authorization header.
- Supabase-issued JWT access tokens.
- Scopes: openid, email, profile.
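
An added example (not code from the site or from Supabase): a consistency check an agent can run over the protected resource metadata and the authorization server metadata listed above, before trusting any endpoint they advertise. Field names follow RFC 9728 and RFC 8414. The sample documents are constructed, and `check_discovery` and the placeholder endpoint path are hypothetical.

```python
from urllib.parse import urlsplit

# Pinned from this page, not taken from the fetched documents.
RESOURCE = "https://cambiofiguritas.com/"
TRUSTED_ISSUERS = {
    "https://cambiofiguritas.com",
    "https://fqofsmwyxgjzmzpslitg.supabase.co/auth/v1",
}
PAGE_SCOPES = {"openid", "email", "profile"}

# Constructed sample documents (not the site's real metadata).
GOOD_PRM = {
    "resource": "https://cambiofiguritas.com/",
    "authorization_servers": ["https://cambiofiguritas.com"],
    "bearer_methods_supported": ["header"],
    "scopes_supported": ["openid", "email", "profile"],
}
GOOD_AS = {
    "issuer": "https://cambiofiguritas.com",
    "token_endpoint": "https://cambiofiguritas.com/placeholder/token",  # placeholder
}

def _norm(url):
    """Scheme, host and path; host case and a trailing slash are ignored."""
    u = urlsplit(url)
    return (u.scheme.lower(), u.netloc.lower(), u.path.rstrip("/"))

def check_discovery(prm, as_meta, fetched_issuer):
    """Return a list of problems; an empty list means the metadata is consistent."""
    problems = []
    trusted = {_norm(i) for i in TRUSTED_ISSUERS}
    if _norm(prm.get("resource", "")) != _norm(RESOURCE):
        problems.append("resource mismatch")
    servers = prm.get("authorization_servers", [])
    if not servers or any(_norm(s) not in trusted for s in servers):
        problems.append("untrusted authorization server")
    # RFC 8414: the issuer value must equal the issuer the document was fetched for.
    if as_meta.get("issuer") != fetched_issuer or _norm(fetched_issuer) not in trusted:
        problems.append("issuer mismatch")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key in as_meta and urlsplit(as_meta[key]).scheme != "https":
            problems.append(f"{key} not https")
    if "header" not in prm.get("bearer_methods_supported", ["header"]):
        problems.append("header bearer method not offered")
    extra = set(prm.get("scopes_supported", [])) - PAGE_SCOPES
    if extra:
        problems.append("undocumented scopes: " + ",".join(sorted(extra)))
    return problems
```

This check covers discovery metadata only; verifying the signature and claims of a Supabase-issued JWT is a separate step.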
