# auth.md

UTM Builder (https://utm.queueforge.dev) — agent registration and API access.

## Audience

AI agents, MCP clients, and automated tools that consume public discovery APIs or build UTM campaign URLs.

## Protected resource metadata

- **PRM:** https://utm.queueforge.dev/.well-known/oauth-protected-resource
- **Resource:** `https://utm.queueforge.dev/api`
- **Documentation:** https://utm.queueforge.dev/ai-overview

## Agent registration

<a id="anonymous-registration"></a>

### Anonymous access (default)

No signup, email, or API key is required for public **GET** endpoints.

1. Read https://utm.queueforge.dev/llms.txt and https://utm.queueforge.dev/.well-known/api-catalog.
2. Fetch https://utm.queueforge.dev/api/site-context or https://utm.queueforge.dev/api/mcp/tool-definition.
3. Generate UTM links in the browser UI at https://utm.queueforge.dev or implement `build_utm_campaign_url` locally using the tool schema.

**Claim URI:** https://utm.queueforge.dev/api/mcp/context

**Credential:** none — do not send `Authorization` headers for public discovery routes.

### Supported identity types

| Type | Description |
|------|-------------|
| `anonymous` | Read-only discovery; no token issued |

This service does **not** support agent-verified (ID-JAG) or user-claimed (OTP) flows because it does not operate a user directory.

## OAuth authorization server

- **Issuer:** https://utm.queueforge.dev
- **Metadata:** https://utm.queueforge.dev/.well-known/oauth-authorization-server
- **Registration:** https://utm.queueforge.dev/auth.md#anonymous-registration

Bearer tokens are not issued. `agent_auth` in authorization-server metadata describes anonymous provisioning.

## Scopes (informational)

| Scope | Access |
|-------|--------|
| `context:read` | Site and tool JSON |
| `metadata:read` | Page metadata index |

## Public endpoints

| Path | Method |
|------|--------|
| /api/site-context | GET |
| /api/metadata | GET |
| /api/mcp/context | GET |
| /api/mcp/tool-definition | GET |
| /api/health | GET |
| /api/openapi.json | GET |

## DNS-AID

Agent DNS discovery (when published on the zone):

- `_index._agents.utm.queueforge.dev`
- `_a2a._agents.utm.queueforge.dev`

See repository `docs/DNS-AID.md` for Cloudflare setup.

## Operator

QueueForge — [Legal notice](https://queueforge.dev/impressum)