# auth.md

> Lauro Sport supports agentic registration and public catalog discovery.
> **Resource server:** https://www.laurosport.store
> **Authorization server:** https://www.laurosport.store

Agents should read the structured Protected Resource Metadata (PRM) first, then the Authorization Server metadata including the `agent_auth` block.

## Discovery

1. **Protected Resource Metadata (RFC 9728):** https://www.laurosport.store/.well-known/oauth-protected-resource
2. **Authorization Server (RFC 8414):** https://www.laurosport.store/.well-known/oauth-authorization-server
3. **Agent manual:** https://www.laurosport.store/agents.md

On `401 Unauthorized` responses from protected endpoints, look for:

```http
WWW-Authenticate: Bearer resource_metadata="https://www.laurosport.store/.well-known/oauth-protected-resource"
```

## Supported flows

### Public catalog (no registration required)

The storefront catalog, search, product feed, policies, and discovery files are **public**. No OAuth token or agent registration is required for:

- `GET /api/catalog`
- `GET /api/search?q={query}`
- `GET /api/products-feed.json`
- `GET /agents.md`, `GET /llms.txt`, `GET /openapi.json`

### Anonymous agent registration (reserved)

For future scoped agent credentials, this service advertises anonymous registration at `POST /agent/auth`. Endpoints are reserved for agent-readiness; registration is not required for public read-only access today.

## Scopes

| Scope | Description |
|-------|-------------|
| `catalog:read` | Read the product catalog (`GET /api/catalog`) |
| `products:read` | Read the AI product feed (`GET /api/products-feed.json`) |
| `search:read` | Search products (`GET /api/search`) |

## Registration (anonymous)

```http
POST /agent/auth HTTP/1.1
Host: www.laurosport.store
Content-Type: application/json

{
  "type": "anonymous",
  "requested_credential_type": "api_key"
}
```

Success response (when enabled):

```json
{
  "credential": "ls_agent_…",
  "credential_type": "api_key",
  "scopes": ["catalog:read", "products:read", "search:read"]
}
```

## Claim (optional)

Email-based claim for scope upgrade:

- Start: `POST /agent/auth/claim`
- Complete: `POST /agent/auth/claim/complete`

## Revocation

Revoke agent credentials: `POST /agent/auth/revoke`

## Policies

- Privacy: https://www.laurosport.store/pages/privacy-policy
- Terms: https://www.laurosport.store/pages/termini-e-condizioni
- Shipping: https://www.laurosport.store/pages/spedizioni
- Returns: https://www.laurosport.store/pages/resi-e-rimborsi
- FAQ: https://www.laurosport.store/pages/faq

## Contact

Integration questions: info@lauro.store