# auth.md

Agent registration for **TeaserMe** — resource server `https://www.teaserme.com`, authorization server `https://www.teaserme.com`.

The public contact API accepts anonymous agent access. No user claim ceremony is required.

## 1. Discover

Fetch Protected Resource Metadata:

```http
GET /.well-known/oauth-protected-resource HTTP/1.1
Host: www.teaserme.com
```

Read `resource`, `authorization_servers`, `scopes_supported`, and `bearer_methods_supported`.

Fetch Authorization Server metadata from `authorization_servers[0]` (on this service the same origin as the resource server):

```http
GET /.well-known/oauth-authorization-server HTTP/1.1
Host: www.teaserme.com
```

Read the `agent_auth` block: `register_uri`, `claim_uri`, `identity_types_supported`, and `anonymous.credential_types_supported`.

Discovery URLs:

- PRM: https://www.teaserme.com/.well-known/oauth-protected-resource
- AS metadata: https://www.teaserme.com/.well-known/oauth-authorization-server
- OpenAPI: https://www.teaserme.com/.well-known/openapi/contact.json

## 2. Pick a method

| You have | Method |
| --- | --- |
| No user identity (automated lead capture) | `anonymous` |

This service supports **anonymous** registration only. `identity_assertion` is not enabled.

## 3. Register

```http
POST /api/agent/auth HTTP/1.1
Host: www.teaserme.com
Content-Type: application/json

{"type":"anonymous"}
```

Success response:

```json
{
  "type": "anonymous",
  "credential_type": "access_token",
  "credential": "teaserme-public-anonymous",
  "credential_expires": "<ISO-8601, 86400 seconds after registration>",
  "scopes": ["contact:submit"]
}
```

The credential lifetime equals `expires_in` from `POST /api/oauth/token`: **86400 seconds (24h)**. After expiry, either re-register (step 3) or request a fresh token from the token endpoint with the `client_credentials` grant:

```http
POST /api/oauth/token HTTP/1.1
Host: www.teaserme.com
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=contact:submit
```

## 4. Claim ceremony

Not required. `POST /api/agent/auth/claim` returns `claim_not_required`.

## 5. Use the credential

Submit leads to the contact API. Bearer token is **optional** — the endpoint remains public.

```http
POST /api/contact HTTP/1.1
Host: www.teaserme.com
Content-Type: application/json
Authorization: Bearer teaserme-public-anonymous

{
  "nome": "Example Agent",
  "email": "agent@example.com",
  "cargo": "Automation",
  "empresa": "Example Corp"
}
```

Leave the honeypot field `website` empty or omit it; a filled value marks the submission as automated spam. Respect `/robots.txt` and avoid bulk submissions.

## 6. Errors

| Code | Endpoint | Action |
| --- | --- | --- |
| `unsupported_identity_type` | `POST /api/agent/auth` | Use `{"type":"anonymous"}` |
| `claim_not_required` | `POST /api/agent/auth/claim` | Skip claim; call `/api/contact` |
| `unsupported_grant_type` | `POST /api/oauth/token` | Use `client_credentials` |
| `invalid_scope` | `POST /api/oauth/token` | Request scope `contact:submit` |
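
The whole flow above (discovery, registration, expiry handling and lead submission, with the error codes from this table) as one runnable client. This is an added example, not TeaserMe's own code. All HTTP goes through an injectable `fetch(method, url, body, headers)` returning `(status, parsed_json)`, so it runs offline against `fake_fetch`, a constructed stand-in whose documents copy the shapes shown on this page. The exact JSON paths under `agent_auth`, the fixed clock `FAKE_NOW`, the client-side error codes raised by `discover()` and the `same_origin` check are assumptions and additions, not behaviour the page documents.

```python
"""TeaserMe anonymous-agent flow from auth.md: discover -> register -> submit.

Added example, not TeaserMe's own client. All HTTP goes through an injectable
fetch(method, url, body, headers) -> (status, json_dict), so the flow runs offline
against fake_fetch, whose documents are CONSTRUCTED from the shapes on this page.
Assumptions: the JSON paths under `agent_auth`, the fixed clock FAKE_NOW, and the
client-side error codes (marked below) that discover() and register() raise.
"""
from collections import namedtuple
from datetime import datetime, timedelta
from urllib.parse import urlparse

ORIGIN = "https://www.teaserme.com"
PRM_URL = ORIGIN + "/.well-known/oauth-protected-resource"
AS_META_PATH = "/.well-known/oauth-authorization-server"
FAKE_NOW = "2025-01-01T12:00:00+00:00"  # constructed clock, used by fake_fetch only

class AgentAuthError(Exception):
    """args[0] is the error code from the page's table, or a client-side code."""

Credential = namedtuple("Credential", "token expires scopes")

def parse_iso(ts):
    """Parse credential_expires (ISO-8601), tolerating a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def same_origin(url, origin=ORIGIN):
    """Follow only https URLs on the expected host, so a tampered PRM or AS
    document cannot steer registration or the bearer token off-origin."""
    u, o = urlparse(url), urlparse(origin)
    return u.scheme == "https" and u.netloc == o.netloc

def discover(fetch):
    """Step 1: PRM -> authorization_servers[0] -> AS metadata -> register_uri."""
    status, prm = fetch("GET", PRM_URL)
    if status != 200 or prm.get("resource") != ORIGIN:
        raise AgentAuthError("bad_protected_resource_metadata")  # client-side code
    as_url = prm["authorization_servers"][0]
    if not same_origin(as_url):
        raise AgentAuthError("untrusted_authorization_server")  # client-side code
    agent_auth = fetch("GET", as_url.rstrip("/") + AS_META_PATH)[1]["agent_auth"]
    if "anonymous" not in agent_auth["identity_types_supported"]:
        raise AgentAuthError("unsupported_identity_type")
    if not same_origin(agent_auth["register_uri"]):
        raise AgentAuthError("untrusted_register_uri")  # client-side code
    return agent_auth["register_uri"]

def register(fetch, register_uri, identity_type="anonymous"):
    """Step 3: POST {"type": ...}; the page documents only `anonymous`."""
    status, body = fetch("POST", register_uri, {"type": identity_type},
                         {"Content-Type": "application/json"})
    if status != 200:
        raise AgentAuthError(body.get("error", "unknown_error"))
    if body.get("credential_type") != "access_token":
        raise AgentAuthError("unexpected_credential_type")  # client-side code
    return Credential(body["credential"], parse_iso(body["credential_expires"]),
                      list(body["scopes"]))

def needs_refresh(cred, now, skew_seconds=300):
    """Re-register before the 24h credential lapses, keeping a clock-skew margin."""
    return now + timedelta(seconds=skew_seconds) >= cred.expires

def submit_lead(fetch, cred, lead):
    """Step 5: send the lead with the bearer token. `website` is the honeypot
    field and must stay empty, so a lead that fills it is refused client-side."""
    if lead.get("website", "") != "":
        raise ValueError("honeypot field 'website' must be empty")
    if "contact:submit" not in cred.scopes:
        raise AgentAuthError("invalid_scope")
    status, _ = fetch("POST", ORIGIN + "/api/contact", lead,
                      {"Content-Type": "application/json",
                       "Authorization": f"Bearer {cred.token}"})
    return status

def fake_fetch(method, url, body=None, headers=None):
    """Constructed offline stand-in for the endpoints on this page, not the real server."""
    if (method, url) == ("GET", PRM_URL):
        return 200, {"resource": ORIGIN, "authorization_servers": [ORIGIN],
                     "scopes_supported": ["contact:submit"], "bearer_methods_supported": ["header"]}
    if (method, url) == ("GET", ORIGIN + AS_META_PATH):
        return 200, {"agent_auth": {"register_uri": ORIGIN + "/api/agent/auth",
                                    "claim_uri": ORIGIN + "/api/agent/auth/claim",
                                    "identity_types_supported": ["anonymous"],
                                    "anonymous": {"credential_types_supported": ["access_token"]}}}
    if (method, url) == ("POST", ORIGIN + "/api/agent/auth"):
        if body != {"type": "anonymous"}:
            return 400, {"error": "unsupported_identity_type"}
        expires = parse_iso(FAKE_NOW) + timedelta(seconds=86400)
        return 200, {"type": "anonymous", "credential_type": "access_token",
                     "credential": "teaserme-public-anonymous",
                     "credential_expires": expires.isoformat(), "scopes": ["contact:submit"]}
    if (method, url) == ("POST", ORIGIN + "/api/contact"):
        return 200, {}  # bearer is optional on the public endpoint, so nothing to check
    return 404, {"error": "not_found"}

if __name__ == "__main__":  # offline demo against the constructed transport
    cred = register(fake_fetch, discover(fake_fetch))
    print(cred, "refresh now?", needs_refresh(cred, parse_iso(FAKE_NOW)))
    print(submit_lead(fake_fetch, cred, {"nome": "Example Agent", "email": "agent@example.com",
                                        "cargo": "Automation", "empresa": "Example Corp"}))
```

To talk to the real service, replace `fake_fetch` with a `fetch` built on `urllib.request` that parses the JSON body and returns `(status, dict)`. The `same_origin` check is the part worth keeping: the discovery documents are data, not policy, so the client decides for itself which `authorization_servers` and `register_uri` hosts it will send requests to. `needs_refresh` keeps a skew margin so the credential is replaced before the 24h window closes rather than after a failed submission.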

## 7. Revocation

There is no agent-facing revocation endpoint: the anonymous credential is a shared public value not tied to a user identity, so there is nothing per-agent to revoke.

Human sales handoff: https://www.teaserme.com/contato or **sergio.werner@teaserme.com**.

## Content policy

See `/robots.txt` — `Content-Signal: ai-train=no, search=yes, ai-input=yes`.
