---
agent_auth:
  skill: https://aibizflowing.top/auth.md
  register_uri: https://aibizflowing.top/api/auth/agent/register
  identity_endpoint: https://aibizflowing.top/api/auth/agent/register
  identity_types_supported:
    - service_auth
  credential_types_supported:
    - bearer_token
  claim_uri: https://backend.aibizflowing.top/api/auth/agent/claims
  revocation_uri: https://backend.aibizflowing.top/api/auth/agent/revoke
---

# auth.md — AI BizFlowing Agent Authentication

You are an agent. This service supports **agentic registration** for AI agents to access the AI BizFlowing API on behalf of users. Follow the steps in order.

## Step 1 — Discover

Fetch the discovery documents to understand the auth surface:

```
GET /.well-known/oauth-protected-resource
GET /.well-known/oauth-authorization-server
GET /.well-known/api-catalog
```

The OAuth documents describe token endpoints, supported scopes, and the agent registration API. The API catalog lists available endpoints.

## Step 2 — Choose a method

AI BizFlowing supports two registration methods:

| Method | When to use |
|--------|-------------|
| **service_auth** | You have a verified email for the user. A claim ceremony links the registration to their account. |
| **anonymous** | You have no user identity. Limited pre-claim access, then optionally claim for full access. |

## Step 3 — Register

Send a registration request to the identity endpoint:

```http
POST /api/auth/agent/register
Content-Type: application/json

{
  "type": "service_auth",
  "login_hint": "user@example.com"
}
```

Response:

```json
{
  "registration_id": "reg_...",
  "registration_type": "service_auth",
  "claim_url": "https://backend.aibizflowing.top/api/auth/agent/claims",
  "claim_token": "clm_...",
  "claim_token_expires": "2026-07-10T00:00:00.000Z",
  "post_claim_scopes": ["api:read", "api:write"]
}
```

The service returns a `claim_token` and `claim_url`. The user must complete the claim ceremony before you receive credentials.

## Step 4 — Claim

Direct the user to authenticate and confirm:

1. Surface `claim_url` and the `claim_token` to the user
2. The user signs in at `https://aibizflowing.top/auth/google` (Google OAuth)
3. The user confirms the agent binding
4. Poll `POST /api/auth/token` with the claim grant until the ceremony completes

```http
POST /api/auth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:workos:agent-auth:grant-type:claim
&claim_token=<clm_...>
```

Response on success:

```json
{
  "access_token": "<token>",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "api:read api:write"
}
```

## Step 5 — Use the access_token

Present the access_token in subsequent API calls:

```http
GET /api/v1/health
Authorization: Bearer <access_token>
```

## Revocation

To revoke an access_token:

```http
POST /api/auth/agent/revoke
Content-Type: application/x-www-form-urlencoded

token=<access_token>
```

## Contact

For questions: support@aibizflowing.top
