# Kadai auth.md

Kadai uses Better Auth sessions for browser users and Convex-issued JWTs for protected API calls.

## Agent Audience

Agents may read public discovery documents and guide users through browser-based login, signup, and storefront navigation.
Protected tenant operations require an authenticated Kadai user session and explicit user intent.

## Registration

Agents should register users through https://kadai.site/signup and ask the user to authenticate through the browser when
protected access is needed. Kadai supports verified-email identity assertions for agent-assisted registration.

## Agent Auth Metadata

```json
{
  "agent_auth": {
    "skill": "https://kadai.site/auth.md",
    "register_uri": "https://kadai.site/signup",
    "identity_types_supported": ["identity_assertion"],
    "claim_uri": "https://kadai.site/verify-email",
    "identity_assertion": {
      "assertion_types_supported": ["verified_email"],
      "credential_types_supported": ["access_token", "browser_session"]
    }
  }
}
```

## Discovery Documents

- Authorization server metadata: https://kadai.site/.well-known/oauth-authorization-server
- OpenID configuration: https://kadai.site/.well-known/openid-configuration
- Protected resource metadata: https://kadai.site/.well-known/oauth-protected-resource
- API catalog: https://kadai.site/.well-known/api-catalog
- API documentation: https://kadai.site/docs/api

## Credential Use

- Public metadata: no credential required.
- Browser flows: user authenticates at https://kadai.site/login.
- Protected API calls: use a valid Kadai session or bearer token issued for the authenticated user.
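The agent-side checks implied by the metadata above and by these credential rules, as an added example (not Kadai's own code): it validates that every URI in `agent_auth` stays on the `https://kadai.site` origin the document was fetched from, confirms the assertion and credential types the page lists, and attaches a bearer token only for calls that are not public discovery documents. The `validate_agent_auth` and `auth_headers` names and the placeholder token are assumptions.

```python
from urllib.parse import urlparse

# Constructed input: the agent_auth block as published on this page.
AGENT_AUTH_DOC = {
    "agent_auth": {
        "skill": "https://kadai.site/auth.md",
        "register_uri": "https://kadai.site/signup",
        "identity_types_supported": ["identity_assertion"],
        "claim_uri": "https://kadai.site/verify-email",
        "identity_assertion": {
            "assertion_types_supported": ["verified_email"],
            "credential_types_supported": ["access_token", "browser_session"],
        },
    }
}

# Discovery documents listed on this page; readable without a credential.
PUBLIC_PATHS = {
    "/.well-known/oauth-authorization-server",
    "/.well-known/openid-configuration",
    "/.well-known/oauth-protected-resource",
    "/.well-known/api-catalog",
    "/docs/api",
}

def validate_agent_auth(doc: dict, origin: str = "https://kadai.site") -> dict:
    """Reject metadata whose URIs are not https on the fetched origin, so a
    spoofed document cannot steer users to a look-alike signup or claim page."""
    block = doc["agent_auth"]
    for key in ("skill", "register_uri", "claim_uri"):
        u = urlparse(block[key])
        if u.scheme != "https" or f"https://{u.netloc}" != origin:
            raise ValueError(f"{key} is off-origin: {block[key]}")
    if "identity_assertion" not in block["identity_types_supported"]:
        raise ValueError("identity_assertion not offered")
    if "verified_email" not in block["identity_assertion"]["assertion_types_supported"]:
        raise ValueError("verified_email assertion not offered")
    return block

def auth_headers(url: str, block: dict, access_token: str = "") -> dict:
    """No credential for public metadata; the user's bearer token for protected calls."""
    if urlparse(url).path in PUBLIC_PATHS:
        return {}
    if "access_token" not in block["identity_assertion"]["credential_types_supported"]:
        raise ValueError("access_token credentials are not accepted")
    if not access_token:
        raise PermissionError("protected call needs an authenticated user session")
    return {"Authorization": f"Bearer {access_token}"}
```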
