# Auth.md

Git.Top exposes public read-only discovery, REST, and MCP surfaces for agents. Public endpoints do not require user login, OAuth, API keys, or cookies.

## Public No-Auth Surfaces

- `GET /openapi.json` and `GET /api/openapi.json` describe the public REST contract.
- `GET /mcp` returns MCP discovery, tool schemas, examples, and public integration metadata.
- `POST /mcp` accepts public JSON-RPC MCP calls for `initialize`, `notifications/initialized`, `tools/list`, and `tools/call`.
- `GET /llms.txt`, `GET /llms-full.txt`, `GET /api/agent-map`, `GET /api/quickstart`, `GET /api/recipes`, `GET /api/examples`, `GET /api/journeys`, `GET /api/trust`, `GET /api/benchmark`, and `GET /api/quality` are public.

## Agent Registration

- Public REST and MCP integrations require no agent registration; agents can start from `/openapi.json`, `/mcp`, `/llms.txt`, or `/.well-known/agent-skills/index.json` immediately.
- Git.Top does not publish OAuth dynamic client registration for public read-only endpoints because no OAuth credential is required.
- Protected operator endpoints under `/api/admin/*` are internal maintenance surfaces and do not support public self-service agent registration.
- For a private operator integration request, contact `security@git.top` with the intended agent identity, use case, callback/contact channel, and required endpoint scope.

## Protected Operator Surfaces

- `/api/admin/*` endpoints are operator-only and require an internal bearer token derived from `SYNC_SECRET`.
- Admin endpoints are not part of the public agent integration path and are intentionally omitted from no-auth quickstarts.

## Agent Trust Guidance

- Agents should call `GET /api/health` and `GET /api/trust` before high-confidence production recommendations.
- Agents can pass `require_d1=true` on REST reads or `require_d1: true` in MCP tool arguments when seed fallback should fail closed.
- Public project records include metadata and evidence fields so agents can explain recommendations without private credentials.
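
A fail-closed client wrapper for the guidance above, as an added example that is not Git.Top's own code. It assumes a failed check or a refused `require_d1` read surfaces as a non-200 status, a JSON-RPC `error`, or an MCP result with `isError` set; the `fetch` callable and `constructed_transport` are hypothetical stand-ins for an HTTP client, and the response bodies are constructed, not the real schemas.

```python
import json
from urllib.parse import urlencode

BASE = "https://git.top"

class TrustGateError(Exception):
    """The answer cannot be trusted; the agent should not recommend from it."""

def _json(status, body, what):
    # Assumption: anything other than HTTP 200 with a JSON object fails closed.
    if status != 200:
        raise TrustGateError(f"{what}: HTTP {status}")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise TrustGateError(f"{what}: body is not JSON") from exc
    if not isinstance(doc, dict):
        raise TrustGateError(f"{what}: unexpected JSON type")
    return doc

def preflight(fetch):
    """GET /api/health and /api/trust; return both reports or raise."""
    return {p: _json(*fetch("GET", BASE + p, None), p)
            for p in ("/api/health", "/api/trust")}

def rest_read_url(path, **params):
    """Build a REST read URL that always carries require_d1=true."""
    return f"{BASE}{path}?{urlencode({**params, 'require_d1': 'true'})}"

def mcp_call(fetch, tool, arguments, request_id=1):
    """POST a tools/call with require_d1 forced on; raise on any error reply."""
    payload = {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
               "params": {"name": tool,
                          "arguments": {**arguments, "require_d1": True}}}
    reply = _json(*fetch("POST", BASE + "/mcp", json.dumps(payload)), "tools/call")
    result = reply.get("result")
    if "error" in reply or not isinstance(result, dict) or result.get("isError"):
        raise TrustGateError(f"tools/call {tool}: {reply.get('error') or 'tool error'}")
    return result

def constructed_transport(method, url, body):
    """Constructed stand-in for an HTTP client: health is up, the D1 read fails."""
    if method == "GET":
        return 200, '{"status": "ok"}'  # constructed body, not the real schema
    return 200, json.dumps({"jsonrpc": "2.0", "id": json.loads(body)["id"],
                            "error": {"code": -32000, "message": "D1 unavailable"}})
```

An agent calls `preflight` first and treats any `TrustGateError` as a reason to withhold the recommendation instead of retrying without `require_d1`.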

## Contacts

- Security contact: `security@git.top`
- Security policy: https://git.top/.well-known/security.txt
- Integration guide: https://git.top/integrations
