# auth.md

This file documents agent access for Aurelle.

## Anonymous public access

Public browsing resources do not require credentials:

- https://aurelle.shop/
- https://agent.aurelle.shop/llms.txt
- https://agent.aurelle.shop/agents.md
- https://agent.aurelle.shop/.well-known/api-catalog
- https://agent.aurelle.shop/openapi.json
- https://aurelle.shop/.well-known/ucp

Agents can fetch public catalogue, fit, review, policy, and discovery metadata anonymously.

## Registration

Aurelle does not currently issue public API credentials. The registration endpoint at https://agent.aurelle.shop/api/agent/register returns public-read-only metadata.

## Commerce actions

Checkout and payment are handled by Shopify/UCP and require explicit buyer approval. Agents must not complete checkout, payment, or order placement automatically.

## OAuth metadata

- Protected resource metadata: https://agent.aurelle.shop/.well-known/oauth-protected-resource
- Authorization server metadata: https://agent.aurelle.shop/.well-known/oauth-authorization-server

## Revocation

No public bearer credentials are issued, so there is no active public credential revocation flow.
