# auth.md — https://jesseg.io

Agent authentication and API access for jesseg.io surfaces.

## Audience

This document is for AI agents and automated clients that need to discover how to authenticate with jesseg.io APIs.

## Public APIs (https://jesseg.io)

The marketing site exposes a small public API surface. No authentication is required:

- `GET /api/health` — service health and binding check
- `GET /feed.xml`, `GET /sitemap.xml`, `GET /llms.txt`, `GET /entity.json`, `GET /entity.md`
- `GET /index.md`, `GET /*.md` — hand-authored markdown mirrors for marketing pages (Free-plan substitute for Cloudflare Markdown for Agents). Send `Accept: text/markdown` on HTML routes for content negotiation.
- `POST /api/analytics/collect` — first-party analytics (marketing hosts only)

Discovery:

- API catalog: `https://jesseg.io/.well-known/api-catalog`
- OpenAPI: `https://jesseg.io/openapi.json`
- Entity Graph v2 JSON: `https://jesseg.io/entity.json`
- Entity Graph v2 markdown: `https://jesseg.io/entity.md`
- MCP server: `https://jesseg.io/mcp`
- x402 manifest: `https://jesseg.io/.well-known/x402` (reports `configured: true` only when live)
- Playbook catalog: `GET https://jesseg.io/api/playbooks` (free)
- Premium playbooks: `GET https://jesseg.io/api/playbooks/{slug}` (x402 when configured)

## x402 playbook payments

When `GET https://jesseg.io/.well-known/x402` returns `configured: true`:

- `GET /api/playbooks` — free catalog (slug, price, preview URL, tags, relatedEndpoints)
- `GET /api/playbooks/{slug}` — full structured JSON; returns HTTP 402 until paid
- Slugs: phc-system-teardown, ai-citation-network, pdg-install-order, local-services-conversion, grow-a-cleaning-business, speed-to-lead-system, skillframe-practice-loop, shopify-appointments-stack, agent-safety-buyers-guide
- Buyer agents should fetch the manifest, verify facilitator/network/payTo/amount, then retry with `PAYMENT-SIGNATURE`
- Skill: `https://jesseg.io/.well-known/agent-skills/purchase-playbook/SKILL.md`

When `configured: false`, premium routes return 503 — do not claim live x402 support publicly.

## Protected APIs (health.jesseg.io, ops.jesseg.io)

Private health and ops APIs require **Cloudflare Access** authentication in production. Browser sessions are gated at the edge; API requests must include a valid Access session or approved Bearer fallback documented in the site README.

Protected resource metadata:

- Health: `https://health.jesseg.io/.well-known/oauth-protected-resource`
- Ops: `https://ops.jesseg.io/.well-known/oauth-protected-resource`

Authorization server metadata (Cloudflare Access OIDC):

- `https://jesseg.io/.well-known/oauth-authorization-server`
- `https://jesseg.io/.well-known/openid-configuration`

## Agent registration {#verified-email}

jesseg.io does not expose a public self-service agent registration endpoint. Access to protected APIs is provisioned manually via Cloudflare Zero Trust policies for verified email identities.

- Registration instructions: this document (`https://jesseg.io/auth.md`)
- OAuth Protected Resource Metadata: `https://jesseg.io/.well-known/oauth-protected-resource`
- Supported identity type: `verified_email`
- Credential type: `access_token` (Bearer header)

Agents should read `/.well-known/oauth-protected-resource` on the target host before calling protected endpoints.

## Related discovery

| Resource | URL |
|----------|-----|
| API catalog | `https://jesseg.io/.well-known/api-catalog` |
| Agent skills | `https://jesseg.io/.well-known/agent-skills/index.json` |
| MCP server card | `https://jesseg.io/.well-known/mcp/server-card.json` |
| Site context | `https://jesseg.io/llms.txt` |
| Entity Graph v2 JSON | `https://jesseg.io/entity.json` |
| Entity Graph v2 markdown | `https://jesseg.io/entity.md` |
| x402 manifest | `https://jesseg.io/.well-known/x402` |
| Playbook catalog | `https://jesseg.io/api/playbooks` |
