# Auth.md — Alpha Governance Group Auth.md is the machine-readable agent registration and authentication manifest for `https://www.alpha.ac`, served per the [Auth.md proposal](https://workos.com/auth-md). ## Authentication required None. Alpha's public website does not currently require authentication for agent access. All marketing, research, and methodology content is openly readable by AI agents, search crawlers, and humans alike, subject to the preferences declared in `/robots.txt` (Content-Signal: `search=yes`, `ai-input=yes`, `ai-train=no`). ## Agent registration - **Registration URL**: https://www.alpha.ac/.well-known/agent-registration - **Registration contact**: hello@alpha.ac - **Identity types supported**: identity_assertion, anonymous - **Credential types supported**: api_key (issued out of band), oauth2_client_credentials (when partner APIs launch) - **Claim URL**: https://www.alpha.ac/.well-known/agent-registration - **Revocation URL**: https://www.alpha.ac/.well-known/agent-registration - **Public key rotation policy**: https://www.alpha.ac/.well-known/jwks-rotation - **Status**: open registration, manual review, response within 5 business days Agents should fetch the Registration URL, then send the requested identity assertion or anonymous registration context, intended scopes, use case, and callback contact to hello@alpha.ac. Alpha reviews requests manually and issues credentials out of band when partner APIs are available. ### agent_auth (machine-readable) The same metadata is also embedded as a fenced JSON block per the Auth.md proposal so agents can parse it directly from this file without a second fetch. ```json agent_auth { "skill": "https://www.alpha.ac/auth.md", "register_uri": "https://www.alpha.ac/.well-known/agent-registration", "registration_documentation": "https://www.alpha.ac/auth.md", "identity_endpoint": "https://www.alpha.ac/.well-known/agent-registration", "claim_uri": "https://www.alpha.ac/.well-known/agent-registration", "claim_endpoint": "https://www.alpha.ac/.well-known/agent-registration", "revocation_uri": "https://www.alpha.ac/.well-known/agent-registration", "revocation_endpoint": "https://www.alpha.ac/.well-known/agent-registration", "identity_types_supported": ["identity_assertion", "anonymous"], "supported_identity_types": ["identity_assertion", "anonymous"], "credential_types_supported": ["api_key", "oauth2_client_credentials"], "supported_credential_types": ["api_key", "oauth2_client_credentials"], "identity_assertion": { "assertion_types_supported": ["urn:ietf:params:oauth:token-type:id-jag", "verified_email"], "credential_types_supported": ["api_key", "oauth2_client_credentials"] }, "anonymous": { "credential_types_supported": ["api_key"] }, "events_endpoint": "https://www.alpha.ac/.well-known/agent-registration", "events_supported": ["https://schemas.workos.com/events/agent/auth/identity/assertion/revoked"], "contact": "mailto:hello@alpha.ac", "policy_uri": "https://www.alpha.ac/.well-known/jwks-rotation", "key_rotation_policy_uri": "https://www.alpha.ac/.well-known/jwks-rotation", "review_window": "5 business days", "status": "open registration, manual review" } ``` ## Discovery endpoints - API catalog: `/.well-known/api-catalog` (RFC 9727, `application/linkset+json`) - Agent skills index: `/.well-known/agent-skills/index.json` - A2A Agent Card: `/.well-known/agent-card.json` - MCP server card: `/.well-known/mcp/server-card.json` - OpenID configuration: `/.well-known/openid-configuration` (issuer, `jwks_uri`, `op_policy_uri`) - OAuth authorization server: `/.well-known/oauth-authorization-server` (RFC 8414, includes `agent_auth` block with `register_uri`, supported identity and credential types, claim and revocation URLs) - OAuth protected resource: `/.well-known/oauth-protected-resource` (RFC 9728, mirrors the `agent_auth` block) - Agent registration: `/.well-known/agent-registration` (HTTPS registration, claim, and revocation instructions for the `agent_auth` block) - JWKS: `/.well-known/jwks.json` (empty until signing keys are provisioned) - Web Bot Auth signature directory: `/.well-known/http-message-signatures-directory` - JWKS rotation and expiration policy: `/.well-known/jwks-rotation` - DNS-AID records and registrar steps: `/.well-known/dns-aid.md` - Site overview for agents: `/llms.txt` - Sitemap: `/sitemap.xml` - Health: `/api/public/health` - Agent-readiness status report: `/api/public/agent-readiness` (includes the exact computed header set served for every well-known asset, including CSP, HSTS, COOP/COEP/CORP, X-Frame-Options, Permissions-Policy, and CORS preflight headers) ## MCP and protected APIs Alpha publishes a Model Context Protocol server card at `/.well-known/mcp/server-card.json` for the `https://mcp.alpha.ac/mcp` endpoint. Public discovery tools are available for read-only Alpha governance lookups. Alpha Terminal premium tools are pre-launch, limited to approved partners, and require an Alpha-issued API key. Alpha does not currently publish self-service OAuth protected APIs. The `/.well-known/oauth-authorization-server` document already advertises the `agent_auth` block (`skill`, `register_uri`, `identity_types_supported`, `credential_types_supported`, `claim_uri`, `revocation_uri`) so agents can discover the HTTPS registration surface and request manual review today. When partner or institutional APIs launch, the `authorization_endpoint`, `token_endpoint`, and `registration_endpoint` will be promoted from reserved placeholders to live URLs and announced here. ## Contact For partner integrations, agent registration, or programmatic access inquiries: hello@alpha.ac