# auth.md — NURO Agent Authentication

> Machine-readable companion: `/.well-known/oauth-authorization-server`
> Protected resource metadata: `/.well-known/oauth-protected-resource`
> OIDC discovery: `/.well-known/openid-configuration`

NURO is, Inc. operates a client portal at `https://www.nuro.is/portal` that
requires authenticated access. The public marketing site
(`https://www.nuro.is/`) is fully open to AI agents and crawlers — see
`/.well-known/ai.txt` for crawler disclosure and `/llms.txt` for the
agent-readable site description.

## Authorization server

The portal delegates authentication to a Supabase Auth (GoTrue) issuer.
Agents and clients SHOULD fetch the live discovery document rather
than hard-coding endpoints.

- **Issuer**: `https://adbtuyojsyguznmrgbth.supabase.co/auth/v1`
- **Discovery**: `https://www.nuro.is/.well-known/openid-configuration`
- **JWKS**: `https://adbtuyojsyguznmrgbth.supabase.co/auth/v1/.well-known/jwks.json`

## Protected resource

- **Resource identifier**: `https://www.nuro.is/portal`
- **Bearer methods**: `Authorization: Bearer <token>` header
- **Scopes**: `openid profile email phone`
- **Token signing**: RS256, HS256, ES256

## Supported identity types

| Type | Description |
| --- | --- |
| `human_delegated` | A human NURO portal user delegates access to an agent acting on their behalf. Standard OIDC authorization-code flow with PKCE. |
| `service_account` | A machine identity issued by NURO for an agent operating without an end-user. Issued case-by-case after registration. |

## Supported credential types

- `oauth2_client_credentials` — service-account flow, requires registration below
- `oidc_id_token` — human-delegated flow, standard OIDC

## Agent registration

NURO does not yet expose self-service dynamic client
registration (RFC 7591). To register an agent today:

1. Contact `chase@nuro.is` from a domain you control with subject
   "Agent credential request" and include:
   - Agent name and the operator behind it
   - Intended scopes and the data the agent expects to read or write
   - Expected request volume and rate
2. NURO will provision a `client_id` and `client_secret`
   (or register a public key for private_key_jwt) and reply with the
   token endpoint and any redirect-URI allowlist.
3. The first 30 days are observation mode — every request is logged
   under the Decision Log so we can verify behavior before promoting
   the credential to standing access.

A short-form registration intake also lives at
`https://www.nuro.is/contact?intent=agent-registration`.

## Claims, audit, and revocation

- Every authenticated request is recorded against the NURO Decision
  Log — timestamp, identity, scopes, request, response. Audit access
  is available to the agent's operator on request.
- To revoke a credential, email `chase@nuro.is` with subject
  "Agent credential revocation" and the `client_id`. Revocation is
  applied within one business hour.
- Claims metadata, including the Decision Log policy and Truth
  Boundaries that constrain NURO agents responding to
  agent traffic, is described at `https://www.nuro.is/ai-compliance`.

## agent_auth (machine-readable)

The block below is the canonical `agent_auth` metadata for
NURO. It mirrors the `agent_auth` extension inside
`/.well-known/oauth-authorization-server` so agents that fetch
`/auth.md` alone still get everything they need.

```json agent_auth
{
  "agent_auth": {
    "skill": "https://www.nuro.is/auth.md",
    "identity_endpoint": "https://www.nuro.is/contact?intent=agent-registration",
    "claim_endpoint": "https://www.nuro.is/contact?intent=agent-registration",
    "events_endpoint": "mailto:chase@nuro.is?subject=Agent%20credential%20event",
    "identity_types_supported": ["identity_assertion", "service_auth"],
    "identity_assertion": {
      "assertion_types_supported": [
        "urn:ietf:params:oauth:token-type:id-jag"
      ]
    },
    "events_supported": [
      "https://schemas.workos.com/events/agent/auth/identity/assertion/revoked"
    ],
    "register_uri": "https://www.nuro.is/contact?intent=agent-registration",
    "registration_contact": "mailto:chase@nuro.is?subject=Agent%20credential%20request",
    "supported_identity_types": ["human_delegated", "service_account"],
    "supported_credential_types": ["oauth2_client_credentials", "oidc_id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token", "client_credentials"],
    "scopes_supported": ["openid", "profile", "email", "phone"],
    "token_endpoint_auth_methods_supported": [
      "client_secret_basic",
      "client_secret_post",
      "none"
    ],
    "claims_uri": "https://www.nuro.is/auth.md",
    "claims_documentation": "https://www.nuro.is/ai-compliance",
    "revocation_uri": "mailto:chase@nuro.is?subject=Agent%20credential%20revocation",
    "revocation_sla_hours": 1,
    "audit": {
      "decision_log": true,
      "description": "Every authenticated agent request is recorded in the NURO Decision Log — timestamp, identity, scopes, request, response — and made available to the agent's operator on request."
    },
    "issuer": "https://adbtuyojsyguznmrgbth.supabase.co/auth/v1",
    "resource": "https://www.nuro.is/portal",
    "authorization_servers": [
      "https://adbtuyojsyguznmrgbth.supabase.co/auth/v1"
    ],
    "discovery": {
      "openid_configuration": "https://www.nuro.is/.well-known/openid-configuration",
      "oauth_authorization_server": "https://www.nuro.is/.well-known/oauth-authorization-server",
      "oauth_protected_resource": "https://www.nuro.is/.well-known/oauth-protected-resource"
    },
    "contact": "chase@nuro.is",
    "operator": "NURO is, Inc."
  }
}
```

## Contact

- Email: `chase@nuro.is`
- Phone: `+1-813-547-6876`
- Operator: NURO is, Inc., Fort Myers, FL, US
