# auth.md — Meta-analysis360

Audience: AI agents, integrators, and automation authors.

## Protected Resource Metadata

- RFC 9728: https://meta-analysis360.com/.well-known/oauth-protected-resource
- Resource identifier: https://meta-analysis360.com/api

## Access model (today)

Meta-analysis360 is a **human-in-the-loop** systematic review workspace. Researchers sign in through a **web browser** (Google, GitHub, or email magic link). The server issues a **session cookie** (NextAuth). There is **no bearer-token or OAuth authorization-server flow** for third-party agents to call research APIs programmatically.

## What agents may call without sign-in

Only the **public** endpoints documented in our API catalog:

- API catalog (RFC 9727): https://meta-analysis360.com/.well-known/api-catalog
- OpenAPI (public surface): https://meta-analysis360.com/.well-known/openapi.json
- Human API overview: https://meta-analysis360.com/docs/api
- Health check: https://meta-analysis360.com/api/health
- Agent skills index: https://meta-analysis360.com/.well-known/agent-skills/index.json

Do **not** send study libraries, protocols, abstracts, or personal data to these endpoints.

## Protected APIs

Routes under `/api/projects`, `/api/agent`, `/api/account`, and `/api/billing` require an authenticated human session. Unauthenticated requests receive **401** with `WWW-Authenticate` pointing to Protected Resource Metadata. Cross-tenant access is denied server-side.

## Agent registration

### Supported methods

| Method | Status | How it works |
| --- | --- | --- |
| Public API (anonymous) | **Available** | Call health/status/waitlist without registration |
| Human browser session | **Available** | User signs in at /login; session cookie for workspace APIs |
| OAuth bearer / agent_auth | **Not available** | No automated token issuance for agents today |
| Enterprise API partnership | **By invitation** | Contact support after waitlist or email |

### Registration / provisioning endpoints

- **Partnership waitlist (JSON):** `POST https://meta-analysis360.com/api/waitlist`
  - Body: `{ fullName, email, institution, useCase }` — describe your agent integration in `useCase`
- **Human sign-in (browser):** https://meta-analysis360.com/login
- **Operator email:** mailto:noreply@meta-analysis360.com?subject=Agent%20API%20partnership

There is **no** `POST /agent/auth` or other unattended agent registration endpoint.

### Credential use

- **Public endpoints:** no credential required
- **Research APIs:** NextAuth session cookie after human sign-in — not suitable for unattended agents
- **Future bearer tokens:** will be advertised in `authorization_servers` when available

## Related discovery

- Product summary for crawlers: https://meta-analysis360.com/llms.txt
- Security contact: https://meta-analysis360.com/.well-known/security.txt
- OAuth PRM path: /.well-known/oauth-protected-resource

