# Agent Authentication — VertexScan

**The VertexScan API is public.** There is no OAuth/OIDC registration, no API key,
and no agent account to create.

## How access works
- **Endpoint:** `POST https://vertexelite.org/api/scan`
- **Anti-abuse, not authentication:** each request must carry a valid
  [Cloudflare Turnstile](https://www.cloudflare.com/products/turnstile/) token
  (`cfToken`) obtained from the widget on https://vertexelite.org/scan, and is
  **rate-limited per IP**. This is bot-mitigation, not identity.
- No bearer tokens, no `client_id`/`client_secret`, no `register_uri`.

## Why no OAuth discovery documents
Because the API is genuinely unauthenticated, we deliberately do **not** publish
`/.well-known/openid-configuration`, `/.well-known/oauth-authorization-server`, or
`/.well-known/oauth-protected-resource` — advertising OAuth endpoints that don't
exist would mislead agents. If a protected API is added later, those documents
will be published per RFC 8414 / RFC 9728.

## Discovery
- API catalog: `/.well-known/api-catalog` (RFC 9727)
- OpenAPI: `/.well-known/openapi.json`
- MCP server card: `/.well-known/mcp/server-card.json`
- Human + agent docs: `/docs/api`

## Responsible use
Scan only hosts you own or are authorized to test. Private/internal/reserved
targets are refused.
