# TianJi Health auth.md

This document describes the current third-party AI agent authentication boundary for TianJi Health.

## Audience

This policy is for **third-party AI agents** (tool-calling assistants, MCP clients, automated browsers) that want to discover or use this site programmatically.

## Current status

- TianJi Health does **not** offer third-party agent registration or OAuth client onboarding.
- There is **no** public `register_uri` and **no** agent credential issuance endpoint.
- Public agents may read public discovery documents and public browsing surfaces only.
- First-party human users authenticate through the site login/register UI (session cookies), not via agent OAuth.

## Agent registration

| Topic | Status |
|---|---|
| Third-party agent registration | **Not available** |
| OAuth / OIDC authorization server metadata | **Not published** (no agent OAuth AS on this origin) |
| OAuth protected resource metadata | **Not published** (no agent-facing protected API surface advertised for third parties) |
| Supported identity types for agents | **None** (anonymous public read only) |
| Credential types for agents | **None** |

If agent registration is added later, this document will list the `register_uri`, supported identity types, credential types, and claim/revocation URLs. Until then, agents must not attempt to create accounts or request user credentials.

## Public unauthenticated discovery

- Homepage: http://tianji-health.com/
- robots.txt: http://tianji-health.com/robots.txt
- Sitemap: http://tianji-health.com/sitemap.xml
- LLM summary: http://tianji-health.com/llms.txt
- LLM full context: http://tianji-health.com/llms-full.txt
- This auth boundary: http://tianji-health.com/auth.md
- API catalog: http://tianji-health.com/.well-known/api-catalog
- MCP server card: http://tianji-health.com/.well-known/mcp/server-card.json
- Agent skills: http://tianji-health.com/.well-known/agent-skills/index.json

## Content negotiation

Homepage requests that include `Accept: text/markdown` may receive a Markdown briefing (`Content-Type: text/markdown`) instead of HTML. HTML remains the default for browsers.

## Public read API boundary

TianJi Health does not currently advertise public read API endpoints for third-party agents.

## Protected actions

Private user actions, billing, admin operations, and write APIs require first-party authentication. Third-party agents should not request user credentials or automate protected actions unless an explicit authorization flow is published in this document and the matching OAuth metadata endpoints.

## Contact

Human operators: http://tianji-health.com/contact
