# BUREAU auth.md

BUREAU exposes public discovery metadata for agents that need to read public
resources or request access to protected Studio and diagnostic workflows.

## Audience

Agents acting for fashion houses, buyers, market researchers, press teams, or
operators may use the public BUREAU resources without authentication:

- `GET /openapi.json`
- `GET /.well-known/api-catalog`
- `GET /api/agenda/public`
- `POST /api/requests`

Protected diagnostic shares, Studio workspace APIs, and backoffice APIs require
user authentication and role checks.

## OAuth Discovery

- Protected resource metadata: `/.well-known/oauth-protected-resource`
- Authorization server metadata: `/.well-known/oauth-authorization-server`
- OpenID Connect metadata: `/.well-known/openid-configuration`

BUREAU uses Supabase Auth for user login when `NUXT_PUBLIC_SUPABASE_URL` is
configured. Agents should use the advertised authorization server metadata and
request only the scopes required for the task.
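The discovery flow described above, as an added example that is not BUREAU's own client code: an agent resolves the protected resource metadata, follows it to the advertised authorization server, and trims its scope request to what the task needs. Field names follow RFC 9728 (protected resource metadata) and RFC 8414 (authorization server metadata); the hostnames, scope names and sample documents are constructed for offline use and are not BUREAU's real values.

```python
"""Resolve OAuth discovery metadata and choose a minimal scope set.

Added example, not BUREAU's own code. Field names follow RFC 9728 and
RFC 8414; the sample documents and hostnames below are constructed.
"""
import json
from typing import Callable, Dict, List

# Well-known paths advertised by BUREAU.
PROTECTED_RESOURCE_PATH = "/.well-known/oauth-protected-resource"
AUTH_SERVER_PATH = "/.well-known/oauth-authorization-server"

# Constructed sample documents standing in for live responses (offline).
SAMPLE_DOCS: Dict[str, str] = {
    "https://bureau.example" + PROTECTED_RESOURCE_PATH: json.dumps({
        "resource": "https://bureau.example",
        "authorization_servers": ["https://auth.bureau.example"],
        "scopes_supported": ["agenda:read", "requests:write", "studio:read"],
        "bearer_methods_supported": ["header"],
    }),
    "https://auth.bureau.example" + AUTH_SERVER_PATH: json.dumps({
        "issuer": "https://auth.bureau.example",
        "authorization_endpoint": "https://auth.bureau.example/authorize",
        "token_endpoint": "https://auth.bureau.example/token",
        "scopes_supported": ["openid", "agenda:read", "requests:write",
                             "studio:read", "studio:write"],
    }),
}


def offline_fetch(url: str) -> str:
    """Fetcher over the constructed documents; swap in urllib for live use."""
    return SAMPLE_DOCS[url]


def fetch_json(url: str, fetch: Callable[[str], str]) -> dict:
    """Fetch and parse a discovery document, refusing plain-HTTP URLs."""
    if not url.startswith("https://"):
        raise ValueError(f"refusing non-HTTPS discovery URL: {url}")
    return json.loads(fetch(url))


def discover(resource_origin: str, fetch: Callable[[str], str] = offline_fetch) -> dict:
    """Return resource and authorization server metadata for an origin.

    Both documents are checked against the URL they were fetched from, so a
    document that describes a different resource or issuer is rejected.
    """
    prm = fetch_json(resource_origin + PROTECTED_RESOURCE_PATH, fetch)
    if prm.get("resource") != resource_origin:
        raise ValueError("protected resource metadata does not describe this origin")
    servers = prm.get("authorization_servers") or []
    if not servers:
        raise ValueError("no authorization server advertised")
    issuer = servers[0]
    asm = fetch_json(issuer + AUTH_SERVER_PATH, fetch)
    if asm.get("issuer") != issuer:
        raise ValueError("issuer mismatch in authorization server metadata")
    return {"resource": prm, "authorization_server": asm}


def minimal_scopes(meta: dict, needed: List[str]) -> List[str]:
    """Keep only the scopes the task needs that the server (and, when the
    resource lists them, the resource) actually supports."""
    supported = set(meta["authorization_server"].get("scopes_supported", []))
    resource_scopes = meta["resource"].get("scopes_supported")
    if resource_scopes is not None:
        supported &= set(resource_scopes)
    missing = [s for s in needed if s not in supported]
    if missing:
        raise ValueError(f"scopes not supported for this resource: {missing}")
    return sorted(set(needed))


if __name__ == "__main__":
    meta = discover("https://bureau.example")
    print(meta["authorization_server"]["token_endpoint"])
    print(minimal_scopes(meta, ["agenda:read"]))
```

The issuer and resource checks are the part worth keeping in a real client: they tie each document to the URL it was fetched from, so the agent never takes a token endpoint from a document the resource did not advertise.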

## Agent Registration

Self-service agent registration is not open. Agents that need protected access
must contact BUREAU and identify:

- the human or organization they act for,
- the intended BUREAU resource,
- the requested scopes,
- the redirect URI or credential flow they intend to use.

Registration contact: `app@bureau.house`

## Credential Use

Use bearer tokens only over HTTPS and send them with the `Authorization` header:

```http
Authorization: Bearer <access-token>
```

Do not send bearer tokens in query strings or logs.
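The two rules above (HTTPS only, header only, never in query strings or logs), as an added example that is not BUREAU's own code. The token value is a constructed placeholder, and the redaction patterns are the author's illustration, not something BUREAU ships.

```python
"""Send a bearer token only over HTTPS in the Authorization header, and keep
it out of query strings and log lines.

Added example, not BUREAU's own code. PLACEHOLDER_TOKEN is constructed.
"""
import re
import urllib.request
from urllib.parse import parse_qs, urlsplit

PLACEHOLDER_TOKEN = "constructed-example-token-000"  # not a real credential


def bearer_headers(url: str, token: str) -> dict:
    """Build the Authorization header, refusing plain-HTTP destinations and
    URLs that already carry a token in the query string."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"bearer tokens must only be sent over HTTPS, got {parts.scheme}://")
    if "access_token" in parse_qs(parts.query):
        raise ValueError("token must not appear in the query string")
    return {"Authorization": f"Bearer {token}"}


def build_request(url: str, token: str, method: str = "GET") -> urllib.request.Request:
    """Prepare (but do not send) a request carrying the bearer token."""
    return urllib.request.Request(url, headers=bearer_headers(url, token), method=method)


# token68 character set from RFC 6750 for the header form, plus the common
# query-string parameter names, so both shapes are masked before logging.
_BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9\-._~+/]+=*", re.IGNORECASE)
_QUERY_RE = re.compile(r"([?&](?:access_token|token)=)[^&\s]+")


def redact(line: str) -> str:
    """Mask bearer tokens in header values and query strings before logging."""
    line = _BEARER_RE.sub(r"\1[REDACTED]", line)
    return _QUERY_RE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    req = build_request("https://bureau.example/api/requests", PLACEHOLDER_TOKEN, "POST")
    print(redact(f"{req.get_method()} {req.full_url} Authorization: {req.get_header('Authorization')}"))
```

Run `redact` over any line that might contain a request header or URL before it reaches a logger; the header check and the query-string check in `bearer_headers` catch the two mistakes the text warns about before the request is ever built.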
