# Auth.md — Tashkeel Agent Authentication

> Machine-readable registration & authentication instructions for AI agents.
> Spec: https://github.com/workos/auth.md

**Service:** Tashkeel (تَشْكِيلٌ) — 3D printing platform, Egypt
**Site:** https://tashkeel.pro
**Support:** support@tashkeel.pro

---

## agent_auth

```json
{
  "register_uri": "https://tashkeel.pro/auth",
  "login_uri": "https://tashkeel.pro/auth",
  "documentation_uri": "https://tashkeel.pro/auth.md",
  "revocation_uri": "https://cfvunxcoomhbgkodpxhe.supabase.co/auth/v1/logout",
  "authorization_server": "https://tashkeel.pro/.well-known/oauth-authorization-server",
  "protected_resource": "https://tashkeel.pro/.well-known/oauth-protected-resource",
  "openid_configuration": "https://tashkeel.pro/.well-known/openid-configuration",
  "jwks_uri": "https://cfvunxcoomhbgkodpxhe.supabase.co/auth/v1/.well-known/jwks.json",
  "supported_identity_types": ["human"],
  "supported_credential_types": ["password", "oauth_google", "bearer_jwt", "api_key_anon"],
  "claims_supported": ["sub", "email", "email_verified", "role", "aud", "exp", "iat"],
  "scopes_supported": ["openid", "email", "profile"],
  "grant_types_supported": ["password", "refresh_token", "authorization_code"],
  "token_endpoint_auth_methods_supported": ["client_secret_post", "none"],
  "code_challenge_methods_supported": ["S256"],
  "machine_registration": false,
  "contact": "support@tashkeel.pro"
}
```



## Identity types supported

- `human` — end users (customers, partners, admins) authenticated via Supabase Auth.

Autonomous machine/agent accounts are **not currently issued**. Agents must act on
behalf of a human user using that user's credentials or an OAuth-issued bearer token.

## Credential types supported

| Type             | Description                                                          |
| ---------------- | -------------------------------------------------------------------- |
| `password`       | Email + password via Supabase Auth.                                  |
| `oauth_google`   | Google OAuth (managed via Lovable Cloud auth bridge).                |
| `bearer_jwt`     | Supabase-issued JWT, sent as `Authorization: Bearer <token>`.        |
| `api_key_anon`   | Public anon key for read-only, RLS-restricted endpoints. Embedded in the SPA bundle and sent in the `apikey` header. |

## Registration

- **Human signup:** https://tashkeel.pro/auth
- **Login:** https://tashkeel.pro/auth
- **Password reset:** https://tashkeel.pro/forgot-password
- **Partner application (manual review):** https://tashkeel.pro/become-partner

There is no public, programmatic agent-registration endpoint.

## OAuth & OpenID Connect

- Discovery: https://tashkeel.pro/.well-known/openid-configuration
- Authorization server metadata: https://tashkeel.pro/.well-known/oauth-authorization-server
- Protected resource metadata: https://tashkeel.pro/.well-known/oauth-protected-resource

Issuer: `https://cfvunxcoomhbgkodpxhe.supabase.co/auth/v1`
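
A client-side sanity check an agent can run on the `agent_auth` metadata before sending credentials anywhere. This is an added example, not Tashkeel's own code: the function names and the choice of checks are assumptions, and the sample values are a subset copied from this page.

```python
import json
from urllib.parse import urlsplit

# Values copied from the agent_auth block and Issuer line on this page.
SITE = "https://tashkeel.pro"
ISSUER = "https://cfvunxcoomhbgkodpxhe.supabase.co/auth/v1"
AGENT_AUTH = json.loads("""{
  "register_uri": "https://tashkeel.pro/auth",
  "login_uri": "https://tashkeel.pro/auth",
  "revocation_uri": "https://cfvunxcoomhbgkodpxhe.supabase.co/auth/v1/logout",
  "jwks_uri": "https://cfvunxcoomhbgkodpxhe.supabase.co/auth/v1/.well-known/jwks.json",
  "supported_identity_types": ["human"],
  "code_challenge_methods_supported": ["S256"],
  "machine_registration": false,
  "contact": "support@tashkeel.pro"
}""")

def origin(url):
    """Scheme and host of a URL (hypothetical helper for this example)."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

def check_agent_auth(meta, site=SITE, issuer=ISSUER):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    allowed = {origin(site), origin(issuer)}
    for key, value in meta.items():
        if not key.endswith("_uri"):
            continue
        if urlsplit(value).scheme != "https":
            findings.append(f"{key}: not https")
        elif origin(value) not in allowed:
            findings.append(f"{key}: unexpected origin {urlsplit(value).netloc}")
    # Key material and logout must live under the issuer path itself.
    for key in ("jwks_uri", "revocation_uri"):
        if not meta.get(key, "").startswith(issuer + "/"):
            findings.append(f"{key}: not under issuer")
    # PKCE: accept S256 only, so a downgrade to "plain" is flagged.
    if meta.get("code_challenge_methods_supported") != ["S256"]:
        findings.append("code_challenge_methods_supported: expected only S256")
    # No machine identities are issued, so the two fields must agree.
    if meta.get("machine_registration") or meta.get("supported_identity_types") != ["human"]:
        findings.append("identity: metadata claims machine accounts")
    return findings

if __name__ == "__main__":
    print(check_agent_auth(AGENT_AUTH) or "metadata consistent with the page")
```

Any non-empty result means the fetched metadata disagrees with what this page documents, and the agent should stop before attaching a password, bearer JWT or API key to a request.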

## Public API

- OpenAPI: https://tashkeel.pro/.well-known/openapi.json
- API catalog: https://tashkeel.pro/.well-known/api-catalog
- Agent skills: https://tashkeel.pro/.well-known/agent-skills/index.json

Public endpoints (materials, pricing, marketplace, instant quote) accept the
anon API key alone. All write operations and user-scoped reads require a
bearer JWT issued by Supabase Auth.

## Revocation

Sessions can be revoked by the user from their profile, or by signing out:
`POST https://cfvunxcoomhbgkodpxhe.supabase.co/auth/v1/logout`

## Contact

For abuse reports, agent-registration questions, or partnership inquiries:
**support@tashkeel.pro**
