# auth.md

You are an agent reading the Toolbound Stack `auth.md`. This service publishes an agent-readable setup and handoff surface.

Important status: automated agent credential registration is not enabled yet. Do not attempt to register for API credentials. Use the public setup and handoff resources below, then ask the user to connect services in their own account.

Resource server: `https://toolbound.dev`
Authorization server: `https://toolbound.dev`

## Step 1 - Discover

Fetch the Protected Resource Metadata:

```http
GET https://toolbound.dev/.well-known/oauth-protected-resource
```

Then fetch the Authorization Server metadata:

```http
GET https://toolbound.dev/.well-known/oauth-authorization-server
```

The `agent_auth.status` field is currently `not_enabled`. Treat the metadata and this file as discovery and documentation, not as a credential-issuing flow.
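An agent can apply the Step 1 results fail-closed, as in the following added example (not Toolbound's own code). It assumes `agent_auth` is a top-level object in the authorization server metadata; the `resource`, `authorization_servers` and `issuer` fields are the standard RFC 9728 and RFC 8414 names, and every reason string other than `registration_not_enabled` is hypothetical.

```javascript
// Added example, not Toolbound's code. Inputs are already-parsed JSON documents.
const EXPECTED = "https://toolbound.dev"; // resource and authorization server, per this page
const HANDOFF = [`${EXPECTED}/setup`, `${EXPECTED}/handoff`];

const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function evaluateDiscovery(prm, asMeta) {
  // Untrusted metadata: stop, and do not follow any URL it contains.
  const stop = (reason) => ({ trusted: false, mayRegister: false, reason, next: [] });
  // Trusted metadata, but no credential flow: fall back to the public pages.
  const handoff = (reason) => ({ trusted: true, mayRegister: false, reason, next: HANDOFF });

  if (!isObj(prm) || !isObj(asMeta)) return stop("malformed_metadata");
  // RFC 9728: `resource` must be identical to the identifier that was queried.
  if (prm.resource !== EXPECTED) return stop("resource_mismatch");
  // The authorization server must be one the resource itself lists.
  const servers = prm.authorization_servers;
  if (!Array.isArray(servers) || !servers.includes(EXPECTED)) return stop("authorization_server_not_listed");
  // RFC 8414: `issuer` must be identical to the identifier that was queried.
  if (asMeta.issuer !== EXPECTED) return stop("issuer_mismatch");

  // Assumption: `agent_auth` is a top-level object in the authorization server metadata.
  const status = isObj(asMeta.agent_auth) ? asMeta.agent_auth.status : undefined;
  if (status === "not_enabled") return handoff("registration_not_enabled");
  // Missing or undocumented status: fail closed rather than guess at a flow.
  return handoff(typeof status === "string" ? "unknown_agent_auth_status" : "agent_auth_status_missing");
}

// Constructed sample documents (not captured from the live service).
const samplePrm = { resource: EXPECTED, authorization_servers: [EXPECTED] };
const sampleAs = { issuer: EXPECTED, agent_auth: { status: "not_enabled" } };
// Constructed mismatch: a look-alike issuer claiming a status this page does not define.
const spoofedAs = { issuer: "https://toolbound.dev.example", agent_auth: { status: "enabled" } };

console.log(evaluateDiscovery(samplePrm, sampleAs));
console.log(evaluateDiscovery(samplePrm, spoofedAs));
```

`mayRegister` is `false` on every path because this page accepts no registration methods today.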

## Step 2 - Pick a method

No agent credential registration methods are currently accepted.

Supported today:

- Read setup status at `https://toolbound.dev/setup`.
- Read and copy the agent handoff prompt at `https://toolbound.dev/handoff`.
- Use the buyer-owned repo docs after purchase: `FIRST_RUN.md`, `START_HERE.md`, `AGENTS.md`, `CLAUDE.md`, and `docs/codebase-map.md`.

Unsupported today:

- `identity_assertion + id-jag`
- `identity_assertion + verified_email`
- `anonymous`
- OTP claim ceremony
- API key issuing
- access token issuing

## Step 3 - Register

Registration is not enabled.

If you need to help a user configure Toolbound Stack, direct them to:

```text
https://toolbound.dev/setup
https://toolbound.dev/handoff
```

Do not ask the user to paste secrets into chat. Real keys belong in `.env.local` locally and in the deployment host's secret manager for production.

## Step 4 - Claim ceremony

No claim ceremony is supported yet.

## Step 5 - Use the credential

No agent credential is issued yet.

When automated registration is implemented, credentials will be presented as:

```http
Authorization: Bearer <credential>
```

Until then, operate through the buyer-owned repo and public setup/handoff pages.

## Errors

| Code | Where | What to do |
| --- | --- | --- |
| `registration_not_enabled` | any future `/agent/auth` endpoint | Stop and use `/setup` or `/handoff`. |
| `unsupported_registration_method` | discovery / registration | Do not retry. No registration methods are enabled yet. |
| `missing_user_context` | setup assistance | Ask the user what product they are building before changing the repo. |
| `secret_in_chat` | setup assistance | Tell the user to move secrets to `.env.local` or deployment secrets. |

## Operational resources

- Setup dashboard: https://toolbound.dev/setup
- Agent handoff prompt: https://toolbound.dev/handoff
- LLM context file: https://toolbound.dev/llms.txt
- Toolbound service manifest: https://toolbound.dev/.well-known/toolbound.json
- Product page: https://toolbound.dev/
- Support: hello@toolbound.dev

## Security notes

- Toolbound is a boilerplate and buyer-owned codebase, not managed hosting.
- Buyers own their API keys, deployment, customer data, and compliance obligations.
- Agents should preserve Stripe signature verification, webhook idempotency, Postgres persistence, Resend delivery, usage metadata, operational events, and setup checks.
- Run `npm run verify` before shipping changes.
