# Authentication

אילה עטיה (https://ayala-attia.co.il) is a **public, anonymous, read-only** website. No
authentication, API key, OAuth flow, or account is required to access any
content. Agents may read every page freely.

```json
{
  "auth_required": false,
  "identity_types_supported": ["anonymous"],
  "access": "public-read-only",
  "rate_limits": "none (static content)"
}
```

## How an agent should consume this site

1. Read `/llms.txt` for a concise, structured summary.
2. Read the homepage JSON-LD (`application/ld+json`) for machine-readable identity.
3. Discover capabilities via `/.well-known/agent-card.json`.
4. To act on a visitor's behalf, use the published contact / booking channels
   listed in the agent card and `/developers.md`.

There is nothing to authenticate against because there is no API to protect —
this declaration exists so agents can confirm the open posture programmatically.

## Programmatic surface (round 3)

The public API (`/api/v1/*`), the NLWeb `/ask` endpoint, and the MCP server
(`/api/mcp`) are all **anonymous** — no key, token, or OAuth flow. The RFC 8414
descriptor at `/.well-known/oauth-authorization-server` carries an `agent_auth`
block declaring `identity_types_supported: ["anonymous"]`; the RFC 9728
protected-resource metadata points its `authorization_servers` at this same
origin so the walkthrough resolves end-to-end and confirms: nothing to
authenticate against.

```bash
curl https://ayala-attia.co.il/.well-known/oauth-authorization-server | jq .agent_auth
```
