# Investment Bets auth.md

This document describes the authentication model for agents and automated clients.

## Resource

- Web app: `https://investment-bets.com`
- API resource server: `https://api.investment-bets.com`

## Supported Authentication

Investment Bets currently uses first-party email/password accounts and JWT sessions stored in an HttpOnly cookie named `auth_token`.

OAuth, OIDC, dynamic client registration, bearer-token provisioning, and machine-to-machine API keys are not currently supported.

## Account Flow

1. Register with `POST https://api.investment-bets.com/register`. This only creates the account; it does not set a session cookie.
2. Log in with `POST https://api.investment-bets.com/login`.
3. Preserve cookies from the login response.
4. Send subsequent API requests with credentials/cookies included.
5. End the session with `POST https://api.investment-bets.com/logout`.
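The five steps above, as an added example that is not the project's own client code: a Python client that keeps the session in a cookie jar and reports the attributes of the cookies set on login without ever returning the `auth_token` value. It assumes JSON request bodies with `email` and `password` fields for `/login`, and the `Secure`/`SameSite` checks go beyond what this document states (it only specifies HttpOnly); the sample cookie headers in the comments are constructed.

```python
import json
import urllib.request
from http.cookiejar import CookieJar

API = "https://api.investment-bets.com"
SESSION_COOKIE = "auth_token"


def check_set_cookie(header):
    """Report the attributes of one Set-Cookie header; the cookie value itself is never returned."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True
    return {
        "name": name,
        "is_session_cookie": name == SESSION_COOKIE,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": attrs.get("samesite"),
    }


class SessionClient:
    """Walks the Account Flow with a cookie jar, so the agent never handles auth_token directly."""

    def __init__(self, base=API):
        self.base = base
        self.jar = CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))

    def _post(self, path, body=None):
        data = json.dumps(body).encode() if body is not None else b""
        req = urllib.request.Request(self.base + path, data=data, method="POST",
                                     headers={"Content-Type": "application/json"})
        with self.opener.open(req) as resp:  # HTTPCookieProcessor stores Set-Cookie into self.jar
            return resp.status, resp.headers.get_all("Set-Cookie") or []

    def login(self, email, password):
        # Assumption: /login accepts a JSON body with "email" and "password" fields.
        status, cookies = self._post("/login", {"email": email, "password": password})
        return status, [check_set_cookie(c) for c in cookies]

    def has_session(self):
        return any(c.name == SESSION_COOKIE for c in self.jar)

    def logout(self):
        return self._post("/logout")[0]
```

`login()` returns only the parsed attribute report, so an agent can confirm the session was established (and that the cookie is HttpOnly) without surfacing the token to the user.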

## Agent Rules

- Only create accounts, log in, open bets, close bets, follow users, manage billing, or link Telegram after explicit user instruction.
- Never ask users to paste the HttpOnly cookie.
- Do not call Stripe or Telegram webhook endpoints.
- For read-only discovery, prefer `/llms.txt`, `/openapi.json`, and `/.well-known/api-catalog`.

## Scopes

No OAuth scopes are defined. Authorization is based on the authenticated user session.
