# CanAgentUse Agent Authentication

CanAgentUse accepts agent registration through OAuth/OIDC discovery metadata and account API keys.

## Register an agent

1. Create or sign in to a CanAgentUse account at https://canagentuse.com/account.
2. Generate an API key from https://canagentuse.com/account/api-keys for server-to-server scan access, or use OAuth authorization code with PKCE for delegated user access.
3. Discover OAuth metadata at https://canagentuse.com/.well-known/oauth-authorization-server.
4. Discover protected resource metadata at https://canagentuse.com/.well-known/oauth-protected-resource.
5. Send account API keys as `Authorization: Bearer <key>` or `x-api-key: <key>`.

## Agent auth metadata

- Register URI: https://canagentuse.com/auth.md
- Supported identity types: human_delegated, service_agent
- Credential types: oauth2_authorization_code_pkce, api_key_bearer
- Claims URL: https://canagentuse.com/.well-known/oauth-protected-resource
- Revocation URL: https://canagentuse.com/api/auth/logout

Use the least-privileged scope required for the task. Current public scopes are `scan:read` and `scan:write`.