# Xquik auth.md

Xquik supports agent registration for MCP access through OAuth 2.1 Dynamic Client Registration.

## Discovery

- OAuth protected resource metadata: https://xquik.com/.well-known/oauth-protected-resource
- OAuth authorization server metadata: https://xquik.com/.well-known/oauth-authorization-server
- MCP manifest: https://xquik.com/.well-known/mcp.json
- Agent index: https://xquik.com/.well-known/agent-index.json

## Register an OAuth client

Agents can register an anonymous OAuth client at:

```http
POST https://xquik.com/api/oauth/register
Content-Type: application/json
```

Use the returned client id with Authorization Code + PKCE. The user claims access during authorization.

## Request access

Authorize the registered client with scope `mcp:tools`, then exchange the authorization code for an access token.

- Authorization endpoint: https://xquik.com/api/oauth/authorize
- Token endpoint: https://xquik.com/api/oauth/token
- Revocation endpoint: https://xquik.com/api/oauth/revoke

Send MCP access tokens with the HTTP `Authorization: Bearer <token>` header.

## REST API keys

REST API access uses Xquik API keys created by a signed-in user from the dashboard or authenticated API key endpoint. Agents that need REST API access should ask the user to provision an API key.

## Identity methods

Xquik currently supports anonymous OAuth client registration for agent access. Other agent registration profiles are outside the current public contract.