# Dominion Observatory — auth.md

Runtime trust scores, liveness checks and signed receipts for MCP servers.
Verify a server before your agent calls it. This file tells your agent how to
register for a key with no human in the loop.

## Supported flow

- `anonymous` — claim a sandboxed trial key instantly, no email, no browser.
  Rate-limited and capped; meant for an agent to start verifying right away.

(ID-JAG / verified-email flows are not offered yet. Only `anonymous` works today.)

## Discover

- Protected Resource Metadata: `https://www.dominionobservatory.com/.well-known/oauth-protected-resource`
- Authorization Server Metadata: `https://www.dominionobservatory.com/.well-known/oauth-authorization-server`

## Register (one call)

```http
POST https://www.dominionobservatory.com/agent/auth
Content-Type: application/json

{ "type": "anonymous", "requested_credential_type": "api_key" }
```

Response:

```json
{ "api_key": "do_dev_...", "credential_type": "api_key",
  "scopes": ["trust:read"], "trial_limit": 50, "credential_expires": null }
```

## Use

```http
GET https://www.dominionobservatory.com/agent-query/<server-name-or-url>
Authorization: Bearer do_dev_...
```

Returns a trust verdict (PASS / UNCERTAIN / FAIL), score, latency and a signed
receipt id you can verify at `https://www.dominionobservatory.com/v1/verify-receipt`.
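
An agent-side gate built on the two calls above, as an added example (not Dominion Observatory's own code): it validates the registration response, tracks the trial budget locally, percent-encodes the target into the path, and fails closed on anything but PASS. The `verdict` response field name, the service accepting a percent-encoded target, and the names `TrialKey` and `allow_call` are assumptions; the sample key is constructed.

```python
import json
from urllib.parse import quote

BASE = "https://www.dominionobservatory.com"
# Constructed sample shaped like the registration response above (key is fake).
SAMPLE_REGISTRATION = ('{"api_key": "do_dev_CONSTRUCTED", "credential_type": "api_key",'
                       ' "scopes": ["trust:read"], "trial_limit": 50, "credential_expires": null}')

class TrialKey:
    """Credential from POST /agent/auth plus a local count of checks left."""

    def __init__(self, registration_json: str):
        reg = json.loads(registration_json)
        if reg.get("credential_type") != "api_key" or not reg.get("api_key"):
            raise ValueError("registration did not return an api_key")
        if "trust:read" not in (reg.get("scopes") or []):
            raise ValueError("key lacks the trust:read scope")
        self._key = reg["api_key"]
        self.remaining = int(reg.get("trial_limit") or 0)

    def __repr__(self):
        # Keep the secret out of logs and tracebacks.
        return f"TrialKey(remaining={self.remaining})"

    def build_query(self, target: str):
        """Return (url, headers) for one trust check and spend one trial call."""
        if self.remaining <= 0:
            raise RuntimeError("trial budget exhausted")
        self.remaining -= 1
        # The target may itself be a URL: encode every reserved character so it
        # stays a single path segment (assumes the service accepts this form).
        url = f"{BASE}/agent-query/{quote(target, safe='')}"
        return url, {"Authorization": f"Bearer {self._key}"}

def allow_call(response_json: str, accept_uncertain: bool = False) -> bool:
    """Fail closed: only PASS (or an opted-in UNCERTAIN) permits the call."""
    try:
        verdict = json.loads(response_json).get("verdict")  # assumed field name
    except (ValueError, TypeError, AttributeError):
        return False
    if verdict == "PASS":
        return True
    return accept_uncertain and verdict == "UNCERTAIN"
```

Send the returned URL and headers with whatever HTTP client the agent already uses, and pass the response body to `allow_call` before invoking the MCP server.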

## Coverage (honest)

We index 22,561 MCP servers; 117 have any behavioral record and 18 are
independently verifiable at runtime today. Where we have no runtime evidence the
verdict says so rather than guessing. Current numbers: https://www.dominionobservatory.com/atlas/report

## Limits & terms

- Anonymous keys: 50 free trust checks (trial), 5 registrations/hour per IP.
- Pricing for higher volume: https://www.dominionobservatory.com/get-started
- Onboarding skill for agents: https://www.dominionobservatory.com/agent-onboarding/SKILL.md
