# Whagons Agent Auth

Whagons supports WorkOS auth.md-style user-claimed agent authentication.

## Supported flows

- service_auth: an agent starts a claim with a user email address, then the signed-in Whagons user approves it.
- anonymous pre-claim access: not supported.

## Endpoints

- Protected resource metadata: https://gon.whagons.com/.well-known/oauth-protected-resource
- Authorization server metadata: https://gon.whagons.com/.well-known/oauth-authorization-server
- Agent identity registration: https://gon.whagons.com/agent/identity
- Token exchange: https://gon.whagons.com/oauth2/token
- Token revocation: https://gon.whagons.com/oauth2/revoke

## Scopes

- ext:read: read tenant reference data and visible tasks.
- ext:tasks:write: create and update tasks allowed by the approving user's current Whagons permissions.

Agent credentials act on behalf of the signed-in Whagons user who claims them. Whagons records both the agent registration and the on-behalf-of user for auditability.
