# Fish-Fish auth.md

This document describes the current third-party AI agent authentication boundary for Fish-Fish.

## Current status

- Fish-Fish does not currently offer third-party agent registration.
- Public agents may read public discovery documents and public browsing surfaces only.

## Public unauthenticated discovery

- Homepage: https://0.0.0.0:3000/
- robots.txt: https://0.0.0.0:3000/robots.txt
- Sitemap: https://0.0.0.0:3000/sitemap.xml
- LLM summary: https://0.0.0.0:3000/llms.txt
- LLM full context: https://0.0.0.0:3000/llms-full.txt
- API catalog: https://0.0.0.0:3000/.well-known/api-catalog
- MCP server card: https://0.0.0.0:3000/.well-known/mcp/server-card.json
- Agent skills: https://0.0.0.0:3000/.well-known/agent-skills/index.json

## Public read API boundary

Fish-Fish does not currently advertise public read API endpoints.

## Protected actions

Private user actions, billing, admin operations, and write APIs require first-party authentication. Third-party agents should not request user credentials or automate protected actions unless an explicit authorization flow is published.
