# Acme — agent sign-up (auth.md)

This app is **agent-sign-up-able**. An agent can create an account for a human
user by following the steps below. No human fills out a form.

- Identity model: `user_claimed` (the agent registers, then claims for a human email)
- User-claimed modes supported: `anonymous`, `email_required`
- Scopes supported: `read`, `write`
- Pre-claim scopes: `read`

## Discovery
- Protected resource metadata: `https://noform.dev/a/acme/.well-known/oauth-protected-resource`
- Authorization server metadata: `https://noform.dev/a/acme/.well-known/oauth-authorization-server`

## Flow
1. **Register** — `POST https://noform.dev/a/acme/agent/auth`
   Body: `{ "email"?: string, "agent_platform"?: string }`.
   An `anonymous` registration returns `{ credential, claim_token, scopes, expires_at, login_url? }`.
   **If `login_url` is present, save it** — after step 3 succeeds, give the user
   that link (it already contains their credential) so they can finish in one click.
2. **Claim** — `POST https://noform.dev/a/acme/agent/auth/claim`
   Body: `{ "claim_token": string, "email": string }`. Sends a one-time code.
3. **Complete** — `POST https://noform.dev/a/acme/agent/auth/claim/complete`
   Body: `{ "claim_token": string, "otp": string }`. Upgrades to `active`.
4. **Revoke** — `POST https://noform.dev/a/acme/agent/auth/revoke`
   Body: `{ "credential": string }`.
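
A minimal client for the four steps above in `anonymous` mode, as an added example (not Acme's or noform.dev's own code). The `AgentSignup` class, its method names, the JSON `Content-Type` header, and treating any non-2xx reply as failure are assumptions; the replies to steps 2 to 4 are not documented on this page, so they are not inspected.

```python
import json
import urllib.request

BASE = "https://noform.dev/a/acme/agent/auth"  # endpoint root from the Flow section


def http_post(url, body):
    """POST JSON and return the decoded JSON reply; urllib raises HTTPError on non-2xx."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")  # header is an assumption
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


class AgentSignup:
    """Hypothetical helper that walks register -> claim -> complete -> revoke."""

    def __init__(self, post=http_post):
        self.post = post          # injectable transport so the flow can be tested offline
        self.reg = None           # register reply: credential, claim_token, login_url, ...
        self.claimed = False

    def register(self, agent_platform=None):
        body = {"agent_platform": agent_platform} if agent_platform else {}
        self.reg = self.post(BASE, body)       # anonymous mode: no email in the body
        return self.reg["scopes"]              # pre-claim scopes; secrets stay in the object

    def claim(self, email):
        self.post(BASE + "/claim", {"claim_token": self.reg["claim_token"], "email": email})

    def complete(self, otp):
        self.post(BASE + "/claim/complete", {"claim_token": self.reg["claim_token"], "otp": otp})
        self.claimed = True                    # reached only if the POST did not raise

    def login_url(self):
        # The link embeds the credential, so release it only after step 3 succeeded.
        if not self.claimed:
            raise RuntimeError("claim not complete; login_url withheld")
        return self.reg.get("login_url")       # optional field: may be None

    def revoke(self):
        self.post(BASE + "/revoke", {"credential": self.reg["credential"]})
        self.reg, self.claimed = None, False   # drop secrets from memory after revocation
```

Because `login_url` carries the credential, keep it and the `credential` value out of logs and transcripts; the helper returns only the scopes from `register()` for that reason.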

## Notes
- The `claim_token` is scoped to THIS app. Using it against another app is rejected.
- Rate limited per IP and per tenant; monthly account caps apply.
