# auth.md

The Peptide Watch APIs are **public and require no authentication**. There is no login, API key, OAuth flow, or agent registration.

## Endpoints
- `POST https://thepeptidewatch.com/api/check-coa`, analyse a certificate-of-analysis image. No credentials. Rate-limited to 30 requests/day per IP (HTTP 429 when exceeded).
- `GET https://thepeptidewatch.com/data/vendors.json`, full audit dataset. No credentials. Licensed CC BY 4.0 (attribute "The Peptide Watch").
- `POST https://thepeptidewatch.com/mcp`, Model Context Protocol server (Streamable HTTP, JSON-RPC 2.0). No credentials.

## Agent audience
Open to any AI agent or automated client. Please send a descriptive `User-Agent`. The only control is the per-IP daily rate limit above; there is no way, and no need, to authenticate.

## Agent registration
**No registration is required.** Agents do not need to register, provision credentials, request access, or complete any onboarding before use, begin calling the endpoints above immediately. There is no registration endpoint, no client-registration step, no approval, and no identity or credential types to supply. New agents are welcome by default.

## Supported methods & credential use
Supported method: none (anonymous public access). Credential types: none. Do not send `Authorization` headers, they are ignored. There is no token issuance, refresh, or revocation because no tokens exist.

Contact: info@thepeptidewatch.com
