# auth.md for VibeDrop

VibeDrop agent authentication and registration metadata.

VibeDrop uses API keys for agent and CLI access.

## Get a credential

Run:

```sh
npx @vibedrop/cli deploy ./dist
```

The CLI can create an anonymous API key for the first deploy. It stores that key locally and prints a claim URL so the user can attach the deployed sites to an account.

Trusted partners can also provision a key for a verified email address with:

```http
POST https://api.vibedrop.cc/v1/integrations/issue-key
Authorization: Bearer <partner-secret>
Content-Type: application/json

{"email":"user@example.com"}
```

## Use a credential

Send the API key as a bearer token when calling the API:

```http
Authorization: Bearer vd_...
```

Protected API resource: https://api.vibedrop.cc
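A client-side guard for the bearer header described above, as an added example (not VibeDrop's own code): it attaches the key only to requests whose origin is the protected API resource and keeps the key out of error messages. The function names are hypothetical, and the key check assumes only the `vd_` prefix shown on this page.

```javascript
// Added example; function names are hypothetical, not part of the VibeDrop CLI or API.
const PROTECTED_ORIGIN = 'https://api.vibedrop.cc'; // "Protected API resource" above

// The page shows keys only as "vd_..."; the rest of the format is undocumented,
// so check just the prefix and reject whitespace/control characters (header injection).
function looksLikeApiKey(key) {
  return typeof key === 'string' && /^vd_[^\s\x00-\x1f\x7f]+$/.test(key);
}

// Safe form of a key for logs and error messages.
function redactKey(key) {
  return looksLikeApiKey(key) ? 'vd_***' : '<not a vd_ key>';
}

// Returns { url, init } ready for fetch(url, init), or throws before any
// request is built if the key would be sent somewhere other than the API origin.
function buildAuthorizedRequest(target, apiKey, init = {}) {
  if (!looksLikeApiKey(apiKey)) {
    throw new Error('refusing to send credential: ' + redactKey(apiKey));
  }
  // Relative paths resolve against the API origin; absolute and
  // protocol-relative URLs keep their own origin and are checked below.
  const url = new URL(target, PROTECTED_ORIGIN);
  if (url.origin !== PROTECTED_ORIGIN) {
    throw new Error('refusing to send ' + redactKey(apiKey) + ' to ' + url.origin);
  }
  return {
    url: url.href,
    init: {
      ...init,
      // Fail on redirects instead of relying on the client to drop the header.
      redirect: 'error',
      headers: { ...(init.headers || {}), Authorization: 'Bearer ' + apiKey },
    },
  };
}
```
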

Discovery metadata:

- API catalog: https://vibedrop.cc/.well-known/api-catalog
- Authorization server metadata: https://vibedrop.cc/.well-known/oauth-authorization-server
- Protected resource metadata: https://vibedrop.cc/.well-known/oauth-protected-resource
- Skill instructions: https://vibedrop.cc/skill.md
- API health: https://api.vibedrop.cc/health

## Supported identity and credential types

- Anonymous CLI registration: API key credential, claim URL shown by the CLI.
- Trusted partner verified-email registration: API key credential, issued by the partner endpoint.
- Credential use: HTTP bearer header.

For registration, provisioning, or key revocation help, email hello@vibedrop.cc.
