# 停了没 auth.md

This document describes the current third-party AI agent authentication boundary for 停了没.

## Current status

- 停了没 does not currently offer third-party agent registration.
- Public agents may read public discovery documents and public browsing surfaces only.

## Public unauthenticated discovery

- Homepage: https://0.0.0.0:3000/
- robots.txt: https://0.0.0.0:3000/robots.txt
- Sitemap: https://0.0.0.0:3000/sitemap.xml
- LLM summary: https://0.0.0.0:3000/llms.txt
- LLM full context: https://0.0.0.0:3000/llms-full.txt
- API catalog: https://0.0.0.0:3000/.well-known/api-catalog
- MCP server card: https://0.0.0.0:3000/.well-known/mcp/server-card.json
- Agent skills: https://0.0.0.0:3000/.well-known/agent-skills/index.json

## Public read API boundary

The public API catalog advertises discovery and read endpoints only. It must not be interpreted as permission to perform authenticated user actions.

- GET /api/status: Closure and weather alert status for all 22 counties (JSON)
- GET /api/status?county={CODE}: Single county status by 3-letter code (e.g. KHH)
- GET /api/forecast?county={CODE}: Weather forecast (free: 2d; paid: 16d + 48h past) + CWA alerts from DB
- GET /api/history?county={CODE}: Plus only: 30-day closure signals + events history (auth required)
- GET /api/townships?county={CODE}: Township list for a county (368 total across 22 counties)

## Protected actions

Private user actions, billing, admin operations, and write APIs require first-party authentication. Third-party agents should not request user credentials or automate protected actions unless an explicit authorization flow is published.
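
An agent-side guard for this boundary, as an added example (not 停了没's own code): it refuses anything outside the discovery documents and read endpoints listed above before the request is sent. The function name `check_request`, the placeholder host `example.invalid`, the uppercase county format, and treating `county` as required for forecast and townships are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Read endpoints from the list above; value = whether ?county= is required
# (assumption: only /api/status is shown both with and without it).
PUBLIC_READ = {"/api/status": False, "/api/forecast": True, "/api/townships": True}
AUTH_REQUIRED = {"/api/history"}  # listed in the catalog but marked "auth required"
DISCOVERY = {"/", "/robots.txt", "/sitemap.xml", "/llms.txt", "/llms-full.txt",
             "/.well-known/api-catalog", "/.well-known/mcp/server-card.json",
             "/.well-known/agent-skills/index.json"}
CREDENTIAL_HEADERS = {"authorization", "cookie"}
COUNTY_RE = re.compile(r"[A-Z]{3}")  # assumption: uppercase, as in "KHH"

def check_request(method, url, headers=None, allowed_host="example.invalid"):
    """Return (allowed, reason) for a request a third-party agent wants to send."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != allowed_host:
        return False, "wrong scheme or host"
    if method.upper() != "GET":
        return False, "write method"
    if CREDENTIAL_HEADERS & {h.lower() for h in (headers or {})}:
        return False, "carries user credentials"
    path = parts.path or "/"
    if "%" in path or ".." in path or "//" in path:
        return False, "non-canonical path"  # no encoded or traversal tricks
    if path in AUTH_REQUIRED:
        return False, "auth required"
    if path in DISCOVERY:
        return True, "ok"
    if path not in PUBLIC_READ:
        return False, "not in public catalog"
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) > 1 or any(k != "county" for k, _ in params):
        return False, "unexpected query parameter"
    if not params:
        if PUBLIC_READ[path]:
            return False, "county required"
        return True, "ok"
    if not COUNTY_RE.fullmatch(params[0][1]):
        return False, "bad county code"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for m, u in [("GET", "https://example.invalid/api/status?county=KHH"),
                 ("GET", "https://example.invalid/api/history?county=KHH"),
                 ("POST", "https://example.invalid/api/status")]:
        print(m, u, check_request(m, u))
```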
