# auth.md — DGC Bazaar / DGC POS API

Agent-oriented authentication map for DGC Bazaar (buyers) and DGC POS (merchants).

## Audience

- **Agents / tools** calling public marketplace APIs (no auth required)
- **Buyer agents** acting for a shopper (Bazaar JWT)
- **Merchant agents** acting for a shop (POS JWT) — tenant-isolated by `account_id`

## Registration (agents)

1. Discover Protected Resource Metadata: `GET https://dgcbazaar.com/.well-known/oauth-protected-resource`
2. Load Authorization Server metadata: `GET https://dgcbazaar.com/.well-known/oauth-authorization-server`
3. Read `agent_auth` for `register_uri` / `skill` (this file)
4. Human or agent sign-up UI: https://dgcbazaar.com/newlogin
5. Obtain Bearer access token via documented buyer or merchant flows below
6. Call APIs with `Authorization: Bearer <token>`
7. Revoke: `POST https://api.dgcpos.net/api/auth/logout`

## Public (no auth)

- `GET https://api.dgcpos.net/api/health`
- `GET https://api.dgcpos.net/api/platform-status`
- `GET https://api.dgcpos.net/api/marketplace/public`
- `GET https://api.dgcpos.net/api/marketplace/public/shop-config`
- Guest checkout under `/api/marketplace/public/` and `/api/marketplace/guest/`

## Buyer (Bazaar)

- Registration / sign-in UI: https://dgcbazaar.com/newlogin
- Google credential or mobile OTP via `POST /api/auth/bazaar-shopper` and OTP routes on `https://api.dgcpos.net`
- Short-lived Bearer JWT (`aud=bazaar`) for marketplace actions only
- Refresh: `POST https://api.dgcpos.net/api/auth/refresh` (body or HttpOnly cookie)
- Credential use: `Authorization: Bearer <access_token>`

## Merchant (POS)

- Sign-in UI: https://app.dgcpos.net/login
- Token: `POST https://api.dgcpos.net/api/auth/login` with username/password
- Returns `token` (access JWT) + `refresh_token`
- Scope: tenant-isolated by `account_id` server-side
- Logout / revoke: `POST https://api.dgcpos.net/api/auth/logout` (`all_devices` supported)

## OAuth-style discovery (machine)

- Authorization Server metadata: https://dgcbazaar.com/.well-known/oauth-authorization-server
- Protected Resource metadata: https://dgcbazaar.com/.well-known/oauth-protected-resource
- API catalog: https://dgcbazaar.com/.well-known/api-catalog

## Do not

- Do not scrape authenticated POS dashboards
- Do not send Bazaar JWTs to merchant POS routes
- Do not embed long-lived secrets in client code

## Human docs

- Support: https://dgcpos.net/support
- Terms: https://dgcbazaar.com/legal/terms
- Privacy: https://dgcbazaar.com/legal/privacy
