# auth.md — El Mofeed EDU

> Machine-readable discovery: [Protected Resource Metadata](https://el-mofeed.com/.well-known/oauth-protected-resource) and [Authorization Server metadata](https://el-mofeed.com/.well-known/oauth-authorization-server) (includes `agent_auth`).

El Mofeed (منصة المفيد) is an Arabic-first e-learning platform for Saudi Qiyas (قدرات) and achievement (تحصيلي) exam preparation. This document tells AI agents how to register and obtain API credentials on behalf of users.

## Audience

- AI agents and agent providers integrating with El Mofeed on behalf of learners.
- Automated clients that must not drive the human sign-up UI at `/auth`.

## Discovery (preferred)

1. Fetch `https://el-mofeed.com/.well-known/oauth-protected-resource` (RFC 9728 Protected Resource Metadata).
2. Read `authorization_servers` and fetch `https://el-mofeed.com/.well-known/oauth-authorization-server`.
3. Use the `agent_auth` block (`register_uri`, `claim_uri`, `revocation_uri`, supported identity and credential types).

Do not probe registration endpoints during passive discovery scans.

## Resource

- **Resource identifier:** `https://el-mofeed.com/api/`
- **Authorization server:** `https://el-mofeed.com/`
- **Bearer:** `Authorization: Bearer <token>` header on `https://el-mofeed.com/api/` requests.

## Supported agent registration flows

### User claimed (anonymous identity)

For agents without a provider-issued identity assertion. The agent starts registration at `agent_auth.register_uri` with `type: "anonymous"`, then completes ownership via `agent_auth.claim_uri` (OTP / email claim flow).

### Verified email (identity assertion)

For agents that can present a `verified_email` identity assertion. Exchange at `agent_auth.register_uri` with `type: "identity_assertion"` and `assertion_type: "verified_email"`.

## Scopes

| Scope | Access |
| --- | --- |
| `api.read` | Read public and student-scoped API data permitted by the issued credential |
| `api.write` | Create or update student progress, answers, and related resources |
| `student` | Act as the matched student account |

## Credentials

- **access_token** — JWT bearer token (same family as `POST /api/Authentication/Login`).

## Human sign-in (non-agent)

- Web UI: `https://el-mofeed.com/auth`
- API login: `POST https://el-mofeed.com/api/Authentication/Login` (JSON body: username, password)

## Related discovery

- [Agent Skills index](https://el-mofeed.com/.well-known/agent-skills/index.json) — RFC v0.2.0 skills catalog (`el-mofeed-platform`, `el-mofeed-api`, `el-mofeed-auth`)
- [MCP Server Card](https://el-mofeed.com/.well-known/mcp/server-card.json) — SEP-1649 MCP discovery (Streamable HTTP at `/mcp`)
- [API catalog](https://el-mofeed.com/.well-known/api-catalog) — RFC 9727 linkset
- [ai.txt](https://el-mofeed.com/ai.txt) — Site summary for agents
- [OpenAPI](https://el-mofeed.com/api/swagger/v1/swagger.json) — REST surface (Bearer security scheme)

## Contact

- Website: https://el-mofeed.com
- Support: https://el-mofeed.com/contact-us