# Auth.md - YOKESEN Agent Authentication

YOKESEN supports Google sign-in for people using AI YOKESEN. Authentication is handled by the YOKESEN platform API and creates a secure, 90-day first-party session cookie for the ".yokesen.com" domain.

## Human sign-in

- Start URL: https://api.yokesen.com/auth/google/start
- Session status: https://api.yokesen.com/auth/me
- Sign out: https://api.yokesen.com/auth/logout
- Public authentication status: https://api.yokesen.com/auth/status

## Agent and API access

Anonymous agents may read public YOKESEN pages, Markdown companions, llms.txt, llms-full.txt, the sitemap, API catalog, and public skill documents without credentials.

Agents can create scoped OAuth clients through the dynamic registration endpoint. Machine-to-machine clients use the client credentials grant; human-delegated agents use Authorization Code with PKCE (S256). Registration does not grant access beyond the scopes explicitly returned by the authorization server.

- Authorization server: https://api.yokesen.com/.well-known/oauth-authorization-server
- Dynamic registration: https://api.yokesen.com/oauth/register
- Authorization endpoint: https://api.yokesen.com/oauth/authorize
- Token endpoint: https://api.yokesen.com/oauth/token
- Claims endpoint: https://api.yokesen.com/oauth/claims
- Revocation endpoint: https://api.yokesen.com/oauth/revoke

```agent_auth
register_uri: https://api.yokesen.com/oauth/register
identity_types_supported: anonymous, verified_email, identity_assertion
credential_types: client_secret, authorization_code_pkce
claims_uri: https://api.yokesen.com/oauth/claims
revocation_uri: https://api.yokesen.com/oauth/revoke
scopes: public:read, diagnosis:start, profile:read
```

Never send credentials, access tokens, private customer data, or internal evidence through public chat.

## Public boundaries

AI YOKESEN provides directional business diagnosis. It does not replace licensed legal, tax, accounting, or other regulated professional advice. Public access does not grant permission to retrieve private repositories, infrastructure, customer records, or internal knowledge.
