# SYMONE API — Authentication & Authorization

## 1. Overview

All SYMONE public API endpoints are open and require **no authentication**. No API keys, OAuth tokens, or credentials are needed.

## 2. Protected Resource Metadata

SYMONE publishes RFC 9728 Protected Resource Metadata at:
`/.well-known/oauth-protected-resource`

The resource declares no authorization servers and no required scopes, confirming that all endpoints are publicly accessible.

## 3. Authentication Methods

**No authentication required.** The following methods are explicitly NOT required:

- No OAuth 2.0 / OIDC flow
- No Bearer token
- No API key (`Authorization` header, `X-API-Key`, query param)
- No mTLS
- No HTTP Basic Auth

All requests may be made anonymously.

## 4. Scopes & Permissions

No scopes are defined. All public endpoints return full data to any caller:

| Endpoint | Auth required | Scope |
|----------|--------------|-------|
| `GET /route/ai/search` | None | — |
| `GET /route/get/results` | None | — |
| `GET /route/cities-near` | None | — |
| `POST /route/ai/batch` | None | — |
| `POST /ask` | None | — |

## 5. Error Codes

| HTTP Status | Meaning |
|-------------|---------|
| `400` | Bad request — missing or invalid parameter |
| `404` | Not found — endpoint does not exist |
| `500` | Internal server error — retry with backoff |

All errors return JSON: `{ "error": "message" }`

No `401 Unauthorized` or `403 Forbidden` responses are returned by public endpoints.

## 6. Rate Limits

No hard rate limits are enforced. Recommended: at most 60 requests/minute per client IP.

Response headers on all endpoints:
- `X-RateLimit-Limit: 0` — no limit enforced
- `X-RateLimit-Remaining: 0` — no limit enforced
- `X-RateLimit-Reset: 0` — no limit enforced

If rate limiting is introduced in the future, a `429 Too Many Requests` response will be returned with a `Retry-After` header.
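A client-side retry policy for the status codes and headers described in sections 5 and 6, as an added example (not SYMONE's own code). It shows why `X-RateLimit-Remaining: 0` must not be read as an exhausted quota while `X-RateLimit-Limit` is `0`. The function names and the backoff parameters (`base`, `cap`, `max_attempts`) are assumptions.

```python
import email.utils
import time

def retry_after_seconds(value, now=None):
    """Parse Retry-After: either delta-seconds or an HTTP-date."""
    value = (value or "").strip()
    if value.isdigit():
        return float(value)
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # absent or malformed header
    now = time.time() if now is None else now
    return max(0.0, when.timestamp() - now)

def quota_exhausted(headers):
    """True only when a non-zero limit is advertised and nothing remains.

    The page documents X-RateLimit-Limit: 0 as "no limit enforced", so
    X-RateLimit-Remaining: 0 alone must not make a client stall.
    """
    h = {k.lower(): v for k, v in headers.items()}
    try:
        limit = int(h.get("x-ratelimit-limit", "0"))
        remaining = int(h.get("x-ratelimit-remaining", "0"))
    except ValueError:
        return False
    return limit > 0 and remaining <= 0

def next_delay(status, headers, attempt, max_attempts=5, base=1.0, cap=60.0, now=None):
    """Seconds to wait before retrying, or None when the request must not be retried.

    base, cap and max_attempts are assumed values, not documented by SYMONE.
    """
    if attempt >= max_attempts:
        return None
    backoff = min(cap, base * 2 ** attempt)
    if status == 429:  # documented as future behaviour, with Retry-After
        h = {k.lower(): v for k, v in headers.items()}
        wait = retry_after_seconds(h.get("retry-after"), now)
        return backoff if wait is None else min(cap, wait)
    if status == 500:  # "retry with backoff"
        return backoff
    return None  # 400 and 404 are caller errors: retrying will not help
```

Capping the server-supplied `Retry-After` value keeps a malformed or hostile header from parking the client indefinitely.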

## 7. Agent Auth Registration

No agent registration required. AI agents and MCP clients may call all public endpoints directly without prior registration or token exchange.

For MCP integration:
```bash
npx @rosentte104/symone-mcp
```

For direct API access:
```bash
# Quote the URL so the shell does not treat "&" as a background operator
curl "https://symone.fr/api-proxy/route/ai/search?depart=Paris&arrival=Marseille"
```

## 8. Agent Authentication Declaration

```json
{
  "agent_auth": {
    "required": false,
    "registration": false,
    "token_exchange": false,
    "anonymous_access": true,
    "note": "All public API endpoints are open to any caller including AI agents, MCP clients, and automated scripts. No credentials, API keys, or prior registration required."
  }
}
```

This declaration is machine-readable and follows emerging agent identity standards. Agents MUST NOT attempt OAuth flows or credential injection before calling SYMONE endpoints.

## 9. Web Bot Auth (Ed25519 JWK)

SYMONE publishes an Ed25519 public key for bot identity verification at:
`/.well-known/http-message-signatures-directory`

This is informational only — verification is not required to call any endpoint.

## Contact

API issues: contact@symone.fr
Documentation: https://symone.fr/openapi.json
