# auth.md

**MyDriverParis — agent authentication guide.**

MyDriverParis exposes two MCP endpoints:

- **Public (no auth)**: `https://mcp-mydriverparis.mydriverparis.workers.dev/mcp` — quotes, booking payment links, Meet & Greet, flight/location resolution, policies. Start here; booking a ride requires no account.
- **Authenticated**: `https://mcp-mydriverparis.mydriverparis.workers.dev/mcp/private` — live status of an existing booking (`get_booking_status`: schedule, assigned driver, tracking). Requires an OAuth 2.1 Bearer token scoped to one booking.

## Agent registration

Agents register via **anonymous dynamic client registration** (RFC 7591) — no manual approval, no API key. One complete registration method:

```json
{
  "agent_auth": {
    "skill": "https://www.mydriverparis.com/auth.md",
    "register_uri": "https://mcp-mydriverparis.mydriverparis.workers.dev/register",
    "identity_types_supported": ["anonymous"],
    "credential_types_supported": ["oauth2_authorization_code_pkce"],
    "registration_methods_supported": ["dynamic_client_registration"]
  }
}
```

To register: `POST https://mcp-mydriverparis.mydriverparis.workers.dev/register` with `{"client_name": "...", "redirect_uris": ["..."], "token_endpoint_auth_method": "none"}` → returns your `client_id`.

## OAuth endpoints (OAuth 2.1)

- Registration endpoint: `https://mcp-mydriverparis.mydriverparis.workers.dev/register`
- Authorization endpoint: `https://mcp-mydriverparis.mydriverparis.workers.dev/authorize`
- Token endpoint: `https://mcp-mydriverparis.mydriverparis.workers.dev/token`
- Full metadata: `https://mcp-mydriverparis.mydriverparis.workers.dev/.well-known/oauth-authorization-server`
- Supported: authorization_code + PKCE (S256), refresh tokens, public clients (`token_endpoint_auth_method: "none"`).
- Scope: `booking:read`

## Identity model

There are no user accounts. At the authorization screen, the **customer** proves ownership of a booking by entering their **booking reference** (e.g. `xi004273`, found in the confirmation email) and the **email used for the booking**. The issued token is read-only and scoped to that single booking.

## Typical agent flow

1. `POST /register` → `client_id`
2. Send the customer to `/authorize?...` (standard OAuth code + PKCE)
3. Customer enters booking reference + email → consent → code → token
4. `POST /mcp/private` (MCP streamable HTTP) → `tools/call get_booking_status`

Questions: contact@mydriverparis.com
