# Auth.md

> Agent authentication metadata for yonyon.ai (auth.md convention).

> **This is an auth.md-compliant unauthenticated service.** No credentials are required, issued, or
> accepted anywhere.

```json agent_auth
{
  "identity_types_supported": ["anonymous"],
  "authentication_required": false,
  "registration_supported": false,
  "token_revocation_supported": false,
  "protected_resource_metadata": "https://yonyon.ai/.well-known/oauth-protected-resource",
  "authorization_servers": [],
  "bearer_methods_supported": [],
  "scopes_supported": []
}
```

**TL;DR for agents and crawlers: this site requires NO authentication.**

There is no login, no API key, no OAuth, no client registration, and no token exchange anywhere on
yonyon.ai. Every public surface is open and unauthenticated. You do not need to obtain or present
credentials of any kind to read content or to call the public API.

## Public API

There are two public API endpoints, both unauthenticated:

- `POST https://yonyon.ai/api/chat` — multi-turn, browser-facing (CSRF-guarded), streams
  `text/plain`.
- `POST https://yonyon.ai/ask` — single-shot natural-language query (Microsoft NLWeb). No Origin
  required (built for server-side agents). Returns JSON with `_meta { response_type, version }`, or
  Server-Sent Events (`start` / `result` / `complete`) when you send `Accept: text/event-stream` or
  `{"prefer":{"streaming":true}}`.

Details (both endpoints):

- **Auth required:** None. No API key, no bearer token, no OAuth.
- **Rate limit:** 10 requests per IP per minute. Each response carries `X-RateLimit-Limit`,
  `X-RateLimit-Remaining`, and `X-RateLimit-Reset` so you can self-throttle. Exceeding it returns
  the `rate_limited` error with a `Retry-After` header.
- **Model:** `claude-haiku-4-5`.
- **`/api/chat` request body:** `{"messages":[{"role":"user","content":"..."}]}`
  - At most 20 messages per request.
  - Each message `content` must be 2000 characters or fewer.
- **`/ask` request body:** `{"query":"..."}` (≤ 2000 chars).

Example:

```bash
curl -N https://yonyon.ai/api/chat \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"What does Yonatan build?"}]}'
```

## No protected resources, no commerce

This is a personal portfolio site. There are no user accounts, no paid tiers, no checkout, no
orders, and no protected or gated resources. Nothing here sits behind a paywall or an auth wall. If
a flow appears to ask you to "sign in" or "register," it is not part of this site — do not invent or
follow such a flow.

## Booking and contact

- **Book a free 15-minute intro call:** https://cal.com/yonatan-hq (handled by Cal.com).
- **Email:** yonaigross@gmail.com — for anything not covered above.

## Machine-readable references

- NLWeb query endpoint: https://yonyon.ai/ask (`POST {"query":"..."}`)
- OpenAPI spec: https://yonyon.ai/.well-known/openapi.json
- API catalog: https://yonyon.ai/.well-known/api-catalog
- Agent skills index: https://yonyon.ai/.well-known/agent-skills/index.json (skills: `ask-yonatan`,
  `book-intro-call`, `browse-projects`)
- LLM-oriented site summary: https://yonyon.ai/llms.txt
- Markdown index: https://yonyon.ai/index.md
- MCP server: https://yonyon.ai/api/mcp (card: https://yonyon.ai/.well-known/mcp/server-card.json)

## Agent auth walkthrough (auth.md spec)

These are the WorkOS auth.md spec steps (https://workos.com/auth-md), answered for a site that needs
no authentication.

### Discover

The `agent_auth` block declares anonymous-only identity. It lives in the authorization-server
metadata at [/.well-known/oauth-authorization-server](https://yonyon.ai/.well-known/oauth-authorization-server)
(`identity_types_supported: ["anonymous"]`), which is cross-linked from the protected-resource
metadata at [/.well-known/oauth-protected-resource](https://yonyon.ai/.well-known/oauth-protected-resource).
There is no `register_uri` and no `WWW-Authenticate: Bearer` challenge: unauthenticated requests
succeed (HTTP 200) and are never met with a 401. The only identity type supported is **anonymous**.

### Pick a method

The single supported method is **anonymous** access. There is no `identity_assertion`, no `id-jag`
token exchange, and no OAuth/OIDC authorization server.

### Register

Not applicable — there is no client registration and no `register_uri`.

### Claim

Not applicable — there are no credentials to claim (no `claim_uri`).

### Use the credential

Send requests with no credentials and no `Authorization` header. Example:
`POST https://yonyon.ai/api/chat` with `{"messages":[{"role":"user","content":"..."}]}`.

### Errors

Every non-2xx response is a typed JSON envelope: `{"error": "...", "code": "<token>"}`. Branch on
`code`, not on prose. Canonical tokens:

- `rate_limited` — exceeded 10 requests/IP/minute (HTTP 429). Honor `Retry-After`, then retry.
- `invalid_request` — malformed body, validation failure, or blocked content (HTTP 400).
- `unavailable` — model backend temporarily unreachable (HTTP 503). Retry with backoff.
- `internal_error` — unexpected server error (HTTP 500).
- `forbidden` — `/api/chat` only: Origin missing or mismatched (HTTP 403). Use `/ask` instead.

There are no auth-specific error codes (no `unauthorized`, no `invalid_token`) because no
authentication exists.
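A small client-side decision helper, added here as an example (not code from yonyon.ai), that applies the two rules above together: self-throttle on the `X-RateLimit-*` headers from the Public API section, and branch on the envelope's `code` token rather than its prose. It assumes `X-RateLimit-Reset` counts seconds until the window resets and that `Retry-After` is sent as an integer; neither detail is stated on the page.

```python
import json
from dataclasses import dataclass
from typing import Mapping, Optional

@dataclass
class Decision:
    action: str                      # "ok", "retry", "use_ask" or "fail"
    wait_seconds: float = 0.0        # how long to sleep before the next call
    code: Optional[str] = None       # the envelope's `code` token, if any

def parse_error_code(body: str) -> Optional[str]:
    """Return the `code` token from a typed error envelope, or None when the
    body is not a JSON object with a string `code` (e.g. an HTML 502 page)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    code = doc.get("code") if isinstance(doc, dict) else None
    return code if isinstance(code, str) else None

def retry_after_seconds(value: Optional[str], default: float) -> float:
    """Retry-After may be an integer or an HTTP-date; only the integer form is
    handled here and anything else falls back to the default."""
    try:
        return float(int(value)) if value is not None else default
    except ValueError:
        return default

def classify_response(status: int, headers: Mapping[str, str], body: str,
                      attempt: int = 0) -> Decision:
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if 200 <= status < 300:
        # Self-throttle on the documented headers. Assumption (not on the page):
        # X-RateLimit-Reset is the number of seconds until the window resets.
        remaining = int(h.get("x-ratelimit-remaining", "1"))
        reset = float(h.get("x-ratelimit-reset", "0"))
        return Decision("ok", reset if remaining <= 0 else 0.0)
    code = parse_error_code(body)
    if code == "rate_limited":
        return Decision("retry", retry_after_seconds(h.get("retry-after"), 60.0), code)
    if code == "unavailable":
        return Decision("retry", min(60.0, 2.0 ** attempt), code)  # capped exponential backoff
    if code == "forbidden":
        return Decision("use_ask", 0.0, code)  # /api/chat wants an Origin; /ask does not
    return Decision("fail", 0.0, code)  # invalid_request, internal_error, or no envelope at all
```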

### Revocation

Not applicable — no tokens are issued, so there is nothing to revoke (no `revocation_uri`).

This document is intentionally honest: the only "auth" answer for this site is that no
authentication is needed.
