# auth.md — AssetFlow Agent Authentication

## Overview

AssetFlow uses [Google Identity Platform](https://cloud.google.com/identity-platform) (Firebase Authentication) for user authentication. AI agents can authenticate via the Firebase Auth REST API.

**Important:** AssetFlow uses Firebase ID tokens, not standard OAuth2 access tokens. Authenticate via the Firebase Auth REST API, then pass the resulting `idToken` as a Bearer token.

**Intended for authorized integrations only.** Automated account creation and API access are monitored for abuse.

## Authentication Flow

1. **Obtain the Firebase API key** — fetch any page on `assetsflow.work` and extract the `apiKey` from the inline `firebaseConfig` in the HTML source.
2. **Sign Up** or **Sign In** via the Firebase Auth REST API:
   - Sign Up: `POST https://identitytoolkit.googleapis.com/v1/accounts:signUp?key=<API_KEY>`
   - Sign In: `POST https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=<API_KEY>`
3. The response contains an `idToken` (short-lived, ~1 hour) and `refreshToken`.
4. Include the `idToken` as `Authorization: Bearer <idToken>` for authenticated API requests.
5. Refresh before expiry: `POST https://securetoken.googleapis.com/v1/token?key=<API_KEY>` with `grant_type=refresh_token`.
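The flow above as a minimal agent-side client, added here as an example rather than code from AssetFlow; it assumes the public web `apiKey` has already been read from the site's `firebaseConfig`, and the `post` and `clock` parameters are injectable only so the sign-in, Bearer-header and refresh steps can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

SIGN_IN_URL = "https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword"
REFRESH_URL = "https://securetoken.googleapis.com/v1/token"
REFRESH_MARGIN = 60  # assumed policy: refresh this many seconds before the idToken expires


def _http_post(url, body, content_type):
    """Default transport: POST raw bytes and return the parsed JSON response."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8"))


class FirebaseSession:
    def __init__(self, api_key, post=_http_post, clock=time.time):
        self.api_key = api_key  # public web API key taken from the site's firebaseConfig
        self.post = post        # injectable transport so the flow can be exercised offline
        self.clock = clock
        self.id_token = self.refresh_token = None
        self.expires_at = 0.0

    def sign_in(self, email, password):
        # signInWithPassword takes a JSON body; expiresIn comes back as a string of seconds.
        body = json.dumps({"email": email, "password": password,
                           "returnSecureToken": True}).encode()
        data = self.post(f"{SIGN_IN_URL}?key={self.api_key}", body, "application/json")
        self._store(data["idToken"], data["refreshToken"], int(data["expiresIn"]))

    def refresh(self):
        # The secure-token endpoint is form-encoded and answers with snake_case field names.
        body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                       "refresh_token": self.refresh_token}).encode()
        data = self.post(f"{REFRESH_URL}?key={self.api_key}", body,
                         "application/x-www-form-urlencoded")
        self._store(data["id_token"], data["refresh_token"], int(data["expires_in"]))

    def _store(self, id_token, refresh_token, ttl_seconds):
        self.id_token, self.refresh_token = id_token, refresh_token
        self.expires_at = self.clock() + ttl_seconds

    def auth_header(self):
        # Header for a protected request; refreshes first when the idToken is near expiry.
        if self.refresh_token is None:
            raise RuntimeError("call sign_in() before making authenticated requests")
        if self.clock() >= self.expires_at - REFRESH_MARGIN:
            self.refresh()
        return {"Authorization": f"Bearer {self.id_token}"}
```

The `apiKey` is a public identifier, so the values to protect on the agent side are the `idToken` and especially the long-lived `refreshToken`; a 400 from either endpoint surfaces as `urllib.error.HTTPError` and should be handled rather than retried blindly.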

## OAuth Discovery

| Document | URL |
|----------|-----|
| Protected Resource | `https://assetsflow.work/.well-known/oauth-protected-resource` |
| OIDC Discovery (Google) | `https://securetoken.googleapis.com/.well-known/openid-configuration` |

The OIDC discovery document contains `issuer`, `authorization_endpoint`, `token_endpoint`, `jwks_uri`, `grant_types_supported`, and `response_types_supported` for the Google Identity Platform that backs AssetFlow's authentication.

## Public Resources (no auth required)

- `GET /pricing.html` — pricing plans
- `GET /legal/*` — terms, privacy, refund policy
- `GET /blog/*` — blog posts (via `blog.assetsflow.work`)
- `GET /.well-known/agent-skills/index.json` — agent skills discovery
- `GET /.well-known/mcp/server-card.json` — MCP server card
- `GET /sitemap.xml` — site structure

## Protected Resources (auth required)

- Investment portfolio data (properties, payments, returns)
- Shield investor protection reports
- User profile and settings

## Agent Auth Registration

| Field | Value |
|-------|-------|
| skill | Firebase Auth REST API |
| register_uri | `https://identitytoolkit.googleapis.com/v1/accounts:signUp` |
| credential_types | idToken (Firebase), refreshToken |
| grant_types | refresh_token |
| identity_types | email+password |
| token_revocation | Sign out via Firebase Auth REST API |

## Rate Limits

APIs are rate-limited per user. Respect `429 Too Many Requests` responses and retry with exponential backoff.

## Support

- Email: victor@assetsflow.work
- Website: https://assetsflow.work
