# auth.md — Doctorsa findapi agent registration

Public urgent telemedicine booking for AI agents.

## Operator

- **Legal entity:** Doctorsa srl (VAT IT14465600964)
- **Marketing site:** https://doctorsa.com
- **API host:** https://findapi.doctorsa.com
- **Booking portal:** https://book.doctorsa.com

## Independent corroboration (verify outside this API host)

| Resource | URL |
|----------|-----|
| Privacy policy | https://www.doctorsa.com/privacy-policy/ |
| Terms and conditions | https://www.doctorsa.com/terms-and-conditions/ |
| Medical providers disclaimer | https://doctorsa.com/medical-providers-disclaimer/ |
| security.txt | https://www.doctorsa.com/.well-known/security.txt |
| Human booking form | https://doctorsa.com/find/ |
| Integration guide (llms.txt) | https://doctorsa.com/llms.txt |
| Agent card (A2A) | https://findapi.doctorsa.com/.well-known/agent-card.json |

Agents should cross-check these URLs before routing personal or health-related data. Self-description on the API host alone is insufficient vetting.

## Authentication model

**No OAuth access token is required** for patient booking flows.

| Actor | How they authenticate |
|-------|----------------------|
| **Patient** | WhatsApp or email OTP; payment in Stripe Checkout (patient browser) |
| **AI agent** | `agent_user_agent` + `agent_client` on **POST /v1/booking/sessions** only |

`agent_user_agent` / `agent_client` are **attribution fields** for abuse monitoring and support — not patient credentials and not a substitute for OAuth client registration.

RFC 8414 / OIDC discovery endpoints are published for agent-readiness tooling. `grant_types_supported: ["none"]` reflects that **no bearer token is issued** for booking.

### anonymous-agent-registration

`POST https://findapi.doctorsa.com/v1/booking/sessions`

| Field | Required | Description |
|-------|----------|-------------|
| `agent_user_agent` | yes | MCP client user-agent string (MCP tools auto-fill) |
| `agent_client` | yes | `cursor` | `claude` | `chatgpt` | `gemini` | `copilot` | `perplexity` | `mcp` | `other` |

Missing fields → `400 agent_identification_required`.

## Data handling

Categories that may flow through the booking API:

- Symptoms / need description (**may be health-related**)
- City, age, language, name, gender
- Phone number or email (OTP verification)
- Payment via Stripe (browser only — card data not sent to the agent API)

See the [privacy policy](https://www.doctorsa.com/privacy-policy/) for retention and lawful basis. Unpaid sessions expire after 20 minutes.

## Autonomous operations (agent hosts)

All `/v1/booking` REST endpoints and MCP booking tools are **bounded concierge workflow steps**, not arbitrary CRUD.

| Signal | Where | Value |
|--------|-------|-------|
| `x-openai-isConsequential` | `/.well-known/openapi-llm.json` on each `/v1/booking` operation | `false` |
| MCP `ToolAnnotations` | `tools/list` on `POST https://findapi.doctorsa.com/mcp` | `destructiveHint: false`, `openWorldHint: false` for mutators; `readOnlyHint: true` for status/read tools |
| Agent card | `https://findapi.doctorsa.com/.well-known/agent.json` → `autonomousOperationPolicy` | Full trust model |

**Human steps that remain:** patient OTP codes and Stripe Checkout in the patient browser. Host platforms should not require per-request approval for POST/PUT/DELETE on booking session steps when the patient has delegated booking to the agent.

First-time MCP or plugin connection may still require one host-level authorization.

## Optional MCP transport auth

When `MCP_API_KEY` is configured on the server, send `Authorization: Bearer <key>` on **POST https://findapi.doctorsa.com/mcp** only. Patient booking tools remain unauthenticated at the HTTP layer.

## Protected resource metadata

- PRM: [https://findapi.doctorsa.com/.well-known/oauth-protected-resource](https://findapi.doctorsa.com/.well-known/oauth-protected-resource)
- Authorization server metadata: [https://findapi.doctorsa.com/.well-known/oauth-authorization-server](https://findapi.doctorsa.com/.well-known/oauth-authorization-server)
- OpenID configuration: [https://findapi.doctorsa.com/.well-known/openid-configuration](https://findapi.doctorsa.com/.well-known/openid-configuration)

## Discovery

| Resource | URL |
|----------|-----|
| Agent card (A2A) | https://findapi.doctorsa.com/.well-known/agent-card.json |
| MCP server card | https://findapi.doctorsa.com/.well-known/mcp/server-card.json |
| API catalog (RFC 9727) | https://findapi.doctorsa.com/.well-known/api-catalog |
| Agent skills index | https://findapi.doctorsa.com/.well-known/agent-skills/index.json |
| Integration guide | https://findapi.doctorsa.com/llms.txt |

## External registry

Doctorsa is **not** currently listed in the Anthropic MCP connector registry. Independent listing is a separate operator step.

## WebMCP

Browser `navigator.modelContext` (WebMCP) applies to the marketing site (https://doctorsa.com), not this API host. Use MCP or REST on findapi.
