# DZap Agent Authentication

DZap publishes this `auth.md` document so AI agents can discover how to obtain and use credentials without scraping JavaScript-rendered docs. The Fuse API is public and per-IP rate-limited. The Trade API supports bearer API keys for partners that need higher rate limits, route configuration, usage analytics, or production support.

## Discover

Agents should first read:

* Protected resource metadata: `https://docs.dzap.io/.well-known/oauth-protected-resource`
* Authorization server metadata: `https://docs.dzap.io/.well-known/oauth-authorization-server`
* API catalog: `https://docs.dzap.io/.well-known/api-catalog`
* OpenAPI contract: `https://docs.dzap.io/openapi.yaml`

Unauthenticated API probes should expect a `WWW-Authenticate` hint shaped like:

```text
WWW-Authenticate: Bearer resource_metadata="https://docs.dzap.io/.well-known/oauth-protected-resource"
```
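
An agent that follows this hint should check the `resource_metadata` URL before fetching it, so a spoofed or tampered response cannot steer it to another host. The sketch below is an added example, not DZap code: the function names and the pinned host set are assumptions, and it handles a header value carrying a single `Bearer` challenge.

```python
import re
from urllib.parse import urlsplit

# Assumption: the agent pins the metadata host it is willing to trust.
TRUSTED_METADATA_HOSTS = {"docs.dzap.io"}
WELL_KNOWN_PATH = "/.well-known/oauth-protected-resource"

# auth-param = name "=" ( quoted-string / token ), per the HTTP challenge grammar
_PARAM = re.compile(r'([A-Za-z0-9_.-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))')


def parse_bearer_challenge(header_value):
    """Return the auth-params of a Bearer challenge as a dict, or None."""
    scheme, _, rest = header_value.strip().partition(" ")
    if scheme.lower() != "bearer":
        return None
    params = {}
    for name, quoted, token in _PARAM.findall(rest):
        # Undo backslash escapes inside quoted-string values.
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted else token
        params.setdefault(name.lower(), value)  # first occurrence wins
    return params


def trusted_metadata_url(header_value):
    """Return resource_metadata only if it is safe to fetch, else None."""
    params = parse_bearer_challenge(header_value)
    if not params or "resource_metadata" not in params:
        return None
    url = params["resource_metadata"]
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # HTTPS only, and no userinfo that could disguise the real host.
    if parts.scheme != "https" or parts.username or parts.password:
        return None
    if parts.hostname not in TRUSTED_METADATA_HOSTS or port not in (None, 443):
        return None
    # Accept the well-known path itself or a resource-specific suffix under it.
    if parts.path != WELL_KNOWN_PATH and not parts.path.startswith(WELL_KNOWN_PATH + "/"):
        return None
    return url
```

Pass the header value only (everything after `WWW-Authenticate:`); a `None` result means the agent should stop instead of fetching the URL.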

## agent\_auth

```json
{
  "agent_auth": {
    "skill": "https://docs.dzap.io/auth.md",
    "register_uri": "https://docs.dzap.io/.well-known/agent-auth/register",
    "claim_uri": "https://docs.dzap.io/.well-known/agent-auth/claim",
    "revocation_uri": "https://docs.dzap.io/.well-known/agent-auth/revoke",
    "identity_types_supported": ["anonymous", "identity_assertion"],
    "anonymous": {
      "credential_types_supported": ["api_key"]
    },
    "identity_assertion": {
      "assertion_types_supported": ["urn:ietf:params:oauth:token-type:id-jag"],
      "credential_types_supported": ["api_key", "bearer"]
    }
  }
}
```

## Pick a method

Use anonymous credentials for public prototyping and basic rate-limit identification. Use `identity_assertion` when a production integration can present an identity assertion such as `id-jag` and needs a partner credential.

## Register

Register through `register_uri` with project name, contact email, expected request volume, intended endpoints, production domain, and integration category. Human review may be required before a production key is issued.

## Claim

Claim credentials through `claim_uri` after DZap approves the integration. Agents should store credentials only in server-side secret storage and never expose keys in browser code, prompts, logs, screenshots, or public repos.

## Use the credential

Send bearer credentials in the HTTP `Authorization` header:

```bash
curl -X POST https://api.dzap.io/v1/quotes \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer dzap_xxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Idempotency-Key: 0191f4fd-8a33-7bb4-8f71-4ccfa53db31b" \
  -d '{ "data": [] }'
```

## Errors

Credential errors use stable JSON error codes such as `UNAUTHORIZED`, `FORBIDDEN`, and `RATE_LIMITED`. Rate-limit responses include `retryAfter` and rate-limit headers. Agents should retry with exponential backoff only when the error is retryable.

## Revocation

Use `revocation_uri` when a credential is compromised or no longer needed. DZap can rotate partner keys with an overlap window when requested through `support@dzap.io`.
