# Auth.md

## Agent Registration

To register your agent to access TAKARA Vietnam APIs, please contact our security team at **security@takaratech.com** with:
- Agent name and description
- Intended use case
- Required API scopes

We will provide client credentials via encrypted email.

## Authorization Server

| Endpoint | URL |
|----------|-----|
| Discovery | `/.well-known/oauth-authorization-server` |
| Token | `/.well-known/oauth-authorization-server/token` |
| JWKS | `/.well-known/oauth-authorization-server/jwks` |

## Security Best Practices

- **HTTPS required** for all API calls
- **Token lifetime:** 1 hour (refresh token available)
- **Secret rotation:** Every 90 days
- **PKCE required** for authorization code flow
- **Rate limiting:** 100 requests/minute per client
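
A client can check two of these requirements before it sends any credentials. The sketch below is an added example, not code from TAKARA or from the Auth.md specification: it generates an S256 PKCE pair as defined in RFC 7636 and checks a discovery document for HTTPS endpoints and S256 support. The host `auth.example.com`, the sample metadata and the function names are assumptions; the metadata field names are the standard RFC 8414 ones.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed sample of RFC 8414 metadata; the host is a placeholder.
SAMPLE_METADATA = {
    "issuer": "https://auth.example.com",
    "token_endpoint": "https://auth.example.com/.well-known/oauth-authorization-server/token",
    "jwks_uri": "https://auth.example.com/.well-known/oauth-authorization-server/jwks",
    "code_challenge_methods_supported": ["S256"],
}


def s256_challenge(verifier):
    """BASE64URL(SHA256(verifier)) without padding (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, within the 43-128 limit
    return verifier, s256_challenge(verifier)


def check_metadata(meta):
    """Return a list of policy problems found in a discovery document."""
    problems = []
    for key in ("issuer", "token_endpoint", "jwks_uri"):
        url = meta.get(key)
        if not url:
            problems.append(f"{key}: missing")
        elif urlsplit(url).scheme != "https":
            problems.append(f"{key}: not HTTPS")
    # The page requires PKCE, so refuse servers that do not advertise S256.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        problems.append("PKCE: S256 not advertised")
    return problems


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("verifier length:", len(verifier), "challenge:", challenge)
    print(check_metadata(SAMPLE_METADATA) or "metadata OK")
```

Keep the `code_verifier` in memory only for the duration of one authorization request and send it solely to the token endpoint.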

## Security Contact

- **Email:** `security@takaratech.com`
- **Response time:** < 24 hours

---
*This file follows the Auth.md specification (WorkOS) and is machine-readable for AI Agents.*