# Auth.md — Open Medici authentication

## Public read access

No authentication is required for endpoints listed in the public OpenAPI document at https://openmedici.com/api/v1/openapi.json, the public MCP endpoint at https://openmedici.com/mcp, the documented public export, or the discovery documents under `/.well-known/`. Do not send an API key, bearer token, OAuth credential, payment information, or browser cookie to these public endpoints.

Public access does not grant write permission. The public REST API and public MCP tools expose published data only.

## Protected internal routes

Administrative, moderation, review, submission-decision, discovery-candidate, webhook, and other internal routes are not public APIs. They are intentionally omitted from the public API catalog, OpenAPI document, MCP server card, and agent skill. Their presence is not authorization to call them, and this document does not advertise an authentication mechanism for them.

For supported public interfaces and examples, see https://openmedici.com/developers.
