Authentication

CounterAgent supports multiple authentication methods to integrate with your agent framework.

API Key (Recommended for Getting Started)

Include your API key in the Authorization header:

Authorization: Bearer ca_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

API keys are scoped to read or write access. Generate keys at Settings > API Keys.

OAuth 2.0

For production integrations, use OAuth 2.0 with PKCE. Discovery document: /.well-known/oauth-authorization-server

POST https://auth.counteragent.io/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=your_client_id
&client_secret=your_client_secret
&scope=read detect

GNAP (Next-Generation Authorization)

CounterAgent is an early adopter of GNAP (RFC 9635) for fine-grained agent authorization. Discovery: /.well-known/gnap-as

POST https://auth.counteragent.io/gnap/grant
Content-Type: application/json

{
  "access_token": {
    "access": [
      { "type": "counteragent-api", "actions": ["read", "detect"] }
    ]
  },
  "client": {
    "key": {
      "proof": "httpsig",
      "jwk": { "kty": "EC", "crv": "P-256", ... }
    }
  }
}

MCP Authentication

For MCP server integration, use a bearer token in the initial connection. See MCP discovery document for the token endpoint.

Agent Identity (AID)

Agents with an Agent Identity Document can authenticate using their cryptographic identity. This enables zero-trust agent-to-agent communication.

Scopes

Scope	Description
`read`	Read agent directory and signatures
`detect`	Submit detection requests
`write`	Submit new fingerprints
`admin`	Manage webhooks and settings
`mcp`	MCP tool execution

Rate Limits

See Rate Limits for details. Free tier: 1,000 requests/day. Authenticated: 10,000 requests/hour.