# auth.md

doesmyemail.work exposes a public, free API and MCP server for AI agents. **No authentication is required.**

## Agent audience

Any AI agent or automated client that wants to check a domain's email authentication (SPF, DKIM, DMARC, and MX) using public DNS.

## Authentication

None. There are no credentials, tokens, accounts, or registration. Every endpoint is open.

Because there is no protected resource, no OAuth/OIDC authorization server, protected-resource metadata, or agent-registration endpoint is published. Attempting an OAuth flow is unnecessary and unsupported.

## Access and provisioning

No provisioning step. Call the endpoints directly:

- HTTP: `GET /api/v1/dns-scan/{domain}` (preferred; query-string form `GET /api/dns-scan?domain={domain}` also supported)
- MCP: `POST /mcp` (JSON-RPC 2.0, Streamable HTTP) — tool `scan_domain`
- API catalog: `/.well-known/api-catalog`
- OpenAPI: `/.well-known/openapi.json`
- Health: `GET /api/health`

## Supported methods

- Anonymous HTTP GET for the scan API.
- Anonymous MCP `tools/call` for `scan_domain`.

## Rate limits

The HTTP scan API allows 10 distinct domains per hour per IP. The MCP server is stateless and unauthenticated.
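
The following Python client helper is an added example, not code published by doesmyemail.work. It validates a domain before placing it in the `GET /api/v1/dns-scan/{domain}` path or the MCP `tools/call` body, and tracks the 10-distinct-domains-per-hour limit locally. Assumptions: the `https://doesmyemail.work` base URL, the `domain` argument name for `scan_domain`, a rolling one-hour window, and all helper names, which are hypothetical.

```python
import json
import re
import time
from urllib.parse import quote

BASE = "https://doesmyemail.work"  # assumption: API is served from the site's own origin
LIMIT, WINDOW = 10, 3600           # from the page: 10 distinct domains per hour per IP

# Hostname syntax only (letters, digits, hyphens, dots), so caller input
# cannot add extra path segments or a query string to the request URL.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")

def normalize(domain: str) -> str:
    d = domain.strip().rstrip(".").lower()
    if len(d) > 253 or not _DOMAIN.fullmatch(d):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d

def scan_url(domain: str) -> str:
    """URL for the preferred path-style HTTP endpoint."""
    return f"{BASE}/api/v1/dns-scan/{quote(normalize(domain), safe='')}"

def mcp_call(domain: str, req_id: int = 1) -> str:
    """JSON-RPC 2.0 body for POST /mcp; the argument name 'domain' is assumed."""
    return json.dumps({
        "jsonrpc": "2.0", "id": req_id, "method": "tools/call",
        "params": {"name": "scan_domain", "arguments": {"domain": normalize(domain)}},
    })

class DomainBudget:
    """Client-side mirror of the limit (rolling window is an assumption)."""
    def __init__(self, clock=time.monotonic):
        self.clock, self.seen = clock, {}  # domain -> time it was first counted

    def allow(self, domain: str) -> bool:
        d, now = normalize(domain), self.clock()
        # Forget domains whose one-hour window has passed
        self.seen = {k: t for k, t in self.seen.items() if now - t < WINDOW}
        if d in self.seen:
            return True    # repeat of a counted domain is not a new distinct one
        if len(self.seen) >= LIMIT:
            return False   # an 11th distinct domain would exceed the limit
        self.seen[d] = now
        return True
```

Call `allow()` before each request and skip or defer the scan when it returns `False`.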

## Credential use

Not applicable. No credentials are issued, accepted, or required.
