# Dynamoi auth.md

Dynamoi publishes separate agent surfaces for public discovery, paid machine-readable data, and authenticated user tools.

## Step 1 - Discover

Fetch these public documents first:

```http
GET https://dynamoi.com/auth.md
GET https://dynamoi.com/.well-known/api-catalog
GET https://dynamoi.com/.well-known/oauth-protected-resource
GET https://dynamoi.com/.well-known/oauth-protected-resource/mcp
GET https://uihohqhbowcrgsjhdmrc.supabase.co/auth/v1/.well-known/oauth-authorization-server
GET https://dynamoi.com/openapi.json
GET https://dynamoi.com/.well-known/openapi/data-mpp.json
GET https://dynamoi.com/.well-known/dynamoi-data.json
GET https://dynamoi.com/data/catalog.json
GET https://dynamoi.com/.well-known/mcp.json
GET https://dynamoi.com/.well-known/mcp/server-card.json
```

## Step 2 - Pick the right surface

Use OAuth for the Dynamoi MCP server at `https://dynamoi.com/mcp` when acting for a logged-in Dynamoi user.

Use Stripe Machine Payments for paid machine data endpoints under `https://dynamoi.com/api/data/mpp/v1/`. Paid data endpoints do not require a user OAuth token; they return HTTP 402 with MPP payment instructions.

Use public static pages, feeds, samples, schemas, and catalogs without authentication.

## Step 3 - OAuth for MCP

The protected resource metadata is:

```http
GET https://dynamoi.com/.well-known/oauth-protected-resource
GET https://dynamoi.com/.well-known/oauth-protected-resource/mcp
```

The canonical authorization server metadata is:

```http
GET https://uihohqhbowcrgsjhdmrc.supabase.co/auth/v1/.well-known/oauth-authorization-server
```

Dynamoi uses Supabase OAuth 2.1 for MCP user authorization. The Dynamoi root `.well-known` OAuth and OIDC URLs redirect to the canonical Supabase issuer metadata so clients can validate the returned `issuer` exactly. The authorization server supports PKCE, dynamic client registration, and standard scopes such as `openid`, `profile`, `email`, and `phone`. Request only the scopes needed by the MCP server card and tool call.

## Step 4 - Paid machine data

Read the data catalog and schema before paying:

```http
GET https://dynamoi.com/data/catalog.json
GET https://dynamoi.com/data/schemas/streaming-royalties-rpm.json
GET https://dynamoi.com/data/samples/streaming-royalties-rpm.jsonl
```

The primary paid endpoint is:

```http
GET https://dynamoi.com/api/data/mpp/v1/datasets/streaming-royalties-rpm/snapshot?format=jsonl
```

Unpaid requests return HTTP 402 with `WWW-Authenticate: Payment` challenges. The OpenAPI document at `https://dynamoi.com/openapi.json` includes `x-payment-info` with supported payment methods, amount, currency, and intent.

## Current registration support

Dynamoi does not currently expose the WorkOS auth.md `/agent-auth`, `/agent-auth/claim`, or `/agent-auth/claim/complete` registration endpoints. Agents should use OAuth discovery for user-authorized MCP access and MPP discovery for paid data access.

## Revocation and recovery

For OAuth failures, refresh through the authorization server metadata and retry once. If the MCP server returns `401` with a protected resource challenge, re-run OAuth for the requested resource and scope.

For paid data failures, do not scrape around the endpoint. Re-read the catalog, schema, and license, then repeat the MPP flow for the requested snapshot.