# Kollectors Media Share auth.md

This service supports agentic registration using service_auth.

1. Fetch https://kollectors.org/.well-known/oauth-protected-resource.
2. Fetch https://kollectors.org/.well-known/oauth-authorization-server.
3. If the user does not have a Kollectors invite yet, request one with POST https://kollectors.org/agent/invite-requests:

```json
{ "email": "user@example.com" }
```

4. After the user is invited and creates an account from their invite link, register with POST https://kollectors.org/agent/identity using:

```json
{ "type": "service_auth", "login_hint": "user@example.com" }
```

5. Show the returned verification_uri and user_code to the user.
6. The user opens the verification_uri, signs in, and enters the user_code.
7. Poll https://kollectors.org/oauth2/token with grant_type=urn:workos:agent-auth:grant-type:claim and the returned claim_token.
8. Use the returned access_token as Authorization: Bearer <token>.

Accounts are invite-gated. The invite link verifies the account email during account setup. Verified accounts are required before agent claims, API keys, uploads, or share-link management are allowed.