# Codex Pets auth

## Public read endpoints

Public read endpoints, markdown docs, OpenAPI, llms.txt, sitemap, manifest routes, pet search routes, and the read-only MCP server do not require authentication.

## AppSessionCookie

AppSessionCookie is used by browser account flows for local profile, request attribution, and submission ownership.

## ProxyBasic

ProxyBasic is supported for deployments protected by a trusted reverse proxy.

## Agent access

Agents should use public read endpoints or the MCP server unless a human is explicitly completing a browser account flow. OAuth 2.0 is not currently available.

OAuth Protected Resource metadata is available at https://pets.ydb-qdrant.tech/.well-known/oauth-protected-resource and https://pets.ydb-qdrant.tech/.well-known/oauth-protected-resource/mcp. These documents intentionally do not advertise authorization_servers because Codex Pets does not operate an OAuth authorization server.