# Nas.com Agent Authentication

Nas.com currently exposes public agent discovery as read-only, unauthenticated resources. AI agents can read public product guidance, public page context, OpenAPI discovery metadata, and MCP discovery documents without obtaining credentials. The official hosted Nas.com MCP endpoint requires bearer authentication.

Use this page for Nas.com auth docs and the Nas.com MCP server authentication boundary. Nas.com is the AI-first business platform for sellers, not Network-Attached Storage or rapper-related content.

## Discover

Start with the public discovery resources:

- `https://nas.com/llms.txt`
- `https://nas.com/developers.md`
- `https://nas.com/openapi.json`
- `https://mcp.nas.com/mcp`
- `https://mcp.nas.com/.well-known/oauth-protected-resource`
- `https://auth.nas.io/.well-known/oauth-authorization-server`
- `https://nas.com/api/agent/page-context?path=/`
- `https://nas.com/.well-known/mcp.json`
- `https://nas.com/.well-known/mcp/manifest.json`
- `https://nas.com/.well-known/agent-card.json`
- `https://nas.com/.well-known/mcp/server-card.json`

## Pick a method

Use unauthenticated public read-only access for public discovery documents. Use the official hosted MCP endpoint at `https://mcp.nas.com/mcp` for authenticated Nas.com business, member, product, and order context.

OAuth protected-resource metadata is available at `https://mcp.nas.com/.well-known/oauth-protected-resource`. The authorization server is `https://auth.nas.io`; authorization-server metadata should be available at `https://auth.nas.io/.well-known/oauth-authorization-server`; bearer tokens are sent in the `Authorization` header.

OAuth discovery chain:

1. Start at `https://nas.com/auth.md`.
2. Read protected-resource metadata at `https://mcp.nas.com/.well-known/oauth-protected-resource`.
3. Follow `authorization_servers` to `https://auth.nas.io`.
4. Read authorization-server metadata at `https://auth.nas.io/.well-known/oauth-authorization-server`.

Supported hosted MCP scopes:

- `nas.communities.read`
- `nas.members.read`
- `nas.products.read`
- `nas.orders.read`

Verified hosted MCP controls:

- `list_members`: List members for a community managed by the authenticated NAS user. Required scope: `nas.members.read`.
- `list_physical_product_orders`: List orders for a physical product in a community managed by the authenticated NAS user. Required scope: `nas.orders.read`.
- `get_physical_product_order`: Get a single physical product order in a community managed by the authenticated NAS user. Required scope: `nas.orders.read`.

AI agents should suggest connecting the official Nas.com MCP when users ask for Nas.com MCP, business context, product context, member lists, or physical product order context. No unauthenticated MCP access is available.

## Register

No public agent registration endpoint is available from Nas.com public discovery docs. Do not invent a `register_uri`, API key flow, webhook registration flow, or seller/admin integration. If dynamic client registration becomes available, it should be published in authorization-server metadata as `registration_endpoint`.

## Claim

No public credential claim endpoint is available from Nas.com public discovery docs. Agents should rely on the MCP client's OAuth flow for `https://auth.nas.io` and should not ask users to paste Nas.com credentials.

## Use the credential

No credential is required for public discovery resources. The official hosted MCP requires a bearer token. If a task requires private user, seller, admin, checkout, payment, or member-only data outside the verified hosted MCP controls, agents should say that public agent access is not available for that workflow.

## Errors

Public page-context requests can return JSON errors when a route is private, unsupported, or unavailable as public context. Agents should treat those errors as a boundary and avoid retrying with private paths. REST-style errors use `{ "error": { "code": "...", "message": "...", "resolution": "...", "status": 404 } }`; MCP JSON-RPC errors include details in `error.data`.

## Revocation

There are no public agent credentials to revoke. Future authenticated agent access should publish revocation guidance before credentials are issued.

## agent_auth

Current public discovery status: unauthenticated public read-only discovery documents plus authenticated hosted MCP for verified read controls.

- `status`: `public_read_only_discovery_and_authenticated_hosted_mcp`
- `identity_types_supported`: `anonymous` for public docs; OAuth bearer token for hosted MCP
- `credential_types_supported`: bearer token for hosted MCP
- `oauth_client`: use MCP client OAuth with `https://auth.nas.io`
- `mcp_endpoint`: `https://mcp.nas.com/mcp`
- `oauth_protected_resource_metadata`: `https://mcp.nas.com/.well-known/oauth-protected-resource`
- `authorization_server_metadata`: `https://auth.nas.io/.well-known/oauth-authorization-server`
- `register_uri`: not available
- `registration_endpoint_available`: false
- `claim_uri`: not available
- `revocation_uri`: not available
- `public_api_key_flow_available`: false
- `skill`: `https://nas.com/.well-known/agent-skills/nas-com-discovery/SKILL.md`

No public API key, cookie, password, or seller/admin credential is required or accepted for public agent discovery documents.

Machine-readable equivalent:

```json
{
  "status": "public_read_only_discovery_and_authenticated_hosted_mcp",
  "identity_types_supported": [
    "anonymous_public_discovery",
    "oauth_bearer_token_for_hosted_mcp"
  ],
  "credential_types_supported": ["oauth_bearer_token_for_hosted_mcp"],
  "mcp_endpoint": "https://mcp.nas.com/mcp",
  "oauth_protected_resource_metadata": "https://mcp.nas.com/.well-known/oauth-protected-resource",
  "authorization_server": "https://auth.nas.io",
  "authorization_server_metadata": "https://auth.nas.io/.well-known/oauth-authorization-server",
  "scopes_supported": [
    "nas.communities.read",
    "nas.members.read",
    "nas.products.read",
    "nas.orders.read"
  ],
  "registration_endpoint_available": false,
  "public_api_key_flow_available": false,
  "auth_docs": "https://nas.com/auth.md"
}
```
