# auth.md

Quantum uses CheFu Account OAuth/OIDC for agent and user authentication.

## Resource

- Resource: https://quantum.chefuinc.com
- Protected resource metadata: https://quantum.chefuinc.com/.well-known/oauth-protected-resource
- OpenID configuration: https://quantum.chefuinc.com/.well-known/openid-configuration
- API documentation: https://quantum.chefuinc.com/docs/api

## Authorization Server

- Issuer: https://api.chefuinc.com
- Authorization endpoint: https://api.chefuinc.com/oauth/authorize
- Token endpoint: https://api.chefuinc.com/oauth/token
- JWKS URI: https://api.chefuinc.com/oauth/jwks
- Account management: https://chefuinc.com

## OAuth Client

Use the public browser client `quantum-web` with Authorization Code + PKCE.

## Scopes

- `openid`
- `profile`
- `email`
- `quantum:chat`
- `quantum:read`

## Agent Registration

Agents should use the OAuth metadata above, request the minimum required scopes, and identify themselves clearly in the OAuth client/user-agent flow. Automated self-registration is not enabled from this document; agents that need persistent credentials should use the account management URL.
