# Auth.md — agent authentication for Blinkof.ai

Blinkof.ai exposes a small REST API so agents and CI can run deep scans
programmatically. Access is by **bearer API token** (not OAuth).

## Get a token
1. Sign in at https://blinkof.ai/app (Google or GitHub).
2. Verify ownership of the site you want to scan (dashboard -> your app -> Verify).
3. Create an API token in the dashboard under "Developers - API tokens for CI".

A token is scoped to your account and can only scan hosts your account has verified.
A paid plan is required for API scans.

## Authenticate
Send the token as a bearer credential on every request:

    Authorization: Bearer <token>

## Endpoints
- `POST https://blinkof.ai/api/v1/scans` — body `{ "url": "https://yourapp.com" }`; returns `202 { id, status, result_url, report_url }`.
- `GET https://blinkof.ai/api/v1/scans/{id}` — poll until `status` is `done`; returns the score and findings.

## MCP server
Prefer MCP? The same capabilities are exposed at `https://blinkof.ai/mcp`
(streamable HTTP, stateless). `check_agent_ready` needs no auth; `run_blink_test`
and `get_scan_report` use the same bearer token on the HTTP connection.

## More
- Machine-readable API: https://blinkof.ai/api/v1/openapi.json
- Capability catalog: https://blinkof.ai/.well-known/api-catalog
- Skill index: https://blinkof.ai/.well-known/agent-skills/index.json
- MCP server card: https://blinkof.ai/.well-known/mcp/server-card.json
