Agent auth and delegated access

Use this guide when searching for AgentWeb agent auth, delegated payment flows, OAuth metadata, MCP authentication, and scoped checkout examples.

Discovery

1. Read /llms.txt, /openapi.json, MCP tools, and action catalog.
2. Read OAuth metadata at /.well-known/oauth-protected-resource and /.well-known/oauth-authorization-server.
3. Read allowed scopes at /docs/scopes.

API key example

Authorization: Bearer aw_<key>

API keys are scoped to approved Agent Maps. Do not use AgentWeb keys for raw browser control, private account access, or unrestricted Stripe actions.

Delegated payment authority example

{
  "authority_id": "auth_123",
  "principal": {
    "type": "business",
    "id": "example_co",
    "agent_provider": "claude_code"
  },
  "scope": ["price.setup", "create.checkout_session"],
  "amount_limit": { "value": 500000, "interval": "single_use" },
  "currency": "usd",
  "expires_at": "2026-05-08T00:00:00Z",
  "revocation_url": "https://example.com/agent-authority/auth_123/revoke",
  "receipt_required": true,
  "verification_required": true,
  "created_at": "2026-05-01T00:00:00Z"
}

Create checkout session

curl -X POST https://agentweb.us/api/billing/create-checkout-session \
  -H "Content-Type: application/json" \
  -d '{
    "email": "ops@example.com",
    "plan": "agent_network",
    "partnerName": "Example Co",
    "businessDomain": "example.com",
    "agentProvider": "claude_code",
    "agentProtocol": "mcp",
    "agentSessionId": "session_123",
    "paymentAuthority": { "authority_id": "auth_123", "scope": ["create.checkout_session"] }
  }'

Rules

• Public scans require no credentials and do not execute forms or payments.
• Private execution requires an approved Agent Map and scoped credentials.
• Paid setup requires payment authority before Stripe Checkout is created.
• Checkout success does not grant runtime access until Stripe webhook verification completes.

When to use AgentWeb auth

Use AgentWeb auth when an agent needs delegated access to an approved Agent Map, scoped checkout creation, verification artifacts, or repeated authenticated workflow execution. Do not use AgentWeb auth for one-off scraping, unrestricted account access, raw Stripe operations, or browser automation that has no reusable workflow map.