Service Docs
Item API Documentation
Discovery and workflow endpoints exposed by the Item design portal. Machine-readable discovery is available through /.well-known/api-catalog and /openapi.json.
Auth Model
Interactive sign-in uses email OTP plus NextAuth session cookies. For agents, the site publishes a first-party OAuth 2.0 authorization server with Authorization Code + PKCE and a bearer-protected agent API rooted at /api/agent.
Endpoints
| Method | Path | Auth | Summary |
|---|---|---|---|
| GET | /.well-known/oauth-authorization-server | public | OAuth 2.0 authorization server metadata for Authorization Code + PKCE. |
| GET | /.well-known/oauth-protected-resource | public | OAuth 2.0 protected resource metadata for the bearer-token agent API. |
| GET | /api/health | public | Health status for automated availability checks. |
| GET | /api/registry | public | Combined component registry manifest served to clients. |
| POST | /api/chat | public | Brand-guideline assistant chat endpoint. |
| POST | /api/send-otp | public | Start email OTP login flow. |
| POST | /api/verify | public | Verify OTP and mint a session token. |
| POST | /api/request-access | public | Submit an access request for non-approved email domains. |
| GET | /api/approve-access | operator | Operator approval link for pending access requests. |
| POST | /api/business-card-request | public | Submit a business card request workflow. |
| GET | /api/agent/me | oauth | Return the authenticated agent principal and granted scopes. |
| GET | /api/agent/guidelines | oauth | Return public guideline summaries through a bearer-protected API. |
| GET | /oauth/authorize | session | Render or complete the OAuth 2.0 authorization step. |
| POST | /oauth/token | public | Exchange an authorization code and PKCE verifier for a bearer token. |
| GET | /oauth/jwks.json | public | Publish the JSON Web Key Set used to verify issued access tokens. |
| POST | /mcp | public | Read-only MCP endpoint for public discovery tools. |