Public discovery metadata for session auth, widget access, and health checks. This app uses anonymous access codes with secure browser cookies today.
Anonymous access codes create secure browser sessions with HttpOnly JWT cookies.
/auth/signup
Create an anonymous account and set session cookies.
/auth/login
Exchange an access code for session cookies.
/auth/logout
Clear session cookies.
/auth/refresh
Refresh the access cookie from the refresh cookie.
/auth/me
Return the current authenticated user.
The public widget flow uses short-lived widget tokens; readiness probes stay public.
/dashboard/api/widget/token
Mint a one-hour widget token from an access code.
/dashboard/api/widget
Read widget data with Authorization: Bearer or X-Widget-Token.
/health
Plain-text health check.
/readyz
Database-backed readiness status.
Machine-readable metadata for agents and API clients.
/.well-known/api-catalog
RFC 9727 API catalog in application/linkset+json.
/.well-known/openapi.json
OpenAPI 3.1 service description covering public and agent-relevant endpoints.
/.well-known/agent-skills/index.json
Agent Skills discovery index with digests for each published SKILL.md artifact.
/.well-known/llms.txt
High-level model-facing project summary.
This site does not publish OAuth/OIDC discovery metadata or an MCP server card yet.
https://tracker.unclelyh.me/auth
Authentication is access-code plus cookie based today, not OAuth 2.0 or OpenID Connect.
https://tracker.unclelyh.me
Browser-side WebMCP tools are exposed on public pages; there is no standalone MCP server transport yet.