# AAuth Registry

> A directory of AAuth resources. The registry is itself an AAuth resource:
> listing requires an agent token (access_mode: agent-token), so access can
> be attributed and curated. Direct resource URLs always work without the
> registry — it is discovery convenience, not a gatekeeper.

## Endpoints

- [Resource metadata](https://registry.aauth.dev/.well-known/aauth-resource.json): registry self-description
- [JWKS](https://registry.aauth.dev/.well-known/jwks.json): public signing key
- GET https://registry.aauth.dev/resources — list all registered AAuth resources (agent token required)
- GET https://registry.aauth.dev/resources/{host} — fetch a single entry by host (agent token required)
- POST https://registry.aauth.dev/resources — submit a resource. Body: {"issuer":"https://host"}. The registry fetches and validates the host's /.well-known/aauth-resource.json, then adds it. Responses: 201 added, 200 already_present, 422 metadata_invalid (agent token required).

## Notes

Each entry caches the resource's name, description, and access_mode; full, current metadata is always at the resource's own /.well-known/aauth-resource.json.