# Auth.md

# Campaign Desk — Agent Authentication

Campaign Desk is a UK election campaign management platform. Programmatic access for AI agents and third-party integrations is available on Pro and Enterprise plans using long-lived, SHA-256-hashed API keys.

## How agents authenticate

1. A human campaign administrator signs in at <https://campaigndesk.uk/login>.
2. They generate an API key for the agent at <https://campaigndesk.uk/api-keys>.
3. The agent sends the key on every request:

   ```
   Authorization: Bearer <api-key>
   ```

## Discovery metadata

- Protected resource metadata: <https://campaigndesk.uk/.well-known/oauth-protected-resource>
- API catalog: <https://campaigndesk.uk/.well-known/api-catalog>
- Agent skills index: <https://campaigndesk.uk/.well-known/agent-skills/index.json>
- Human-readable agent guide: <https://campaigndesk.uk/agent-guide>

## OAuth / OIDC

Campaign Desk does not currently operate an OAuth 2.0 authorization server for third-party agents. API-key auth is the only supported credential type. When OAuth becomes available we will publish `/.well-known/oauth-authorization-server` and `/.well-known/openid-configuration` and link them from this file.

## Agent registration

There is no automated agent registration endpoint. A human on the campaign must explicitly provision an API key. This is intentional — campaigns are responsible (under GDPR / PPERA) for every agent that touches their data.

## Contact

- Support: <mailto:info@campaigndesk.uk>
- Data protection (ICO ZC103293): <mailto:info@campaigndesk.uk>