auth.md
peterhaddy.com is a public information resource on psychedelic-affirming psychotherapy by Dr. Peter H. Addy, LPC. All published content is freely accessible without authentication. Authenticated write access uses WordPress.com OAuth.
1. Discover
This site publishes standard OAuth discovery metadata. Fetch the documents directly or read the WWW-Authenticate header on a 401 response from any protected write endpoint.
Protected Resource Metadata
```http
GET /.well-known/oauth-protected-resource HTTP/1.1
Host: peterhaddy.com
```

```json
{
  "resource": "https://peterhaddy.com",
  "authorization_servers": ["https://public-api.wordpress.com/"],
  "scopes_supported": ["global", "auth"],
  "bearer_methods_supported": ["header"],
  "resource_documentation": "https://developer.wordpress.org/rest-api/"
}
```
Authorization Server Metadata
```http
GET /.well-known/oauth-authorization-server HTTP/1.1
Host: peterhaddy.com
```
The authorization server is hosted at https://public-api.wordpress.com/. Fetch the full metadata document from the URL above. Key fields: issuer, authorization_endpoint, token_endpoint, grant_types_supported.
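A client-side check of the discovery data described above, as an added example that is not part of the original page or the site's own code: it extracts the metadata URL from a 401 challenge and validates the Protected Resource Metadata before any token request is made. The function names, the pinned issuer list and the sample challenge header are assumptions constructed for illustration; the JSON is the document shown above.

```python
import json
import re
from urllib.parse import urlsplit

# Metadata document as published on this page, embedded so the example runs offline.
PAGE_METADATA = json.loads("""{
  "resource": "https://peterhaddy.com",
  "authorization_servers": ["https://public-api.wordpress.com/"],
  "scopes_supported": ["global", "auth"],
  "bearer_methods_supported": ["header"],
  "resource_documentation": "https://developer.wordpress.org/rest-api/"
}""")

# Constructed sample of a 401 challenge header (not captured from the site).
SAMPLE_CHALLENGE = ('Bearer resource_metadata='
                    '"https://peterhaddy.com/.well-known/oauth-protected-resource"')


def metadata_url_from_challenge(header):
    """Return the resource_metadata URL from a Bearer challenge, or None."""
    if not header.lower().startswith("bearer"):
        return None
    m = re.search(r'\bresource_metadata="([^"]+)"', header)
    return m.group(1) if m else None


def _origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port or 443)


def check_metadata(doc, requested_resource, trusted_issuers):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    # The document must name the resource we asked about; otherwise a token
    # could be obtained for, and presented to, a different party.
    if doc.get("resource") != requested_resource:
        problems.append("resource mismatch")
    trusted = {_origin(t) for t in trusted_issuers}
    servers = doc.get("authorization_servers", [])
    if not servers:
        problems.append("no authorization server listed")
    for s in servers:
        if urlsplit(s).scheme != "https":
            problems.append(f"non-HTTPS authorization server: {s}")
        elif _origin(s) not in trusted:
            problems.append(f"unexpected authorization server: {s}")
    if "header" not in doc.get("bearer_methods_supported", []):
        problems.append("bearer token in Authorization header not supported")
    return problems
```

Pinning the expected authorization server in the client means a tampered or spoofed metadata document cannot redirect the authorization flow to a different issuer.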
2. Access Model
| Action | Auth required |
|---|---|
| Read pages, posts, media | None |
| WordPress REST API (GET) | None |
| WordPress REST API (write) | Bearer token — scope: global |
Read any published content without a credential:
```http
GET /wp-json/wp/v2/posts HTTP/1.1
Host: peterhaddy.com

GET /wp-json/wp/v2/pages HTTP/1.1
Host: peterhaddy.com
```
REST API reference: https://developer.wordpress.org/rest-api/
3. Agent Registration
This site does not operate a custom agent registration endpoint. Write access requires the WordPress.com OAuth 2.0 authorization code flow:
- Authorization endpoint: https://public-api.wordpress.com/oauth2/authorize
- Token endpoint: https://public-api.wordpress.com/oauth2/token
- Scopes: `global` (full access) or `auth` (authentication only)
- Grant type: `authorization_code`
- Documentation: https://developer.wordpress.com/docs/oauth2/
Most agent use cases — reading content, searching posts, navigation — require no credentials.
4. Revocation
Tokens issued through WordPress.com OAuth can be revoked via the standard OAuth revocation endpoint at WordPress.com. Revocation of provider-issued tokens follows the provider’s revocation event flow.
Contact
For integration questions: [email protected]