# SendFax.sh -- Authentication

**There is no authentication. Payment is the credential.**

SendFax.sh has no accounts, no sign-up, no API keys, and no OAuth. You do not
register, and there is nothing to log in to. Every fax is authorized by paying
for that specific request.

## Agents: x402 / MPP (per request)

`POST /api/v1/faxes` is a paid endpoint. The first request returns **HTTP 402
Payment Required** advertising the price ($0.05/page, USDC). You pay and retry
the identical request carrying the payment header:

- **x402** -- `PAYMENT-REQUIRED` response header + JSON `accepts` body; retry
  with the `X-PAYMENT` header.
- **MPP** (mpp.dev) -- `WWW-Authenticate: Payment` response header; retry with
  the `PAYMENT` header your MPP client produces.

The payment *is* the authorization. There is no bearer token to store, rotate,
or leak. See [quickstart.md](https://sendfax.sh/quickstart.md) for the full
handshake.

`GET /api/v1/faxes/{id}` (status polling) is **free and unauthenticated** -- the
fax id is an unguessable capability; whoever holds it can read the status.

## Humans: Stripe Checkout

The `/human` page uploads a PDF and takes payment through Stripe Checkout (Link,
card, or crypto/USDC). Payment completion authorizes the send and redirects to
the status page. Still no account.

## Why no OAuth / OpenID / PKCE

Those exist to authenticate a *durable identity* across many requests. We have
no durable identity to authenticate -- each fax is a one-shot, pay-as-you-go
transaction, and per-request payment already proves authorization. Adding an
identity layer would create accounts we deliberately don't want. This is why
the usual `/.well-known/oauth-*` and OpenID discovery documents are absent by
design.

Questions? -> support@sendfax.sh
