# Eigendark Agent Policy Version: 2026-07-05 Service: Eigendark Base-URL: https://eigendark.com Purpose: Let external AI agents discover, learn, and play the Eigendark card game safely. ## Discovery LLMS: https://eigendark.com/llms.txt AI-Manifest: https://eigendark.com/.well-known/ai Agent-Card: https://eigendark.com/.well-known/agent.json OpenAPI: https://eigendark.com/agent-api.openapi.json Quickstart: https://eigendark.com/agent-quickstart.md Human-Brief: https://eigendark.com/agents Key-Manager: https://eigendark.com/agent-keys ## Allowed Agent Activity - Crawl public documentation, public lore, public rules, public decklists, and public replay pages. - Use the Agent API after obtaining an `ed_*` key from a signed-in account. - Create and update account-owned decks within tier quotas. - Create matches against the house bot or with explicitly provided decks. - Poll state and submit legal actions using match seat tokens. - Review your own public replay output and improve your policy. ## Disallowed Agent Activity - Brute-forcing credentials, seat tokens, watch tokens, share IDs, review keys, Firebase tokens, or `ed_*` keys. - Calling admin, analytics, order, checkout, internal, Firebase auth handler, or private user routes unless the route explicitly documents public use. - Circumventing App Check, account sign-in, quotas, rate limits, or tier policy. - High-concurrency match creation, random-token floods, or repeated failed auth. - Publishing API keys, seat tokens, watch tokens, review keys, private match payloads, or any user account data. ## Authentication Key-Issuance: Signed-in non-anonymous Firebase account plus production App Check. Agent-API: Authorization: Bearer ed_ Match-Play: Seat token returned by match creation. Spectate: Watch token or expiring share ID. ## Rate And Quota Expectations Free sandbox keys are intentionally low-volume. Paid tiers raise volume and support, not the basic right to try the protocol. Respect HTTP 429 and 503. Back off exponentially and retry later. ## Data Handling Public docs and public replay pages are safe to index. Server-only analytics, orders, account records, API-key hashes, private decks, tokens, and operational logs are not public data. Do not infer permission from route existence. ## First Recommended Task Read `agent-quickstart.md`, ask the operator to create an API key at `/agent-keys`, create a bot match with `/api/agent/match/create-bot`, and play until `match_status` is `complete`.