Longevity.haus agent authentication

How AI agents, scanners, and integrators talk to Longevity.haus.

TL;DR

• Public read endpoints: no auth. Hit /api/mcp, /openapi.yaml, /api/treatments.json, /llms.txt, and the /.well-known/* family directly.
• Rate limits: 60 requests / minute / IP, enforced at the Cloudflare edge. Responses advertise this via RateLimit-Policy / X-RateLimit-* headers on public API paths.
• Programmatic API tokens: not issued today. User accounts use Better Auth session cookies (human-oriented OAuth via Google/GitHub).
• Partner access (write, analytics, bulk data): email [email protected] — we'll mint a scoped credential against whatever auth model we settle on.

Public endpoints (no auth)

All agent-facing read surfaces are intentionally unauthenticated. The data is the same data that powers the public web UI and is meant to be indexed, quoted, and presented by AI assistants. There is no value we gain from gating it and a real cost to agents that try to integrate.

Preferred: MCP

curl -X POST https://longevity.haus/api/mcp \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Seven tools: list_treatments, get_clinic, get_treatment, search_clinics, get_price_index, search, fetch. Server card at /.well-known/mcp/server-card.json.

Alternative: OpenAPI + direct JSON

curl https://longevity.haus/api/treatments.json
curl https://longevity.haus/api/search-data
curl https://longevity.haus/api/exchange-rates

Full spec at /openapi.yaml, browsable at /docs/api.

Content-negotiated markdown

Send Accept: text/markdown on certain pages and you'll get a data-sourced markdown rendering instead of HTML. Supported paths: /, /provider/{slug}, /best/{treatment}/{city}, /{treatment}, /{treatment}/{country}/{city}.

curl -H "Accept: text/markdown" https://longevity.haus/provider/super-young-melbourne

User accounts (Better Auth)

Human users sign in via Better Auth, which supports Google and GitHub OAuth and issues session cookies scoped to longevity.haus. This is not suitable for programmatic / headless agent use — cookies aren't portable and there's no public token-exchange endpoint. If you need to act on a user's behalf, contact us and we'll design a proper delegated flow.

Content policy

Per /robots.txt:

Content-Signal: ai-train=no, search=yes, ai-input=yes

Please don't train new models on Longevity.haus content. Real-time indexing and answer generation are welcome.

Also useful

• /llms.txt — short LLM reference
• /llms-full.txt — consolidated single-fetch reference
• /.well-known/api-catalog — RFC 9727 linkset of all API endpoints
• /.well-known/agent-card.json — A2A agent card
• /.well-known/security.txt — security contact
• /agent.json — JSON view of the platform (canonical; /?mode=agent is an alias)

Questions? [email protected] or /contact.