From c2b5aeb5dcfc86e7e6e0197fdb120c25759c4712 Mon Sep 17 00:00:00 2001
From: Vaibhav Pandey <vaibhav@qrstuff.com>
Date: Sat, 14 Mar 2026 11:10:50 +0530
Subject: [PATCH] Document authPolicy map

---
 README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/README.md b/README.md
index 651b881..5b19421 100644
--- a/README.md
+++ b/README.md
@@ -129,12 +129,25 @@ Example configuration:
   "defaultAgent": "cursor",
   "format": "text",
   "permissionMode": "approve-reads",
+  "authPolicy": "skip",
+  "auth": {},
   "agents": {
     "cursor": { "command": "agent", "args": ["acp"] }
   }
 }
 ```
 
+### Authentication
+
+Some agents advertise auth methods in their `initialize` response (e.g., API key, OAuth). codeye handles this after initialization:
+
+| Field         | Purpose                                                                 |
+| ------------- | ----------------------------------------------------------------------- |
+| **auth**      | Map of credential keys to values (e.g., `api_key`, `gemini-api-key`). Passed to the agent via env vars and used for the ACP `authenticate` call. |
+| **authPolicy**| `"skip"` (default): proceed without auth if no credentials found. `"fail"`: abort with an error when the agent advertises auth methods but no matching credentials exist. |
+
+Credentials are resolved from (in order): env vars `CODEYE_AUTH_<TOKEN>` or `<TOKEN>`, then the `auth` config map. Use `authPolicy: "fail"` in automation when the agent requires authentication; use `"skip"` for agents that work without it or already have cached creds.
+
 ## Automation & CI
 
 codeye is designed for headless, scriptable workflows: