This page documents the public, non-admin endpoints FollowNow exposes for agents, integrators, and curious humans. The machine-readable contract lives at /openapi.json. Read-only agents can discover everything from /.well-known/api-catalog (RFC 9727 Linkset).
GET /robots.txt - crawl rules + Content-Signal directivesGET /sitemap.xml - every canonical public URLGET /llms.txt - AI / agent context documentGET /.well-known/api-catalog - RFC 9727 LinksetGET /openapi.json - OpenAPI 3.1 specGET /.well-known/agent-skills/index.json - listed, digest-verified Skill bundlesGET /api/health - minimal liveness probe. Returns { ok, service, version, environment, status }. Does not report supplier / database / admin readiness - use the auth-gated /api/admin/readiness route for that.POST /api/target-lookup - validate a public profile / post URL before checkout. No password ever required.POST /api/waitlist/signup - pre-launch waitlist insert. IP is hashed (SHA-256) before storage; raw IP is never persisted.GET /api/orders/{id} - public order tracking by opaque ord_xxx id. Returns a redacted view - no supplier ids, no audit log, no payment internals.Public HTML pages also serve a text/markdown representation when an agent requests it. Send Accept: text/markdown on any GET to /, a platform overview, a buy page, the blog, or a blog post. The response carries Vary: Accept so caches keep both representations distinct.
No published numeric limits today. Edge / function-level throttling applies; if your client gets a 429, back off with exponential delay. We'll publish formal limits when the public API surface grows beyond the discovery + lookup endpoints listed above.
Admin and supplier-routing endpoints (under /api/admin/* and the Vercel-Cron /api/admin/orders/poll-due path) are not public. They require a bearer token and are not documented here. Do not crawl or rely on their shape - it can change without notice.
FollowNow currently authenticates admin operations with static bearer tokens, not via an OAuth authorization server. We therefore do not publish /.well-known/openid-configuration, /.well-known/oauth-authorization-server, or /.well-known/oauth-protected-resource - publishing them without a working OAuth backend would lie to clients. The same logic applies to a Model Context Protocol (MCP) server card: we haven't deployed an MCP transport yet, so /.well-known/mcp/server-card.json is intentionally absent. Both are tracked as future work; they'll appear the moment we have real endpoints behind them.
Support: contact@follownow.io. Privacy: contact@follownow.io.