# wave vss — docs

**Product:** wave_vss (http)  
**Version:** dev

## What this is
A WAVE Protocol Plane *spoke* — a thin Cloudflare Worker that fronts a product at the edge and
reverse-proxies `/api/*` to https://api.wave.online. It performs NO auth; wave-gateway is the single enforcement
plane (authorize → scope → entitlement → rateLimit → meter).

## Endpoints
| method | path | description |
| --- | --- | --- |
| GET | `/health` | liveness JSON |
| GET | `/llms.txt` | this agent map (llms.txt standard) |
| GET | `/docs.md` | agent-legible markdown docs |
| GET | `/.well-known/wave.json` | machine-readable capability descriptor |
| GET | `/threat-model` | threat-model summary |
| * | `/api/*` | reverse-proxied to https://api.wave.online behind wave-gateway |

## Auth
- Send your WAVE credential as a standard `Authorization: Bearer <token>` header.
- The spoke forwards it byte-identical and never inspects it.

## Discovery
- `/llms.txt` — short agent map (llms.txt standard).
- `/.well-known/wave.json` — machine-readable capability descriptor.

_a WAVE product · part of the WAVE Protocol Plane · https://wave.online_