auth.md
Enable agents to register users without the sign-up form. Auth.md provides secure agent registration that any app can implement.
Self-serve agent discovery
Publish auth.md at your domain with the flows, scopes, and endpoints an agent needs to register.
Choose the flows you support
Allow trusted identity assertions, OTP-based claim flows, or anonymous access.
Credentials you control
Issue scoped API keys or access tokens tied to users — auditable, expirable, revocable.
Get started
Make your app agent-ready
For services that want agents to register users on behalf of their customers.
Become an identity provider
For platforms whose agents act on behalf of users.
FAQs
- A Markdown file an application hosts at its domain — typically https://yourapp.com/auth.md — that tells agents how to register on behalf of a user. It includes which flows are supported, which scopes exist, and how to register for the service. See the file format.
- The agent fetches your auth.md, picks a supported flow, and either presents a verified identity assertion (agent verified flow) or walks the user through an OTP-based claim (user claimed flow). You stay in control of which flows you accept and what credentials get issued. Read the apps guide.
- Agent verified is agent-attested — the agent's identity provider vouches for the user, no human interaction required. User claimed is OTP-based — the agent triggers a code, the human confirms, the account is claimed. Most apps support both and let the agent pick the right one for the situation. Agent verified · User claimed.
- Your service decides whether to return a scoped API key or access token tied to the user. This allows for re-use of your existing API auth methods.
- It's open. WorkOS authors the protocol, but auth.md isn't tied to WorkOS infrastructure — it composes existing OAuth standards (Protected Resource Metadata, ID-JAG identity assertions) and any app can publish or any agent can read one with no WorkOS account required. See the protocol on GitHub.