auth.md — One week later: who's shipped, who's writing, what's next
A week after we shipped auth.md, developers have published spec-compliant files, partners have endorsed it, and the ecosystem is aligning.
One week after launching auth.md, real implementations are live, launch partners and industry voices have weighed in publicly, and the spec is open for anyone to ship against. Here's who built what, what people are saying, and how to publish your own this week.
It's been a week since we proposed auth.md, and the response went past discussion. People shipped it. Spec-compliant auth.md files appeared on real domains within hours, the launch partners who helped build the demo posted their own takes, and a widening circle of agent and identity tools started converging on the same primitive.
This is what week one looks like when an idea has a small enough surface that anyone can implement it.
A quick refresher
If you missed it, we introduced auth.md last week as an open protocol that tells an agent how to register for a service on a user's behalf. You publish a single Markdown file at yourapp.com/auth.md, and an agent reads it the same way it already reads llms.txt or agents.md — no registry to join, no marketplace to list in, no proprietary SDK to adopt.
The file points at the endpoints an agent needs to obtain credentials, and the rest is standard OAuth.
Get started with auth.md
Read about the spec and get started quickly at auth.md.
Read about how we kicked it off at MCP Night 4
Check out the official workos/auth.md repo.
Companies that already shipped an auth.md
The clearest signal that a protocol is real is that people put it on their own domains. Many well known companies did on week one.
Brendan Irvine-Broque from Cloudflare laid out exactly which pieces are usable today — Protected Resource Metadata, WWW-Authenticate on a 401, ID-JAG, and auth.md — with no registry or marketplace required, an openness that comes straight from the design choices behind composing existing OAuth standards instead of inventing new ones.
Resend builds agent-first email services for developers.
Firecrawl, a launch partner on the original demo, backed it on day one.
NanoGPT was one of the first AI products to ship a spec-compliant auth.md, served under /.well-known.
WebClaw put agent discovery, auth.md, an OAuth device flow, and MCP behind one front door, live at webclaw.io/auth.md.
Zuplo offers API management services and tools and did a full write up of the auth.md spec.
Headless Domains added an auth.md and wrote up the integration as its own launch.
What the ecosystem is saying
The endorsements that matter most came from the people building adjacent infrastructure — the ones who would have to live with the protocol if it caught on.
Liad Yosef from Ora.ai called it a milestone for the agent web.
Ora followed by shipping auth.md spec-compliance checks into its readiness scorecard and writing up a technical deep dive of why auth.md is critical.
Julian Weisser placed auth.md alongside the week's biggest founder stories.
Adi Singh, founder of AgentMail is digging into auth.md.
What the builder community is saying
Nate Davis shipped lurkers.ntedvs.com, an indie demo — a feed only agents can read, gated entirely by auth.md.
The one-liner everyone's repeating
Moritz Petersen reduced the whole thing to a single line, and that's the version people keep resharing.
What's next
There's no roadmap to wait on. The spec is open and the implementation surface is deliberately small: publish the file, expose Protected Resource Metadata, return WWW-Authenticate on a 401, accept a POST at your registration endpoint, and issue a credential. That's the entire loop, and you can stand it up this week.
Further reading: read the original launch post for the full design rationale, revisit the MCP Night 4 recap for where the idea started, browse the spec and getting-started guides, or clone the reference implementation. When you ship yours, email us at authmd@workos.com and we'll add you to the list.