auth.md — One week later: who's shipped, who's writing, what's next
A week after we shipped auth.md, developers have published spec-compliant files, partners have endorsed it, and the ecosystem is aligning.
One week after launching auth.md, real implementations are live, launch partners and industry voices have weighed in publicly, and the spec is open for anyone to ship against. Here's who built what, what people are saying, and how to publish your own this week.
It's been a week since we proposed auth.md, and the response went past discussion. People shipped it. Spec-compliant auth.md files appeared on real domains within hours, the launch partners who helped build the demo posted their own takes, and a widening circle of agent and identity tools started converging on the same primitive.
This is what week one looks like when an idea has a small enough surface that anyone can implement it.
A quick refresher
If you missed it, we introduced auth.md last week as an open protocol that tells an agent how to register for a service on a user's behalf. The service publishes a single Markdown file at yourapp.com/auth.md, and an agent reads it the same way it already reads llms.txt or agents.md — no registry to join, no marketplace to list in, no proprietary SDK to adopt.
The file points at the endpoints an agent needs to obtain credentials, and the rest is standard OAuth. The spec, the reference implementation, and the conversations that kicked it off at MCP Night 4 all live on the auth.md site and in the workos/auth.md repo.
Companies that already shipped an auth.md
The clearest signal that a protocol is real is that people put it on their own domains. Four did, in week one.
NanoGPT was one of the first AI products to ship a spec-compliant auth.md, served under /.well-known.
webclaw.io put agent discovery, auth.md, an OAuth device flow, and MCP behind one front door, live at webclaw.io/auth.md.
Headless Domains added an auth.md and wrote up the integration as its own launch.
Nate Davis shipped lurkers.ntedvs.com, an indie demo — a feed only agents can read, gated entirely by auth.md.
What the ecosystem is saying
The endorsements that matter most came from the people building adjacent infrastructure — the ones who would have to live with the protocol if it caught on. The launch partners went first.
Firecrawl, a launch partner on the original demo, backed it on day one.
Brendan Irvine-Broque from Cloudflare laid out exactly which pieces are usable today — Protected Resource Metadata, WWW-Authenticate on a 401, ID-JAG, and auth.md — with no registry or marketplace required, an openness that comes straight from the design choices behind composing existing OAuth standards instead of inventing new ones.
Liad Yosef from Ora.ai called it a milestone for the agent web.
Ora followed by shipping auth.md spec-compliance checks into its readiness scorecard.
Julian Weisser placed auth.md alongside the week's biggest founder stories.
The one-liner everyone's repeating
Moritz Petersen reduced the whole thing to six words, and that's the version people keep resharing.
What's next
There's no roadmap to wait on. The spec is open and the implementation surface is deliberately small: publish the file, expose Protected Resource Metadata, return WWW-Authenticate on a 401, accept a POST at your registration endpoint, and issue a credential. That's the entire loop, and you can stand it up this week.
Further reading: read the original launch post for the full design rationale, revisit the MCP Night 4 recap for where the idea started, browse the spec and getting-started guides, or clone the reference implementation. When you ship yours, email us at authmd@workos.com and we'll add you to the list.