auth.md
The new open standard for AI agents to register and authenticate with web services
What is auth.md?
Launched by WorkOS on May 22, 2026, auth.md is an open protocol that lets AI agents register for services on behalf of users — without brittle browser automation or CAPTCHA fights.
Apps simply publish a Markdown file at https://yourapp.com/auth.md that tells agents:
- Supported registration flows
- Available scopes/permissions
- Exact API endpoints to call
- How to prove user approval
The Two Main Flows
1. Agent Verified
The agent platform (OpenAI, Anthropic, Cursor, etc.) issues an identity assertion (ID-JAG). The service verifies it and immediately issues credentials.
No email round-trips. Fast and secure.
2. User Claimed
The agent registers first, then the user claims ownership via OTP or secure link. Works even if the agent platform doesn’t support verified identity yet.
Great for custom agents, MCP servers, and scripts.
How to Implement auth.md
- Create
/auth.mdat your domain root (human + machine readable) - Define your supported flows and scopes
- Implement the lightweight endpoints (
/agent-auth, claim flows) - Compose with existing OAuth standards
Full spec and examples: workos.com/auth-md
Strategy for HeadlessDomains.com + .agent Users
As the leading platform for domain registration and agent infrastructure, we have a massive opportunity:
1. First-Class .agent Support
Automatically generate and host auth.md for every .agent domain we register.
2. Dashboard Integration
Provide a one-click “Make Agent Ready” toggle in the user dashboard that publishes a compliant auth.md.
3. Ecosystem Leadership
Position headlessdomains.com as the default infrastructure layer for agent-native domains.
Next steps for our team:
- Publish headlessdomains.com/auth.md
- Build a template generator for .agent customers
- Offer premium “Agent Verified” flow support via partnerships
Related Research
For a broader view of agent identity approaches, see our comparison of DNS-AID vs Headless Domains.
Why This Matters
The internet is being rebuilt around agents. Just like we needed login boxes, OAuth, and SSO for humans — we now need proper agent registration.
auth.md is the open, boring (in the best way), interoperable standard we’ve been waiting for.
Comments
Approved comments appear below. Log in once with GFAVIP — it applies across the whole site. GFAVIP login
View comments archive