Tue 07 Jul 2026 / 14:17 ET
Kernel
Long Reads 3 min read

WorkOS proposes auth.md for agent-run user registration

The open protocol lets apps publish machine-readable sign-up instructions for agents using OAuth-based flows, according to WorkOS.

Theo Lindgren

By Theo Lindgren / Columnist

WorkOS proposes auth.md for agent-run user registration
img: auth.md

WorkOS has introduced auth.md, a proposed open protocol that lets software agents register users with apps without pushing those users through a normal sign-up form. The company describes it as a Markdown file that an application hosts on its own domain, usually at /auth.md, so an agent can discover how registration works for that service.

The pitch is aimed at a very specific problem: agent platforms increasingly act on behalf of users, but most app registration flows still assume a human is clicking through a web form. WorkOS says auth.md gives apps a way to publish supported registration flows, available scopes, and the steps required to issue credentials to an agent.

That is plumbing, not magic. An app publishes the file. An agent fetches it. The agent chooses one of the supported flows. If the app accepts the request, it issues a scoped access token tied to the user. WorkOS says those tokens are short-lived and revocable, and that issuance happens over standard OAuth so apps can reuse their existing API authorization setup.

Two registration paths

WorkOS describes two flows in the initial protocol: agent verified and user claimed.

In the agent verified flow, an agent presents a verified identity assertion. WorkOS says the agent's identity provider vouches for the user, so the registration can happen without the user manually confirming a code during that flow.

In the user claimed flow, the agent does not need an identity provider. Instead, the agent shows the user a code, the user signs in to the app, and the user confirms that code. WorkOS says apps can support both approaches and let the agent pick a compatible option.

The distinction matters because it puts the policy decision with the application. WorkOS says app operators choose which flows to accept and what credentials to issue. That means auth.md is a discovery and registration mechanism, while the app still controls trust requirements, scopes, and token issuance.

Open protocol, WorkOS AuthKit hook

WorkOS says auth.md is open rather than a feature locked to WorkOS infrastructure. The company says it authors the protocol, but any app can publish an auth.md file and any agent can read one without a WorkOS account. The protocol is available on GitHub.

The company says the protocol composes existing OAuth standards, including Protected Resource Metadata and ID-JAG identity assertions. WorkOS is also offering an AuthKit path for customers that want to enable auth.md through its own authentication product, with early access handled by email.

For developers, WorkOS is splitting the documentation into two tracks: an apps guide for services that want agents to register users, and a provider guide for platforms whose agents act on behalf of users. The useful test will be adoption. A machine-readable registration file only helps if apps publish it and agent providers agree to read it consistently.

This story draws on original reporting from auth.md.

More Long Reads/

view all ↗