WorkOS launches auth.md, an open protocol for agent signups
Michael Grinich unveiled auth.md with early support from Cloudflare and Firecrawl, giving apps a standard way to onboard AI agents without brittle browser hacks.
By Ryan Merket · Published
Why it matters
Agent ecosystems are moving from demos to production. A standard way for agents to register and obtain scoped credentials could cut brittle automation, reduce fraud, and give app builders control.

WorkOS launched auth.md, an open protocol for AI agents to register for web services, in a thread on X from Michael Grinich (@grinich). Grinich said WorkOS is partnering with Cloudflare and Firecrawl as some of the first providers.
https://x.com/grinich/status/2057884407135187292
Grinich argues that the past two decades of signup flows were built for people clicking around a browser. Agents break those assumptions. Auth.md gives them a first-class path: an app publishes a simple Markdown file at its domain (for example, yourapp.com/auth.md) that declares supported registration flows, available scopes, and endpoints. It is human-readable and agent-readable, and is meant to be easy for developers to implement.
The spec defines two main flows. In an agent-verified flow, a trusted platform (such as an agent provider) attests to the user’s identity, and the service returns credentials without email loops or CAPTCHAs. In a user-claimed flow, the service gates capabilities until the user is verified. Crucially, apps stay in control: they choose which flows to accept, define scopes, and issue credentials tied to a user.

WorkOS authored the protocol but says auth.md is open and not tied to WorkOS infrastructure. Any app can publish one, any agent can read one, and any provider can implement verified identity assertions. "The internet is being rebuilt around agents. The winners will not just make something people want. They will make something agents want. And it all starts with auth," Grinich wrote on X.