WorkOS Releases auth.md: An Open Agent Registration Protocol Built on OAuth Standards

For years, web authentication relied on the assumption that a human user was behind a browser, interacting through clicks and forms. This model proves inadequate for AI agents, which are increasingly performing tasks like writing code, managing tickets, and querying systems. Current workarounds, such as using raw API keys, are insecure and difficult to manage. WorkOS addresses this challenge with auth.md, an open protocol designed for agent registration.

auth.md is a simple Markdown file published by an application at a known URL (e.g., https://service.com/auth.md). This file serves as documentation for human developers and a programmatic guide for agents. It specifies supported registration flows, available scopes, and methods for credential issuance, auditing, and revocation.

The protocol supports two main registration flows. The "Agent verified flow" leverages a trusted identity provider (like OpenAI or Anthropic) to attest to the user's identity, enabling synchronous credential issuance without human interaction. The "User claimed flow" is OTP-based, requiring a user to confirm registration via a one-time code, and can be initiated anonymously or by providing an email.

Applications are advised to record audit events such as registration creation, claim requests, and revocations for better observability and incident response. This ensures a clear trail of agent activity and credential management. This new standard streamlines the process for autonomous agents to securely integrate and operate within various services, moving beyond traditional human-centric authentication paradigms.