WorkOS Introduces auth.md — An Open Protocol for AI Agent Registration

Most web applications lack a structured way for an AI agent to register and gain access. WorkOS has proposed a solution: auth.md — an open OAuth-based protocol that simplifies agent integration without manual form filling.

The Problem auth.md Solves

Currently, when a developer wants to connect an AI agent to an application, they must manually fill out a registration form, specify permissions, and obtain an API key. The agent cannot do this automatically — there is no standard way to discover what flows the service supports, what permissions are required, and how to obtain credentials tied to a real user. This becomes a bottleneck at scale: each new agent requires manual configuration, developers must write custom integrations for each application, and maintain documentation up to date.

auth.md changes this approach. It's a standard Markdown file that an application publishes on its domain (for example, example.com/auth.md). The file contains all the information an agent needs to register independently:

• Supported methods (OAuth 2.0, API keys, mTLS, and others)
• Required scopes and permissions for different use cases
• Endpoints for obtaining credentials and long-lived tokens
• Code examples and recommendations for quick start
• Information about rate-limit restrictions, quotas, and token expiration

How It Works in Practice

When an AI agent needs to integrate with an application, it visits its domain, finds auth.md, and reads the instructions. Then it automatically initiates the required registration process, requests the necessary permissions, and obtains a token or API key tied to a real user. Humans don't need to fill anything out manually — the entire process happens programmatically.

For example, if an agent connects to an email service, it can request only the permissions it needs (reading emails, sending replies) without access to other features (deleting emails, changing account settings). Each permission is explicitly listed in auth.md, users can see what the agent requests, and can approve or reject it.

WorkOS chose Markdown over JSON or XML because this format is easy to read and edit for both developers and AI agents. Additionally, Markdown files are convenient to version in git, track changes, add comments, and update without redeploying the application.

What This Means for the Ecosystem

auth.md is a step toward standardizing AI agent integration in the web ecosystem. If the protocol gains sufficient support among major services, AI agents will be able to register independently in hundreds of applications without manual developer intervention. This will significantly accelerate the automation of routine tasks. However, new security questions arise: how to prevent unauthorized access through agents? How to manage permissions if registration is fully automatic? WorkOS expects that open standardization will facilitate discussion of these questions in the community and help develop best practices for secure automatic agent registration.