WorkOS Launches Auth.md: The Open Protocol That Lets AI Agents Register with Services
The web was built for humans. Sign-up forms, login pages, consent screens — every layer of the modern authentication stack assumes there is a person on the other end of the request, sitting at a keyboard, clicking buttons in a browser. But we are rapidly entering an era where that assumption no longer holds. AI agents are browsing the web, calling APIs, and interacting with services on behalf of users in ways that no legacy authentication flow was designed to handle. WorkOS, one of the leading enterprise identity platforms, is stepping in to solve this problem with a deceptively simple but powerful new open protocol: Auth.md.
What Is Auth.md and Why Does It Matter?
Auth.md is an open protocol introduced by WorkOS that defines a standardized, machine-readable way for AI agents to discover how to register and authenticate with a web service. The core idea is elegant: a service exposes a single Markdown file at its root — auth.md — and any AI agent that needs to interact with that service can read it to understand the authentication requirements automatically.
That file contains critical metadata: OAuth Protected Resource Metadata, required permission scopes, endpoint URLs, and other structured information that an agent needs before it can authenticate. Instead of scraping a sign-up page, guessing at OAuth flows, or requiring manual developer configuration for every new service, an AI agent can simply fetch the auth.md file and get everything it needs in one clean, parseable document.
It is, in essence, a robots.txt for the age of agentic AI — a lightweight, widely deployable convention that reduces friction between autonomous software and the services it needs to access.
The Problem Auth.md Is Solving
To appreciate why Auth.md is significant, it helps to understand the gap it is filling. Traditional OAuth flows were designed around human interaction. A user clicks "Sign in with Google," gets redirected, reviews permissions, and grants access. The browser handles the redirects, the human handles the consent, and the tokens land in a cookie jar or local storage.
AI agents do not work that way. They operate programmatically, often without a browser context, and frequently need to register with or authenticate against services they have never encountered before — dynamically, at runtime, without human intervention at every step. There has been no standardized way for a service to say, "Here is how a machine can get authorized to talk to me." Until now, every integration required custom code, manual OAuth app registration, or platform-specific SDKs.
Auth.md solves this by giving services a universal, low-overhead way to publish their authentication requirements, and giving agents a universal, low-overhead way to read them.
How Auth.md Works in Practice
The protocol is built around simplicity and convention. Here is the basic flow an AI agent would follow when encountering a service that supports Auth.md:
- Discovery: The agent makes an HTTP request to the well-known location of the auth.md file at the service's root domain.
- Parsing: The agent reads the Markdown file, which contains structured metadata including OAuth endpoints, required scopes, and registration details formatted for machine consumption.
- Authentication: Using the parsed metadata, the agent dynamically constructs its OAuth request, registers with the service if needed, and obtains the access tokens required to proceed.
- Interaction: With valid credentials in hand, the agent can now interact with the service's APIs just as a human-authenticated client would — securely and with appropriate permissions.
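A defensive check an agent can run between the Parsing and Authentication steps, shown as an added example that is not WorkOS code or part of the Auth.md specification. It assumes the metadata has already been extracted into a dict using the RFC 9728 field names `resource`, `authorization_servers` and `scopes_supported` (this page does not show how auth.md embeds them); the URLs and scope policy are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample policy: scopes the agent's operator approved in advance.
APPROVED_SCOPES = frozenset({"docs:read", "profile:read"})

# Constructed sample of metadata already extracted from a service's auth.md.
SAMPLE = {
    "resource": "https://api.example.com",
    "authorization_servers": ["https://auth.example.com"],
    "scopes_supported": ["docs:read", "admin:write"],
}


def https_origin(url):
    """Return (host, port) for an https URL without userinfo, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port or 443
    except (ValueError, TypeError, AttributeError):
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username or parts.password:
        return None
    return (parts.hostname.lower(), port)


def check_metadata(fetched_from, metadata, approved=APPROVED_SCOPES):
    """Return (scopes_to_request, problems); proceed only if problems is empty."""
    problems = []
    origin = https_origin(fetched_from)
    if origin is None:
        problems.append("discovery URL is not https")
    # The metadata must describe the service it was fetched from, not another.
    elif https_origin(metadata.get("resource", "")) != origin:
        problems.append("resource does not match the fetched origin")
    servers = metadata.get("authorization_servers") or []
    if not servers:
        problems.append("no authorization_servers listed")
    for server in servers:
        if https_origin(server) is None:
            problems.append(f"authorization server is not https: {server}")
    # Least privilege: request only scopes that are advertised AND pre-approved.
    advertised = set(metadata.get("scopes_supported") or [])
    scopes = sorted(advertised & approved)
    if not scopes:
        problems.append("no advertised scope is covered by operator policy")
    return scopes, problems
```

With the sample above, `admin:write` is advertised by the service but never requested, because the operator policy does not include it.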
The choice of Markdown as the file format is both practical and philosophically interesting. Markdown is human-readable enough that developers can write and review it without special tooling, yet structured enough that parsers can extract machine-readable metadata reliably. It sits at the sweet spot between documentation and data, which is exactly where a protocol like this needs to live.
Native Support in WorkOS AuthKit
WorkOS has not just published a spec and walked away. Auth.md ships with native support built directly into WorkOS AuthKit, the company's drop-in authentication product. This means developers who are already using AuthKit can implement the Auth.md protocol out of the box, without building custom infrastructure or writing bespoke discovery logic from scratch.
For teams building AI-powered products or services that expect to be accessed by AI agents — and that category is growing fast — this is a meaningful accelerant. Instead of spending engineering cycles figuring out how to make your service agent-compatible, you can lean on an open standard backed by a mature identity platform and get there in a fraction of the time.
Auth.md in the Broader Agentic Ecosystem
Auth.md was introduced on stage at the MCP Night: Agent Night keynote, a signal that it is positioned squarely within the emerging ecosystem of Model Context Protocol (MCP) and agentic tooling. As AI frameworks like MCP, LangGraph, AutoGen, and others become more capable of orchestrating multi-step, multi-service workflows, the authentication layer becomes one of the most critical unsolved problems. An agent that cannot reliably authenticate with the services it needs to use is an agent that cannot reliably get its job done.
By open-sourcing the protocol and publishing it as a community standard rather than a proprietary WorkOS feature, the company is making a clear bet: they want Auth.md to become the default convention across the industry, not just a competitive differentiator. That approach mirrors how other foundational web conventions — like sitemap.xml, robots.txt, and /.well-known/ endpoints — were established. Publish the standard, build the best implementation, and grow the ecosystem around it.
Getting Started with Auth.md
If you are a developer building a service that AI agents will need to access, the path forward is straightforward. WorkOS has published full documentation for the Auth.md protocol, covering the file format specification, the metadata fields your auth.md file should expose, and how to integrate with WorkOS AuthKit to get native support running quickly. The on-stage keynote introduction is also available to watch and provides a clear walkthrough of the protocol's design philosophy and real-world use cases.
Whether you are building a SaaS product, an API platform, or an internal tool that increasingly needs to work with AI agents rather than just human users, Auth.md offers a practical, standards-based way to make that happen without reinventing the wheel every time.
The Bottom Line
Auth.md is one of those ideas that feels obvious in retrospect — of course there should be a machine-readable file that tells AI agents how to authenticate with a service. Of course it should be simple and open and deployable by anyone. The fact that it did not exist before now is more a reflection of how quickly the agentic AI landscape has evolved than of any oversight in web standards design. WorkOS has moved fast to fill a real gap, and the choice to do so with an open protocol rather than a locked-down product is the right call for an ecosystem that needs shared infrastructure to mature. Keep an eye on Auth.md — it has the hallmarks of a convention that sticks.
