Justy: Okay, Cody, this is such an episode four hundred thirty thing. A markdown file for agent sign-up, and somehow I kind of buy the pitch.
Cody: I know. It's very us to spend a Tuesday on auth.md instead of, I don't know, going outside.
Justy: I did go outside. Briefly. Then I sat in traffic for forty minutes to do one errand, got home, and my brain was only capable of reading specs with tiny boxes and arrows. So... anyway, this one actually has a clean argument.
Cody: Yeah.
Justy: The argument is not really markdown. It's that if apps want agents to act for users, there needs to be a predictable way for the agent to discover auth flows, scopes, and registration endpoints without a human doing a whole custom sign-up dance every time.
Cody: Right.
Cody: And that part holds up for me. The file is just discovery. Host auth.md on your domain, the agent fetches it, sees what flows you support, then tries one of them. Very similar energy to other machine-readable metadata files, which is why this doesn't feel completely made up.
Justy: Mm-hm.
Justy: What I liked is they were pretty explicit about the two paths. One is agent verified, where the agent's identity provider vouches for the user and no human has to jump in. The other is user claimed, where the agent triggers a one-time code and the person confirms it. That is a very product-real split.
Cody: Exactly.
Cody: Also, they are not asking apps to invent a whole new token format. The app can issue a scoped API key or an access token tied to the user. That's smart because it reuses whatever auth model already exists, and it keeps revocation and expiry in the app's control.
Justy: Which is why I think the people who should care are the boring practical ones. Internal tools, dev platforms, note apps, anything with an API where an agent might reasonably say, hey, I can wire this up for you. The little terminal mockup on the page gets that across better than the prose did.
Cody: Oh interesting.
Cody: The mockup is doing a lot of work, yeah. Agent sees options like deploy to Cloudflare, add Firecrawl scraping, add auth with WorkOS AuthKit. That's the user story. The technical claim underneath is that the app publishes supported flows, scopes, and endpoints so the agent doesn't scrape docs and guess.
Justy: And that is VERY appealing. Because right now half of agent integration is basically polite improvisation.
Cody: Polite improvisation is generous, Justy. Sometimes it's a raccoon opening cabinets. But I do think the piece is careful enough. They say it composes existing OAuth-adjacent standards, like Protected Resource Metadata and ID-JAG identity assertions, which is a good sign they're trying to anchor this in known patterns.
Justy: Wait—
Justy: I had the exact same reaction. The strongest part of the page is actually that they do NOT say, trust us, we invented magic agent auth. They mostly say, here's a thin open protocol, hosted at your domain, and any app can publish it, any agent can read it.
Cody: Where I still get twitchy is the trust boundary. Agent verified sounds smooth, but the real question is which identity providers you trust to assert a user identity, and what happens when that chain is sloppy. The markdown file doesn't solve that. It just tells the agent where the doors are.
Justy: Sure.
Justy: But that's not a knock on the idea, right? That's just the hard part living where it always lives. The practical win is that an app can say, we allow agent verified from these trusted assertions, we allow user claimed by OTP for everybody else, and here are the scopes. That's already way better than bespoke forms.
Cody: Yeah, I think that's fair. I could be wrong, but the overreach would be if someone read this as solved agent identity. It isn't. It's a discovery and registration convention. A useful one, maybe, if enough apps and agents actually implement it.
Justy: Which is the whole game, honestly. Standards are fake until enough people are tired in the same direction.
Cody: That should be on the Exploring Next mug we will never make. Also, small point, the open-versus-vendor thing matters here. They do say the protocol is on GitHub and not tied to a WorkOS account, even though they obviously want AuthKit to be the easy button.
Justy: Yeah. So my read is, if you're building an app that could plausibly be operated by an agent in the next year, this changes planning more than implementation today. You probably don't drop everything, but you do start thinking about scopes, issuance, revocation, and whether OTP claim is your safety net.
Cody: And if you're not in that category, you can wait. No need to become spiritually invested in a markdown file. That's my calm and measured take for once, Justy.
Justy: I appreciate this rare season of emotional stability. Okay, that's enough auth.md for one kitchen-table Wednesday, Cody.