Agent Mode: Solving the Agent Registration Problem with auth.md
This video captures Michael Grinich, founder of WorkOS, speaking at the fourth MCP Night event. He discusses the rapid evolution of AI agents, moving from human-in-the-loop coding assistants to autonomous agentic software capable of long-running tasks. Grinich illustrates this shift through examples from leading tech companies like Ramp and Stripe, highlighting how these organizations are building internal 'code factories' that generate, debug, and deploy code independently. He introduces the concept of the 'Harness'—the necessary infrastructure surrounding a language model that provides it with the runtime, tools, and feedback loops required for effective operation.
A central focus of the presentation is the current barrier to agent adoption: the registration process. Most web services are designed to block automated behavior using CAPTCHAs and email verification, which are incompatible with autonomous agents. To solve this, WorkOS introduces auth.md, an open specification intended to facilitate agent-native registration. The talk includes a live demonstration where an agent autonomously registers for services like Cloudflare and Firecrawl using the auth.md protocol to deploy a website. Grinich concludes by predicting a future where agents become the primary consumers of software, necessitating a shift toward 'Agent Ready' applications.
This video features Michael Grinich, founder of WorkOS, at MCP Night, where he outlines the transition from human-led AI development to autonomous agentic software. The presentation introduces auth.md, a new open specification designed to solve the critical problem of how AI agents register for and authenticate with web services without human intervention. By exploring the architecture of the 'Agent Harness' and demonstrating live agentic registration with partners like Cloudflare and Firecrawl, the video provides a roadmap for developers to make their applications 'Agent Ready.'
Key Takeaways
Shift to Autonomy: AI agents are evolving from simple autocomplete tools to autonomous workers capable of running tasks for hours or days.
The Harness Concept: Effective agents require more than just an LLM; they need a 'harness' consisting of runtime, tools, context, feedback loops, and human review systems.
Registration Barriers: Existing sign-up flows (CAPTCHAs, email verification) are designed to block the very automated behavior that agents require.
auth.md Specification: A proposed open standard for agent-native registration that allows agents to identify themselves and provision accounts autonomously.
Timestamps
00:00 Introduction - Michael Grinich opens the fourth MCP Night and introduces the theme: Agent Mode.
01:21 The Rise of Agents - Discussion on how agentic software is changing the world and the future of WorkOS.
02:40 Evolution of Coding with Agents - The shift from human-in-the-loop autocomplete to autonomous long-running agents.
05:31 Case Studies: Ramp and Stripe - Examples of companies building autonomous internal code factories.
06:33 WorkOS Horizon - Introduction to WorkOS's internal autonomous engineering system.
08:01 Building the Agent Harness - The five requirements for a functional agentic infrastructure.
10:57 The Agent Registration Problem - Why traditional sign-up flows (CAPTCHAs, email) fail for AI agents.
14:44 Introducing auth.md - A new open specification for agent-native registration and authentication.
Target Audience
Software engineers, CTOs, product managers, and developers interested in the future of AI agents and machine-to-machine authentication protocols.
Use Cases
- Implementing agent-native registration flows for SaaS products
- Designing infrastructure 'harnesses' to support autonomous AI workers
- Developing autonomous PR generation and debugging systems
- Preparing APIs for a future where agents are the primary users
- Optimizing machine-to-machine identity verification using JWT-based assertions
Agent Ready is the New Enterprise Ready: As agents become primary users, businesses must move away from browser-centric UIs toward API-first, agent-friendly architectures.
The Evolution of Agentic Coding
Grinich explains that the software industry has undergone a radical transformation in a very short period. Initially, AI in coding acted as an advanced autocomplete system where the human remained firmly in the loop, steering every line of code. However, as models have improved, we have entered the era of 'long-running agents.' These systems can take a high-level prompt, decompose a project into smaller tasks, and work independently for hours to build entire features or applications.
Companies like Ramp and Stripe are already leveraging this through internal tools like 'Inspect' and 'Minions.' These systems don't just suggest code; they generate pull requests, run tests, and deploy to production autonomously. At WorkOS, a similar system called 'Horizon' handles internal engineering tasks, allowing the team to operate at a scale previously impossible for a human-only workforce.
Building the Agent Harness
For an agent to be effective, it cannot exist as a standalone model. Grinich introduces the 'Harness,' which he compares to the chassis and fuel of a car, while the LLM is the engine. A robust harness requires five key components:
Runtime: A secure, isolated environment where the agent can execute code.
Tools: Access to external services like GitHub, CI/CD pipelines, and databases.
Context: Deep knowledge of the codebase, product requirements, and previous team conversations.
Feedback Loops: The ability to test its own work, review errors, and iterate based on results.
Human Review: A mechanism for high-level oversight and final approval of intent and design decisions.
Solving the Registration Problem with auth.md
The most significant friction point identified in the video is 'Agent Registration.' Most websites are built to ensure users are human, utilizing CAPTCHAs, email verification links, and password managers—all of which act as roadblocks for autonomous agents. If an agent cannot sign up for a service, it cannot use it, which Grinich argues makes the service 'dead in the water' in the coming agentic economy.
WorkOS's solution, auth.md, is a markdown-based specification hosted at a well-known endpoint (e.g., yourservice.com/auth.md). It allows an agent to discover how to register, what identity proofs are required, and what scopes are available. Central to this is the ID-JAG (Identity Assertion JWT Authorization Grant), which allows a trusted identity provider (like WorkOS or a company's internal system) to vouch for an agent's identity, allowing a service provider like Cloudflare to provision an account instantly without a human ever seeing a login screen.
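An added sketch (not from the talk, WorkOS, or the auth.md spec) of the checks a service might run on an identity assertion JWT before provisioning an account for an agent: pinned algorithm, issuer allow-list, signature, audience, short lifetime and single use. The issuer URL, audience, key and the use of HS256 with a shared secret (standing in for an identity provider's asymmetric signature, to stay within the standard library) are assumptions; the claim names are the registered JWT claims from RFC 7519.

```python
import base64, hashlib, hmac, json, time

# Assumed policy for this example; none of these values come from the auth.md spec.
TRUSTED_ISSUERS = {"https://idp.example": b"constructed-demo-key"}
AUDIENCE = "https://service.example"   # this service's own identifier
MAX_LIFETIME = 300                     # seconds; reject long-lived assertions
_seen_jti = set()                      # in production: a shared store with expiry

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint(claims, key, alg="HS256"):
    """Constructed identity-provider side, used only to produce sample input."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_assertion(token, now=None):
    """Return (True, subject) or (False, reason). Provision only on True."""
    now = time.time() if now is None else now
    try:
        head_s, body_s, sig_s = token.split(".")
        header, claims, sig = json.loads(_b64d(head_s)), json.loads(_b64d(body_s)), _b64d(sig_s)
        alg, iss = header.get("alg"), claims.get("iss")
    except (ValueError, TypeError, AttributeError):
        return False, "malformed"
    if alg != "HS256":                 # pin the algorithm; the header is attacker-controlled
        return False, "alg"
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:                    # only allow-listed identity providers may vouch
        return False, "issuer"
    expected = hmac.new(key, f"{head_s}.{body_s}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature"
    if claims.get("aud") != AUDIENCE:  # assertion minted for another service
        return False, "audience"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not all(isinstance(t, (int, float)) for t in (exp, iat)) \
            or not (iat <= now < exp) or exp - iat > MAX_LIFETIME:
        return False, "time"
    jti = claims.get("jti")
    if not isinstance(jti, str) or not jti or jti in _seen_jti:
        return False, "replay"         # each assertion is accepted once
    _seen_jti.add(jti)
    return True, claims.get("sub")
```

The reason string is meant for the service's own logs and rate limiting; a caller would normally see only a generic rejection.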
Practical Applications
Developers can begin applying these concepts by examining their current authentication and registration flows. To become 'Agent Ready,' teams should:
Adopt the auth.md spec: Hosting an auth.md file enables agents to discover and interact with your API autonomously.
Shift to API-first UI: Follow the lead of Salesforce’s 'Headless 360' where the API is treated as the primary user interface, ensuring all functionality is accessible via MCP or CLI.
Implement ID-JAG: Use JWT-based identity assertions to allow machine-to-machine account provisioning, reducing the need for manual API key generation.
Build Autonomous Code Factories: Create internal harnesses that allow AI agents to handle repetitive debugging and deployment tasks, freeing up human engineers for architectural design.
Frequently Asked Questions
What is the difference between MCP and auth.md?
While the Model Context Protocol (MCP) focuses on how agents exchange context and call tools, auth.md focuses specifically on the registration and authentication flow. MCP assumes an agent already has access; auth.md provides the mechanism for the agent to get that access autonomously.
Why can't we just use traditional OAuth for agents?
Traditional OAuth usually requires a 'User-Agent' (a browser) and a human to click 'Allow.' Autonomous agents often operate in headless environments where no human is present to provide consent in real time. auth.md replaces this interactive consent with pre-delegated identity assertions.
Is auth.md a formal web standard?
Currently, auth.md is an open specification and a set of principles rather than a standard ratified by bodies like the IETF. Grinich describes it as a 'set of ideas' intended to be implemented and improved upon by the developer community to eventually form a standard for agentic registration.
How do agents handle payments if they sign up autonomously?
While the current focus of auth.md is on registration and free-tier access, the speaker notes that the next evolution will involve agents being able to transact and pay for services. This would likely involve the agent having access to a scoped digital wallet or corporate procurement account authorized through the same identity harness.
17:21 Live Demo: Agentic Registration - A demonstration of an agent autonomously registering for Cloudflare and Firecrawl.
23:35 Agent Ready is the New Enterprise Ready - Predicting a shift where agents become the primary software consumers.