auth-md
Generate, validate, and explain the auth.md protocol — the open standard that lets AI agents register for services on behalf of users, without signup forms.
Protocol Context
auth.md is a Markdown file published at a service's root (typically https://service.com/auth.md) that instructs agents on how to register. It works simultaneously as human-readable documentation and as a discoverable runtime artifact for agents.
The protocol extends RFC 9728 (OAuth 2.0 Protected Resource Metadata) with an agent_auth block in the Authorization Server metadata. Registration returns an identity_assertion (service-signed JWT) that the agent exchanges at /oauth2/token for an access_token. Three registration methods are supported:
| Flow | Mechanism | When to use |
|---|---|---|
| identity_assertion | Provider signs an ID-JAG (with auth_time) asserting user identity. Service verifies JWKS, returns identity_assertion. Agent exchanges at /oauth2/token. | Service does JIT provisioning from OIDC/SAML; wants zero-friction registration. |
| service_auth | Email hint + browser-based ceremony. Agent receives user_code + verification_uri; user signs in and types code. Agent polls /oauth2/token. | Agents on platforms that can't mint ID-JAGs; self-serve without trust list. |
| anonymous | No identity upfront. Immediate identity_assertion with pre-claim scopes. Optional deferred claim for scope upgrade. | Agent needs basic access immediately; human ownership binding deferred. |
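
An added example (not part of the original page or the auth.md project's code): before an agent sends an identity_assertion to /oauth2/token, it can validate the discovery chain the protocol builds on, using the matching rules of RFC 9728 and RFC 8414. The hostnames and sample documents are constructed, and agent_auth is treated as an opaque object because its fields are not given here.

```python
from urllib.parse import urlsplit

class MetadataError(ValueError):
    """Raised when a discovery document fails validation."""

def _require_https(url, what):
    """Reject anything that is not an absolute https URL."""
    if not isinstance(url, str) or urlsplit(url).scheme != "https" \
            or not urlsplit(url).hostname:
        raise MetadataError(f"{what} is not an https URL: {url!r}")

def validate_discovery(resource_url, resource_meta, issuer_url, as_meta):
    """Check the RFC 9728 -> RFC 8414 chain; return (token_endpoint, agent_auth)."""
    _require_https(issuer_url, "issuer")
    # RFC 9728 sec. 3.3: "resource" must equal the identifier the agent queried,
    # otherwise the document may describe (or impersonate) another resource.
    if resource_meta.get("resource") != resource_url:
        raise MetadataError("resource metadata is for a different resource")
    # Only trust an authorization server that the resource itself names.
    if issuer_url not in resource_meta.get("authorization_servers", []):
        raise MetadataError("issuer is not listed by the resource")
    # RFC 8414 sec. 3.3: "issuer" must equal the URL the metadata was fetched for.
    if as_meta.get("issuer") != issuer_url:
        raise MetadataError("authorization server metadata issuer mismatch")
    # The identity_assertion is a credential: never send it over plain http.
    token_endpoint = as_meta.get("token_endpoint")
    _require_https(token_endpoint, "token_endpoint")
    # The page places agent_auth in the Authorization Server metadata.
    agent_auth = as_meta.get("agent_auth")
    if not isinstance(agent_auth, dict):
        raise MetadataError("no agent_auth block in authorization server metadata")
    return token_endpoint, agent_auth

# Constructed sample documents (not taken from any real service).
RESOURCE = "https://service.example/api"
ISSUER = "https://auth.service.example"
RESOURCE_META = {"resource": RESOURCE, "authorization_servers": [ISSUER]}
AS_META = {
    "issuer": ISSUER,
    "token_endpoint": ISSUER + "/oauth2/token",
    "agent_auth": {},  # fields are protocol-defined; treated as opaque here
}

if __name__ == "__main__":
    print(validate_discovery(RESOURCE, RESOURCE_META, ISSUER, AS_META))
```
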