Live implementation of the auth.md open protocol — the emerging standard for AI agents to register with services without sign-up forms. Register anonymously, claim with email + OTP, then use the credential to call the MCP tools endpoint.
How it works
Register (anonymous_start)
Agent hits the registration endpoint. Receives a scoped Bearer token immediately — no email required.
Initiate claim (claim_init)
Agent binds the credential to an email. In production an OTP email is sent; here it's returned inline for the demo.
Complete claim (claim_complete)
Agent submits the OTP. Token is upgraded to a claimed (email-bound) credential with a 24-hour TTL.
Call MCP tools (authenticated)
Uses Authorization: Bearer <token> — the response includes auth_context confirming identity and scopes.
Why this matters
auth.md solves the "agent registration problem" — the missing primitive that forces developers to either expose raw API keys to agents or build bespoke onboarding flows per service. The protocol composes existing OAuth standards (RFC 9728 Protected Resource Metadata, ID-JAG identity assertions) with a discoverable Markdown file that any agent can parse.
This demo implements the user claimed flow — the agent initiates registration, the user confirms with an OTP, and the credential is bound to a real identity. The agent verified flow (where a trusted platform like Anthropic attests identity via ID-JAG) is the production path once agent providers publish JWKS endpoints.
Discovery: /auth.md · /.well-known/oauth-protected-resource · spec on GitHub