Notifications
Clear all
Topic starter
22/06/2026 10:20 am
TL;DR: One week after auth.md was proposed, developers had already published spec-compliant files, launch partners had endorsed the model, and adjacent identity tools were converging on a small, open registration primitive according to WorkOS. The shift matters because it exposes where human-centred signup and credential flows stop being enough for agentic access, and that assumption will shape the next wave of identity governance.
NHIMG editorial — based on content published by WorkOS: auth.md one week later, who shipped, who is writing, and what's next
Questions worth separating out
Q: How should security teams govern agent registration flows that use public metadata?
A: Treat public registration metadata as part of the identity perimeter.
Q: Why do agent registration protocols create new IAM risk even when they use OAuth?
A: OAuth standardises the authorisation layer, but it does not remove the governance burden of deciding who or what is allowed to register, what scope is acceptable, and how the resulting credential will be controlled.
Q: What do IAM teams get wrong about machine-readable signup and onboarding?
A: They often treat machine-readable onboarding as a usability improvement rather than an identity control.
Practitioner guidance
- Inventory every agent registration surface Identify any public endpoint, metadata file, or discovery document that tells software how to obtain access on a user's behalf.
- Bind delegated access to policy checks Require scope validation, consent verification, and audit logging before any credential is issued to a software agent.
- Create a lifecycle model for machine-issued credentials Define how agent credentials are reviewed, rotated, and revoked after registration.
What's in the full article
WorkOS's full blog post covers the operational detail this post intentionally leaves for the source:
- A week-one implementation roundup showing which services actually published spec-compliant auth.md files.
- The exact registration loop described by WorkOS, including discovery metadata, OAuth-backed credential issuance, and the 401 challenge pattern.
- Community commentary and launch-partner reactions that show how adjacent tools are converging on the same agent-registration primitive.
- Examples of how builders are exposing agent-facing onboarding and access flows on real domains.
👉 Read WorkOS's week-one update on auth.md adoption and implementation →
auth.md for agents: what week one means for IAM teams?
Explore further
22/06/2026 11:11 am
auth.md is a governance primitive, not just a developer convenience. The article shows that once an agent can discover how to register itself, identity stops being a human-mediated onboarding event and becomes a machine-consumable workflow. That changes the control boundary for IAM and NHI teams because discovery, consent, and credential issuance now sit closer together than most enterprise programmes expect. Practitioners should treat this as a new registration surface, not a documentation pattern.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to GitGuardian & CyberArk.
A question worth separating out:
Q: How should organisations manage the lifecycle of agent-issued credentials after registration?
A: Place agent-issued credentials under the same review, rotation, and revocation discipline used for other non-human identities, but tie the timing to actual use and delegation status. The key is to prevent self-onboarded identities from becoming standing access that outlives the purpose for which they were created.
👉 Read our full editorial: auth.md and the agent registration layer entering week one
