The auth.md protocol

Everything an agent — or your backend — touches is plain HTTP under https://noform.dev/a/<slug> (or your custom domain). This page is the human-readable reference; agents read the same contract from your hosted auth.md.

Discovery — three static files

Agents find your app through three public files. Host them yourself or let NoForm serve them at /a/<slug>:

GET {BASE}/auth.md — the markdown contract: identity model, scopes, and the signup steps.
GET {BASE}/.well-known/oauth-protected-resource — RFC 9728 resource metadata.
GET {BASE}/.well-known/oauth-authorization-server — AS metadata plus an agent_auth block advertising the register / claim / complete / revoke / verify endpoints.

The user-claimed ceremony

Four POSTs take a human from “never heard of your app” to an email-verified account. The agent drives; the human only reads one code from their inbox.

1 · register

POST {BASE}/agent/auth
{ "email"?: "user@acme.com", "agent_platform"?: "claude" }

→ 201 { "credential", "claim_token", "scopes", "expires_at" }   (anonymous)
→ 201 { "claim_token", "expires_at" }                           (email-required)

2 · claim — sends the one-time code

POST {BASE}/agent/auth/claim
{ "claim_token": "…", "email": "user@acme.com" }

→ 200 { "ok": true }   // 6-digit code emailed; 3/h per inbox, 10/h per IP

3 · complete — verify the code

POST {BASE}/agent/auth/claim/complete
{ "claim_token": "…", "otp": "123456" }

→ 200 { "status": "active", "scopes": ["read","write"] }

4 · revoke (any time)

POST {BASE}/agent/auth/revoke
{ "credential": "nf_live_…" }

If you configure a post-signup login link, the register response also returns login_url with the credential already embedded — one clickable link for the agent to hand the user.

Introspection — your backend's one call

When the user arrives at your /welcome handler with a credential, validate it server-side with your API key:

introspect

POST {BASE}/agent/auth/introspect
Authorization: Bearer <your nf_live_ API key>
{ "credential": "nf_live_…" }

→ 200 { "active": true, "email": "user@acme.com", "scopes": [...], "sub", "expires_at" }
→ 200 { "active": false }      // unknown / expired / revoked
→ 401                          // missing or invalid API key

active: truemeans a real, email-verified human — start your own session and you're done.

Agent-verified (ID-JAG) — Builder+

Trust specific agent platforms cryptographically and skip the human step. Configure the issuer and its JWKS URI in the dashboard; the platform then provisions accounts with a signed JWT:

verified

POST {BASE}/agent/auth/verified
Authorization: Bearer <jwt with iss, aud, sub, exp, jti>

→ 201 { "credential": "nf_live_…", "status": "active" }
→ 409                          // replayed jti — each token is single-use

Error mapping

Condition	HTTP
Unknown app / claim / registration	404
Rate limit or monthly cap hit	429
Cross-app token (SCOPE_MISMATCH) / forbidden	403
Bad OTP, disposable email, malformed body	400
Missing or invalid bearer token	401
Replayed jti (agent-verified)	409
Plan limit reached	402

Events & webhooks

Every protocol action lands in your audit log: registration.created, claim.requested, claim.confirmed, verified.accepted, registration.revoked, ratelimit.blocked, cap.blocked, abuse.flagged and more. Subscribe a webhook in the dashboard and each delivery is signed with HMAC-SHA256 in the X-NoForm-Signature header. Failed deliveries (timeout or non-2xx) are recorded as webhook.failed in the audit log.

FAQ

Do my users need a NoForm account?

No. Your end-users are records in your app, not NoForm users. An agent registers them against your auth.md, they verify their email with a one-time code, and your backend validates the credential with one introspect call.

What stops an agent from creating fake accounts?

Email verification. An agent can't complete a signup without a 6-digit code that lands in a real inbox — plus per-IP and per-email rate limits, disposable-domain blocking, monthly caps, and velocity scoring across the network.

Which agents can use it?

Any agent that can read a URL and make HTTP POSTs — ChatGPT, Claude, or your own. auth.md is plain markdown plus two standard .well-known files; there is no SDK and nothing to install on the agent side.

Do I have to change my auth system?

No. NoForm hands you a verified email and a credential; you start a session in your own system exactly as if the user had filled in your form. Sessions, MFA, and billing stay yours.

What happens if I go over my monthly cap?

Agents get a 429 cap_exceeded and no new accounts are created until the cap resets or you raise it. Existing users are unaffected.

Can I serve auth.md from my own domain?

Yes — Builder and Scale plans can point a custom domain (CNAME) at NoForm and the same paths are served from your domain root, de-branded.

Ready to make your app sign-up-able by agents?

Create an app, run “Test it live”, and ship three static files.

Start free →