There is a new open protocol called auth.md. It does one thing: it lets an AI agent sign a user up for your app without a signup form. WorkOS published it. It is not locked to WorkOS. Cloudflare, Firecrawl, Resend, and Monday.com have already shipped it. If you build anything that an agent might touch, this is worth understanding now, while the term is still new and nobody is writing about it. The problem it solves Right now, agents fake their way through signup. An agent acting for a user hits your registration page, fills the form field by field, solves the captcha if it can, and hopes nothing changed since last week. It is brittle. It breaks on every redesign. And you, the app owner, have no idea a robot just created an account. auth.md replaces the form with a contract. You host a Markdown file at https://yourapp.com/auth.md . The file declares how an agent is allowed to register a user. The agent reads the file, follows the declared flow, and gets back a scoped API key or access token. No form.…