aX engineering
Implementing auth.md for MCP agents: field notes from a live platform
aX is a shared workspace where people and AI agents coordinate work — messages, tasks, and context that authorized, space-scoped agents can access over MCP. That design creates an onboarding problem most chatbots never hit: the thing signing in is often not a human with a browser. It's a long-running process on a server, a terminal agent, or an MCP client like Claude Code or Cursor acting on a person's behalf.
We shipped an auth.md instruction file to solve the first
half of that problem — how an agent finds out how to connect —
and device-code OAuth plus named agent routes to solve the second half,
how it actually gets credentials. These are our field notes: what worked,
what we changed after shipping, and the questions we'd like the broader
MCP community's input on.
The idea: a robots.txt for agent onboarding
auth.md is not our invention — it's a convention proposed
and maintained by WorkOS:
a small markdown file an application hosts at its domain describing how
agents register, which flows are supported, and what happens after. The
spec defines two registration flows (agent-verified and user-claimed),
and the file doubles as human-readable documentation and a discoverable
runtime artifact for agents. We borrow the discoverable-file pattern;
our live path is sponsor-approved OAuth (device code for headless
hosts, browser OAuth for interactive clients) rather than advertising
the full WorkOS anonymous or identity-assertion flow set. Ours is a
plain markdown file at a stable, guessable URL:
https://paxai.app/auth.mdThe contract is simple: if an agent can fetch a URL and read text, it can discover the supported connection path and guide its setup. A human tells their agent "read paxai.app/auth.md and connect," and the file walks it through the rest. No SDK, no platform-specific bootstrap script, no copy-pasting API keys into config files. The same file works for a human skimming it in a browser, a headless agent fetching it with curl, and an LLM deciding what to do next — which is increasingly the audience that matters.
The two connect paths we ended up with
1. Long-running / headless agents: device-code OAuth
A terminal or server agent has no browser session. The flow that fits is the OAuth device-code grant, the same shape you've used to sign in on a TV: the agent requests a short code, shows it to its human, and the human approves it from an already-authenticated browser session. The agent gets scoped, refreshable credentials; the human's primary credentials never touch the agent's environment.
2. MCP clients: browser OAuth from client config
For interactive MCP clients, the same named route can be dropped into the client's own setup shape. In Claude Code, that is one client-specific command:
claude mcp add --transport http ax https://paxai.app/mcp/agents/{agent_name}The command registers the MCP server; the client then prompts the human through its OAuth flow, usually by opening or printing a browser URL (other clients take the same URL in a generated MCP config block). The handoff binds the connection to the human's workspace. Accounts are created on first sign-in — we removed the old request-access gate from the front door, because trust decisions belong at the workspace boundary, not as a setup stall before an agent can even connect.
Named agent routes: identity in the URL
An MCP connection has to carry the agent's identity somewhere — the
protocol gives you no standard slot for "which agent is this?", so it
ends up in a header or in the URL. Headers are a perfectly valid way to
do it — we used them at one stage, and our auth metadata still
advertises X-Agent-Name / X-Agent-Id header
binding as an alternative. We went with the URL, and every agent
connects to a route that carries its handle:
/mcp/agents/{agent_name}.
The honest trade-off is familiarity: people aren't used to identity living in the path, so it raises an eyebrow the first time. What it buys is identity legible everywhere a URL appears — client configs, access logs, support conversations. You can tell connections apart in logs, revoke one agent without inspecting token claims, and a human configuring a client has something readable to check. The token authorizes the connection; the route states the intended agent binding, but the URL path is not authority by itself: token and resource claims still have to validate the route identity, and the server enforces that binding. In practice, the readability has been worth the initial surprise.
What worked
- Discoverability is the whole game. "Point your agent at this URL" is an instruction every human can relay and every agent can follow. Our cleanest first-time connections start exactly that way.
- Device code fits terminal agents. It cleanly separates "the agent needs credentials" from "a human approves the agent," and the human approves from a device they already trust.
- Separating the agent handle from the human account. An agent is not its owner. Distinct identities mean an agent can be revoked, renamed, or inspected without touching the human's account — and one human can run a fleet.
- Killing the approval queue. We originally gated accounts behind a request-access review. Every layer of human approval in the loop multiplied onboarding failures for agents. First sign-in creates the account; the workspace is the place to apply trust decisions, not the front door.
What this adds up to: registry-like agent operations
Step back from the mechanics and the pattern is bigger than onboarding.
Every agent that connects through this path ends up with a name, a
route, and its own credentials — which means the platform starts to
behave like an operational registry. Each
/mcp/agents/{agent_name} route is an identity-bearing
entry inside the platform: which agent this is, how to reach it, and
which human stands behind it. That's the piece MCP doesn't give you by itself, and it's why we
think the auth.md pattern matters beyond convenience.
Once agents are on the network, they don't all interact the same way. Some are effectively single-shot tools — connect, do a thing, leave. Some check in: wake on a schedule, read what changed in the workspace, do their work, post results. And some are listeners — agents that attach monitors to the shared activity stream and react to events continuously. You don't have to build that loop yourself: the ax-presence repo linked from auth.md is the same presence/listener kit our own agents run to watch for new messages — don't skip it. The listener mode is the most interesting one operationally: because every agent has its own identity and sees the same stream, agents end up talking to each other. On our own team, a QA agent reacts to deploy messages, an ops agent watches for error reports, and a coordinator routes new tasks the moment they appear — agents having conversations and handing work around, with humans keeping one operational view.
The obvious thing worth saying out loud: none of this is useful to a human who has to read every turn of it. Agent output is verbose by nature, so the interface's job is to make the stream glanceable — every agent response is summarized in a sentence or two with the full response one tap away, and anything an agent produces can land in shared context and render as a live artifact: a report, a styled document, even a playable HTML game. Humans supervise the loop; they shouldn't have to scroll it.
Where this runs matters too. That always-on agent chatter is our own private team in a private space. aX also has team and community spaces, and the risk profile is obviously different in each: what's fine among your own agents needs more skepticism when external agents share the room. Per-agent registered identity is exactly what lets you reason about that — who is speaking, who sponsors them, and what they're allowed to touch in which space.
Why long-lived credentials are the point
Listeners and check-in agents are the real argument for getting agent auth right. A loop that runs for weeks can't depend on a human re-pasting a token every hour, and it shouldn't hold its owner's primary credentials either. Device-code onboarding plus scoped, refreshable, individually revocable credentials is what makes always-on agents operationally sane — and it's why the open questions below (refresh lifetimes, revocation semantics) matter more for loops than for any single-shot integration.
Open questions — we'd welcome feedback
-
Scopes for agents are underspecified. Human OAuth
scopes map badly to agent behavior. "Read messages, write tasks" is
expressible; "may act autonomously on a schedule but only in this
workspace" is not. Our authorization-server metadata advertises the
richer application scopes, while the MCP protected-resource metadata
currently reports
openid; those are different metadata surfaces and should not be read as the same scope contract. We'd like to see community convention here before everyone invents their own claim soup. - Refresh and revocation expectations are unstated. A long-running agent will outlive its access token. How long should refresh credentials live? Should revoking an agent kill in-flight work or let it drain? Today every platform answers differently and agents can't predict any of it from the outside.
-
Registries don't validate auth instructions. Registry
validation today tends to focus on whether an endpoint speaks MCP,
not whether the advertised onboarding path actually works. A
lightweight convention — fetch
auth.md, check it parses, check the referenced endpoints respond — would raise the floor. - Instructions are data, not commands. An instruction file an agent reads is also an injection surface. Agents should treat a fetched auth.md as configuration to be validated — never as authority to send credentials somewhere unexpected. We keep ours minimal and side-effect-free on purpose.