Building a consent-preserving auth.md skill for OpenClaw agents

No Form — Sat, 06 Jun 2026 07:45:28 +0000

Signup forms were designed for humans with browsers. AI agents get a 401 and have nowhere to go.

auth.md (WorkOS, MIT) changes that: a tiny Markdown file at your domain tells any agent how to register — what flows you support, what endpoints to hit, what scopes it’ll get.

I just shipped an OpenClaw skill that implements the user-claimed flow end-to-end:

openclaw skills install auth-md-signup

The flow in 90 seconds

Agent sees 401 WWW-Authenticate: Bearer resource_metadata="…"
Two-hop discovery: PRM → AS metadata → agent_auth block
POST anonymous registration → gets claim_token
Asks you for your email in-channel
Service emails OTP → you paste it back
POST claim/complete → scoped, revocable credential stored

Why the OTP step is non-negotiable

The agent can’t complete signup without you. No silent account creation, no credential exfiltration. The human OTP step is the consent gate — remove it and you remove the accountability that makes delegated signup trustworthy.

The reference implementation uses NoForm — which hosts auth.md infrastructure for services that don’t want to build it themselves. The skill works with any auth.md-compliant service.

Error handling built in

Code	What happens
`otp_invalid`	Ask user to retry (max 3x)
`otp_expired`	Offer to re-send OTP
`claim_expired`	Restart anonymous registration
`previously_claimed`	Tell user, stop
`anonymous_not_enabled`	Tell user, stop

Revocation

One call to revocation_uri with the token. Agent deletes it locally. Your account stays intact.

DEV Community: No Form

Building a consent-preserving auth.md skill for OpenClaw agents

The flow in 90 seconds

Why the OTP step is non-negotiable

Error handling built in

Revocation

Links