[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-78421":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":9,"pushedAt":9,"updatedAt":26,"readmeContent":27,"aiSummary":28,"trendingCount":15,"starSnapshotCount":15,"syncStatus":29,"lastSyncTime":30,"discoverSource":31},78421,"auth.md","workos\u002Fauth.md","workos","An open protocol that lets agents register for services on behalf of users — discoverable through a Markdown file at your domain.",null,"TypeScript",420,37,6,5,0,4,82,358,31,82.7,"MIT License",false,"main",true,[],"2026-06-12 04:01:23","# auth.md\n\nA reference implementation of **agentic registration** — a protocol for agents to authenticate to services on behalf of users. Three roles: an **agent** acting for a user, an **agent provider** that mints identity assertions (ID-JAGs), and a **service** that accepts those assertions, when available, and issues credentials. 
If the agent is not associated with a user identity, or the agent provider does not support ID-JAGs, the service uses an OTP-based claim flow to authenticate the agent instead.\n\nThis repo includes sample implementations for both the agent provider and agent service side of agentic registration, and includes a sample [`AUTH.md`](AUTH.md) file, which the agent service would host, instructing agents how to authenticate with the service.\n\n## Layout\n\n```\n.\n├── AUTH.md            ← skill manifest agents read\n├── agent-services\u002F    ← sample resource server + authorization server\n├── agent-providers\u002F   ← sample agent IdP that mints ID-JAGs\n└── shared\u002F            ← shared workspace package (ports, types)\n```\n\n## Where to go next\n\n- **You're an agent or want an auth.md template** → [AUTH.md](AUTH.md) — procedural recipe (discover → register → claim → use → handle revoke).\n- **You're implementing a service** → [agent-services\u002FREADME.md](agent-services\u002FREADME.md) — full implementation guide, sequence diagrams, error tables.\n- **You're implementing an IdP** → [agent-providers\u002FREADME.md](agent-providers\u002FREADME.md) — minting ID-JAGs, publishing JWKS, sending revocation events.\n\n## Quickstart\n\n```sh\npnpm install\npnpm dev\n```\n\nService at \u003Chttp:\u002F\u002Flocalhost:8000>, provider at \u003Chttp:\u002F\u002Flocalhost:4000>. The service home page walks the three registration flows interactively. Use `pnpm dev:service` or `pnpm dev:provider` to run one side at a time.\n\n## System Flows\n\nThree registration flows share the `\u002Fagent\u002Fauth` endpoint. 
Pick the one that matches what the agent has on hand.\n\n### Discovery\n\nHosted at `\u002F.well-known\u002Foauth-authorization-server`:\n\n```json\n{\n  \"resource\": \"https:\u002F\u002Fapi.service.com\u002F\",\n  \"authorization_servers\": [\"https:\u002F\u002Fauth.service.com\u002F\"],\n  \"scopes_supported\": [\"api.read\", \"api.write\"],\n  \"bearer_methods_supported\": [\"header\"],\n  \"agent_auth\": {\n    \"skill\": \"https:\u002F\u002Fservice.com\u002Fauth.md\",\n    \"register_uri\": \"https:\u002F\u002Fauth.service.com\u002Fagent\u002Fauth\",\n    \"claim_uri\": \"https:\u002F\u002Fauth.service.com\u002Fagent\u002Fauth\u002Fclaim\",\n    \"revocation_uri\": \"https:\u002F\u002Fauth.service.com\u002Fagent\u002Fauth\u002Frevoke\",\n    \"identity_types_supported\": [\"anonymous\", \"identity_assertion\"],\n    \"anonymous\": {\n      \"credential_types_supported\": [\"api_key\"]\n    },\n    \"identity_assertion\": {\n      \"assertion_types_supported\": [\n        \"urn:ietf:params:oauth:token-type:id-jag\",\n        \"verified_email\"\n      ],\n      \"credential_types_supported\": [\"access_token\", \"api_key\"]\n    },\n    \"events_supported\": [\n      \"https:\u002F\u002Fschemas.workos.com\u002Fevents\u002Fagent\u002Fauth\u002Fidentity\u002Fassertion\u002Frevoked\"\n    ]\n  }\n}\n```\n\n### Identity Assertion (ID-JAG)\n\n```mermaid\nsequenceDiagram\n    actor User\n    participant Agent\n    participant Provider as Agent Provider\n    participant Service\n\n    Agent->>Service: GET \u002Fapi\u002Fresource\n    Service-->>Agent: 401 Unauthorized\u003Cbr\u002F>WWW-Authenticate: Bearer resource_metadata=\"...\"\n\n    Agent->>Service: GET \u002F.well-known\u002Foauth-protected-resource\n    Service-->>Agent: 200 OK (PRM with authorization_servers)\n    Agent->>Service: GET \u002F.well-known\u002Foauth-authorization-server\n    Service-->>Agent: 200 OK (AS metadata with agent_auth block)\n\n    Agent->>User: Consent to assert identity to 
audience?\n    User-->>Agent: Consent granted\n\n    Agent->>Provider: Request audience-specific ID-JAG\n    Provider-->>Agent: 200 OK (ID-JAG)\n\n    Agent->>Service: POST \u002Fagent\u002Fauth\u003Cbr\u002F>{ type: identity_assertion, assertion: ID-JAG }\n    Service->>Provider: GET \u002F.well-known\u002Fjwks.json\n    Provider-->>Service: 200 OK (JSON Web Key Set)\n    Service->>Service: Verify signature + claims, match user\n    Service-->>Agent: 200 OK (credentials)\n```\n\n### Verified-Email Identity Assertion\n\n```mermaid\nsequenceDiagram\n    actor User\n    participant Agent\n    participant Service\n\n    Agent->>Service: POST \u002Fagent\u002Fauth\u003Cbr\u002F>{ type: identity_assertion, assertion_type: verified_email, assertion: email }\n    Service->>User: Send claim-view email (one-time URL)\n    Service-->>Agent: 200 OK (claim_token, no credential)\n    User->>Service: GET \u002Fagent\u002Fauth\u002Fclaim\u002Fview?token=...\n    Service-->>User: 6-digit OTP page\n    User-->>Agent: Reads OTP back\n    Agent->>Service: POST \u002Fagent\u002Fauth\u002Fclaim\u002Fcomplete\u003Cbr\u002F>{ claim_token, otp }\n    Service-->>Agent: 200 OK (credential)\n```\n\n### Anonymous Registration with OTP Claim\n\n```mermaid\nsequenceDiagram\n    actor User\n    participant Agent\n    participant Service\n\n    Agent->>Service: POST \u002Fagent\u002Fauth\u003Cbr\u002F>{ type: anonymous, requested_credential_type: api_key }\n    Service->>Service: Create agent principal, scoped API key, claim record\n    Service-->>Agent: 200 OK (api_key, claim_token)\n\n    Note over Agent: Agent operates with pre-claim scopes\n\n    User-->>Agent: Wants to take ownership\n    Agent->>Service: POST \u002Fagent\u002Fauth\u002Fclaim\u003Cbr\u002F>{ claim_token, email }\n    Service->>User: Send claim-view email (one-time URL)\n    User->>Service: GET \u002Fagent\u002Fauth\u002Fclaim\u002Fview?token=...\n    Service-->>User: 6-digit OTP page\n    User-->>Agent: Reads OTP back\n    
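Agent->>Service: POST \u002Fagent\u002Fauth\u002Fclaim\u002Fcomplete\u003Cbr\u002F>{ claim_token, otp }\n    Service->>Service: Swap API key perms (pre-claim → post-claim)\n    Service-->>Agent: 200 OK { status: claimed }\n```\n","auth.md is an open protocol that lets agents register for services on behalf of users and be discovered through a Markdown file hosted at your domain. Its core functionality supports agents authenticating to services on behalf of users and defines three roles: agent, agent provider, and service. The agent provider generates identity assertions (ID-JAGs), and the service issues credentials based on those assertions or uses a one-time password flow to verify agents that are not associated with a user identity. The project suits service scenarios that need automated agent authentication, such as API access control. It provides sample implementations of the agent provider and the agent service side, along with detailed development guides to help developers get started quickly. It is written in TypeScript and released under the MIT license.",2,"2026-06-11 03:56:49","CREATED_QUERY"]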