FormsFort

auth.md

FormsFort auth.md discovery for agents registering without sign-up forms.

auth.md

FormsFort publishes agent registration discovery so coding agents can onboard through HTTP instead of browser sign-up forms.

Discovery

Agents can fetch:

GET https://api.formsfort.com/auth.md
GET https://api.formsfort.com/.well-known/oauth-protected-resource
GET https://api.formsfort.com/.well-known/oauth-authorization-server

MVP flow

The first supported flow is user-claimed registration:

  1. The agent calls POST /agent/auth with the user's email and a generated strong password.
  2. FormsFort creates or signs into the account through the existing better-auth email flow.
  3. FormsFort returns a scoped session credential for control-plane API calls.
  4. FormsFort sends the normal verification email to the user.
  5. The agent uses the credential to create forms, generate snippets, and test submissions.

Agent constraints

  • The credential is for setup automation, not public form submission.
  • Public websites still use per-form access_key values.
  • Agents should not set exact allowed domains by default. Use them when domain lock-down is explicitly requested or the production hostnames are known.
  • Wildcard domain policies such as *.example.com and server IP safelists require a paid/manual plan.
  • Agents should use dry-run submissions before recipient verification, then report recipient verification as a human handoff.
  • Agents can use recipient verification status and resend endpoints instead of treating pending verification as a failed setup.
  • Agents should store credentials in the local project secret manager or environment, never in source code.
  • On 401, agents should discard the credential and restart discovery.

On this page