auth.md
FormsFort auth.md discovery for agents registering without sign-up forms.
auth.md
FormsFort publishes agent registration discovery so coding agents can onboard through HTTP instead of browser sign-up forms.
Discovery
Agents can fetch:
GET https://api.formsfort.com/auth.md
GET https://api.formsfort.com/.well-known/oauth-protected-resource
GET https://api.formsfort.com/.well-known/oauth-authorization-serverMVP flow
The first supported flow is user-claimed registration:
- The agent calls
POST /agent/authwith the user's email and a generated strong password. - FormsFort creates or signs into the account through the existing better-auth email flow.
- FormsFort returns a scoped session credential for control-plane API calls.
- FormsFort sends the normal verification email to the user.
- The agent uses the credential to create forms, generate snippets, and test submissions.
Agent constraints
- The credential is for setup automation, not public form submission.
- Public websites still use per-form
access_keyvalues. - Agents should not set exact allowed domains by default. Use them when domain lock-down is explicitly requested or the production hostnames are known.
- Wildcard domain policies such as
*.example.comand server IP safelists require a paid/manual plan. - Agents should use dry-run submissions before recipient verification, then report recipient verification as a human handoff.
- Agents can use recipient verification status and resend endpoints instead of treating pending verification as a failed setup.
- Agents should store credentials in the local project secret manager or environment, never in source code.
- On
401, agents should discard the credential and restart discovery.