AI agents can pay, discover tools, and talk to each other. They still can't sign up for your product

0xaron — Fri, 13 Feb 2026 16:28:08 +0000

Try signing up for any SaaS product right now. You'll click buttons, fill forms, verify your email, maybe solve a CAPTCHA. Takes 30 seconds, no big deal.

Now imagine you're an AI agent. You don't have a browser. You don't have fingers. You don't have an email inbox. That 30-second flow? It's a wall.

This is the state of the agentic internet in 2026. Agents can discover tools via MCP. They can pay for things via x402. They can talk to each other via A2A. But the most basic thing — signing up for a product — still requires pretending to be a human with a browser.

So I built AgentDoor.

What it actually does

AgentDoor is a drop-in middleware that adds a machine-readable front door to your API. When an AI agent hits your service, instead of navigating a human signup flow, it does this:

Agent                              Your API (with AgentDoor)
  │                                         │
  │── GET /.well-known/agentdoor.json ────▶│  Discovery (~50ms)
  │── POST /agentdoor/register ───────────▶│  Register (~100ms)
  │── POST /agentdoor/register/verify ────▶│  Verify (~200ms)
  │── GET /api/data (Bearer token) ───────▶│  Ready. Done.

Total time: under 500ms. No browser. No CAPTCHA. No form fields.

The agent discovers what your API offers, registers with an Ed25519 public key, signs a cryptographic challenge to prove it owns that key, and gets credentials. The private key never leaves the agent.

Why should you care

If you're building an API or SaaS product, you already have agent traffic. You just might not know it. Agents are hitting your endpoints through hacky browser automation, scraping your docs, and reverse-engineering your auth flows.

AgentDoor gives them a legitimate path. You get to define what agents can access, how much it costs, and what rate limits apply — instead of having them sneak in through the front door disguised as humans.

The integration

Three lines. I'm not exaggerating.

npm install @agentdoor/express

const express = require("express");
const agentdoor = require("@agentdoor/express");

const app = express();

app.use(agentdoor({
  scopes: [
    { id: "data.read", description: "Read data", price: "$0.001/req" },
    { id: "data.write", description: "Write data", price: "$0.01/req" }
  ]
}));

// Your existing routes — now agent-ready
app.get("/api/data", (req, res) => {
  if (req.isAgent) {
    console.log(`Agent ${req.agent.id} requesting data`);
  }
  res.json({ data: "hello" });
});

That app.use(agentdoor({...})) line does everything: auto-generates a /.well-known/agentdoor.json discovery endpoint, sets up registration and auth routes, and adds middleware that tags agent requests with req.isAgent.

It works with Express, Next.js, Hono, Fastify, FastAPI, and Cloudflare Workers.

How it sits alongside your existing auth

This is the part people ask about first: "Does it replace Clerk / Auth0 / Supabase Auth?"

No. AgentDoor sits next to your human auth. Think of it like this:

Clerk → handles humans (email, OAuth, magic links)
AgentDoor → handles agents (keypair, signed challenge)
Same API, two doors.

There are companion plugins for Clerk, Auth0, Firebase, Supabase, and NextAuth that make agent accounts show up in your existing dashboard.

The auth under the hood

AgentDoor uses Ed25519 challenge-response. If you've worked with SSH keys, the concept is familiar:

Agent generates a keypair locally
Sends the public key to your API during registration
Your API sends back a random nonce
Agent signs the nonce with its private key and sends back the signature
Your API verifies the signature and issues a JWT

The private key never leaves the agent. Compare that to OAuth where tokens fly back and forth through browser redirects. And unlike API keys sitting in a dashboard, there's no shared secret to leak.

Token refresh works the same way — sign a timestamp, prove you still have the key, get a new JWT. The SDK handles this automatically. You never think about it.

The discovery protocol

When you add AgentDoor, it auto-generates a /.well-known/agentdoor.json endpoint. This is how agents find out what your API does before they register:

{
  "agentdoor_version": "1.0",
  "service_name": "Your API",
  "registration_endpoint": "/agentdoor/register",
  "auth_endpoint": "/agentdoor/auth",
  "scopes_available": [
    {
      "id": "data.read",
      "description": "Read data",
      "price": "$0.001/req",
      "rate_limit": "1000/hour"
    }
  ],
  "auth_methods": ["ed25519-challenge"],
  "payment": {
    "protocol": "x402",
    "network": "base",
    "currency": "USDC"
  }
}

One GET request and the agent knows: what scopes exist, what they cost, how to register, and how to pay. It also auto-generates a Google A2A agent card so agents using that protocol can discover you too.

Think of it as robots.txt for the agent era.

Why not just OAuth?

I get asked this a lot. OAuth 2.1 is great — for humans. It was designed around the assumption that a person is sitting at a browser, clicking "Authorize", and getting redirected back. Agents don't have browsers.

	OAuth 2.1	AgentDoor
Browser required	Yes	No
Round-trips	5+	2
Onboarding time	30-60s	<500ms
Consent screen	Required	None needed
Secret exposure	Token sent every request	Private key never transmitted
Agent-native	No	Yes

OAuth solves a different problem (delegated authorization for humans). AgentDoor solves the problem that comes before OAuth even starts: how does a machine get credentials in the first place?

The agent side

If you're building an agent that needs to consume AgentDoor-enabled APIs, there's an SDK for that too:

import { AgentDoor } from "@agentdoor/sdk";

const agent = new AgentDoor({
  keyPath: "~/.agentdoor/keys.json"
});

const session = await agent.connect("https://api.example.com");
const data = await session.get("/api/data");

One call to connect() handles discovery, registration, and authentication. The SDK manages keypair generation, token refresh, everything.

There's also a Python SDK:

pip install agentdoor

Detect before you commit

Not sure if you even have agent traffic? Start with detection mode:

const { detect } = require("@agentdoor/detect");

app.use(detect({
  webhook: "https://hooks.yoursite.com/agent-traffic"
}));

This classifies requests based on user-agent strings, missing browser headers, behavioral patterns, and self-identification. No auth changes, no registration flow — just visibility into what's already happening.

When you're ready, the upgrade path is: Detect → Register → Bill → Dashboard.

Technical details people ask about

Dependencies: Zero native deps. Pure JS crypto via tweetnacl (8KB, audited). Works everywhere Node 18+ runs.

Performance: <5ms auth verification, <2ms middleware overhead per request, <50KB SDK.

Storage: Pluggable. In-memory for dev, SQLite or Postgres for production.

Payments: Optional x402 integration. Agents can pay per-request with USDC on Base. There's a Stripe bridge that reconciles x402 payments as Stripe invoices if you want to keep your existing billing.

What I'm building next

AgentDoor is MIT licensed and fully open source. The roadmap includes a hosted registry where agents can discover AgentDoor-enabled services, analytics dashboards for tracking agent usage, and more framework adapters.

If you're building APIs that AI agents will consume — and in 2026, that's increasingly all APIs — I'd love your feedback.

Links:

🔗 GitHub
🌐 Landing page
📦 npm install @agentdoor/express
📦 pip install agentdoor

Star it if this resonates. Open issues if it doesn't. Both help.

Forem: 0xaron