Try signing up for any SaaS product right now. You'll click buttons, fill forms, verify your email, maybe solve a CAPTCHA. Takes 30 seconds, no big deal. Now imagine you're an AI agent. You don't have a browser. You don't have fingers. You don't have an email inbox. That 30-second flow? It's a wall. This is the state of the agentic internet in 2026. Agents can discover tools via MCP. They can pay for things via x402. They can talk to each other via A2A. But the most basic thing — signing up for a product — still requires pretending to be a human with a browser. So I built AgentDoor. AgentDoor What it actually does AgentDoor is a drop-in middleware that adds a machine-readable front door to your API. When an AI agent hits your service, instead of navigating a human signup flow, it does this: Agent Your API (with AgentDoor) │ │ │── GET /.well-known/agentdoor.json ────▶│ Discovery (~50ms) │── POST /agentdoor/register ───────────▶│ Register (~100ms) │── POST /agentdoor/register/verify ────▶│ Verify (~200ms) │── GET /api/data (Bearer token) ───────▶│ Ready. Done. Agent Your API (with AgentDoor) │ │ │── GET /.well-known/agentdoor.json ────▶│ Discovery (~50ms) │── POST /agentdoor/register ───────────▶│ Register (~100ms) │── POST /agentdoor/register/verify ────▶│ Verify (~200ms) │── GET /api/data (Bearer token) ───────▶│ Ready. Done. Total time: under 500ms. No browser. No CAPTCHA. No form fields. The agent discovers what your API offers, registers with an Ed25519 public key, signs a cryptographic challenge to prove it owns that key, and gets credentials. The private key never leaves the agent. Why should you care If you're building an API or SaaS product, you already have agent traffic. You just might not know it. Agents are hitting your endpoints through hacky browser automation, scraping your docs, and reverse-engineering your auth flows. AgentDoor gives them a legitimate path. You get to define what agents can access, how much it costs, and what rate limits apply — instead of having them sneak in through the front door disguised as humans. The integration Three lines. I'm not exaggerating. npm install @agentdoor/express npm install @agentdoor/express const express = require("express"); const agentdoor = require("@agentdoor/express"); const app = express(); app.use(agentdoor({ scopes: [ { id: "data.read", description: "Read data", price: "$0.001/req" }, { id: "data.write", description: "Write data", price: "$0.01/req" } ] })); // Your existing routes — now agent-ready app.get("/api/data", (req, res) => { if (req.isAgent) { console.log(`Agent ${req.agent.id} requesting data`); } res.json({ data: "hello" }); }); const express = require("express"); const agentdoor = require("@agentdoor/express"); const app = express(); app.use(agentdoor({ scopes: [ { id: "data.read", description: "Read data", price: "$0.001/req" }, { id: "data.write", description: "Write data", price: "$0.01/req" } ] })); // Your existing routes — now agent-ready app.get("/api/data", (req, res) => { if (req.isAgent) { console.log(`Agent ${req.agent.id} requesting data`); } res.json({ data: "hello" }); }); That app.use(agentdoor({...})) line does everything: auto-generates a /.well-known/agentdoor.json discovery endpoint, sets up registration and auth routes, and adds middleware that tags agent requests with req.isAgent. app.use(agentdoor({...})) /.well-known/agentdoor.json req.isAgent It works with Express, Next.js, Hono, Fastify, FastAPI, and Cloudflare Workers. How it sits alongside your existing auth This is the part people ask about first: "Does it replace Clerk / Auth0 / Supabase Auth?" No. AgentDoor sits next to your human auth. Think of it like this: next to Clerk → handles humans (email, OAuth, magic links) AgentDoor → handles agents (keypair, signed challenge) Same API, two doors. Clerk → handles humans (email, OAuth, magic links) Clerk AgentDoor → handles agents (keypair, signed challenge) AgentDoor Same API, two doors. Same API, two doors. There are companion plugins for Clerk, Auth0, Firebase, Supabase, and NextAuth that make agent accounts show up in your existing dashboard. The auth under the hood AgentDoor uses Ed25519 challenge-response. If you've worked with SSH keys, the concept is familiar: Agent generates a keypair locally Sends the public key to your API during registration Your API sends back a random nonce Agent signs the nonce with its private key and sends back the signature Your API verifies the signature and issues a JWT Agent generates a keypair locally Sends the public key to your API during registration Your API sends back a random nonce Agent signs the nonce with its private key and sends back the signature Your API verifies the signature and issues a JWT The private key never leaves the agent. Compare that to OAuth where tokens fly back and forth through browser redirects. And unlike API keys sitting in a dashboard, there's no shared secret to leak. Token refresh works the same way — sign a timestamp, prove you still have the key, get a new JWT. The SDK handles this automatically. You never think about it. The discovery protocol When you add AgentDoor, it auto-generates a /.well-known/agentdoor.json endpoint. This is how agents find out what your API does before they register: /.well-known/agentdoor.json { "agentdoor_version": "1.0", "service_name": "Your API", "registration_endpoint": "/agentdoor/register", "auth_endpoint": "/agentdoor/auth", "scopes_available": [ { "id": "data.read", "description": "Read data", "price": "$0.001/req", "rate_limit": "1000/hour" } ], "auth_methods": ["ed25519-challenge"], "payment": { "protocol": "x402", "network": "base", "currency": "USDC" } } { "agentdoor_version": "1.0", "service_name": "Your API", "registration_endpoint": "/agentdoor/register", "auth_endpoint": "/agentdoor/auth", "scopes_available": [ { "id": "data.read", "description": "Read data", "price": "$0.001/req", "rate_limit": "1000/hour" } ], "auth_methods": ["ed25519-challenge"], "payment": { "protocol": "x402", "network": "base", "currency": "USDC" } } One GET request and the agent knows: what scopes exist, what they cost, how to register, and how to pay. It also auto-generates a Google A2A agent card so agents using that protocol can discover you too. Think of it as robots.txt for the agent era. robots.txt Why not just OAuth? I get asked this a lot. OAuth 2.1 is great — for humans. It was designed around the assumption that a person is sitting at a browser, clicking "Authorize", and getting redirected back. Agents don't have browsers. OAuth 2.1 AgentDoor Browser required Yes No Round-trips 5+ 2 Onboarding time 30-60s <500ms Consent screen Required None needed Secret exposure Token sent every request Private key never transmitted Agent-native No Yes OAuth 2.1 AgentDoor Browser required Yes No Round-trips 5+ 2 Onboarding time 30-60s <500ms Consent screen Required None needed Secret exposure Token sent every request Private key never transmitted Agent-native No Yes OAuth 2.1 AgentDoor OAuth 2.1 OAuth 2.1 AgentDoor AgentDoor Browser required Yes No Browser required Browser required Yes Yes No No Round-trips 5+ 2 Round-trips Round-trips 5+ 5+ 2 2 Onboarding time 30-60s <500ms Onboarding time Onboarding time 30-60s 30-60s <500ms <500ms Consent screen Required None needed Consent screen Consent screen Required Required None needed None needed Secret exposure Token sent every request Private key never transmitted Secret exposure Secret exposure Token sent every request Token sent every request Private key never transmitted Private key never transmitted Agent-native No Yes Agent-native Agent-native No No Yes Yes OAuth solves a different problem (delegated authorization for humans). AgentDoor solves the problem that comes before OAuth even starts: how does a machine get credentials in the first place? The agent side If you're building an agent that needs to consume AgentDoor-enabled APIs, there's an SDK for that too: import { AgentDoor } from "@agentdoor/sdk"; const agent = new AgentDoor({ keyPath: "~/.agentdoor/keys.json" }); const session = await agent.connect("https://api.example.com"); const data = await session.get("/api/data"); import { AgentDoor } from "@agentdoor/sdk"; const agent = new AgentDoor({ keyPath: "~/.agentdoor/keys.json" }); const session = await agent.connect("https://api.example.com"); const data = await session.get("/api/data"); One call to connect() handles discovery, registration, and authentication. The SDK manages keypair generation, token refresh, everything. connect() There's also a Python SDK: pip install agentdoor pip install agentdoor Detect before you commit Not sure if you even have agent traffic? Start with detection mode: const { detect } = require("@agentdoor/detect"); app.use(detect({ webhook: "https://hooks.yoursite.com/agent-traffic" })); const { detect } = require("@agentdoor/detect"); app.use(detect({ webhook: "https://hooks.yoursite.com/agent-traffic" })); This classifies requests based on user-agent strings, missing browser headers, behavioral patterns, and self-identification. No auth changes, no registration flow — just visibility into what's already happening. When you're ready, the upgrade path is: Detect → Register → Bill → Dashboard. Technical details people ask about Dependencies: Zero native deps. Pure JS crypto via tweetnacl (8KB, audited). Works everywhere Node 18+ runs. Dependencies: tweetnacl Performance: <5ms auth verification, <2ms middleware overhead per request, <50KB SDK. Performance: Storage: Pluggable. In-memory for dev, SQLite or Postgres for production. Storage: Payments: Optional x402 integration. Agents can pay per-request with USDC on Base. There's a Stripe bridge that reconciles x402 payments as Stripe invoices if you want to keep your existing billing. Payments: What I'm building next AgentDoor is MIT licensed and fully open source. The roadmap includes a hosted registry where agents can discover AgentDoor-enabled services, analytics dashboards for tracking agent usage, and more framework adapters. If you're building APIs that AI agents will consume — and in 2026, that's increasingly all APIs — I'd love your feedback. Links: Links: 🔗 GitHub 🌐 Landing page 📦 npm install @agentdoor/express 📦 pip install agentdoor 🔗 GitHub GitHub 🌐 Landing page Landing page 📦 npm install @agentdoor/express npm install @agentdoor/express 📦 pip install agentdoor pip install agentdoor Star it if this resonates. Open issues if it doesn't. Both help.
