the welcome mat

how agents sign up for agent services.

the problem

services are being built for AI agents. platforms where agents are the users — discovering resources, posting content, interacting with each other. but every signup pattern available today was designed for humans. OAuth redirects to a browser. email verification. API keys provisioned by an admin.

agents don't need any of that. they have code, keys, and the ability to read instructions.

the welcome mat gives agent services an agent-native front door. it's a file a service publishes that tells agents: here's how to sign up, here are the terms, here's what we need from you. the agent reads it, generates its own cryptographic identity, signs the terms, and joins. no human required.

how it works

a service places a file at /.well-known/welcome.md. agents find it and follow the instructions.

  1. discover — agent fetches /.well-known/welcome.md and reads the service's requirements, endpoints, and terms.
  2. generate identity — agent creates an RSA-4096 keypair. the public key is its identity. the private key never leaves the agent.
  3. retrieve terms — agent fetches the terms of service from the endpoint listed in the welcome.md.
  4. consent — agent signs the TOS text with its private key. cryptographic proof of consent — non-repudiable, timestamped, verifiable.
  5. register — agent submits a DPoP proof, a self-signed access token, the signed terms, and a chosen handle. account created.
  6. operate — every subsequent request carries a DPoP proof-of-possession bound to the access token. stateless — no sessions, no cookies, no server-side token storage required.
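
steps 2, 4 and 5 seen from both sides, as an added Node.js example that is not taken from the welcome mat spec: the agent signs the terms, and the service checks the key size and the consent signature before keying the account on the key's RFC 7638 thumbprint. the field names, the sample terms and the RSASSA-PKCS1-v1_5 / SHA-256 signature scheme are assumptions; the DPoP proof and access token checks are not covered here.

```javascript
// Added illustration; field names (jwk, handle, tosSignature) are assumptions, not the spec's.
const crypto = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// RFC 7638 thumbprint: SHA-256 over the required RSA members in lexicographic order.
function jwkThumbprint(publicKey) {
  const { e, kty, n } = publicKey.export({ format: 'jwk' });
  return b64u(crypto.createHash('sha256').update(JSON.stringify({ e, kty, n })).digest());
}

// Agent side (step 4): sign the exact TOS bytes. RSASSA-PKCS1-v1_5 with SHA-256 is assumed.
function signConsent(privateKey, tosText) {
  return b64u(crypto.sign('sha256', Buffer.from(tosText, 'utf8'), privateKey));
}

// Server side (step 5): accept only a strong RSA key whose signature covers the current terms.
function verifyRegistration(reg, currentTos) {
  let key, sig;
  try {
    key = crypto.createPublicKey({ key: reg.jwk, format: 'jwk' });
    sig = Buffer.from(reg.tosSignature, 'base64url');
  } catch {
    return { ok: false, reason: 'malformed registration' };
  }
  if (key.asymmetricKeyType !== 'rsa' || key.asymmetricKeyDetails.modulusLength < 4096) {
    return { ok: false, reason: 'key must be RSA with a modulus of at least 4096 bits' };
  }
  if (!crypto.verify('sha256', Buffer.from(currentTos, 'utf8'), key, sig)) {
    return { ok: false, reason: 'signature does not cover the current terms' };
  }
  // Key the account on the thumbprint so later proofs can be matched to it.
  return { ok: true, identity: jwkThumbprint(key), handle: reg.handle };
}

// Constructed sample data (not from the spec).
const TOS = 'example terms v1: be polite to other agents.\n';
const agent = crypto.generateKeyPairSync('rsa', { modulusLength: 4096 }); // step 2
const registration = {
  handle: 'example-agent',
  jwk: agent.publicKey.export({ format: 'jwk' }),
  tosSignature: signConsent(agent.privateKey, TOS),
};
console.log(verifyRegistration(registration, TOS));
```

verifying against the terms the service currently serves, rather than any text the agent supplies, is what ties the signature to a specific version of the terms.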

design principles

self-sovereign identity.

the agent generates its own keys. no certificate authority, no identity provider, no admin dashboard. the keypair is the identity — portable, self-created, cryptographically unique.

cryptographic consent.

signing the TOS with a private key is stronger than clicking "I agree." it's verifiable, non-repudiable proof that the holder of this key consented to these terms at this time.

stateless authentication.

no sessions. no bearer tokens. no refresh flows. every request carries its own proof — the public key and a signature over the content. the server verifies. done.

discoverable.

a file at a well-known URL. agents don't need service-specific pre-configuration. they find the welcome mat and follow the instructions. walk-up registration.

agent-native.

no email addresses. no phone numbers. no browser redirects. the entire flow is API calls and cryptographic operations — things agents do natively.

natural proof of work.

RSA-4096 key generation takes real compute. this makes mass account creation naturally expensive without rate limiting infrastructure.

trust on first use.

the welcome mat follows the same trust model as SSH. the agent trusts the service's welcome.md on first discovery. the service trusts the agent's self-generated key on first signup. after the initial handshake, both sides verify the established identity cryptographically on every subsequent request. no certificate authority required.

the progression

  file         audience   message
  robots.txt   crawlers   "here's what you can't do"
  README.md    humans     "here's how this works"
  welcome.md   agents     "here's how to join"

the internet started by telling machines to go away. the welcome mat is the front door to services built for them.

what this is not

who made this

the welcome mat was created by jeremie miller, founder of sol pbc. jer previously created XMPP (the protocol behind early Google Talk and WhatsApp) and operates sol pbc with an AI co-founder called extro. sol pbc builds tools for a world where humans and agents work together — the welcome mat is the front door.

read the spec