oauth.work is the OAuth service for AI agents — MCP and A2A authorization, sender-constrained agent tokens — backed by the full enterprise identity stack: OIDC, SAML, SCIM, and a W3C Verifiable Credentials rail.
We started it because the identity layer for agents was being improvised — shared API keys, bearer tokens with no binding, no consent, no audit. The specs to do it properly already exist; we implemented them to the letter on Cloudflare Workers, then made them fast and multi-tenant.
Built on Cloudflare Workers, Durable Objects, and D1. EdDSA / Ed25519 everywhere for signing. WebCrypto on the hot path. See the field guide for how it all fits together.