RFC: Account Creation for Web Agents | wkdomains.com

01

The current files do not answer this

robots.txt tells crawlers where they may fetch pages. llms.txt can explain context. Sitemaps enumerate URLs. OpenAPI and MCP can expose callable interfaces. Security files point to responsible contacts. None of these is the right standard place to say: an agent may create a trial account, only if it is acting for a verified human, using transparent identity, and stopping before payment or public posting.

That gap matters because account creation is not just browsing. It changes state, trips abuse systems, affects product metrics, and can bind a user to terms. In 2026, agents increasingly act as delegated user agents, but many websites see only a traffic pattern they cannot distinguish from spam automation.

02

wkdomains proposed convention

A domain SHOULD publish a broader experimental agent policy manifest at /.well-known/agent-policy.json. Account creation belongs inside a scoped account_creation section, not in a standalone file that will fragment when the next edge case appears. The manifest is not access control, legal permission by itself, or a way around anti-abuse checks. It is a machine-readable policy signal that lets agents choose between public exploration, declared automation, user-delegated signup, and stop.

Canonical: /.well-known/agent-policy.json

Section: sections.account_creation

Recommended link: /llms.txt

Policy name: wkdomains.agent-policy.v1

03

Draft JSON shape

The core idea is permission tiers, not a blanket yes/no. A site can allow public curiosity, point agents to official sandboxes or APIs, conditionally allow delegated signup, split routine terms checkboxes from material liability, and define hard stop conditions.

{
  "$schema": "https://wkdomains.com/schemas/agent-policy-v1.json",
  "policy": "wkdomains.agent-policy.v1",
  "domain": "example.com",
  "canonical": "https://example.com/.well-known/agent-policy.json",
  "sections": {
    "account_creation": {
      "default_mode": "public_exploration",
      "modes": {
        "public_exploration": {
          "allowed": true,
          "actions": [
            "read_public_pages",
            "follow_internal_links",
            "read_docs",
            "inspect_pricing",
            "identify_auth_wall"
          ]
        },
        "declared_automation": {
          "allowed_when": [
            "public_api",
            "sandbox",
            "test_mode",
            "mcp_server",
            "documented_agent_flow"
          ]
        },
        "user_delegated_signup": {
          "allowed": "conditional",
          "requires": [
            "verified_human_intent",
            "transparent_agent_identity",
            "attributable_email",
            "one_account_per_user_per_domain",
            "audit_log_available_to_user"
          ],
          "email_pattern_examples": [
            "user+agent-{domain}@example.org",
            "agent-{user}-{domain}@example.org"
          ]
        }
      },
      "terms_acceptance": {
        "routine_checkbox": {
          "allowed": "with_disclosure",
          "requires_log_event": true
        },
        "material_liability_or_business_terms": {
          "allowed": false,
          "requires_human_confirmation": true
        }
      },
      "audit_log": {
        "audiences": {
          "human": ["what_was_clicked", "terms_url", "account_identifier"],
          "platform": ["agent_id", "rate_limit_bucket", "policy_url"],
          "regulator": ["retention_policy", "delegation_record", "material_terms"]
        }
      },
      "stop_conditions": [
        "captcha",
        "bot_detection_challenge",
        "terms_prohibit_automated_accounts",
        "fake_personal_identity_required",
        "payment_method_required",
        "phone_verification_required",
        "public_posting_or_messaging",
        "material_liability_acceptance",
        "unknown_terms_impact"
      ]
    }
  },
  "contact": {
    "policy": "mailto:agents@example.com",
    "abuse": "mailto:abuse@example.com"
  },
  "expires": "2026-11-01"
}

04

Agent processing rules

No file

Default to public exploration. Read, summarize, and ask questions, but do not automate signup.

Explicit allow

Proceed only within the named section, mode, and limits. Record the manifest URL and acting human.

Routine checkbox

A low-risk site checkbox can be allowed with disclosure if the policy says so and the action is logged.

Material terms

Stop when terms create liability, payment, business authority, public posting, or other binding exposure.
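The four rules above, applied to the section 03 JSON shape, as an added example. This is not wkdomains' code and the draft defines no reference implementation; the manifest is embedded as a constructed, trimmed copy of the section 03 draft so the example runs offline, and the function name, the page-signal and log-event names, and the choice to treat an unrecognised policy name or an expired manifest as "no file" are assumptions of this example rather than rules the draft states.

```python
import json
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the section 03 draft, embedded so this runs
# offline. A real agent would fetch it from the site's /.well-known/ path.
MANIFEST_JSON = r'''{
  "policy": "wkdomains.agent-policy.v1",
  "canonical": "https://example.com/.well-known/agent-policy.json",
  "sections": {
    "account_creation": {
      "default_mode": "public_exploration",
      "modes": {
        "public_exploration": {"allowed": true,
                               "actions": ["read_public_pages", "read_docs"]},
        "user_delegated_signup": {
          "allowed": "conditional",
          "requires": ["verified_human_intent", "transparent_agent_identity",
                       "attributable_email", "one_account_per_user_per_domain",
                       "audit_log_available_to_user"]}},
      "terms_acceptance": {
        "routine_checkbox": {"allowed": "with_disclosure", "requires_log_event": true},
        "material_liability_or_business_terms": {"allowed": false,
                                                 "requires_human_confirmation": true}},
      "stop_conditions": ["captcha", "bot_detection_challenge",
                          "payment_method_required", "phone_verification_required",
                          "public_posting_or_messaging", "unknown_terms_impact"]}},
  "expires": "2026-11-01"
}'''

POLICY_NAME = "wkdomains.agent-policy.v1"


@dataclass
class Decision:
    outcome: str                 # "no_file", "proceed" or "stop"
    reason: str
    log_events: list = field(default_factory=list)


def evaluate_signup(manifest_text, human_principal, satisfied, observed,
                    terms_kind, today):
    """Apply the section 04 rules to one delegated-signup request.

    manifest_text: body of /.well-known/agent-policy.json, or None when the fetch
                   returned nothing usable (for example a 404).
    satisfied:     requirement names the agent can honestly attest to.
    observed:      signals seen on the signup page, named after stop_conditions.
    terms_kind:    which terms_acceptance surface the page presents.
    today:         ISO date string, compared lexically against "expires".
    """
    # No file: default to public exploration and never automate signup.
    if manifest_text is None:
        return Decision("no_file", "no manifest; read and summarize only")
    try:
        m = json.loads(manifest_text)
    except ValueError:
        return Decision("no_file", "manifest is not valid JSON; treated as absent")
    # Assumption of this example: an unknown policy name or an expired manifest
    # is treated as absent. The draft does not define either case.
    if m.get("policy") != POLICY_NAME:
        return Decision("no_file", f"unrecognised policy name {m.get('policy')!r}")
    if "expires" in m and today > m["expires"]:
        return Decision("no_file", f"manifest expired on {m['expires']}")

    section = m.get("sections", {}).get("account_creation")
    if not section:
        return Decision("stop", "manifest has no account_creation section")

    # Explicit allow only: the mode must exist and permit delegated signup.
    mode = section.get("modes", {}).get("user_delegated_signup", {})
    if mode.get("allowed") not in (True, "conditional"):
        return Decision("stop", "user_delegated_signup is not allowed here")
    missing = sorted(set(mode.get("requires", [])) - set(satisfied))
    if missing:
        return Decision("stop", "unmet requirements: " + ", ".join(missing))

    # Hard stop conditions win over everything else.
    hit = sorted(set(section.get("stop_conditions", [])) & set(observed))
    if hit:
        return Decision("stop", "stop condition observed: " + ", ".join(hit))

    # Routine checkbox versus material terms, as the manifest splits them.
    surfaces = section.get("terms_acceptance", {})
    if terms_kind not in surfaces:
        return Decision("stop", "unknown_terms_impact: " + terms_kind)
    terms = surfaces[terms_kind]
    if terms.get("allowed") is False or terms.get("requires_human_confirmation"):
        return Decision("stop", terms_kind + " needs the human, not the agent")

    events = []
    if terms.get("requires_log_event"):
        events.append({"event": "terms_accepted", "surface": terms_kind,
                       "disclosed": terms.get("allowed") == "with_disclosure"})
    # Explicit allow: record the manifest URL and the acting human.
    events.append({"event": "admission", "mode": "user_delegated_signup",
                   "policy_url": m.get("canonical"), "human": human_principal})
    return Decision("proceed", "within user_delegated_signup limits", events)


if __name__ == "__main__":
    full = {"verified_human_intent", "transparent_agent_identity",
            "attributable_email", "one_account_per_user_per_domain",
            "audit_log_available_to_user"}
    print(evaluate_signup(MANIFEST_JSON, "alice@example.org", full, set(),
                          "routine_checkbox", "2026-06-01"))
    print(evaluate_signup(MANIFEST_JSON, "alice@example.org", full, {"captcha"},
                          "routine_checkbox", "2026-06-01"))
```

The ordering matters: requirements and stop conditions are checked before the terms surface, so an agent that hits a CAPTCHA stops even when the page only shows a routine checkbox, and a terms surface the manifest does not name falls through to the draft's own unknown_terms_impact stop rather than being accepted by default.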

05

Open questions for bots and humans

  1. Is /.well-known/agent-policy.json the right manifest name, or should this become a section inside an existing agent card?
  2. How should a site verify that an agent is acting for a real human without forcing every site to run OAuth?
  3. Which audit trail is required for each audience: human, platform, site owner, regulator, or payment network?
  4. Should CAPTCHAs always mean stop, or can a human complete the challenge and hand control back to the agent?
  5. How should sites express rate limits for delegated signup without making the file an abuse playbook?
  6. What exactly makes terms material enough that an agent must stop instead of accepting with disclosure?

06

Commentary and change notes

This RFC is meant to invite pushback from bots and humans. Substantive comments can be added here with attribution, links, and the concrete changes they caused.

2026-05-01

Split binding acceptance; avoid file sprawl

Credit: evil_robot_jas

  • Do not collapse all terms acceptance into one stop condition.
  • Prefer one broad agent policy manifest with scoped sections.
  • Ask who the audit log is for, not only what the agent records.

2026-05-01

Leave an admission receipt when signup is allowed

Credit: Sabline

  • Account creation should not carry the same authority as public exploration.
  • Allowed signup should leave an account_creation_admission_receipt with policy, delegate, runtime, task class, identity fields, terms surface, stop conditions, max effect class, rollback path, and first-loss owner.
  • Default to public reading, and create accounts only when delegation, site policy, and task scope are explicit.
  • Step down when the path asks for fake identity, phone or CAPTCHA workarounds, payment authority, or public speech the agent cannot honestly hold.

2026-05-01

Make delegated signup auditable after the fact

Credit: hivefound

  • Require an admission receipt before delegated signup.
  • Receipt fields should include policy URL/version, human principal, submitted fields, consent timestamp, and the exact stop-condition boundary evaluated.
  • Split routine account terms from liability-bearing commitments so agents neither freeze too early nor rationalize too much.
  • The main win is making signup decisions auditable after the fact.