Agent self-serve signup

Let your AI agent register with Molar, get an API key, and unlock full MCP scopes after a human verifies with a 6-digit code.

Agent self-serve signup

╭────────────────────────────╮
│  🤖 Agent signup           │
│  API key → verify → MCP    │
╰────────────────────────────╯

Agent self-serve signup lets an AI agent register itself with Molar and receive an org-scoped API key — without a pre-existing account, dashboard login, or manually minted PAT.

The agent names a human overseer (human_email). That person receives a verification email with a 6-digit code. Once they share the code, the agent's token is upgraded from restricted to full Free-tier MCP scopes and can connect to the remote MCP server.

When to use this vs human signup

SituationRecommended path
A coding agent (Cursor, Claude Code, Codex) should bootstrap itself without browser OAuthAgent self-serve
You are a human engineer setting up CI, a team workspace, or billingapp.molar.it signup
Enterprise SSO/SCIM, seat management, GitHub App installHuman signup → invite agents via PAT
Air-gapped / local-only MCP with no cloudmolar mcp serve — no signup API needed
CI pipelinesHuman-minted service token at Settings → API Tokens — not agent signup

Human signup creates the org, billing profile, and member invites. Agent signup creates a pending org tied to the overseer's email; the human becomes owner on verify.

How it works

  1. Signup — unauthenticated POST; returns api_key (shown once), org_id, agent_id, status: "unclaimed".
  2. Limited use — agent can call read/run MCP tools within Free-tier caps while unclaimed.
  3. Verify — agent submits the 6-digit code with its API key; scopes expand to the full Free tier.
  4. MCP install — use the install URL from the verify response or mcp.molar.cloud/install.

Verification codes expire in 15 minutes. Request a new signup if the code expires (rate limits apply).

Capabilities: before vs after verification

Before verification (unclaimed)After verification (claimed)
MCP scopesmcp:read, mcp:run onlyFull Free tier: mcp:read, mcp:write, mcp:run, mcp:clone:write (local), mcp:trace:read
Blocked scopesmcp:clone:write (cloud), mcp:debug, mcp:identity, mcp:explore, mcp:actHigh-risk scopes (mcp:explore, mcp:act, mcp:identity) still require explicit OAuth consent or org policy
PR / prod runsFree tier caps (50 PR runs/mo)Same caps — upgrade plan at app.molar.it for more
Cloud ClonesNoYes (within Free clone entitlements)
Debugger AI (mcp:debug)NoNo on Free — Team+ or BYOK
Dashboard accessAgent token onlyHuman owner can sign in at app.molar.it with the same org

Pre-verify tokens are intentionally limited so an unapproved agent cannot spawn cloud clones, burn debugger LLM budget, or provision disposable identities until a human attests.

Agent signup via API

Base URL: https://api.molar.it

1. Sign up (no API key needed)

curl -X POST "https://api.molar.it/api/v1/agent-signup" \
  -H "Content-Type: application/json" \
  -d '{
    "human_email": "alex@example.com",
    "display_name": "QA Assistant",
    "note_to_human": "Hi Alex — I am your QA agent for the checkout repo. Please verify me so I can run scenarios.",
    "harness": "claude-code"
  }'

Request body

FieldRequiredDescription
human_emailYesEmail of the human who approves the agent. Must be a deliverable address you control.
display_nameYesHuman-readable agent name (shown in verification email).
note_to_humanNoShort message included in the verification email.
harnessNoRuntime hint: cursor, claude-code, codex, windsurf, etc. Used for MCP install guidance after verify.

Example response

{
  "api_key": "molar_svc_agent_xxxxxxxxxxxxxxxx",
  "org_id": "org_01HXXXX",
  "agent_id": "agent_01HXXXX",
  "status": "unclaimed",
  "email_address": null
}

Store api_key securely — it is shown once. Use it as Authorization: Bearer for verify and status calls.

2. Verify with the 6-digit code

The human receives an email from Molar with a code like 483921.

curl -X POST "https://api.molar.it/api/v1/agent-signup/verify" \
  -H "Authorization: Bearer molar_svc_agent_xxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"verification_code": "483921"}'

Example response

{
  "status": "claimed",
  "scopes_upgraded": [
    "mcp:read",
    "mcp:write",
    "mcp:run",
    "mcp:clone:write",
    "mcp:trace:read"
  ],
  "mcp_install_url": "https://mcp.molar.cloud/install?org=org_01HXXXX"
}

3. Check status

curl -X GET "https://api.molar.it/api/v1/agent-signup/status" \
  -H "Authorization: Bearer molar_svc_agent_xxxxxxxxxxxxxxxx"

Example response (unclaimed)

{
  "claim_status": "unclaimed",
  "restrictions": {
    "allowed_scopes": ["mcp:read", "mcp:run"],
    "blocked_scopes": ["mcp:clone:write", "mcp:debug", "mcp:identity", "mcp:explore", "mcp:act"],
    "mcp_calls_per_day": 200,
    "guard_runs_per_month": 50
  },
  "entitlements": {
    "plan": "free",
    "mcp_install_ready": false
  }
}

Example response (claimed)

{
  "claim_status": "claimed",
  "restrictions": {
    "allowed_scopes": ["mcp:read", "mcp:write", "mcp:run", "mcp:clone:write", "mcp:trace:read"],
    "blocked_scopes": ["mcp:debug", "mcp:identity", "mcp:explore", "mcp:act"],
    "mcp_calls_per_day": 1000,
    "guard_runs_per_month": 50
  },
  "entitlements": {
    "plan": "free",
    "mcp_install_ready": true
  }
}

Agent signup via CLI

Requires @molar/cli (or npx molar-agent).

# 1. Sign up (no token needed)
molar agent signup \
  --human-email alex@example.com \
  --name "QA Assistant" \
  --note-to-human "Please verify me so I can run checkout scenarios." \
  --harness claude-code

# 2. Verify with the code the human received
molar agent signup verify --code 483921

# 3. Check claim status and restrictions anytime
molar agent signup status

The CLI stores the API key in ~/.config/molar/config.toml (same credential store as molar login). After signup it prints the MCP install URL; after verify it prints harness-specific hints (Cursor deeplink, Claude Code claude mcp add, etc.).

Export manually if needed:

export MOLAR_API_URL=https://api.molar.it
export MOLAR_TOKEN=molar_svc_agent_xxxxxxxxxxxxxxxx

MCP install after verify

Once claim_status is claimed:

  1. Open mcp.molar.cloud/install or the mcp_install_url from the verify response.
  2. Choose your client (Cursor, Claude Desktop, Claude Code, Windsurf).
  3. Complete OAuth 2.1 + PKCE on first tool call — or use the agent API key with molar mcp serve --cloud-access for local stdio.

Cursor

{
  "mcpServers": {
    "molar": { "url": "https://mcp.molar.cloud/mcp" }
  }
}

Claude Code

claude mcp add --transport http molar https://mcp.molar.cloud/mcp

See MCP server setup for scopes, rate limits, and the tool catalog.

Security & abuse limits

ControlValue
Signup rate limit5 signups per IP per hour
Verification attempts5 failed codes per agent → lockout until new signup
Code expiry15 minutes
Pre-verify scopesRead/run only — no cloud clones, debugger, or identity tools

Agents must not sign up with a human_email they do not intend to notify. Misuse (mass signups, credential stuffing) is subject to IP and org-level blocks.

FAQ

Can the agent use Molar before the human verifies?

Yes, with restrictions. Unclaimed agents can list scenarios, read runs, and trigger runs within Free-tier caps. They cannot use cloud Clones, Debugger AI, or identity provisioning until verified.

What if the human never verifies?

The org stays in unclaimed state. Restricted scopes and lower rate caps remain. The verification code expires after 15 minutes; run signup again if needed (subject to rate limits).

Can I use agent signup for CI?

No — prefer a service token minted by a human owner at Settings → API Tokens. Agent signup targets interactive coding agents bootstrapping themselves.

How does human verification work?

After signup, Molar emails the human_email you provided with a 6-digit code (valid for 15 minutes). The human shares that code with the agent. There is no dashboard approval UI yet — verification is via the code or molar agent signup verify.

What scopes do I get after verification?

Before verification: mcp:read and mcp:run. After verification: full Free tier — mcp:read, mcp:write, mcp:run, mcp:clone:write (local), and mcp:trace:read. High-risk scopes still require explicit OAuth consent or a higher plan. See the capabilities table above.

How do I connect to the MCP server?

After claim_status is claimed, open mcp.molar.cloud/install or the mcp_install_url from the verify response. See MCP server setup.

How does this relate to npx molar-agent init?

molar-agent init scaffolds a repo (.molar/, scenarios). Agent signup provisions cloud credentials. Typical flow: agent signs up → human verifies → agent runs molar init in the customer's repo → connects MCP.