Agent self-serve signup
Agent self-serve signup lets an AI agent register itself with Molar and receive an org-scoped API key — without a pre-existing account, dashboard login, or manually minted PAT.
The agent names a human overseer (human_email). That person receives a verification email with a 6-digit code. Once they share the code, the agent's token is upgraded from restricted to full Free-tier MCP scopes and can connect to the remote MCP server.
When to use this vs human signup
| Situation | Recommended path |
|---|---|
| A coding agent (Cursor, Claude Code, Codex) should bootstrap itself without browser OAuth | Agent self-serve |
| You are a human engineer setting up CI, a team workspace, or billing | app.molar.it signup |
| Enterprise SSO/SCIM, seat management, GitHub App install | Human signup → invite agents via PAT |
| Air-gapped / local-only MCP with no cloud | molar mcp serve — no signup API needed |
| CI pipelines | Human-minted service token at Settings → API Tokens — not agent signup |
Human signup creates the org, billing profile, and member invites. Agent signup creates a pending org tied to the overseer's email; the human becomes owner on verify.
How it works
- Signup — unauthenticated POST; returns api_key (shown once), org_id, agent_id, status: "unclaimed".
- Limited use — agent can call read/run MCP tools within Free-tier caps while unclaimed.
- Verify — agent submits the 6-digit code with its API key; scopes expand to the full Free tier.
- MCP install — use the install URL from the verify response or mcp.molar.cloud/install.
Verification codes expire in 15 minutes. Request a new signup if the code expires (rate limits apply).
Capabilities: before vs after verification
| | Before verification (unclaimed) | After verification (claimed) |
|---|---|---|
| MCP scopes | mcp:read, mcp:run only | Full Free tier: mcp:read, mcp:write, mcp:run, mcp:clone:write (local), mcp:trace:read |
| Blocked scopes | mcp:clone:write (cloud), mcp:debug, mcp:identity, mcp:explore, mcp:act | High-risk scopes (mcp:explore, mcp:act, mcp:identity) still require explicit OAuth consent or org policy |
| PR / prod runs | Free tier caps (50 PR runs/mo) | Same caps — upgrade plan at app.molar.it for more |
| Cloud Clones | No | Yes (within Free clone entitlements) |
| Debugger AI (mcp:debug) | No | No on Free — Team+ or BYOK |
| Dashboard access | Agent token only | Human owner can sign in at app.molar.it with the same org |
Pre-verify tokens are intentionally limited so an unapproved agent cannot spawn cloud clones, burn debugger LLM budget, or provision disposable identities until a human attests.
Agent signup via API
Base URL: https://api.molar.it
1. Sign up (no API key needed)
curl -X POST "https://api.molar.it/api/v1/agent-signup" \
  -H "Content-Type: application/json" \
  -d '{
    "human_email": "alex@example.com",
    "display_name": "QA Assistant",
    "note_to_human": "Hi Alex — I am your QA agent for the checkout repo. Please verify me so I can run scenarios.",
    "harness": "claude-code"
  }'
Request body
| Field | Required | Description |
|---|---|---|
| human_email | Yes | Email of the human who approves the agent. Must be a deliverable address you control. |
| display_name | Yes | Human-readable agent name (shown in verification email). |
| note_to_human | No | Short message included in the verification email. |
| harness | No | Runtime hint: cursor, claude-code, codex, windsurf, etc. Used for MCP install guidance after verify. |
Example response
{
  "api_key": "molar_svc_agent_xxxxxxxxxxxxxxxx",
  "org_id": "org_01HXXXX",
  "agent_id": "agent_01HXXXX",
  "status": "unclaimed",
  "email_address": null
}
Store api_key securely — it is shown once. Send it as the Authorization: Bearer token on verify and status calls.
2. Verify with the 6-digit code
The human receives an email from Molar with a code like 483921.
curl -X POST "https://api.molar.it/api/v1/agent-signup/verify" \
  -H "Authorization: Bearer molar_svc_agent_xxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"verification_code": "483921"}'
Example response
{
  "status": "claimed",
  "scopes_upgraded": [
    "mcp:read",
    "mcp:write",
    "mcp:run",
    "mcp:clone:write",
    "mcp:trace:read"
  ],
  "mcp_install_url": "https://mcp.molar.cloud/install?org=org_01HXXXX"
}
3. Check status
curl -X GET "https://api.molar.it/api/v1/agent-signup/status" \
  -H "Authorization: Bearer molar_svc_agent_xxxxxxxxxxxxxxxx"
Example response (unclaimed)
{
  "claim_status": "unclaimed",
  "restrictions": {
    "allowed_scopes": ["mcp:read", "mcp:run"],
    "blocked_scopes": ["mcp:clone:write", "mcp:debug", "mcp:identity", "mcp:explore", "mcp:act"],
    "mcp_calls_per_day": 200,
    "guard_runs_per_month": 50
  },
  "entitlements": {
    "plan": "free",
    "mcp_install_ready": false
  }
}
Example response (claimed)
{
  "claim_status": "claimed",
  "restrictions": {
    "allowed_scopes": ["mcp:read", "mcp:write", "mcp:run", "mcp:clone:write", "mcp:trace:read"],
    "blocked_scopes": ["mcp:debug", "mcp:identity", "mcp:explore", "mcp:act"],
    "mcp_calls_per_day": 1000,
    "guard_runs_per_month": 50
  },
  "entitlements": {
    "plan": "free",
    "mcp_install_ready": true
  }
}
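A client-side preflight built on the status response above, added here as an illustration (not Molar's code): it classifies each scope a tool needs as usable now, available once the human verifies, or outside the Free tier. The function name preflight and the labels allowed/verify/escalate are assumptions; the sample JSON is the page's unclaimed response.

```python
import json

# Scopes the page lists as granted on verification (full Free tier).
FREE_TIER_AFTER_VERIFY = {"mcp:read", "mcp:write", "mcp:run",
                          "mcp:clone:write", "mcp:trace:read"}

# Sample input: the unclaimed status response shown on this page.
UNCLAIMED = json.loads("""{
  "claim_status": "unclaimed",
  "restrictions": {
    "allowed_scopes": ["mcp:read", "mcp:run"],
    "blocked_scopes": ["mcp:clone:write", "mcp:debug", "mcp:identity",
                       "mcp:explore", "mcp:act"],
    "mcp_calls_per_day": 200,
    "guard_runs_per_month": 50
  },
  "entitlements": {"plan": "free", "mcp_install_ready": false}
}""")


def preflight(status: dict, required: set) -> dict:
    """Map each required scope to 'allowed', 'verify' or 'escalate'.

    'verify'   -> the human must share the 6-digit code first
    'escalate' -> not in the Free tier; needs OAuth consent, org policy or a plan
    (hypothetical labels, not part of the API)
    """
    restrictions = status.get("restrictions", {})
    allowed = set(restrictions.get("allowed_scopes", []))
    blocked = set(restrictions.get("blocked_scopes", []))
    claimed = status.get("claim_status") == "claimed"
    decision = {}
    for scope in sorted(required):
        # Fail closed: a scope listed as blocked, or missing from the
        # allow-list, is never treated as usable.
        if scope in allowed and scope not in blocked:
            decision[scope] = "allowed"
        elif not claimed and scope in FREE_TIER_AFTER_VERIFY:
            decision[scope] = "verify"
        else:
            decision[scope] = "escalate"
    return decision
```
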
Agent signup via CLI
Requires @molar/cli (or npx molar-agent).
# 1. Sign up (no token needed)
molar agent signup \
  --human-email alex@example.com \
  --name "QA Assistant" \
  --note-to-human "Please verify me so I can run checkout scenarios." \
  --harness claude-code
# 2. Verify with the code the human received
molar agent signup verify --code 483921
# 3. Check claim status and restrictions anytime
molar agent signup status
The CLI stores the API key in ~/.config/molar/config.toml (same credential store as molar login). After signup it prints the MCP install URL; after verify it prints harness-specific hints (Cursor deeplink, Claude Code claude mcp add, etc.).
Export manually if needed:
export MOLAR_API_URL=https://api.molar.it
export MOLAR_TOKEN=molar_svc_agent_xxxxxxxxxxxxxxxx
MCP install after verify
Once claim_status is claimed:
- Open mcp.molar.cloud/install or the mcp_install_url from the verify response.
- Choose your client (Cursor, Claude Desktop, Claude Code, Windsurf).
- Complete OAuth 2.1 + PKCE on first tool call — or use the agent API key with molar mcp serve --cloud-access for local stdio.
Cursor
{
  "mcpServers": {
    "molar": { "url": "https://mcp.molar.cloud/mcp" }
  }
}
Claude Code
claude mcp add --transport http molar https://mcp.molar.cloud/mcp
See MCP server setup for scopes, rate limits, and the tool catalog.
Security & abuse limits
| Control | Value |
|---|---|
| Signup rate limit | 5 signups per IP per hour |
| Verification attempts | 5 failed codes per agent → lockout until new signup |
| Code expiry | 15 minutes |
| Pre-verify scopes | Read/run only — no cloud clones, debugger, or identity tools |
Agents must not sign up with a human_email they do not intend to notify. Misuse (mass signups, credential stuffing) is subject to IP and org-level blocks.
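The verification controls in the table, modeled as an added example (not Molar's implementation): a 6-digit code that expires after 15 minutes, is compared in constant time, and locks after 5 failed attempts. The class and method names are hypothetical; the clock is injectable so the expiry path can be exercised.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60   # "Code expiry: 15 minutes"
MAX_FAILED_ATTEMPTS = 5      # "5 failed codes per agent -> lockout"


class PendingClaim:
    """One unclaimed agent awaiting its overseer's code (illustrative model)."""

    def __init__(self, now=time.time):
        self._now = now
        # secrets, not random: the code is an authenticator.
        self._code = f"{secrets.randbelow(10**6):06d}"
        self._expires = now() + CODE_TTL_SECONDS
        self.failed = 0
        self.status = "unclaimed"

    def code_for_email(self) -> str:
        """The value that would be emailed to human_email."""
        return self._code

    def verify(self, submitted: str) -> str:
        """Return 'claimed', 'invalid', 'expired' or 'locked'."""
        if self.status == "claimed":
            return "claimed"
        # Check lockout and expiry before comparing, so a locked or
        # stale claim never confirms or denies a guess.
        if self.failed >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if self._now() >= self._expires:
            return "expired"
        if hmac.compare_digest(submitted.encode(), self._code.encode()):
            self.status = "claimed"
            self._code = ""   # single use
            return "claimed"
        self.failed += 1
        return "locked" if self.failed >= MAX_FAILED_ATTEMPTS else "invalid"


def guess_success_bound() -> float:
    """Upper bound on blind-guess success per signup: attempts / code space."""
    return MAX_FAILED_ATTEMPTS / 10**6
```

With 5 attempts against a 1,000,000-value code space, a blind guess succeeds at most 5 times in a million per signup, and the signup rate limit bounds how often a fresh code can be requested.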
FAQ
Can the agent use Molar before the human verifies?
Yes, with restrictions. Unclaimed agents can list scenarios, read runs, and trigger runs within Free-tier caps. They cannot use cloud Clones, Debugger AI, or identity provisioning until verified.
What if the human never verifies?
The org stays in unclaimed state. Restricted scopes and lower rate caps remain. The verification code expires after 15 minutes; run signup again if needed (subject to rate limits).
Can I use agent signup for CI?
No — prefer a service token minted by a human owner at Settings → API Tokens. Agent signup targets interactive coding agents bootstrapping themselves.
How does human verification work?
After signup, Molar emails the human_email you provided with a 6-digit code (valid for 15 minutes). The human shares that code with the agent. There is no dashboard approval UI yet — verification is via the code or molar agent signup verify.
What scopes do I get after verification?
Before verification: mcp:read and mcp:run. After verification: full Free tier — mcp:read, mcp:write, mcp:run, mcp:clone:write (local), and mcp:trace:read. High-risk scopes still require explicit OAuth consent or a higher plan. See the capabilities table above.
How do I connect to the MCP server?
After claim_status is claimed, open mcp.molar.cloud/install or the mcp_install_url from the verify response. See MCP server setup.
How does this relate to npx molar-agent init?
molar-agent init scaffolds a repo (.molar/, scenarios). Agent signup provisions cloud credentials. Typical flow: agent signs up → human verifies → agent runs molar init in the customer's repo → connects MCP.
Related
- Install & initialize — human-led signup path
- For agents — MCP, CLI, llms.txt
- MCP server setup — OAuth, scopes, install links
- OAuth & authentication — tokens, PATs, RBAC
- Billing at app.molar.it — plan limits in the dashboard