Your AI agent can now create its own Nia account

An AI agent working in Claude Code decides it needs to index a research paper. It knows Nia can do this. But to use Nia, it needs an API key. To get an API key, it needs an account. To create an account, it needs a human to open a browser, fill out a form, create a password, navigate to the API keys page, click “Create Key,” copy the result, and paste it back into the terminal.

That’s seven steps where the human is the bottleneck, doing work the agent could do in two API calls.

So we fixed it.

The old flow was built for humans

Our previous API-first signup required three steps and a password:

POST /v2/auth/signup     → bootstrap_token (10min TTL)
POST /v2/auth/bootstrap-key  → API key
POST /v2/auth/login-key  → API key (returning users, needs password)

Passwords are a human credential. Agents don’t type passwords — they generate, store, and forget them. The bootstrap token intermediary step existed because we didn’t want to return a key before confirming identity, but in practice it just added latency and a failure point. And the whole thing still assumed someone would create the password in the first place.

The fix is obvious once you see it: two steps, no password. Sign up with an email, verify with a code from your inbox. The API key comes back immediately. The human’s only job is reading a 6-digit code. That’s the right level of human involvement: enough to prove identity, not enough to be a bottleneck.

The new flow: two API calls, no password

# Step 1: Create an account
curl -X POST https://apigcp.trynia.ai/v2/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email": "dev@example.com", "organization_name": "Acme"}'
{
  "api_key": "nk_eSw5VshC...",
  "api_key_id": "00a33544-...",
  "user_id": "user_3Bje...",
  "organization_id": "org_3Bje...",
  "verified": false
}

The agent gets an API key immediately. It’s read-only — good for searching and querying, but can’t index repos or modify anything. A 6-digit verification code is sent to the email.

# Step 2: Verify with the code from email
curl -X POST https://apigcp.trynia.ai/v2/auth/verify \
  -H "Authorization: Bearer nk_eSw5VshC..." \
  -H "Content-Type: application/json" \
  -d '{"code": "107081"}'
{
  "verified": true
}

The API key is now full-access. The agent can index repos, run deep research, manage sources — everything.

Progressive permissions, not all-or-nothing

The read-only → full-access upgrade isn’t just a security gate. It’s a design decision about what an unverified agent should be able to do.

State | Search | Index | Delete
Unverified | Yes | No | No
Verified | Yes | Yes | Yes

An unverified key can still query, search across indexed sources, and list resources. This means an agent that just signed up can start doing useful read work while the human checks their email. The verification step only blocks write operations — the operations where a rogue signup could actually cause damage.

Under the hood, this uses the scoped permissions system we already had. Unverified keys get scopes: ["read"]. Verification removes the scope restriction. The middleware that enforces this was already in production — we just wired it into the signup flow.

What the agent experience looks like

Here’s what happens when a developer pastes our onboarding prompt into Claude Code:

  1. The agent asks for email and organization name
  2. It calls POST /v2/auth/signup — gets a read-only key
  3. It tells the human: “Check your email for a 6-digit code”
  4. The human pastes the code
  5. The agent calls POST /v2/auth/verify — key upgraded
  6. It installs the CLI and configures skills

Total human involvement: type an email address, an org name, and a 6-digit code. Everything else is automated.

We’ve published the full onboarding prompt at trynia.ai/agent.md. Paste it into any AI coding agent and it handles the rest.

Returning users don’t need passwords either

We also added a passwordless login flow for returning users:

# Request a code
curl -X POST https://apigcp.trynia.ai/v2/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "dev@example.com"}'

# Verify and get a new key
curl -X POST https://apigcp.trynia.ai/v2/auth/login/verify \
  -H "Content-Type: application/json" \
  -d '{"email": "dev@example.com", "code": "543210"}'

Same pattern: email, code, key. An agent setting up in a new environment doesn’t need to know or store a password. It just needs access to ask the human for a code.

The old password-based endpoint (/v2/auth/login-key) still works — we added deprecation headers but didn’t remove it. If you have scripts using it, they won’t break.

Rate limits and abuse prevention

Passwordless auth without rate limiting is an invitation for abuse. Here’s what we enforce:

  • Signup: 5 per IP/minute, 3 per email/minute
  • Verification: max 10 attempts per code, 15-minute expiry
  • Login: 20 per IP/minute, 5 per email/minute
  • Resend: 3 per API key per 10 minutes

Verification codes are 6-digit numeric, hashed with SHA-256 before storage — we never store the plaintext code. At 10 attempts max against a million possible codes, brute force isn’t viable.

If the verification email doesn’t arrive, the agent can call POST /v2/auth/resend-code with the read-only key in the header. It invalidates the old code and sends a fresh one.
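An added example (not Nia's code and not part of the original post): an in-memory model of the verification-code handling and read-only gating described above, using the post's limits (6 digits, 10 attempts per code, 15-minute expiry, resend invalidates the old code). The names, the `write` scope and the server secret are assumptions; a keyed HMAC is swapped in for the bare SHA-256 the post mentions, because a digest of one of only 10^6 possible inputs can be recovered by enumeration if stored hashes leak.

```python
import hashlib, hmac, secrets, time

SERVER_SECRET = secrets.token_bytes(32)   # assumption: per-deployment HMAC key
MAX_ATTEMPTS, CODE_TTL = 10, 15 * 60      # limits stated in the post
WRITE_OPS = {"index", "delete"}           # blocked until the email is verified
READ_OPS = {"search", "list"}             # allowed for unverified keys

def _digest(code: str) -> bytes:
    # Keyed hash of the code; the plaintext code is never stored.
    return hmac.new(SERVER_SECRET, code.encode(), hashlib.sha256).digest()

class Account:
    def __init__(self, now=None):
        self.scopes = ["read"]            # unverified keys get scopes: ["read"]
        self.issue_code(now)

    def issue_code(self, now=None) -> str:
        """Create (or resend) a code; any earlier code stops working."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.code_hash = _digest(code)
        self.attempts = 0
        self.expires = (time.time() if now is None else now) + CODE_TTL
        return code                       # would be emailed to the user

    def verify(self, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self.code_hash is None or now > self.expires or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1                # count the attempt before comparing
        if hmac.compare_digest(self.code_hash, _digest(code)):
            self.scopes = None            # None = scope restriction removed
            self.code_hash = None         # a code is single use
            return True
        return False

    def allowed(self, op: str) -> bool:
        # "write" is an assumed scope name; the post only names "read".
        needed = "write" if op in WRITE_OPS else "read" if op in READ_OPS else None
        if needed is None:
            return False                  # unknown operation: fail closed
        return self.scopes is None or needed in self.scopes

def guess_probability(codes_issued: int) -> float:
    """Chance a blind guesser hits at least one code, MAX_ATTEMPTS tries each."""
    return 1 - (1 - MAX_ATTEMPTS / 10**6) ** codes_issued
```

`guess_probability` shows how the per-code bound of 10 in a million accumulates across reissued codes, which is why the resend and per-email limits matter alongside the attempt cap.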

Why this matters now

Every AI coding agent — Claude Code, Cursor, Windsurf, Cline, custom pipelines — runs into the same wall when it needs to authenticate with external services. The agent has to stop, ask the human to go do something in a browser, and wait for credentials to be pasted back.

The agents that break through aren’t the ones with better reasoning. They’re the ones whose tool ecosystem doesn’t require a human to context-switch to a browser every time a new service is needed. Passwordless, agent-native auth is table stakes for any API that wants to be part of an agent’s toolkit.

We built this so that setting up Nia is one prompt and three user inputs. If your API still requires a human to navigate a dashboard to generate credentials, your service is invisible to agents.

Try it

Paste this into any AI coding agent:

You are an agent that is going to onboard me to Nia by Nozomio Labs.
Please run `npx nia-wizard@latest agent-guide` to get the instructions,
then create my account using the passwordless signup API, ask me for the
email verification code, verify my account, install the CLI, and set up
skills. After you are done, output a summary including the credentials
so I can store them securely.

Do not forget to first ask me which email and organization name I would
like to use.

Full API reference: trynia.ai/agent.md

— Arlan Rakhmetzhanov, Founder, Nozomio