The first 30 seconds of agent onboarding: a teardown of 20 SaaS signup flows
We ran the AgentGate Benchmark on nearly 2,000 SaaS companies. One of the seven categories we score is onboarding automation — how easily an AI agent can go from "I want to use this product" to "I have an API key."
The average score? 2.7 out of 15. That's an 18% pass rate on the most revenue-critical interaction your product has.
To understand why, we sent an AI agent (Playwright-based, running headless Chrome) to sign up for 20 of the most popular developer tools and SaaS products. We recorded every barrier it hit, every form field it filled, every wall it ran into. Then we graded each flow.
What follows is the teardown. Some companies make it embarrassingly easy. Most make it surprisingly hard. A few make it effectively impossible.
The grading rubric
We evaluate each signup flow on five dimensions, each scored 1–5:
| Dimension | What we measure | 5 (perfect) | 1 (failing) |
|---|---|---|---|
| Accessibility | Can an agent reach the signup form? | Direct URL, server-rendered HTML | SPA with no server rendering, or redirect loop |
| Friction | How many steps to create an account? | 1–2 fields, or OAuth only | 5+ fields, multi-step wizard, phone verification |
| CAPTCHA barrier | Does a CAPTCHA block the flow? | No CAPTCHA at all | reCAPTCHA v2 (image puzzles) on every step |
| Verification wall | What happens after form submission? | Instant access, or one-click email verification | Phone + email + manual review required |
| API key time-to-value | How fast can an agent get an API key? | Key on first dashboard load | Requires project setup, billing, team creation first |
Total possible: 25 points. We categorize results as:
- 21–25: Agent-ready — An AI agent can sign up and start using the product autonomously
- 16–20: Agent-possible — Needs workarounds but technically feasible
- 11–15: Agent-hostile — Significant barriers, most agents will fail
- 1–10: Agent-blocked — Effectively impossible without human intervention
The 20-company teardown
Tier 1: Agent-ready (21–25 points)
Supabase — 23/25 ⭐
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 5 | Clean server-rendered signup at /dashboard/sign-up |
| Friction | 5 | Two options: GitHub OAuth (1 click) or email + password (2 fields) |
| CAPTCHA | 5 | No CAPTCHA anywhere in the flow |
| Verification | 4 | Email confirmation required, but link-click only |
| API key TTV | 4 | Create project → keys on project settings page (~3 clicks post-signup) |
What Supabase gets right: The signup page renders as plain HTML with clear form elements. An agent can fill email + password fields and submit in under 2 seconds. GitHub OAuth is even faster. No CAPTCHA. No phone verification. The path from "new visitor" to "API keys in hand" takes under 60 seconds for an agent.
What could be better: Email verification is required before accessing the dashboard. A "skip for now" option during initial exploration would help agents that need to evaluate the product.
From our benchmark data, Supabase scored 75 overall with a 7/15 on onboarding automation — the highest among major developer tools.
Vercel — 22/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 4 | SPA, but GitHub/GitLab/Bitbucket OAuth buttons render quickly |
| Friction | 5 | OAuth-only signup: one click with an existing GitHub account |
| CAPTCHA | 5 | No CAPTCHA |
| Verification | 4 | Email verification via OAuth provider (already verified) |
| API key TTV | 4 | Settings → Tokens → Create (3 clicks from dashboard) |
What Vercel gets right: By making OAuth the only signup method, Vercel eliminates the form-filling problem entirely. If your agent has GitHub credentials, signup is a single OAuth consent flow. No custom password policies, no CAPTCHA, no phone number.
The catch: The signup page is a client-side rendered SPA. A web_fetch request returns nothing useful — just "Skip to content." You need a browser automation framework to even see the buttons. This is the SPA rendering gap that trips up lighter-weight agents.
Linear — 22/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 3 | Pure SPA — web_fetch returns "Loading…" |
| Friction | 5 | Google OAuth or email magic link |
| CAPTCHA | 5 | No CAPTCHA |
| Verification | 5 | Magic link = verification built in |
| API key TTV | 4 | Settings → API → Personal access tokens |
What Linear gets right: Magic link authentication is brilliant for agents. One email, one link click, you're in. No password to generate and manage, no password policy to satisfy. The API key generation is straightforward once you're in the dashboard.
What hurts agents: The "Loading…" SPA problem. The signup page returns zero useful HTML to non-JavaScript clients. An agent using curl or simple HTTP gets nothing. This is fixable with server-side rendering of at least the initial signup state.
Tier 2: Agent-possible (16–20 points)
Notion — 19/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 3 | SPA renders only "Notion" for non-JS clients |
| Friction | 4 | Google/Apple OAuth or email |
| CAPTCHA | 5 | No CAPTCHA |
| Verification | 3 | Email code verification (6-digit code, not link) |
| API key TTV | 4 | Settings → Connections → Develop → Create integration |
Agent experience: Notion's email verification requires reading a 6-digit code from an inbox and typing it back. This is doable for agents with email access but adds a round-trip. Google OAuth bypasses this entirely. The integration (API key) creation flow involves navigating to an external site (notion.so/my-integrations), which adds confusion.
Slack — 19/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 4 | Signup page server-renders enough for basic interaction |
| Friction | 4 | Google OAuth or email |
| CAPTCHA | 5 | No CAPTCHA on initial signup |
| Verification | 3 | Email confirmation code (6-digit) |
| API key TTV | 3 | Requires creating a workspace, then building an "app" at api.slack.com |
Agent experience: Slack's signup is clean, but getting to API access requires navigating to a completely different domain (api.slack.com), creating an "app," configuring OAuth scopes, and installing it to a workspace. This multi-site, multi-step flow is where most agents get lost. Our benchmark scored Slack at 75 overall but only 4/15 on onboarding automation.
Datadog — 18/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 4 | Server-rendered signup form |
| Friction | 3 | Name, email, company, password (4 fields) + role dropdown |
| CAPTCHA | 5 | No CAPTCHA |
| Verification | 3 | Email verification required |
| API key TTV | 3 | Dashboard → Organization Settings → API Keys (but requires free trial activation) |
Agent experience: Datadog asks for more fields than necessary — "company" and "role" could be deferred. The free trial activation adds an extra gate. But the biggest win is no CAPTCHA and a server-rendered form. An agent can fill and submit the form programmatically without a full browser.
MongoDB Atlas — 18/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 4 | Google OAuth prominently featured, form renders server-side |
| Friction | 4 | Google OAuth (1 click) or first/last name + email + password |
| CAPTCHA | 5 | No CAPTCHA |
| Verification | 3 | Email verification for non-OAuth |
| API key TTV | 2 | Requires: create organization → create project → create cluster → then API keys |
Agent experience: MongoDB's signup is great; the onboarding after signup is where complexity lives. Getting an API key requires creating an organization, a project, and deploying a cluster — all before you can generate credentials. The benchmark gave MongoDB the highest overall score in our dataset (78) but only 4/15 on onboarding.
Shopify — 18/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 4 | Server-rendered, works without full JS |
| Friction | 4 | Email or Apple/Google OAuth |
| CAPTCHA | 5 | No CAPTCHA on signup |
| Verification | 2 | Email verification + store URL selection + industry survey |
| API key TTV | 3 | Requires: create store → install app → get API keys |
Agent experience: Shopify's form is clean, but post-signup it drops you into a store creation wizard — select store name, industry, expected revenue — before you can do anything. The survey is skippable for humans but confusing for agents because the "skip" button isn't always labeled clearly.
HubSpot — 18/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 4 | Server-rendered signup |
| Friction | 4 | Google OAuth or email + name |
| CAPTCHA | 5 | No CAPTCHA |
| Verification | 3 | Email code verification |
| API key TTV | 2 | API keys deprecated! Must create a private app (Settings → Integrations → Private Apps) |
Agent experience: HubSpot deprecated simple API keys in late 2022 — everything now requires creating a "private app" with OAuth scopes. While more secure, this adds significant complexity for agent onboarding. The private app creation flow involves naming the app, selecting scopes from a multi-page checkbox interface, and then finding the generated token. Most agents won't complete this without specific training.
Tier 3: Agent-hostile (11–15 points)
Stripe — 15/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 2 | Returns "Incompatible browser" for non-standard clients |
| Friction | 3 | Email + full name + password + country selector |
| CAPTCHA | 2 | reCAPTCHA on signup and on API key pages |
| Verification | 3 | Email verification + phone verification for live mode |
| API key TTV | 5 | Test keys available immediately on dashboard |
Agent experience: Yes, Stripe — the company with the best developer documentation in the industry — is agent-hostile at signup. Here's what the agent sees:
- Navigate to
dashboard.stripe.com/register→ "Incompatible browser" error (no form rendered at all for headless/non-standard user agents) - Bypass with proper browser UA → reCAPTCHA v2 on the form
- Complete signup → email verification required
- Access dashboard → test API keys available immediately (this part is excellent)
- Want live keys? → phone verification + business verification
The irony is stark: Stripe has an llms.txt file, excellent API docs, and agent-friendly documentation. But the actual front door — the signup page — blocks agents entirely. From our benchmark: 68 overall, only 4/15 on onboarding, and a CAPTCHA penalty.
GitHub — 14/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 4 | Server-rendered, clean HTML |
| Friction | 2 | Multi-step wizard: email → password → username → email prefs → CAPTCHA |
| CAPTCHA | 1 | Puzzle-based CAPTCHA (visual puzzle, not reCAPTCHA) |
| Verification | 3 | Email code verification |
| API key TTV | 4 | Settings → Developer settings → Personal access tokens |
Agent experience: GitHub's signup is a 5-step wizard where each step loads a new page. The CAPTCHA is a custom visual puzzle (not reCAPTCHA, so third-party solving services may not support it). The username-selection step can trigger validation errors if the name is taken, requiring retry logic.
Our benchmark scored GitHub at 49 overall — one of the lowest among major developer tools, largely due to the signup friction and CAPTCHA.
Cloudflare — 14/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 3 | Server-rendered but with Turnstile challenge on load |
| Friction | 3 | Email + password |
| CAPTCHA | 1 | Cloudflare Turnstile on signup (their own product!) |
| Verification | 3 | Email verification |
| API key TTV | 4 | Dashboard → Profile → API Tokens → Create |
Agent experience: Cloudflare uses its own Turnstile CAPTCHA product on its signup page. While Turnstile is meant to be "invisible" for most humans, it can block automated browsers. The form itself is simple (just email + password), making the Turnstile the only significant barrier. From our benchmark: 67 overall, 4/15 onboarding, CAPTCHA flagged.
Atlassian (Jira/Confluence) — 13/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 3 | Renders server-side |
| Friction | 2 | Multi-step: email → name → password → site name → team size survey |
| CAPTCHA | 2 | reCAPTCHA on signup |
| Verification | 3 | Email verification |
| API key TTV | 3 | Settings → API tokens (but must navigate from Jira to id.atlassian.com) |
Agent experience: The multi-step wizard with team size and role surveys adds significant friction. The CAPTCHA appears inconsistently — sometimes on first load, sometimes only on retry. API token generation happens on a different subdomain (id.atlassian.com) than the product (*.atlassian.net). Our benchmark: 35 overall for Jira, 67 for Atlassian proper.
Twilio — 12/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 2 | Signup redirects to login page, SPA rendering issues |
| Friction | 2 | First name, last name, email, password + terms |
| CAPTCHA | 3 | reCAPTCHA v3 (invisible, lower barrier) |
| Verification | 1 | Email verification + mandatory phone verification + account SID approval |
| API key TTV | 4 | Console → API keys available after verification |
Agent experience: Twilio's mandatory phone verification is the highest-friction element in our entire teardown. An agent needs a phone number that can receive SMS — which means either having a real number or using a service like Twilio itself (ironic). The signup page also has routing issues — /try-twilio redirects to a login page in some configurations. From our benchmark: 68 overall but only 4/15 on onboarding.
Tier 4: Agent-blocked (1–10 points)
Salesforce — 10/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 3 | Form renders server-side |
| Friction | 1 | Multi-page form: name, email, company, title, phone, employees, country, postal code |
| CAPTCHA | 2 | reCAPTCHA |
| Verification | 2 | Email + phone + may require sales contact |
| API key TTV | 2 | Requires: org setup → connected app → OAuth configuration → wait for approval |
Agent experience: Salesforce asks for 8+ form fields on signup, including company size and job title. After signup, getting API access requires creating a "Connected App" through the Setup menu — a multi-step process involving OAuth callback URLs, scope configuration, and admin approval. Self-service developer access is practically nonexistent. Our benchmark: 68 overall, but only 1/15 on onboarding.
Zendesk — 10/25
| Dimension | Score | Details |
|---|---|---|
| Accessibility | 3 | Server-rendered trial form |
| Friction | 1 | Full name, work email, phone, company name, employees, job function, language |
| CAPTCHA | 3 | No CAPTCHA initially |
| Verification | 2 | Email + phone verification, sales follow-up for larger tiers |
| API key TTV | 1 | API tokens buried: Admin Center → Apps and integrations → APIs → Zendesk API |
Agent experience: Zendesk's signup asks for work email specifically (may reject personal domains), phone number (mandatory), and company details. The "free trial" signup page has 7+ fields. API key generation requires navigating through Admin Center — which is a separate interface from the main Zendesk dashboard. Our benchmark: 58 overall, 1/15 on onboarding.
The patterns: what's killing agent onboarding
Across all 2,000 companies we benchmarked, five patterns account for the vast majority of onboarding failures:
Pattern 1: The SPA rendering gap
Affected: 60%+ of SaaS companies
When an agent makes a simple HTTP request to a signup URL, many modern SaaS products return empty shells — <div id="root"></div> and 300KB of JavaScript. The form only renders after client-side JS execution.
This means agents need a full browser automation framework (Playwright, Puppeteer) just to see the signup form. Simpler agents using HTTP clients or lightweight scrapers are completely locked out.
The fix: Server-side render at least the initial signup state. You don't need to SSR your entire app — just the entry point. Supabase does this well.
Free Tool
How agent-ready is your website?
Run a free scan to see how AI agents experience your signup flow, robots.txt, API docs, and LLM visibility.
Run a free scan →Pattern 2: CAPTCHA on the front door
Affected: 11% of benchmarked companies (but includes some of the biggest: Stripe, GitHub, Cloudflare, Atlassian)
From our data: 224 out of 1,993 benchmarked domains have CAPTCHAs. That sounds low, but the companies with CAPTCHAs tend to be the most popular ones — the ones agents most need to access.
| CAPTCHA Type | Agent Impact | Solvable? |
|---|---|---|
| reCAPTCHA v3 (invisible) | Low — usually passes for headless browsers | Often passes automatically |
| Cloudflare Turnstile | Medium — designed to be invisible but can challenge automation | Solvable via 2Captcha/CapSolver |
| reCAPTCHA v2 (image puzzles) | High — requires visual puzzle solving | Solvable via services ($2-4 per 1,000) |
| Custom puzzles (GitHub) | Very High — no standardized solver | Manual or custom ML model |
| hCaptcha | High — specifically designed to catch bots | Solvable but expensive |
The fix: Remove CAPTCHAs from signup entirely. Use email verification + rate limiting + behavioral analysis instead. Or implement risk-based challenges — only show CAPTCHAs to traffic that looks malicious, not to every visitor.
Pattern 3: Phone verification walls
Affected: Twilio, Salesforce, Zendesk, and ~15% of enterprise SaaS
Phone verification is the single hardest barrier for AI agents. An agent needs:
- Access to a phone number
- Ability to receive SMS
- Ability to read the SMS
- The actual verification code entry
This effectively requires a human in the loop — or a phone number provisioning service (which adds cost and complexity to what should be a free signup).
The fix: Make phone verification optional, or defer it to when the user needs elevated privileges (like live API keys or payment processing). Stripe's approach of requiring phone only for live mode is more sensible than requiring it for initial signup.
Pattern 4: The post-signup maze
Affected: MongoDB, HubSpot, Shopify, Salesforce, Slack
Even when signup is smooth, the path from "account created" to "API key in hand" can involve 5–10 additional steps across multiple pages or even multiple domains. MongoDB requires creating an organization, project, and cluster. Slack requires navigating to api.slack.com and creating an "app." HubSpot requires creating a "private app" with OAuth scopes.
The fix: Offer an "I'm a developer" fast-path during onboarding that skips surveys, tutorials, and team setup — and goes straight to API credentials. Or better yet, auto-generate a test API key and display it on the first dashboard load. Stripe does this part excellently — test keys are immediately visible.
Pattern 5: Survey gates and onboarding wizards
Affected: Shopify, Atlassian, Salesforce, Datadog
Multi-step wizards that ask for company size, industry, role, and use case before letting you into the product. These exist for product analytics and personalization — but they're invisible walls for agents that don't have "What's your company size?" in their task description.
The fix: Make every survey question skippable. Use progressive profiling instead of gates — collect this data over time as users engage, not as a prerequisite for access.
Scorecard: all 20 at a glance
| Company | Score | Tier | Key Barrier | Agent Can Signup? |
|---|---|---|---|---|
| Supabase | 23/25 | ✅ Agent-ready | Email verification | Yes, autonomously |
| Vercel | 22/25 | ✅ Agent-ready | SPA rendering | Yes, with browser |
| Linear | 22/25 | ✅ Agent-ready | SPA rendering | Yes, with browser |
| Notion | 19/25 | ⚡ Agent-possible | Email code, SPA | Yes, with email access |
| Slack | 19/25 | ⚡ Agent-possible | Multi-domain API setup | Signup yes, API key maybe |
| Datadog | 18/25 | ⚡ Agent-possible | Extra form fields | Yes, with browser |
| MongoDB | 18/25 | ⚡ Agent-possible | Post-signup maze | Signup yes, API key hard |
| Shopify | 18/25 | ⚡ Agent-possible | Survey gate | Yes, with skip logic |
| HubSpot | 18/25 | ⚡ Agent-possible | Private app creation | Signup yes, API key hard |
| Postman | 17/25 | ⚡ Agent-possible | Workspace setup | Yes, with browser |
| Airtable | 17/25 | ⚡ Agent-possible | SPA + workspace setup | Yes, with browser |
| ClickUp | 17/25 | ⚡ Agent-possible | Multi-step wizard | Yes, with patience |
| Stripe | 15/25 | ⛔ Agent-hostile | CAPTCHA + browser block | Needs CAPTCHA solving |
| GitHub | 14/25 | ⛔ Agent-hostile | Custom CAPTCHA puzzle | Needs custom solver |
| Cloudflare | 14/25 | ⛔ Agent-hostile | Turnstile CAPTCHA | Needs CAPTCHA solving |
| Atlassian | 13/25 | ⛔ Agent-hostile | CAPTCHA + survey maze | Needs solving + patience |
| Twilio | 12/25 | ⛔ Agent-hostile | Phone verification | Needs human or phone API |
| Intercom | 12/25 | ⛔ Agent-hostile | Sales-gated onboarding | Needs human |
| Salesforce | 10/25 | 🚫 Agent-blocked | 8+ fields + phone + sales | Needs human |
| Zendesk | 10/25 | 🚫 Agent-blocked | 7+ fields + phone + sales | Needs human |
What the best agent-ready signups have in common
Looking at the top scorers, five practices stand out:
1. OAuth as the primary (or only) path
Vercel's OAuth-only signup is the most agent-friendly pattern we found. When your signup is "click Continue with GitHub," the entire authentication problem — passwords, CAPTCHA, email verification — is outsourced to a provider that's already handled it.
2. Server-rendered forms
Supabase's signup page returns actual HTML on a standard HTTP request. No JavaScript required to see the form. This means even lightweight agents can interact with it.
3. Zero CAPTCHAs
Every company in our "agent-ready" tier has zero CAPTCHAs on signup. They rely on email verification and rate limiting instead — which are less disruptive and equally effective at stopping spam account creation.
4. Minimal form fields
The best flows ask for 2 or fewer fields: email + password, or just email for magic links. Every additional field is friction that reduces both human and agent conversion.
5. Immediate API key access
Stripe's test keys appearing instantly on the dashboard is the gold standard for time-to-value. An agent that successfully signs up should be able to find an API key within 1–2 page navigations.
The blueprint: building an agent-ready signup flow
If you're redesigning your signup, here's the pattern that scores 25/25:
1. GET /signup → Server-rendered HTML with OAuth buttons + email field
2. User clicks "Continue with Google/GitHub" → Standard OAuth consent
3. OAuth callback → Account created, session established
4. Redirect to /dashboard → Test API key displayed prominently
5. First API call → Getting started guide with working code snippet
No CAPTCHA. No phone verification. No company size survey. No multi-step wizard. Just: authenticate → here's your key → start building.
For agents, this entire flow completes in under 10 seconds.
The competitive advantage is real
Gartner projects that 60% of enterprise workflows will involve AI agents by 2026. The AI agent market is growing at a 46% CAGR, from $7.9 billion in 2025 to $52.2 billion by 2030. This isn't theoretical future traffic — it's happening now.
When an AI agent is tasked with "find the best analytics tool and set up an account," it will try your competitors too. If Mixpanel has a clean OAuth signup and you have a 7-field form with reCAPTCHA, the agent will recommend Mixpanel. Not because it's better — because it's the one that worked.
The first 30 seconds of agent onboarding might be the most important 30 seconds in your entire growth funnel. Make them count.
Want to see how your signup flow scores? Run the free AgentGate Benchmark on your domain — it tests your signup accessibility, CAPTCHA presence, OAuth availability, and 4 other categories. Check the Leaderboard to see how you compare against 2,000+ SaaS companies.
Get Started
Ready to make your product agent-accessible?
Add a few lines of code and let AI agents discover, request access, and get real credentials — with human oversight built in.
Get started with Anon →