# Access Control — Letting the Right Agents In

> The agent-readiness dimension that lets the right agents in and verifies them — Web Bot Auth, robots-for-AI, opt-out tokens and pay-per-crawl signals.

## What the access control dimension means

Access control is the agent-readiness dimension that decides which agents may use your site and proves who is actually visiting. Discovery and content make you readable; access control makes you governable. It covers two jobs: verifying that a request claiming to be a known agent really is one, and declaring your policy and terms for automated access — from a plain allow/deny to a licensed, paid arrangement. This dimension bridges into access economics, where the same signals decide whether you welcome, block or charge AI traffic.

## Signals and standards it covers

- **Web Bot Auth** — verifying visiting agents by checking their Ed25519-signed requests under RFC 9421 and publishing your own key directory, so a bot's identity is cryptographic rather than a spoofable user-agent string.
- **robots.txt for AI** — directives that allow or disallow specific AI crawlers and agents by name.
- **Opt-out and content-signal tokens** — machine-readable signals that state how your content may be used (for example for training), so an agent can honor your preference.
- **Pay-per-crawl and RSL** — licensing signals that move access from free/blocked to a metered, paid arrangement.

Verify the cryptographic facts (RFC 9421, Ed25519, the `Signature-Agent` header) against the primary IETF and Cloudflare sources at build time, never against an internal note.

## How the Agent-Readiness Audit scores it

The Audit scores access control on whether your verification and policy signals are present and well-formed. The anchor check is `access_control.web_bot_auth`: it passes when you publish a valid key directory and your verification path accepts a correctly signed request under RFC 9421. Companion checks confirm a robots policy that names AI agents explicitly, and the presence of any opt-out, content-signal or pay-per-crawl declaration you intend to enforce. Because verification is cryptographic, the pass criterion is unambiguous: a signature validates against your published key or it does not.
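The verification named in the Web Bot Auth bullet and in the `access_control.web_bot_auth` pass criterion, as an added Node.js example (not code from this page, the Audit, or any Web Bot Auth library). Assumptions: an in-memory `Map` stands in for the published key directory, the `Signature-Input` field is parsed with narrow regexes rather than a full Structured Fields parser, and every host name, key id and timestamp is constructed.

```javascript
// Added example (not the page's or any project's code): verify an Ed25519
// HTTP Message Signature (RFC 9421) the way a Web Bot Auth check would.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

// RFC 9421 signature base: one line per covered component, then @signature-params.
function signatureBase(components, params, req) {
  const lines = components.map((name) => {
    const value = name === "@authority" ? req.authority : req.headers[name];
    if (value === undefined) throw new Error(`missing component ${name}`);
    return `"${name}": ${value}`;
  });
  return Buffer.from([...lines, `"@signature-params": ${params}`].join("\n"));
}

// keyDirectory (hypothetical): Map of keyid -> public KeyObject, standing in
// for the bot operator's published key directory. `now` is Unix seconds.
function verifyBotRequest(req, keyDirectory, now) {
  const fail = (reason) => ({ ok: false, reason });
  const m = /^(\w+)=(\(([^)]*)\).*)$/.exec(req.headers["signature-input"] || "");
  if (!m) return fail("no signature-input");
  const [, label, params, inner] = m;
  const sig = new RegExp(`^${label}=:([A-Za-z0-9+/=]+):$`).exec(req.headers["signature"] || "");
  if (!sig) return fail("no signature");
  const components = [...inner.matchAll(/"([^"]+)"/g)].map((c) => c[1]);
  if (!components.includes("@authority")) return fail("authority not covered");
  const expires = Number((/;expires=(\d+)/.exec(params) || [])[1]);
  if (!(expires > now)) return fail("expired or missing expires");
  const key = keyDirectory.get((/;keyid="([^"]+)"/.exec(params) || [])[1]);
  if (!key) return fail("unknown keyid");
  let base;
  try { base = signatureBase(components, params, req); } catch (e) { return fail(e.message); }
  const valid = verify(null, base, key, Buffer.from(sig[1], "base64"));
  return valid ? { ok: true, reason: "verified" } : fail("bad signature");
}

// Constructed sample: sign a request for `authority` with made-up values.
function signSample(privateKey, authority, created) {
  const req = { authority, headers: { "signature-agent": '"https://bot.example"' } };
  const params = `("@authority" "signature-agent");created=${created}` +
    `;expires=${created + 300};keyid="sample-key-1";alg="ed25519";tag="web-bot-auth"`;
  const sig = sign(null, signatureBase(["@authority", "signature-agent"], params, req), privateKey);
  req.headers["signature-input"] = `sig1=${params}`;
  req.headers["signature"] = `sig1=:${sig.toString("base64")}:`;
  return req;
}
const sampleKeys = generateKeyPairSync("ed25519"); // constructed key pair
const sampleDirectory = new Map([["sample-key-1", sampleKeys.publicKey]]);
```

Because `@authority` is a covered component, signed headers captured from one host fail verification when presented to another, and a request carrying only a user-agent string never reaches the signature check.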

Related: [the Web Bot Auth spec](/protocols/identity/web-bot-auth) · [pay-per-crawl licensing](/protocols/licensing/pay-per-crawl) · [implement Web Bot Auth](/agent-readiness/web-bot-auth) · [verify crawlers](/crawlers/verification) · [pay, block or welcome AI](/access-economics) · [audit your site](/services)

