{
  "dataset": "glossary",
  "record": {
    "id": "web-bot-auth",
    "term": "Web Bot Auth",
    "category": "identity",
    "short_def": "Cryptographically verifying which agent is making a request using HTTP Message Signatures (RFC 9421), since user-agent strings are spoofable.",
    "long_def": "An agent signs its requests with an Ed25519 key tied to a published identity (a JWKS directory at /.well-known/http-message-signatures-directory, advertised via the Signature-Agent header); the server verifies the signature per RFC 9421. This lets sites distinguish a genuine ClaudeBot or GPTBot from an impostor, and is the foundation for agent-aware rate limits and paid access.",
    "see_also": [
      "agent-identity",
      "prompt-injection",
      "x402"
    ],
    "etymology_origin": "An IETF effort building on RFC 9421 'HTTP Message Signatures' (February 2024); the Web Bot Auth scheme and the HTTP Message Signatures Directory are active IETF Internet-Drafts, with Cloudflare publishing the reference write-up.",
    "related_to": [
      "agent-identity",
      "prompt-injection",
      "x402",
      "ai-crawler",
      "robots-txt"
    ],
    "contrast_with": "Unlike user-agent strings or IP-range checks, which are spoofable or brittle, Web Bot Auth proves identity cryptographically with an Ed25519 signature over the request (RFC 9421).",
    "example": "OpenAI signs all Operator requests with HTTP Message Signatures so site owners can cryptographically verify they genuinely originate from Operator, per Cloudflare's Web Bot Auth write-up.",
    "source": "https://blog.cloudflare.com/web-bot-auth/",
    "status": "emerging",
    "why_it_matters": "Web Bot Auth is the foundation for trusting an agent's identity — the precondition for agent-aware rate limits, pay-per-crawl and verified-agent certification.",
    "sameAs": [],
    "bridge_entity": "protocols/identity/web-bot-auth",
    "last_verified": "2026-06-15",
    "md_twin": "/glossary/web-bot-auth.md"
  }
}