{
  "dataset": "protocols",
  "record": {
    "id": "web-bot-auth",
    "name": "Web Bot Auth",
    "full_name": "Web Bot Authentication (HTTP Message Signatures)",
    "layer": "identity",
    "creator": "IETF drafts, championed by Cloudflare",
    "status": "emerging",
    "year": 2025,
    "one_liner": "Cryptographically proves which agent is making a request via HTTP Message Signatures — because a User-Agent string can be forged, while a valid signature cannot be produced without the agent's private key.",
    "spec_url": "https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/",
    "snippet": "Signature-Agent: \"https://my-agent.example\"\\nSignature-Input: sig1=(\"@authority\" \"signature-agent\");keyid=\"...\"",
    "abbreviation": "Web Bot Auth",
    "also_known_as": [
      "Web Bot Authentication",
      "HTTP Message Signatures for bots",
      "Signature Agent"
    ],
    "canonical_spec_url": "https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture-02",
    "entity_uri": "https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/",
    "taxonomy_layer": "identity",
    "sub_layer": "request-signing",
    "protocol_type": "verification",
    "central_problem": "Lets a server cryptographically verify which agent is making an HTTP request, since a User-Agent string can be forged, whereas a valid Ed25519 signature cannot be produced without the agent's private key.",
    "maintainer": "IETF (draft-meunier-web-bot-auth-architecture), championed by Cloudflare",
    "governance_body": "IETF",
    "license": "IETF Trust (RFC / Internet-Draft terms)",
    "maturity_tag": "emerging",
    "current_spec_version": {
      "value": "draft-meunier-web-bot-auth-architecture-02",
      "verify_status": "verify-against-primary-at-build",
      "source_hint": "https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/",
      "note": "Draft -02 observed; confirm the latest draft revision at build (datatracker increments these)."
    },
    "spec_date": {
      "value": null,
      "verify_status": "verify-against-primary-at-build",
      "source_hint": "https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/",
      "note": "Confirm the current draft's date against datatracker at build."
    },
    "launch_date": {
      "value": "2025",
      "verify_status": "verify-against-primary-at-build",
      "source_hint": "https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/",
      "note": "Confirm first-draft date at build."
    },
    "last_verified": "2026-06-15",
    "transport": "HTTP message signatures (RFC 9421), Ed25519 keys; Signature-Agent header",
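    "core_mechanism": "Built on RFC 9421 HTTP Message Signatures with Ed25519 keys: the agent signs covered components (e.g. @authority and signature-agent) and advertises its public keys as a JWKS at /.well-known/http-message-signatures-directory; the server fetches that directory and verifies the signature to confirm the agent's identity. A valid signature shows only that the signer holds a key published by the Signature-Agent origin, so the server must still decide whether it trusts that origin, and should check the signature's created/expires parameters to limit replay of a captured signature.",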
    "discovery_endpoint": "/.well-known/http-message-signatures-directory (JWKS) + Signature-Agent header",
    "settlement_type": null,
    "adoption_metric": {
      "value": null,
      "verify_status": "verify-against-primary-at-build",
      "source_hint": "https://radar.cloudflare.com/",
      "note": "Adoption/verified-bot counts not asserted from internal docs; confirm against Cloudflare Radar / operator data at build."
    },
    "notable_adopters": [
      {
        "value": "Cloudflare (champion + reference implementation)",
        "source": "https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/"
      }
    ],
    "relationships": [
      {
        "predicate": "verifies",
        "target": "x402",
        "note": "Web Bot Auth can verify the agent identity behind a paid request."
      },
      {
        "predicate": "verifies",
        "target": "rsl",
        "note": "Web Bot Auth -verifies-> pay-per-crawl-class enforcement (research §2 seed triple: 'Web Bot Auth verifies pay-per-crawl'); RSL/pay-per-crawl licensing relies on knowing which agent is real."
      }
    ],
    "ideal_use_case": "Letting a site trust that a request claiming to be ClaudeBot/GPTBot really is that agent before granting access or charging it.",
    "when_to_use": "When you must verify agent identity for access control, licensing enforcement, or paid crawling — not just read a forgeable User-Agent string.",
    "when_not_to_use": "When you only need to declare content to agents (Layer-1 discovery) and don't gate or charge access by identity.",
    "code_example": "Signature-Agent: \"https://my-agent.example\"\nSignature-Input: sig1=(\"@authority\" \"signature-agent\");keyid=\"...\";alg=\"ed25519\"\nSignature: sig1=:<base64 ed25519 signature>:",
    "source": "RFC 9421 + Ed25519 + Signature-Agent header + /.well-known/http-message-signatures-directory: https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture-02 ; Cloudflare reference: https://http-message-signatures-example.research.cloudflare.com/ ; research §1.",
    "agent_readiness_link": "agent-readiness/web-bot-auth"
  }
}