Web Bot Auth
Cryptographically verifying which agent is making a request using HTTP Message Signatures (RFC 9421), since user-agent strings are spoofable.
- term
- Web Bot Auth
- category
- identity
- short_def
- Cryptographically verifying which agent is making a request using HTTP Message Signatures (RFC 9421), since user-agent strings are spoofable.
- long_def
- An agent signs its requests with an Ed25519 key tied to a published identity (a JWKS directory at /.well-known/http-message-signatures-directory, advertised via the Signature-Agent header); the server verifies the signature per RFC 9421. This lets sites distinguish a genuine ClaudeBot or GPTBot from an impostor, and is the foundation for agent-aware rate limits and paid access.
- see_also
- agent-identity, prompt-injection, x402
- etymology_origin
- An IETF effort building on RFC 9421 'HTTP Message Signatures' (February 2024); the Web Bot Auth scheme and the HTTP Message Signatures Directory are active IETF Internet-Drafts, with Cloudflare publishing the reference write-up.
- related_to
- agent-identity, prompt-injection, x402, ai-crawler, robots-txt
- contrast_with
- Unlike user-agent strings or IP-range checks, which are spoofable or brittle, Web Bot Auth proves identity cryptographically with an Ed25519 signature over the request (RFC 9421).
- example
- OpenAI signs all Operator requests with HTTP Message Signatures so site owners can cryptographically verify they genuinely originate from Operator, per Cloudflare's Web Bot Auth write-up.
- source
- https://blog.cloudflare.com/web-bot-auth/
- status
- emerging
- why_it_matters
- Web Bot Auth is the foundation for trusting an agent's identity — the precondition for agent-aware rate limits, pay-per-crawl and verified-agent certification.
- bridge_entity
- protocols/identity/web-bot-auth
- last_verified
- 2026-06-15