# Web Bot Auth

> Cryptographically verifying which agent is making a request using HTTP Message Signatures (RFC 9421), since user-agent strings are spoofable.

_The Agentic Web Lexicon · /glossary/web-bot-auth · [JSON](/api/glossary/web-bot-auth) · [all The Agentic Web Lexicon](/glossary)_

- **term:** Web Bot Auth
- **category:** identity
- **short_def:** Cryptographically verifying which agent is making a request using HTTP Message Signatures (RFC 9421), since user-agent strings are spoofable.
- **long_def:** An agent signs its requests with an Ed25519 key tied to a published identity (a JWKS directory at /.well-known/http-message-signatures-directory, advertised via the Signature-Agent header); the server verifies the signature per RFC 9421. This lets sites distinguish a genuine ClaudeBot or GPTBot from an impostor, and is the foundation for agent-aware rate limits and paid access.
- **see_also:** agent-identity, prompt-injection, x402
- **etymology_origin:** An IETF effort building on RFC 9421 'HTTP Message Signatures' (February 2024); the Web Bot Auth scheme and the HTTP Message Signatures Directory are active IETF Internet-Drafts, with Cloudflare publishing the reference write-up.
- **related_to:** agent-identity, prompt-injection, x402, ai-crawler, robots-txt
- **contrast_with:** Unlike user-agent strings or IP-range checks, which are spoofable or brittle, Web Bot Auth proves identity cryptographically with an Ed25519 signature over the request (RFC 9421).
- **example:** OpenAI signs all Operator requests with HTTP Message Signatures so site owners can cryptographically verify they genuinely originate from Operator, per Cloudflare's Web Bot Auth write-up.
- **source:** https://blog.cloudflare.com/web-bot-auth/
- **status:** emerging
- **why_it_matters:** Web Bot Auth is the foundation for trusting an agent's identity — the precondition for agent-aware rate limits, pay-per-crawl and verified-agent certification.
- **sameAs:** —
- **bridge_entity:** protocols/identity/web-bot-auth
- **last_verified:** 2026-06-15
- **md_twin:** /glossary/web-bot-auth.md