# Web Bot Auth

> Cryptographically proves which agent is making a request via HTTP Message Signatures — because a User-Agent string can be forged and a signature cannot.

_The Agent Protocol Atlas · /protocols/web-bot-auth · [JSON](/api/protocols/web-bot-auth) · [all The Agent Protocol Atlas](/protocols)_

- **name:** Web Bot Auth
- **full_name:** Web Bot Authentication (HTTP Message Signatures)
- **layer:** identity
- **creator:** IETF drafts, championed by Cloudflare
- **status:** emerging
- **year:** 2025
- **one_liner:** Cryptographically proves which agent is making a request via HTTP Message Signatures — because a User-Agent string can be forged and a signature cannot.
- **spec_url:** https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/
- **snippet:**

```
Signature-Agent: "https://my-agent.example"
Signature-Input: sig1=("@authority" "signature-agent");keyid="..."
```
- **abbreviation:** Web Bot Auth
- **also_known_as:** Web Bot Authentication, HTTP Message Signatures for bots, Signature Agent
- **canonical_spec_url:** https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture-02
- **entity_uri:** https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/
- **taxonomy_layer:** identity
- **sub_layer:** request-signing
- **protocol_type:** verification
- **central_problem:** Lets a server cryptographically verify which agent is making an HTTP request, since a User-Agent string can be forged and an Ed25519 signature cannot.
- **maintainer:** IETF (draft-meunier-web-bot-auth-architecture), championed by Cloudflare
- **governance_body:** IETF
- **license:** IETF Trust (RFC / Internet-Draft terms)
- **maturity_tag:** emerging
- **current_spec_version:** draft-meunier-web-bot-auth-architecture-02
- **spec_date:** — (verify-against-primary-at-build)
- **launch_date:** 2025
- **last_verified:** 2026-06-15
- **transport:** HTTP message signatures (RFC 9421), Ed25519 keys; Signature-Agent header
- **core_mechanism:** Built on RFC 9421 HTTP Message Signatures with Ed25519 keys: the agent signs covered components (e.g. @authority and signature-agent) and advertises its public keys as a JWKS at /.well-known/http-message-signatures-directory; the server fetches that directory and verifies the signature to confirm the agent's identity.
- **discovery_endpoint:** /.well-known/http-message-signatures-directory (JWKS) + Signature-Agent header
- **settlement_type:** —
- **adoption_metric:** — (verify-against-primary-at-build)
- **notable_adopters:** Cloudflare (champion + reference implementation); source: https://datatracker.ietf.org/doc/draft-meunier-web-bot-auth-architecture/
- **relationships:**
  - verifies → x402: Web Bot Auth can verify the agent identity behind a paid request.
  - verifies → rsl: Web Bot Auth -verifies-> pay-per-crawl-class enforcement (research §2 seed triple: 'Web Bot Auth verifies pay-per-crawl'); RSL/pay-per-crawl licensing relies on knowing which agent is real.
- **ideal_use_case:** Letting a site trust that a request claiming to be ClaudeBot/GPTBot really is that agent before granting access or charging it.
- **when_to_use:** When you must verify agent identity for access control, licensing enforcement, or paid crawling — not just read a forgeable User-Agent string.
- **when_not_to_use:** When you only need to declare content to agents (Layer-1 discovery) and don't gate or charge access by identity.
- **code_example:**

```
Signature-Agent: "https://my-agent.example"
Signature-Input: sig1=("@authority" "signature-agent");keyid="...";alg="ed25519"
Signature: sig1=:<base64 ed25519 signature>:
```
- **source:** RFC 9421 + Ed25519 + Signature-Agent header + /.well-known/http-message-signatures-directory: https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture-02 ; Cloudflare reference: https://http-message-signatures-example.research.cloudflare.com/ ; research §1.
- **agent_readiness_link:** agent-readiness/web-bot-auth
