Loading...
Web Bot Auth (Signed Agents)(WBA)
An emerging IETF-draft standard (Cloudflare and Google) that lets an agent cryptographically prove its identity to a website using RFC 9421 HTTP Message Signatures. The agent signs each outbound request with an Ed25519 key, publishes its public keys as a JWKS key directory at /.well-known/http-message-signatures-directory, and points to it with a Signature-Agent header; the origin fetches the directory, verifies the signature, and decides whether to allow, deny, rate-limit, or price the traffic. It replaces brittle IP-range and User-Agent allowlists, and Cloudflare's Signed Agents productizes it at the edge. Distinct from authenticated-delegation: that proves user-to-agent authority, whereas Web Bot Auth is the inverse, an agent proving its origin to a website.
Loading technique guideβ¦
Web Bot Auth (Signed Agents)(WBA)
An emerging IETF-draft standard (Cloudflare and Google) that lets an agent cryptographically prove its identity to a website using RFC 9421 HTTP Message Signatures. The agent signs each outbound request with an Ed25519 key, publishes its public keys as a JWKS key directory at /.well-known/http-message-signatures-directory, and points to it with a Signature-Agent header; the origin fetches the directory, verifies the signature, and decides whether to allow, deny, rate-limit, or price the traffic. It replaces brittle IP-range and User-Agent allowlists, and Cloudflare's Signed Agents productizes it at the edge. Distinct from authenticated-delegation: that proves user-to-agent authority, whereas Web Bot Auth is the inverse, an agent proving its origin to a website.
Loading technique guideβ¦