Web Bot Auth is a method by which automated clients like AI agents and crawlers identify themselves cryptographically to a website — based on signed HTTP messages (HTTP Message Signatures, RFC 9421). Instead of recognizing bots only via easily forged user agents or IP lists, a site can selectively allow verified, legitimate agents and block unwanted or malicious bots.
Classic bot detection relies on user-agent strings and IP ranges — both are forgeable. With the rise of many AI agents, a reliable way to tell good from bad bots is needed.
And ideally without bothering real users with captchas and click puzzles.
The agent signs its request with a private key; its public key is discoverable via a known directory. The website verifies the signature and then knows for sure which agent is asking.
That's identity instead of guesswork: no more inferring from the user agent, but cryptographically proving who is knocking.
Whoever lets legitimate AI agents in on a good path and blocks abuse is accessible in the agent web without sacrificing security.
That is the basis for taking part in agentic commerce and AI traffic while limiting bot abuse — instead of blanket-blocking all automation.
Web Bot Auth builds on established IETF standards for HTTP Message Signatures (RFC 9421) and is driven by several infrastructure providers. Adoption is growing but still early.
For verified agents yes — they don't need to pass a human test. For unknown clients some protection remains necessary; ideal is a combination of verification and invisible protection.
You can selectively allow good agents that use your content for AI answers and block malicious bots — without hindering real visitors.