Web Bot Auth lets AI agents prove their identity cryptographically on every request
A new authentication mechanism called Web Bot Auth, developed through the IETF and already deployed by Cloudflare, allows AI agents to cryptographically sign each web request using a private key, with the corresponding public key published at a standardized URL. Receiving servers or Cloudflare's edge infrastructure can then verify the signature, confirming the agent's identity without relying on easily spoofed user-agent strings or unstable IP ranges. Cloudflare launched its signed agent program in August 2025, initially registering ChatGPT agent, Goose, Browserbase, and Anchor Browser in a publicly accessible directory on Cloudflare Radar. Anthropic's Claude is not yet registered in the directory, meaning sites using Cloudflare's Block AI Bots rule can currently block Claude entirely, forcing operators to add manual exceptions. Once Claude receives a verified entry, websites will be able to grant or restrict agent access based on confirmed identity rather than unverifiable claims.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in