---
name: web-bot-auth
description: Publish an HTTP Message Signatures key directory for bot identity
---

# Web Bot Auth — HTTP Message Signatures directory

Publish a public-key directory at `/.well-known/http-message-signatures-directory` so well-behaved AI agents can sign their requests and you can verify their identity.

## Requirements

- Serve `/.well-known/http-message-signatures-directory` with HTTP 200
- Content-Type: `application/http-message-signatures-directory+json` (or `application/json`)
- Body lists JWK public keys you accept for signed bot requests
- Validate incoming `Signature` and `Signature-Input` headers per RFC 9421

## Example

```json
{
  "keys": [
    {
      "kid": "bot-key-2026",
      "kty": "EC",
      "crv": "P-256",
      "x": "...",
      "y": "...",
      "alg": "ES256",
      "use": "sig"
    }
  ]
}
```
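
A lint for the directory response before you publish it, as an added example (not code from RFC 9421 or the Web Bot Auth project): it checks the status and Content-Type from the requirements above, rejects JWKs that carry private members such as `d`, flags duplicate `kid` values, and checks that P-256 coordinates decode to 32 bytes. The names `lint_directory`, `coord_ok`, `SAMPLE_KEY` and the sample coordinate bytes are assumptions constructed for illustration; the check does not prove the point lies on the curve.

```python
import base64
import json

# Media types the requirements list accepts for the directory response.
ALLOWED_TYPES = {"application/http-message-signatures-directory+json",
                 "application/json"}
# JWK members that hold private or symmetric key material (RFC 7518).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Constructed sample key: 32 placeholder bytes per coordinate, not a real point.
SAMPLE_COORD = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
SAMPLE_KEY = {"kid": "bot-key-2026", "kty": "EC", "crv": "P-256",
              "x": SAMPLE_COORD, "y": SAMPLE_COORD, "alg": "ES256", "use": "sig"}


def coord_ok(value):
    """True if value is unpadded base64url that decodes to 32 bytes (P-256)."""
    try:
        return len(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))) == 32
    except (ValueError, TypeError):
        return False


def lint_directory(status, content_type, body):
    """Return the problems found in a directory response (empty list = clean)."""
    problems = []
    if status != 200:
        problems.append(f"status {status}, expected 200")
    if content_type.split(";")[0].strip().lower() not in ALLOWED_TYPES:
        problems.append(f"unexpected Content-Type {content_type!r}")
    try:
        keys = json.loads(body)["keys"]
    except (ValueError, KeyError, TypeError):
        keys = None
    if not isinstance(keys, list) or not all(isinstance(k, dict) for k in keys):
        return problems + ["body is not a JSON object with a 'keys' array of JWKs"]
    seen = set()
    for i, jwk in enumerate(keys):
        kid = str(jwk.get("kid", f"#{i}"))
        leaked = sorted(PRIVATE_MEMBERS.intersection(jwk))
        if leaked:
            problems.append(f"{kid}: private members published: {leaked}")
        if kid in seen:
            problems.append(f"{kid}: duplicate kid")
        seen.add(kid)
        if jwk.get("use", "sig") != "sig":
            problems.append(f"{kid}: use is not 'sig'")
        if jwk.get("kty") == "EC" and jwk.get("crv") == "P-256":
            bad = [c for c in ("x", "y") if not coord_ok(jwk.get(c))]
            problems += [f"{kid}: {c} is not a 32-byte base64url value" for c in bad]
    return problems
```

Call `lint_directory(status, content_type, body)` with the values your endpoint actually returns, for example in a deployment check. The example document above, with its `...` placeholders left in, is reported as having invalid `x` and `y` values.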

## References

- [RFC 9421 — HTTP Message Signatures](https://www.rfc-editor.org/rfc/rfc9421) (spec)
- [Cloudflare — Web Bot Auth](https://blog.cloudflare.com/web-bot-auth/) (overview)
