Signed agents policy
In order to be listed by Cloudflare as a signed agent, your agent must conform to the below requirements. To provide the best possible protection to our customers, this policy may change in the future as we adapt to new bot behaviors.
An agent must have a minimum amount of traffic for Cloudflare to be able to find it in the sampled data. The minimum traffic should have more than 1,000 requests per day across multiple domains.
Service must be made for a widespread use of zones.
A bot crawling one site is not valid.
The user-agent field is optional as it is not required for Web Bot Authentication.
However, if you choose to provide a user-agent, it and the message signature must meet the following requirements:
- Have at least five characters.
- Must not contain special characters.
- Must not include the same user-agent of another verified service.
cloudflare-browser-rendering is a valid message signature.
The purpose of the service should be benign or helpful to both the owner of a zone and the users of the service. The service cannot perform any of the following:
- Bot tooling
- Scalpers
- Credential-stuffing
- Directory-traversal scanning
- Excessive data scraping
- DDoS botnets
Price scraping direct e-commerce competitors is not a valid use case.
The agent must have a publicly documented purpose and expected behavior.
If any of the requirements to validate are breached, a service will be removed from the signed agent list.
The following are examples of breaches of policy:
- The service has vulnerabilities that have not been patched.
- The disclosed purpose of the service does not reflect on the traffic.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
