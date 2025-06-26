Web Bot Auth
Web Bot Auth is an authentication method that leverages cryptographic signatures in HTTP messages to verify that a request comes from an automated bot.
It relies on two active IETF drafts: a directory draft ↗ allowing the crawler to share their public keys, and a protocol draft ↗ defining how these keys should be used to attach crawler's identity to HTTP requests.
This documentation goes over specific integration within Cloudflare.
You need to generate a signing key which will be used to authenticate your bot's requests.
-
Generate a unique Ed25519 ↗ private key to sign your requests. This example uses the OpenSSL ↗
genpkeycommand:
-
Extract your public key.
-
Convert the public key to JSON Web Key (JWK) using a tool of your choice. This example uses
jwker↗ command line application.
By following these steps, you have generated a private key and a public key, then converted the public key to a JWK.
You need to host a key directory which creates a way for your bot to authenticate its requests to Cloudflare. This directory should follow the definition from the active IETF draft draft-meunier-http-message-signatures-directory-01 ↗.
-
Host a key directory at
/.well-known/http-message-signatures-directory(note that this is a requirement). This key directory should serve a JSON Web Key Set (JWKS) including the public key derived from your signing key.
-
Serve the web page over HTTPS (not HTTP).
-
Calculate the base64 URL-encoded JWK thumbprint ↗ associated with your Ed25519 public key.
-
Sign your HTTP response using the HTTP message signature specification by attaching one signature per key in your key directory. This ensures no one else can mirror your directory and attempt to register on your behalf. Your response must include the following headers:
Content-Type: This header must have the value
application/http-message-signatures-directory+json.
Signature: Construct a
Signatureheader ↗ over your chosen components.
Signature-Input: Construct a
Signature-Inputheader ↗ over your chosen components. The header must meet the following requirements.
Required component parameter Requirement
tag
This should be equal to
http-message-signatures-directory.
keyid
JWK thumbprint of the corresponding key in your directory.
created
This should be equal to a
Unixtimestamp associated with when the message was sent by your application.
expires
This should be equal to a
Unixtimestamp associated with when Cloudflare should no longer attempt to verify the message.
The following example shows the annotated request and response with required headers against
https://example.com.
-
You can use the Cloudflare-developed
http-signature-directory CLI tool ↗ to assist you in validating your directory.
You need to register your bot and its key directory to add your bot to the list of verified bots.
- Log in to the Cloudflare dashboard ↗, and select your account and domain.
- Go to Manage Account > Configurations.
- Go to the Verified Bots tab.
- For Verification Method: select Request Signature.
- For Validation Instructions: enter the URL of your key directory. You can additionally supply User Agents values (and their match patterns) that will be sent by your bot.
- Select Submit.
Cloudflare accepts all valid Ed25519 keys found in your key directory. In the event a key already exists in Cloudflare's registered database, Cloudflare will work with you to supply a new key, or rotate your existing key.
After your bot has been successfully verified, your bot is ready to sign its requests. The signature protocol is defined in draft-meunier-web-bot-auth-architecture-02 ↗
Choose a set of components to sign.
A component is either an HTTP header, or any derived components ↗ in the HTTP Message Signatures specification. Cloudflare recommends the following:
- Choose at least the
@authorityderived component, which represents the domain you are sending requests to. For example, a request to
https://example.comwill be interpreted to have an
@authorityof
example.com.
- Use components that only contain ASCII values. HTTP Message Signature specification disallows non-ASCII characters, which will result in failure to validate your bot's requests.
Calculate the base64 URL-encoded JWK thumbprint ↗ from the public key you registered with Cloudflare.
Construct the three required headers for Web Bot Auth.
Construct a
Signature-Input header ↗ over your chosen components. The header must meet the following requirements.
|Required component parameter
|Requirement
tag
|This should be equal to
web-bot-auth.
keyid
|This should be equal to the thumbprint computed in step 2.
created
|This should be equal to a
Unix timestamp associated with when the message was sent by your application.
expires
|This should be equal to a
Unix timestamp associated with when Cloudflare should no longer attempt to verify the message. A short
expires reduces the likelihood of replay attacks, and Cloudflare recommends choosing suitable short-lived intervals.
Construct a
Signature header ↗ over your chosen components.
Construct a
Signature-Agent header ↗ that points to your key directory. Note that Cloudflare will fail to verify a message if:
- The message includes a
Signature-Agentheader that is not an
https://.
- The message includes a valid URI but does not enclose it in double quotes. This is due to Signature-Agent being a structured field.
- The message has a valid
Signature-Agentheader, but does not include it in the component list in
Signature-Input.
Attach these three headers to your bot's requests.
An example request may look like this:
You may wish to refer to the following resources.
- Cloudflare blog: Forget IPs: using cryptography to verify bot and agent traffic ↗.
- Cloudflare's
web-bot-authlibrary in Rust ↗.
- Cloudflare's
web-bot-authnpm package in Typescript ↗.
