←back to thread

Web Bot Auth

(developers.cloudflare.com)
82 points ananddtyagi | 1 comments | 28 Aug 25 18:35 UTC | HN request time: 0.309s | source
Show context
bobbiechen ◴[28 Aug 25 20:30 UTC] No.45056701[source]
I disagree with the other top-level comments at the moment: I believe Web Bot Auth is a useful and non-centralized emerging standard for self-identifying bots and agents.

This press release today is a better statement of _why_ this feature exists (as opposed to the submission link, which is nuts-and-bolts of implementing): https://blog.cloudflare.com/signed-agents/

Web Bot Auth is a way for bots to self-identify cryptographically. Unlike the user agent header (which is trivially spoofed) or known IPs (painful to manage), Web Bot Auth uses HTTP Message Signatures using the bot's key, which should be published at some well-known location.

This is a good thing! We want bots to be able to self-identify in a way that can't be impersonated. This gives website operators the power to allow or deny well-behaved bots with precision. It doesn't change anything about bots who try to hide their identity, who are not going to self-identify anyways.

It's worth reading the proposal on the details: https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-... . Nothing about this is limited to Cloudflare.

I'm also working on support for Web Bot Auth for our Agent Identification project at Stytch https://www.isagent.dev . Well-behaved bots benefit from this self-identification because it enables a better Agent Experience: https://stytch.com/blog/introducing-is-agent/

replies(6): >>45056742 #>>45057086 #>>45060053 #>>45061067 #>>45062265 #>>45062681 #
binarymax ◴[28 Aug 25 20:34 UTC] No.45056742[source]
I agree in principle, but I disagree that it should be designed and mandated by a private gatekeeper
replies(2): >>45057629 #>>45057766 #
jrochkind1 ◴[28 Aug 25 22:30 UTC] No.45057766[source]
What's now at the top has links to IETF drafts in the first paragraph. What am I missing?

A way to authenticate identity for crawlers so I can allow-list ones I want to get in, exempt them from turnstile/captcha, etc -- is something I need.

I'm not following what makes this controversial. Cryptographic verification of identity for web requests, sounds right.

replies(1): >>45057952 #
binarymax ◴[28 Aug 25 22:54 UTC] No.45057952[source]
I think about failure modes. What happens if cloudflare decides you are a bot and you’re not. What recourse do you have? What are the formal mechanisms to ensure a person is not blocked from the majority of the web because cloudflare is a middleman and you are a false positive?
replies(3): >>45061858 #>>45061868 #>>45064189 #
1. delroth ◴[29 Aug 25 09:10 UTC] No.45061868[source]
Don't use a user agent that sends signed headers identifying you as a bot? How are any of the failure modes you mention not /improved/ by the spec proposal this comment section is about?