Web Bot Auth
charter-ietf-webbotauth-01
| Field | Value |
|---|---|
| Document | Charter |
| Working Group | Web Bot Auth WG (webbotauth) |
| Title | Web Bot Auth |
| Last updated | 2025-10-23 |
| State | Approved |
| WG state | Active |
| IESG Responsible AD | Mike Bishop |
| Charter edit AD | Mike Bishop |
| Send notices to | (None) |
Automated clients (colloquially, ‘bots’) are increasingly used on the Web. These clients may want to securely authenticate themselves as belonging to a specific entity (a company or developer) or as being part of a specific product (an AI bot, a search engine) for various reasons:
- Origins wish to manage their resources and access control
- Both bots and origins seek protection against impersonation and reputation damage
- Origins may wish to differentiate service levels between automated and non-automated traffic
Current solutions (such as IP allowlisting, User-Agent strings, and shared API keys) have significant limitations regarding security, scalability, and manageability.
The Web Bot Authentication (webbotauth) Working Group will standardize methods for cryptographically authenticating automated clients and providing additional information about their operators to Web sites. Its products are intended for use by sites that primarily serve human users.
Scope
In-scope use cases include cryptographically authenticating access to Web sites for:
- Crawlers for search indices
- Web archivers
- Tools such as link checkers and validators
- Crawlers for AI training
- AI agents retrieving or interacting with content on behalf of end users
The following use cases are out of scope for this work:
- Authenticating access to content not intended for human consumption (e.g., HTTP APIs, agent-to-agent interfaces)
- Authenticating the end user of a participating client or agent
- Authentication for application protocols other than HTTP
- Non-cryptographic authentication
- Defining a vocabulary for the intents of bots
- Tracking or assigning reputation to particular bots
- Techniques for distinguishing non-participating bots from non-bot clients
There is significant industry work on "agents," where an automated client makes requests on an end user's behalf. This effort will focus on authentication of the agent; authentication of the end user is out of scope.
Deliverables
The Working Group will deliver:
- Standards track document(s) describing technique(s) for authenticating automated clients to Web sites intended for humans.
- Standards track document(s) describing a mechanism to convey more information about a requesting bot using an existing widely-used identifier (such as a domain name, hostname, or URL).
- Best current practice and/or Informational document(s) describing operational considerations such as lifecycle management, key management, deployment considerations, etc. It will also address impacts on the openness of the web.
The new authentication methods produced by this working group can add burden to bot clients and web sites. The working group will consider this additional burden, taking care to avoid architectural bottlenecks.
Liaison
The Working Group is expected to liaise with the AIPREF, HTTPBIS, OAUTH, TLS, and WIMSE Working Groups as appropriate on any relevant documents.