We are building open source tooling around the Web Bot Auth IETF draft, built on RFC 9421 HTTP Message Signatures (the standard Cloudflare and others are pushing).
This week we shipped the following packages for website operators that verify signed HTTP requests so crawler and agent traffic can be tied to a private/public keypair. Once you can verify identity, you can do allowlists, rate limits, analytics, and policy enforcement at the origin or edge.
- Node verifier middleware: @openbotauth/verifier-client (Express and Next.js style)
- Python verifier: openbotauth-verifier (FastAPI and Flask)
- Zero code reverse proxy: @openbotauth/proxy
- Registry signer utilities: @openbotauth/registry-signer (Ed25519 + JWKS)
- Test crawler and key generation: @openbotauth/bot-cli
- WordPress plugin (pending WP.org review if you run WP)
Links:
- NPM org: https://www.npmjs.com/org/openbotauth
- PyPI: https://pypi.org/project/openbotauth-verifier/
We would love feedback on the threat model, replay protection approach, or how to build sub-agent identities using X.509 certs.
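For readers new to RFC 9421, here is an added sketch of what a verifier has to check, written with Node's built-in crypto; it is not part of the post and not code from the OpenBotAuth packages. It assumes the Signature-Input header is already parsed into `components` and `meta`, that only `@authority` is covered, and that replay is handled with a `nonce` cache; `signRequest`, `verifyRequest` and all sample values are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");
// Serialize covered components + parameters as they appear in Signature-Input.
function signatureParams(components, m) {
  const list = components.map((c) => `"${c}"`).join(" ");
  return `(${list});created=${m.created};expires=${m.expires};keyid="${m.keyid}";nonce="${m.nonce}"`;
}

// RFC 9421 signature base: one line per covered component, then @signature-params.
function signatureBase(req) {
  const lines = req.components.map((c) => {
    const value = c === "@authority" ? req.authority : req.headers[c];
    if (value === undefined) throw new Error(`missing covered component ${c}`);
    return `"${c}": ${value}`;
  });
  lines.push(`"@signature-params": ${signatureParams(req.components, req.meta)}`);
  return Buffer.from(lines.join("\n"));
}

// Bot side (hypothetical helper): sign a request that covers only @authority.
function signRequest(authority, privateKey, meta) {
  const req = { authority, headers: {}, components: ["@authority"], meta };
  req.signature = nodeCrypto.sign(null, signatureBase(req), privateKey);
  return req;
}
const seenNonces = new Set(); // in-memory replay cache; evict after `expires` in real use
// Origin side: check the freshness window, then replay, then the Ed25519 signature.
function verifyRequest(req, publicKey, now) {
  const { meta } = req;
  if (now < meta.created || now >= meta.expires) return "stale";
  const replayKey = `${meta.keyid}:${meta.nonce}`;
  if (seenNonces.has(replayKey)) return "replay";
  if (!nodeCrypto.verify(null, signatureBase(req), publicKey, req.signature)) return "bad-signature";
  seenNonces.add(replayKey); // record only nonces that arrived under a valid signature
  return "ok";
}
// Constructed sample values: throwaway key, fixed timestamps, example.com authority.
function demo() {
  seenNonces.clear();
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const meta = { created: 1700000000, expires: 1700000300, keyid: "constructed-key-1", nonce: "n-1" };
  const req = signRequest("example.com", privateKey, meta);
  const first = verifyRequest(req, publicKey, 1700000010);
  const replayed = verifyRequest(req, publicKey, 1700000020);
  const fresh = signRequest("example.com", privateKey, { ...meta, nonce: "n-2" });
  const tampered = verifyRequest({ ...fresh, authority: "other.example" }, publicKey, 1700000010);
  const late = verifyRequest(fresh, publicKey, 1700000300);
  return { first, replayed, tampered, late };
}
console.log(demo());
```

Because the nonce is part of `@signature-params`, it is covered by the signature, so a captured request cannot be replayed under a different nonce without the private key.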