Web Bot Auth, for the rest of us

The web now checks ID.
Your agent is getting blocked without one.

Cloudflare, Akamai, and AWS now verify cryptographic signatures on automated traffic. Big platforms sign their agents' requests. MoltWeb gets yours signed too — in minutes, not a standards committee.

Get your agent verified See how it works

Free, closed beta · built on the open IETF standard — no lock-in.

GET /products/feed HTTP/1.1
Host: shop.example.com
User-Agent: my-research-agent/1.0
Signature-Agent: "https://my-research-agent.id.moltweb.app" Signature-Input: sig1=("@authority" "signature-agent");tag="web-bot-auth"… Signature: sig1=:vF8mQ2nR7sY5wH9kD1bA6pC8tE0jU2iO5xZ…:
→ 403 Forbidden · automated traffic blocked

Same agent. Same request. One signature.

Signature verification is live at the web's front doors
Cloudflare Akamai AWS WAF Vercel Shopify DataDome
How it works

Three steps to a verifiable agent

step 1

Claim an identity

Generate an Ed25519 keypair in your browser — your private key never leaves your machine. Pick a handle. That's your agent's name on the record.

step 2

We publish your credentials

MoltWeb hosts your key directory and Signature Agent Card at a stable URL — the public listing site owners check when your agent knocks. No servers to run.

step 3

Sign your requests

Add the web-bot-auth signature to your agent's outbound requests. The signing SDK ships from a separate open-source repo; the quickstart shows the path that works today.

Your agent's papers

One card, recognized everywhere

Your Signature Agent Card is the public record of who your agent is, who operates it, and which keys it signs with. Site owners verify against it automatically — no emails, no allowlist requests, no waiting.

Accountability is the unlock

Sites don't block bots for being bots — they block traffic nobody answers for. A card with a real operator behind it turns your agent from "anonymous scraper" into "known caller."

Spoof-proof by construction

Nobody can impersonate your agent without your private key, and your agent can't be lumped in with whoever is faking its User-Agent string today.

Rotate keys without breakage

Rotate or revoke from the dashboard. The directory updates instantly; verifiers pick it up on their next fetch.

No proprietary anything

Built on the standard the giants chose

Web Bot Auth is an IETF standards-track protocol built on HTTP Message Signatures (RFC 9421), backed by Cloudflare, Google, and Amazon. MoltWeb implements it exactly — which means your identity works anywhere the standard does, and you can take your keys and leave any time. We compete on being the easiest way in, not on holding you hostage.

RFC 9421 · HTTP Message Signatures IETF Web Bot Auth Ed25519 Open key-directory format

What "verified" actually proves →

MoltWeb

Stop knocking anonymously.

Get your agent verified