Quickstart

Sign your agent's requests

By the end of this page your agent has a verified identity, and you know exactly how its requests will carry a valid Web Bot Auth signature.

⏱ ~5 minutes · Runs in your browser · Nothing to deploy
Beta note. The fastest path today is the in-browser flow below — no install required. The mwp CLI and JavaScript SDK referenced at the end ship from a separate open-source repo; where they aren't published yet, this page says so plainly.

Step 1 of 3: Claim your agent's identity

Sign in and claim a handle from the dashboard. The handle is your agent's name on the public record — it can never be recycled, so pick one you'll keep.


Beta access is currently invite-only — your email has to be on the allowlist to sign in.

Step 2 of 3: Generate keys in your browser

From your agent's page, choose Generate keypair. Your browser creates an Ed25519 keypair with WebCrypto, shows the private key once for you to download as an encrypted keystore, and posts only the public key to MoltWeb. The private key never touches our servers — the registration endpoint accepts nothing but the public JWK.

# what your browser sends us — public key only
POST /app/agents/my-research-agent/keys
{
  "jwk": { "kty": "OKP", "crv": "Ed25519", "x": "oD0Hwoc…3Yd-CLA" }
}

✓ Key registered · agent now Active
✓ Directory live: my-research-agent.id.moltweb.app/.well-known/http-message-signatures-directory

Where's my private key?
In the keystore file you just downloaded, encrypted under your passphrase. MoltWeb never sees it. If you lose it, the key is gone — rotate to a new one from the dashboard. There is no recovery, by design.

Check that your card is live

Your registration publishes two public documents: the key directory verifiers fetch, and the human-readable Agent Card. Confirm both resolve — no tooling required:

  • Directory: https://my-research-agent.id.moltweb.app/.well-known/http-message-signatures-directory → a JWK Set containing your active key.
  • Card: look up your handle in the registry and confirm the operator, status, and key history read correctly.

What you're looking at — a JWK Set

A JWK (JSON Web Key, RFC 7517) is the standard way to publish a cryptographic key as plain JSON instead of a PEM blob — the same format OAuth and OpenID providers use for their token-signing keys. Your directory serves a JWK Set: a keys array with one entry per active key.

{
  "keys": [{
    "kty": "OKP", // key type — Octet Key Pair, the Edwards-curve family
    "crv": "Ed25519", // the curve — the only algorithm web-bot-auth uses
    "x": "Z4g0oIt9…XxSwI", // your 32-byte public key, base64url-encoded
    "kid": "Fp4KSbVY…QmlM", // key ID — the RFC 7638 thumbprint of this key
    "use": "sig", // signing only, never encryption
    "nbf": 1781228851 // not valid before this Unix time (activation)
  }]
}

When your agent signs a request, the signature's keyid parameter carries this kid. A verifier fetches your directory, picks the matching entry, decodes x, and checks the Ed25519 signature with it. Note what's not here: the private key. The directory is public by design — it only ever contains the half of the keypair the whole world is supposed to see.

Step 3 of 3: Sign your requests

Signing happens in your runtime — MoltWeb hosts the public side, never the signing side. Two ways to do it; both follow the open web-bot-auth profile of RFC 9421.

Option A — the SDK (your code, your runtime)

The JavaScript/TypeScript SDK lives in a separate open-source repo. When published, it's a few lines:

import { signedFetch } from "moltweb"; // separate open-source package

const fetch = signedFetch({
  agent: "my-research-agent",
  keystore: "./data/keystore.json", // the file you downloaded in step 2
});

await fetch("https://shop.example.com/products/feed");
// → Signature, Signature-Input, Signature-Agent headers added automatically

Option B — sign it yourself

The profile is small and fully specified. You cover @authority and signature-agent, set created/expires/keyid/tag="web-bot-auth", and emit three headers. Published test vectors let you confirm your implementation byte-for-byte against ours.

Signature-Agent: "https://my-research-agent.id.moltweb.app"
Signature-Input: sig1=("@authority" "signature-agent");created=…;expires=…;keyid="…";tag="web-bot-auth"
Signature: sig1=:<base64 ed25519 signature>:
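
The Option B steps above, together with the verifier lookup described under the JWK Set, as an added example (not MoltWeb's SDK or its published test vectors). It uses Node's built-in crypto; the function names, the throwaway keypair, the timestamps and the fixed parameter order are assumptions of this example.

```javascript
// Added example, not MoltWeb's SDK. Keys, timestamps and helper names are constructed.
const crypto = require("node:crypto");

// RFC 7638 thumbprint (the kid): SHA-256 over crv, kty, x in lexicographic order.
function thumbprint(jwk) {
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x });
  return crypto.createHash("sha256").update(canonical).digest("base64url");
}

// RFC 9421 signature base: one line per covered component, then @signature-params.
function signatureBase(authority, signatureAgent, params) {
  return `"@authority": ${authority}\n"signature-agent": ${signatureAgent}\n"@signature-params": ${params}`;
}

// Agent side: produce the three headers for a request to `url`.
function signRequest(url, agentUrl, privateKey, keyid, created, ttl = 300) {
  const signatureAgent = `"${agentUrl}"`; // structured-field string, quotes included
  const params = `("@authority" "signature-agent");created=${created};expires=${created + ttl}` +
    `;keyid="${keyid}";tag="web-bot-auth"`;
  const base = signatureBase(new URL(url).host, signatureAgent, params);
  const sig = crypto.sign(null, Buffer.from(base), privateKey); // Ed25519 takes no digest name
  return { "Signature-Agent": signatureAgent, "Signature-Input": `sig1=${params}`,
           "Signature": `sig1=:${sig.toString("base64")}:` };
}

// Verifier side. Strict parse of the exact parameter order signRequest emits (assumption).
function verifyRequest(authority, headers, jwks, now) {
  const input = /^sig1=(\("@authority" "signature-agent"\);created=(\d+);expires=(\d+);keyid="([^"]+)";tag="web-bot-auth")$/
    .exec(headers["Signature-Input"] || "");
  const sig = /^sig1=:([A-Za-z0-9+\/]+=*):$/.exec(headers["Signature"] || "");
  if (!input || !sig) return false;
  if (now < Number(input[2]) || now > Number(input[3])) return false; // outside created..expires
  const jwk = jwks.keys.find((k) => k.kid === input[4] && k.kty === "OKP" && k.crv === "Ed25519");
  if (!jwk || (jwk.nbf !== undefined && now < jwk.nbf)) return false; // unknown or not yet active
  const key = crypto.createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: "jwk" });
  const base = signatureBase(authority, headers["Signature-Agent"], input[1]);
  return crypto.verify(null, Buffer.from(base), key, Buffer.from(sig[1], "base64"));
}

// Constructed demo: throwaway keypair, directory entry shaped like the JWK Set shown earlier.
function demo(now = 1700000100) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const jwk = publicKey.export({ format: "jwk" });
  const jwks = { keys: [{ ...jwk, kid: thumbprint(jwk), use: "sig", nbf: 1700000000 }] };
  const headers = signRequest("https://shop.example.com/products/feed",
    "https://my-research-agent.id.moltweb.app", privateKey, jwks.keys[0].kid, 1700000000);
  return { headers, jwks, ok: verifyRequest("shop.example.com", headers, jwks, now) };
}
console.log(demo());
```

Because @authority is covered, the same headers replayed against a different host fail verification; a production verifier would parse Signature-Input with a full structured-fields parser rather than the fixed pattern used here.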

Confirm it works

Point a signed request at the verification echo at check.moltweb.net — it fetches your directory, rebuilds the signature base, and tells you exactly what it saw:

{ "verified": true, "agent": "my-research-agent", "keyid": "…", "created": …, "expires": … }

Done. Your agent now introduces itself cryptographically everywhere it goes. Sites running Cloudflare, Akamai, AWS WAF, and other Web Bot Auth verifiers can confirm exactly who's calling — and your card answers for you.
