For site owners

Half your traffic is agents. Which half do you want?

Blocking all bots breaks the customers who now shop, research, and book through assistants. Allowing all bots invites the scrapers. Identity is how you stop choosing between the two.

The shift

From guessing to policy

Bot management today

  • Guess from User-Agent strings anyone can fake
  • Block IP ranges that rotate hourly
  • CAPTCHA walls that agents (and humans) hate
  • Whack-a-mole with anonymous offenders
  • Good agents and bad scrapers look identical

With verified identity

  • Cryptographic proof of who is actually calling
  • Allow, limit, or block by name — rules that stick
  • A named operator to contact when something breaks
  • Abuse reports that follow the agent everywhere
  • Welcome the agents that bring you customers

Three ways in

Use it where your stack already lives

easiest

Your WAF already does it

On Cloudflare, AWS WAF, Akamai, or Vercel? They verify web-bot-auth signatures natively. Write rules against verified agent identities — and use our registry to research who's who.

self-hosted

Open-source middleware

Verification works against the open standard, against any public key directory — ours and anyone else's. No MoltWeb account needed to verify a signature. The drop-in middleware packages ship from a separate open-source repo.

no code

Log lookup

Not ready to enforce? Paste any Signature-Agent header from your logs into the registry and see exactly who's been visiting. Start by knowing; decide later.

Policy, against real names

Verification against the open standard

Verification happens against the open standard — fetch the agent's directory, check the signature, apply your rules. Your policy stays yours: allow lists, rate tiers, paid access, whatever fits your site. Here's the shape of it:

// pseudocode — verify against the public directory, then apply your policy
const agent = await verifyWebBotAuth(request); // open standard, any directory

if (agent?.handle === "my-research-agent") allow();
else if (agent?.verified) rateLimit("60/min"); // any verified agent
else challenge(); // everything unsigned
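
The verify-then-decide flow above as an added, runnable Node.js example (not MoltWeb's middleware and not code from this page): it rebuilds the RFC 9421 signature base over @authority and Signature-Agent, checks the tag and validity window, looks the keyid up in the agent's key directory, verifies the Ed25519 signature, then applies the policy shown above. Assumptions: the directory is passed in already fetched, its handle field, the hostnames, the key and the helper names are constructed for illustration, and only the sig1 label with this one component list is accepted.

```javascript
const nodeCrypto = require('node:crypto');

// RFC 7638 thumbprint of an Ed25519 JWK, used here as the keyid.
const thumbprint = (jwk) => nodeCrypto.createHash('sha256')
  .update(JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x })).digest('base64url');

// RFC 9421 signature base for the two covered components.
const signatureBase = (req, params) =>
  `"@authority": ${req.authority}\n` +
  `"signature-agent": ${req.headers['signature-agent']}\n` +
  `"@signature-params": ${params}`;

// Hypothetical verifier: `directory` is the agent's already-fetched key set.
function verifyWebBotAuth(req, directory, now = Math.floor(Date.now() / 1000)) {
  const input = /^sig1=(\("@authority" "signature-agent"\);.*)$/.exec(req.headers['signature-input'] || '');
  const sig = /^sig1=:([A-Za-z0-9+/=]+):$/.exec(req.headers['signature'] || '');
  if (!input || !sig) return null;                       // unsigned or malformed
  const params = input[1];
  const get = (name) => (new RegExp(`;${name}="?([^";]+)"?`).exec(params) || [])[1];
  if (get('tag') !== 'web-bot-auth') return null;        // signature made for another purpose
  if (!(Number(get('created')) <= now && now < Number(get('expires')))) return null; // outside window
  const jwk = directory.keys.find((k) => thumbprint(k) === get('keyid'));
  if (!jwk) return null;                                 // key not published in this directory
  const ok = nodeCrypto.verify(null, Buffer.from(signatureBase(req, params)),
    nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' }), Buffer.from(sig[1], 'base64'));
  return ok ? { verified: true, handle: directory.handle, keyid: get('keyid') } : null;
}

// The page's policy: allow by name, rate-limit any verified agent, challenge the rest.
const decide = (agent) => agent?.handle === 'my-research-agent' ? 'allow'
  : agent?.verified ? 'rate-limit:60/min' : 'challenge';

// --- constructed sample data: key, directory and request are made up ---
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const jwk = publicKey.export({ format: 'jwk' });
const directory = { handle: 'my-research-agent', keys: [jwk] };
function signedRequest(authority, created, expires) {
  const req = { authority, headers: { 'signature-agent': '"https://agent.example"' } };
  const params = `("@authority" "signature-agent");created=${created};expires=${expires}` +
    `;keyid="${thumbprint(jwk)}";tag="web-bot-auth"`;
  req.headers['signature-input'] = `sig1=${params}`;
  const sig = nodeCrypto.sign(null, Buffer.from(signatureBase(req, params)), privateKey);
  req.headers['signature'] = `sig1=:${sig.toString('base64')}:`;
  return req;
}
```

Because @authority is a covered component, a signature captured on one site fails verification when presented to another, and the expires check bounds how long a captured signature stays usable on the same site.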

Straight answers

What this won't do

It won't stop determined bad actors overnight. Unsigned scrapers still exist; identity gives you a clean way to privilege the good rather than a magic wall against the bad. The pressure works over time: as more legitimate agents sign, unsigned traffic becomes a stronger signal.

A signature isn't an endorsement. Verified means accountable, not trustworthy — we wrote down exactly what it proves and what it doesn't. Your access policy remains your call.

You don't need us at all, technically. The standard is open and verification works against any key directory on the internet. We're betting you'll find the registry and the lookup tools worth having — not that you'll be locked in.

MoltWeb

Know who's calling. Then decide.