Fingerprint's Free Web Bot Auth Testing Tool for AI Agent Developers
What Web Bot Auth Is and Why It Matters
Web Bot Auth (WBA) is an emerging open standard progressing through the IETF that enables automated clients to cryptographically sign their HTTP requests. Legacy identification methods like User-Agent strings can be easily spoofed, and IP allow lists are time-consuming and gameable. WBA solves this by allowing bot operators to generate asymmetric key pairs, host public keys in discoverable directories, and sign outbound requests with private keys.
How Web Bot Auth Signing Works
A properly signed WBA request includes three headers:
Signature-Inputdefines the components being signed and parameters including: tag set toweb-bot-auth,keyidmatching the JSON Web Key (JWK) thumbprint of your signing key,createdandexpirestimestamps, and anonce(strongly recommended to reduce replay risk)Signaturecontains the actual cryptographic signature over those componentsSignature-Agentpoints to your key directory, making it easier for servers to discover and cache your public key
Fingerprint requires Ed25519 keys, and your key directory needs to be hosted over HTTPS at /.well-known/http-message-signatures-directory, with the directory response itself signed to prevent someone else from mirroring it.
The Free Testing Tool
Fingerprint's Web Bot Auth testing page is a free, public endpoint where you can send a signed request and get clear feedback on whether your signature validates correctly. No account is required, and the testing tool is open source with frontend and backend repositories available.
The endpoint is at: fingerprint.com/web-bot-auth/test/
Getting Started with WBA
If you're implementing WBA:
- Generate an Ed25519 key pair and convert your public key to JWK format
- Host your key directory at
/.well-known/http-message-signatures-directoryover HTTPS, with the directory response signed using your private key - Sign your bot's outbound HTTP requests with the
Signature-Input,Signature, andSignature-Agentheaders - Send a test request to
fingerprint.com/web-bot-auth/test/to confirm everything validates
When your bot signs requests correctly, sites using Fingerprint Bot Detection can identify it as a signed bot rather than treating it as unknown automated traffic.
📖 Read the full source: HN AI Agents
👀 See Also
Custom Voice Extraction Process for Claude Code with Template
A developer shares a three-pass extraction process to create a custom voice skill for Claude Code, resulting in a 510-line SKILL.md file with ban lists for LLM-isms, anti-performative rules, and format-specific voice modes. The open-source template works with any language using 10+ writing samples.
Chat Saver CG: Browser Extension Built with Claude Exports Conversations Across 12 AI Platforms
A developer built Chat Saver CG, a browser extension that exports and transfers conversations between Claude, ChatGPT, Gemini, and 9 other AI platforms, using Claude extensively for development including architecture decisions, debugging DOM parsing issues, and writing adapter logic.
MCP Server: Comparing Local and Cloud LLMs with Debate Feature
The MCP server enables developers to query local models via Ollama alongside various cloud LLMs, offering features like side-by-side comparison and a structured debate function.
Founder Operations in Claude: 19 Reusable Skills for Early-Stage Startups
A founder who exited their first startup published 19 Claude-compatible skill prompts for functions like positioning, pricing, prospecting, and copy — based on their own SOPs and Notion workflows.