Repository presenting authentication for orchestrated agents navigating the web. It implements all components required by Web Bot Authentication defined by draft-meunier-web-bot-auth-architecture, and presents examples.
Cloudflare Research provides a live environment at http-message-signatures-example.research.cloudflare.com.
This deployment allows to test your implementation.
- It validates the presence of a
Signatureheader signed RFC9421 ed25519 test key, - It exposes a bot directory on /.well-known/http-message-signatures-directory,
- It provides explanation about the protocol.
| Example | Description |
|---|---|
| Browser extension | Adds a Signature on every outgoing request |
| Rust | Signs a hardcoded test request |
| Example | Description |
|---|---|
| Cloudflare Workers | Verify RFC 9421 Signature for every incoming request |
| Caddy Plugin | Verify RFC 9421 Signature for every incoming request |
| Rust | Verify a sample test request |
This repository uses npm and cargo workspaces. There are 3 packages which it provides
| Package | Language | Description |
|---|---|---|
| http-message-sig | TypeScript | HTTP Message Signatures as defined in RFC 9421 |
| jsonwebkey-thumbprint | TypeScript | JWK Thumbprint as defined in RFC 7638 |
| web-bot-auth | TypeScript | HTTP Message Signatures for Bots as defined in draft-meunier-web-bot-auth-architecture |
| web-bot-auth | Rust | HTTP Message Signatures for Bots as defined in draft-meunier-web-bot-auth-architecture |
This software has not been audited. Please use at your sole discretion.
This project is under the Apache 2.0 license.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be Apache 2.0 licensed as above, without any additional terms or conditions.