Fingerprint's Free Web Bot Auth Testing Tool for AI Agent Developers
What Web Bot Auth Is and Why It Matters
Web Bot Auth (WBA) is an emerging open standard progressing through the IETF that enables automated clients to cryptographically sign their HTTP requests. Legacy identification methods like User-Agent strings can be easily spoofed, and IP allow lists are time-consuming and gameable. WBA solves this by allowing bot operators to generate asymmetric key pairs, host public keys in discoverable directories, and sign outbound requests with private keys.
How Web Bot Auth Signing Works
A properly signed WBA request includes three headers:
Signature-Inputdefines the components being signed and parameters including: tag set toweb-bot-auth,keyidmatching the JSON Web Key (JWK) thumbprint of your signing key,createdandexpirestimestamps, and anonce(strongly recommended to reduce replay risk)Signaturecontains the actual cryptographic signature over those componentsSignature-Agentpoints to your key directory, making it easier for servers to discover and cache your public key
Fingerprint requires Ed25519 keys, and your key directory needs to be hosted over HTTPS at /.well-known/http-message-signatures-directory, with the directory response itself signed to prevent someone else from mirroring it.
The Free Testing Tool
Fingerprint's Web Bot Auth testing page is a free, public endpoint where you can send a signed request and get clear feedback on whether your signature validates correctly. No account is required, and the testing tool is open source with frontend and backend repositories available.
The endpoint is at: fingerprint.com/web-bot-auth/test/
Getting Started with WBA
If you're implementing WBA:
- Generate an Ed25519 key pair and convert your public key to JWK format
- Host your key directory at
/.well-known/http-message-signatures-directoryover HTTPS, with the directory response signed using your private key - Sign your bot's outbound HTTP requests with the
Signature-Input,Signature, andSignature-Agentheaders - Send a test request to
fingerprint.com/web-bot-auth/test/to confirm everything validates
When your bot signs requests correctly, sites using Fingerprint Bot Detection can identify it as a signed bot rather than treating it as unknown automated traffic.
📖 Read the full source: HN AI Agents
👀 See Also
Claude Code skill generates App Store screenshots using Gemini AI
A new Claude Code skill called /aso-cosmicmeta-ss creates App Store and Google Play screenshots through a 6-phase workflow that analyzes codebases and uses Gemini AI for enhancement. The skill includes an approval gate to catch layout issues before using API credits.
MCP Slim: Local Embedding Search for MCP Tools Reduces Context Bloat
MCP Slim is a proxy that replaces full MCP tool catalogs with three meta-tools (search, describe, call), using local MiniLM embeddings for semantic search. It achieves 96% context window reduction and works offline without API keys.
Claude DevTools: A Log Reader for Enhanced Claude Code Visibility
Claude DevTools is a local, open-source tool that reads Claude Code's existing log files in ~/.claude/ to provide detailed session visibility, including file operations with inline diffs, token breakdowns, context window visualization, and full subagent execution trees.
Toothcomb: Open-Source Real-Time Speech Fact-Checker Built with Claude Opus and Sonnet APIs
Toothcomb is an open-source tool that takes a speech transcript, fact-checks claims, detects logical fallacies and manipulative language using Claude Opus API, and supports real-time microphone streaming.