Web Bot Auth
bofreq-nottingham-web-bot-auth-01

Document Type Approved BOF request
Title Web Bot Auth
Last updated 2025-09-16
State Approved
Editor Mark Nottingham
Responsible leadership Mike Bishop
Send notices to (None)
bofreq-nottingham-web-bot-auth-01

Name: Web Bot Auth

Description

Currently, wide practice is for Web sites to identify non-browser clients using IP addresses, the User-Agent header field, and/or reverse DNS. All of these techniques have limitations and deficiencies, and at the same time the need for stronger identify for bots is becoming stronger, as non-browser traffic on the Web grows in volume and importance.

The community appears to be converging on cryptographic identity as a solution. This BoF proposes a Working Group to define such mechanisms.

Required Details

  • Status: WG Forming
  • Responsible AD: TBD
  • BOF proponents: Mark Nottingham <mnot@mnot.net>
  • Number of people expected to attend: 100
  • Length of session (1 or 2 hours): 2 hours
  • Conflicts (whole Areas and/or WGs)
  • Chair Conflicts: Rifaat Shekh-Ysef, TBD
  • Technology Overlap: Web-related groups (e.g., HTTPBIS, HTTPAPI, MASQUE, OHAI), identity-based groups (e.g., OAUTH, SPICE)
  • Key Participant Conflict: TBD

Information for IAB/IESG

This discussion started in a well-attended side meeting in Bangkok, and has continued on the web-bot-auth mailing list. There appears to be strong and urgent interest in finding a solution for this space, and reasonable alignment on the way forward (that needs to be confirmed in a BoF).

The scope is chosen carefully to be manageable; there is a lot of excitement about "agentic" use cases, but they are more uncertain and complex. To address the urgent needs in other cases, the charter considers most of those uses out of scope.

Open source implementation includes:
- https://github.com/cloudflareresearch/web-bot-auth

Agenda

  • TBD