AI Agent Verification · Web Bot Auth

Find out which AI agent can be trusted

AgentBouncer verifies cryptographic signatures of incoming AI agents using the Web Bot Auth standard (RFC 9421) and tells your backend if the agent is real, what its permissions are, and whether it can be trusted — in a single API call, with no CDN lock-in.

RFC 9421 · Ed25519 · Works behind any hosting · Replay protection
Response /v1/verify
POST /v1/verify
{
  "verified": true,
  "agent": "OpenAI Operator",
  "confidence": 0.97,
  "scope": "agent-payer-auth",
  "keyid": "poqkLGiymh_W0uP6PZFw...",
  "trusted": true
}
Agent verification response example · ~12ms

How it works

Verification in four steps

The agent signs the request with its private key. We verify the signature using the public key from the provider's directory — and deliver the verdict to your backend.

01 Incoming request

The agent sends a request with Signature, Signature-Input, and Signature-Agent headers.

02 Key lookup

We find the public key in the cached provider directory (JWKS) by keyid and refresh it if necessary.

03 Signature verification

We verify the Ed25519 signature, the created/expires window, and the intent tag — browsing or payment.

04 Verdict and analytics

We return verified, scope, and agent reputation, and log the event in the owner's analytics.
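
The four steps above, sketched in Node.js as an added example; this is not AgentBouncer's code or the SDK's internals. Assumptions: the request shape `{ authority, headers }`, the `ALLOWED_TAGS` list, a `nonce` parameter backed by an in-memory cache for replay protection, and a simplified single-label header parser. The key pair and signed request in `buildSample` are constructed.

```javascript
const crypto = require("node:crypto");
// Assumption: tags this endpoint accepts (the page's response shows "agent-payer-auth").
const ALLOWED_TAGS = new Set(["agent-browser-auth", "agent-payer-auth"]);
const seenNonces = new Set(); // assumed replay cache, in-memory for the example
// Simplified parser for a single signature label, not a full Structured Fields parser.
function parseSignatureInput(header) {
  const m = /^(\w+)=(\(([^)]*)\)(.*))$/.exec(String(header).trim());
  if (!m) throw new Error("malformed Signature-Input");
  const params = {};
  for (const [, k, v] of m[4].matchAll(/;([a-z]+)=("[^"]*"|\d+)/g))
    params[k] = v.startsWith('"') ? v.slice(1, -1) : Number(v);
  const components = [...m[3].matchAll(/"([^"]+)"/g)].map((c) => c[1]);
  return { label: m[1], raw: m[2], components, params };
}
// RFC 9421 signature base: one line per covered component, then "@signature-params".
function signatureBase(req, input) {
  const lines = input.components.map((name) => {
    const value = name === "@authority" ? req.authority : req.headers[name];
    if (value === undefined) throw new Error(`missing component ${name}`);
    return `"${name}": ${value}`;
  });
  return [...lines, `"@signature-params": ${input.raw}`].join("\n");
}
function verifyAgentRequest(req, jwks, now = Math.floor(Date.now() / 1000)) {
  const input = parseSignatureInput(req.headers["signature-input"]);
  const { created, expires, keyid, nonce, tag } = input.params;
  if (!(created <= now && now < expires)) return { verified: false, reason: "outside-window" };
  if (!ALLOWED_TAGS.has(tag)) return { verified: false, reason: "tag" };
  if (!nonce || seenNonces.has(nonce)) return { verified: false, reason: "replay" };
  const jwk = jwks.keys.find((k) => k.kid === keyid);
  if (!jwk) return { verified: false, reason: "unknown-key" };
  const sig = new RegExp(`^${input.label}=:([A-Za-z0-9+/=]+):$`).exec(req.headers.signature);
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const ok = sig && crypto.verify(null, Buffer.from(signatureBase(req, input)), key, Buffer.from(sig[1], "base64"));
  if (!ok) return { verified: false, reason: "bad-signature" };
  seenNonces.add(nonce); // remember nonces only from authentic requests
  return { verified: true, keyid, tag };
}
// Constructed sample: throwaway key pair and a request signed the way an agent would.
function buildSample(now, nonce = "n1") {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const jwks = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "k1" }] };
  const raw = `("@authority" "signature-agent");created=${now};expires=${now + 60};keyid="k1";nonce="${nonce}";tag="agent-payer-auth"`;
  const headers = { "signature-agent": '"https://agent.example"', "signature-input": `sig1=${raw}` };
  const req = { authority: "shop.example", headers };
  const base = signatureBase(req, parseSignatureInput(headers["signature-input"]));
  headers.signature = `sig1=:${crypto.sign(null, Buffer.from(base), privateKey).toString("base64")}:`;
  return { req, jwks };
}
```

Because `@authority` is part of the signed base, a signature captured for one host fails verification when presented to another, and the nonce cache rejects a second presentation of the same request inside its validity window.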

Our niche

Cryptography says 'who'. We say 'can they be trusted'

Web Bot Auth and CDNs confirm that an agent is cryptographically authentic. AgentBouncer adds a trust layer on top of the standard: scopes, reputation, owner passport, and analytics — for your specific endpoint and behind any hosting.

The standard answers the question 'who sent the request'. We answer the question 'should they be allowed to access your specific API'.

On top of the standard

We use Web Bot Auth / RFC 9421 as a ready-made cryptographic foundation — we don't reinvent the wheel.

CDN independence

Works behind any hosting with a single API call, not just within a specific CDN network.

Reputation and behavior

We calculate a reputation score based on the signature, velocity, and behavioral anomalies of the agent.

Agent passport

Delegation and owner permissions via OAuth and Verifiable Credentials.

SDK

One-line integration

Connect agent verification to Node, Python, or any backend via REST. No custom cryptography — just check the result.

import express from "express";
import { verifyAgent } from "@agentbouncer/sdk";

const app = express();

// Express / Next.js middleware: one line
app.use(verifyAgent({ apiKey: process.env.AGENTBOUNCER_KEY }));

app.get("/api/products", (req, res) => {
  // Reject any request the middleware did not mark as a verified agent
  if (!req.agent?.verified) return res.status(403).end();
  // req.agent.scope === "agent-payer-auth"
  res.json({ price: 100 });
});