Google printed documentation explaining its testing of Net Bot Auth, an experimental IETF protocol that may assist web sites cryptographically confirm some automated requests from bots and AI brokers.
The protocol provides one other verification layer by letting brokers signal HTTP requests with cryptographic keys. Web sites can then confirm these signatures towards printed public keys to verify the request got here from who it claims to be.
What’s New
Net Bot Auth makes use of HTTP Message Signatures (RFC 9421) to let automated purchasers signal outgoing requests. A bot holds a personal key, publishes its public key at a recognized URL, and indicators every request. The receiving web site checks the signature towards the general public key to verify id.
Google says a subset of signed Google-Agent requests are authenticated as https://agent.bot.goog. Signed requests embrace a Signature-Agent HTTP header set to g="https://agent.bot.goog", and the corresponding signature could be verified utilizing public keys printed at that area’s .well-known listing.
In response to Google’s documentation, bot-detection providers, CDNs, and WAFs already assist the protocol. The IETF draft is authored by Thibault Meunier of Cloudflare and Sandor Main of Google. Cloudflare publishes a reference implementation on GitHub.
The IETF Net Bot Auth Working Group was chartered in early 2026 with milestones for standards-track specs and a finest present observe doc.
What Google Is Not Doing But
Not all Google consumer brokers are collaborating. The documentation says Google is testing with “some AI brokers hosted on Google infrastructure” however doesn’t title which of them past the Google-Agent user-triggered fetcher.
Even for collaborating brokers, not each request is signed. The documentation recommends that websites proceed counting on IP addresses, reverse DNS, and user-agent strings as the first verification technique whereas signed visitors rolls out step by step.
The Web-Draft may change because the working group develops the usual.
Why This Issues
Bot impersonation has been a persistent downside. Scrapers and dangerous actors can spoof user-agent strings to disguise their visitors as Googlebot or different respectable crawlers, making it tougher for website house owners to inform actual bot visitors from pretend.
We lined this challenge when Google’s Martin Splitt warned that “not everybody who claims to be Googlebot really is Googlebot.” The accessible verification strategies on the time have been reverse DNS lookups and IP vary checks. Net Bot Auth would add a layer that may’t be solid with out the agent’s personal key.
For websites already utilizing a CDN or WAF that helps the protocol, verification could occur robotically. For everybody else, the experimental standing means there is no such thing as a urgency to behave. The documentation recommends treating current verification because the default and Net Bot Auth as supplementary.
Trying Forward
Net Bot Auth remains to be shifting by way of the requirements course of, and Google’s implementation stays experimental.
For now, the sensible change is visibility. Web sites could begin seeing signed requests from some Google-Agent visitors, whereas current verification strategies stay the default.
The subsequent query is whether or not extra AI brokers undertake signed requests, and whether or not internet hosting suppliers make verification automated for web sites that don’t need to handle keys.
