How to sign Web Bot Auth for your AI agent, bot, or crawler (and why you should) (stytch.com)

🤖 AI Summary
Browserbase’s guide (with Stytch code examples) walks builders through adopting Web Bot Auth — an emerging cryptographic standard that gives AI agents, crawlers and bots an unspoofable identity, so websites can verify and prioritize legitimate automated traffic instead of lumping it in with bad bots and imposing CAPTCHAs, 403s or IP blocks.

The practical how-to covers generating an Ed25519 public/private key pair, publishing the public key as a JWKS at /.well-known/http-message-signatures-directory, and signing requests in the HTTP Message Signatures format so that site owners can fetch your key and validate your signature.

Key technical details: the client builds a signature base containing @authority (the host), signature-agent (the URL of your well-known key directory) and @signature-params (the metadata). The signature parameters include a JWK-thumbprint kid, alg=ed25519, created/expires timestamps (a lifetime of at most 24h is recommended), a nonce, and tag="web-bot-auth". The private key signs the signature base (Ed25519), the binary signature is base64-encoded, and three headers are sent: Signature, Signature-Input and Signature-Agent (in structured-field format).

Implications: operators can authenticate and rotate keys, site owners can whitelist verified agents, and legitimate AI services gain more reliable access — though public reachability of your JWKS and proper key rotation and expiry remain operational requirements. A starter repo (stytchauth/web-bot-auth-example) and the Browserbase/Stytch docs provide runnable code.