webbotauth.net
Web Bot Auth report
- 24 pass
- 0 warn
- 0 fail
Score 100/100
How grading works
JWKS Directory
/.well-known/http-message-signatures-directory The published set of public keys (a JSON Web Key Set) used to verify signatures.
- Pass Directory URL uses HTTPS
- Pass Reachable (HTTP 200)
- Pass Content-Type: application/http-message-signatures-directory+json
- Pass Body is valid JSON
- Pass Body is a key set
- Pass 1 key(s)
- Pass Key set size within bound
- Pass Cache-Control: public, max-age=3600
- Pass All kty = OKP
- Pass All crv = Ed25519
- Pass All x decode to 32 bytes
- Pass No private key material
- Pass kid is the key thumbprint (p2yP7aUOfr8wAe7xZeSi-K3mGutbdd6qEGtdLNEdQsM)
- Pass No duplicate kids
- Pass Key validity windows coherent
- Pass Directory response is self-signed (1 valid signature, 1 key in the set)
Agent Card
Optional metadata about the agent (operator identity, contacts, robots.txt compliance, rate expectations). It is linked from the site or directory; web-bot-auth defines no fixed well-known path for it, and it is not the same as an A2A or MCP agent card. What is this?
- Pass Agent Card linked: https://webbotauth.net/.well-known/web-bot-auth-agent-card
- Pass client_name present
- Pass client_uri present
- Pass contacts present
- Pass jwks_uri present
- Pass purpose declared
- Pass robots.txt (RFC 9309) compliance declared
- Pass rate expectation declared
Response details / debug
- Directory URL fetched
- https://webbotauth.net/.well-known/http-message-signatures-directory
- HTTP status
- 200
- Content-Type
- application/http-message-signatures-directory+json
- Bytes
- 190
- Agent Card
- https://webbotauth.net/.well-known/web-bot-auth-agent-card
Raw response snippet (first 4 KB)
{"keys":[{"key_ops":["verify"],"ext":true,"alg":"Ed25519","crv":"Ed25519","x":"53yxTVhGpSrrIca97Jf7u5YFrwKYyKbIZxpcY_9D_MQ","kty":"OKP","kid":"p2yP7aUOfr8wAe7xZeSi-K3mGutbdd6qEGtdLNEdQsM"}]}