www.spyglasses.io
Web Bot Auth report
- 15 pass
- 2 warn
- 0 fail
Score 92/100
How grading works
JWKS Directory
/.well-known/http-message-signatures-directory The published set of public keys (a JSON Web Key Set) used to verify signatures.
- Pass Directory URL uses HTTPS
- Pass Reachable (HTTP 200)
- Pass Content-Type: application/http-message-signatures-directory+json
- Pass Body is valid JSON
- Pass Body is a key set
- Pass 1 key(s)
- Pass Key set size within bound
- Pass Cache-Control: max-age=86400
- Pass All kty = OKP
- Pass All crv = Ed25519
- Pass All x decode to 32 bytes
- Pass No private key material
- Pass Key thumbprint: 33ADskUIGpEdSpRcln3JPYnwSVgvssBLqDeos5dZkSE. kid is a custom label; web-bot-auth resolves signatures by computed thumbprint, so a custom kid is allowed (Cloudflare uses the thumbprint as the kid by convention).
- Pass No duplicate kids
- Pass Key validity windows coherent
- Warn Directory response is not self-signed. The draft recommends one signature per key with tag "http-message-signatures-directory", so verifiers can ignore mirrored or misattributed key sets. Why this matters
Agent Card
Optional metadata about the agent (operator identity, contacts, robots.txt compliance, rate expectations). It is linked from the site or directory; web-bot-auth defines no fixed well-known path for it, and it is not the same as an A2A or MCP agent card. What is this?
- Warn No Signature Agent Card discovered (checked Link header + homepage) Why this matters
Response details / debug
- Directory URL fetched
- https://www.spyglasses.io/.well-known/http-message-signatures-directory
- HTTP status
- 200
- Content-Type
- application/http-message-signatures-directory+json
- Bytes
- 90
- Agent Card
- No Agent Card discovered
Raw response snippet (first 4 KB)
{"keys":[{"kty":"OKP","crv":"Ed25519","x":"HOcLXypRQSOQhhNIQiB0cJyWADn3mHHccOLWVOLckF8"}]}