Agent card client URI

What this check verifies

The Signature Agent Card is optional metadata describing the agent behind a Web Bot Auth deployment, defined in the web-bot-auth registry draft (draft-meunier-webbotauth-registry). It is separate from the JWKS directory and has no fixed well-known path.

This check looks for a client_uri member on the card and confirms it is a non-empty string. The value is a URL that identifies the operator, usually the operator’s website or a page describing the agent.

This check is advisory. A missing client_uri lowers the score slightly and raises a warning, but it never caps the grade and never changes the verdict. A directory with valid keys is VALID even with no card at all.

Why it matters

client_name says who the operator is in words; client_uri points to where you can read more. A site operator deciding how to treat an agent can follow the URL to confirm the operator is real and to find their policies. Pairing the name with a resolvable URL makes the card more useful for attribution than a name alone.

How to fix it

Add a client_uri string with a URL that identifies the operator:

{ "client_uri": "https://example.com" }

Use a page you control and that a reader can reach, ideally one that describes the agent or links back to the same operator identity used elsewhere.

References

• The web-bot-auth registry draft (draft-meunier-webbotauth-registry) defines the Signature Agent Card and its client_uri field.
• What is a Signature Agent Card? explains the card and how it differs from an A2A or MCP agent card.
• How grading works explains why card checks are advisory.