Agent card contacts

The Signature Agent Card should declare contacts: one or more addresses for reaching the operator.

What this check verifies

The Signature Agent Card is optional metadata describing the agent behind a Web Bot Auth deployment, defined in the web-bot-auth registry draft (draft-meunier-webbotauth-registry). It is separate from the JWKS directory and has no fixed well-known path.

This check looks for a contacts member on the card and confirms it is an array with at least one entry. The entries are contact addresses for the operator, such as an email address or a URL for reporting problems.

This check is advisory. A missing or empty contacts list lowers the score slightly and raises a warning, but it never caps the grade and never changes the verdict. A directory with valid keys is VALID even with no card at all.

Why it matters

When an agent behaves in a way a site operator wants to discuss, such as crawling too fast or hitting the wrong paths, the operator needs a way to reach whoever runs it. The contacts list provides that channel directly from the card, so a problem can be raised without hunting for an address elsewhere.

How to fix it

Add a contacts array with one or more reachable addresses:

{ "contacts": ["mailto:bots@example.com"] }

A single working address is enough to pass. Use one that is monitored, so reports actually reach the operator.
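
As an added example (not part of the checker or the registry draft), this Python lint can be run on a card before publishing it. It mirrors the documented check, then adds per-entry hygiene notes that never change the result. The names check_contacts and entry_problem and the hygiene heuristics are assumptions of this example.

```python
import json
from urllib.parse import urlsplit


def entry_problem(entry):
    """Hygiene heuristic added for this example; returns a note or None."""
    if not isinstance(entry, str) or not entry.strip():
        return "not a non-empty string"
    parts = urlsplit(entry.strip())
    if not parts.scheme:
        return "no URI scheme (expected e.g. mailto: or https:)"
    if parts.scheme == "mailto":
        local, _, domain = parts.path.partition("@")
        if not local or not domain:
            return "mailto: address lacks local part or domain"
    elif parts.scheme in ("http", "https") and not parts.netloc:
        return "URL has no host"
    return None


def check_contacts(card):
    """Mirror the documented check: 'contacts' is an array with >= 1 entry."""
    contacts = card.get("contacts") if isinstance(card, dict) else None
    if not isinstance(contacts, list) or not contacts:
        return {"status": "warn", "notes": ["contacts missing, not an array, or empty"]}
    notes = []
    for i, entry in enumerate(contacts):
        problem = entry_problem(entry)
        if problem:
            notes.append(f"contacts[{i}]: {problem}")
    # Per-entry notes are informational only; the documented check has passed.
    return {"status": "pass", "notes": notes}


# Constructed sample cards (not taken from any real deployment).
SAMPLES = {
    "good": '{"contacts": ["mailto:bots@example.com", "https://example.com/report"]}',
    "empty": '{"contacts": []}',
    "string": '{"contacts": "mailto:bots@example.com"}',
    "sloppy": '{"contacts": ["bots@example.com", "mailto:bots", 42]}',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_contacts(json.loads(raw)))
```

The "string" sample shows the most common mistake: a single address given as a bare string instead of a one-element array still produces the warning.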

References

  • The web-bot-auth registry draft (draft-meunier-webbotauth-registry) defines the Signature Agent Card and its contacts field.
  • What is a Signature Agent Card? explains the card and how it differs from an A2A or MCP agent card.
  • How grading works explains why card checks are advisory.

How the checker scores this

Tier: Agent card
Role: Advisory. Failing this never caps the grade or changes the verdict.
Point deduction: A failure deducts 6 points; a warning deducts 2.