Agent card jwks_uri

What this check verifies

The Signature Agent Card is optional metadata describing the agent behind a Web Bot Auth deployment, defined in the web-bot-auth registry draft (draft-meunier-webbotauth-registry). It is separate from the JWKS directory and has no fixed well-known path.

This check looks for a jwks_uri member on the card and confirms it is a non-empty string. The value is a URL pointing to the JSON Web Key Set (RFC 7517) that holds the public keys the agent signs with.

This check is advisory. A missing jwks_uri lowers the score slightly and raises a warning, but it never caps the grade and never changes the verdict. A directory with valid keys is VALID even with no card at all.

Why it matters

The card describes the agent; jwks_uri ties that description to the keys that prove a request came from it. With the URL on the card, a reader can move from “who is this operator” to “which keys verify their signatures” in one step, and confirm the card and the directory refer to the same key set. Signatures are still verified against the published directory either way, so this field is for linkage, not verification.

How to fix it

Add a jwks_uri string pointing to the key set:

{ "jwks_uri": "https://example.com/.well-known/http-message-signatures-directory" }

Point it at the same JWKS the agent actually signs with, so the card and the keys in use stay in agreement.

References

• RFC 7517 defines the JSON Web Key Set that jwks_uri points to.
• The web-bot-auth registry draft (draft-meunier-webbotauth-registry) defines the Signature Agent Card and its jwks_uri field.
• What is a Signature Agent Card? explains the card and how it differs from an A2A or MCP agent card.
• How grading works explains why card checks are advisory.