Agent card purpose

The Signature Agent Card should declare a purpose: a short statement of what the agent does.

What this check verifies

The Signature Agent Card is optional metadata describing the agent behind a Web Bot Auth deployment, defined in the web-bot-auth registry draft (draft-meunier-webbotauth-registry). It is separate from the JWKS directory and has no fixed well-known path.

This check looks for a purpose member on the card and confirms it is a non-empty string. The value is a short statement of what the agent does, for example search indexing, price comparison, or fetching content for a user.

This check is advisory. A missing purpose lowers the score slightly and raises a warning, but it never caps the grade and never changes the verdict. A directory with valid keys is VALID even with no card at all.

Why it matters

Knowing who runs an agent does not tell a site operator why it visits. The purpose answers that, so an operator can decide whether to allow, rate-limit, or block the agent based on what it is for rather than guessing from traffic. A stated purpose also sets an expectation the operator can hold the agent to.

How to fix it

Add a purpose string describing what the agent does:

{ "purpose": "Indexing public pages for a search product" }

Keep it specific enough that a reader can tell whether they want this agent on their site.
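A local lint for the purpose member, usable before the card is published. This is an added example, not the checker's own code. The deduction values are the ones stated on this page; the function name, the mapping of a present-but-invalid value to a failure, and the treatment of a whitespace-only string as empty are assumptions.

```python
import json
from typing import NamedTuple

# Deductions as stated on this page: a warning deducts 2, a failure deducts 6.
WARN_POINTS = 2
FAIL_POINTS = 6


class PurposeResult(NamedTuple):
    status: str     # "pass", "warn" or "fail"
    deduction: int  # points removed from the score
    detail: str


def check_purpose(card_json: str) -> PurposeResult:
    """Lint the purpose member of a Signature Agent Card given as JSON text."""
    try:
        card = json.loads(card_json)
    except json.JSONDecodeError as exc:
        raise ValueError(f"card is not valid JSON: {exc}") from exc
    if not isinstance(card, dict):
        raise ValueError("card must be a JSON object")

    # Missing member: the page says this raises a warning.
    if "purpose" not in card:
        return PurposeResult("warn", WARN_POINTS, "purpose is missing")

    purpose = card["purpose"]
    # Assumption: a present but unusable value (null, number, list) is a failure.
    if not isinstance(purpose, str):
        kind = type(purpose).__name__
        return PurposeResult("fail", FAIL_POINTS, f"purpose must be a string, got {kind}")
    # Assumption: a whitespace-only string counts as empty.
    if not purpose.strip():
        return PurposeResult("fail", FAIL_POINTS, "purpose is an empty string")
    return PurposeResult("pass", 0, "purpose is a non-empty string")


if __name__ == "__main__":
    # Constructed sample cards, not taken from any real deployment.
    samples = [
        '{"purpose": "Indexing public pages for a search product"}',
        '{"name": "example-agent"}',
        '{"purpose": "   "}',
        '{"purpose": null}',
    ]
    for text in samples:
        print(text, "->", check_purpose(text))
```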

References

  • The web-bot-auth registry draft (draft-meunier-webbotauth-registry) defines the Signature Agent Card and its purpose field.
  • What is a Signature Agent Card? explains the card and how it differs from an A2A or MCP agent card.
  • How grading works explains why card checks are advisory.

How the checker scores this

Tier: Agent card
Role: Advisory. Failing this never caps the grade or changes the verdict.
Point deduction: A failure deducts 6 points; a warning deducts 2.