Rate expectation
The Signature Agent Card should declare a rate expectation or rate control: how often the agent expects to make requests.
What this check verifies
The Signature Agent Card is optional metadata describing the agent behind a Web Bot Auth deployment, defined in the web-bot-auth registry draft (draft-meunier-webbotauth-registry). It is separate from the JWKS directory and has no fixed well-known path.
This check looks for either a rate-expectation or a rate-control member on the card. It passes when at least one is present and warns when both are absent. The field states how often the agent expects to make requests, or the rate-control mechanism it respects.
This check is advisory. A missing declaration lowers the score slightly and raises a warning, but it never caps the grade and never changes the verdict. A directory with valid keys is VALID even with no card at all.
Why it matters
Request rate is the part of an agent’s behaviour an operator notices first, because it drives load. Declaring an expected rate, or a rate-control mechanism the agent honours, lets an operator size for the traffic and tell normal activity from a runaway client. As with the other card fields, it is a stated expectation rather than an enforced limit, but it gives the operator a baseline to compare against.
How to fix it
Add a rate-expectation or rate-control member describing the expected request rate:
{ "rate-expectation": "10 requests/second" }
State a figure that matches how the agent actually behaves, so the operator’s expectation lines up with the traffic they see.
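How an operator might use the declaration as a baseline, as an added example that is not the checker's own code. It mirrors the pass/warn rule described above and then compares constructed request timestamps with the declared rate. The "N requests/unit" value format is an assumption taken from the sample value on this page, and the function names and the `tolerance` parameter are hypothetical.

```python
import json
import re
from collections import Counter

RATE_FIELDS = ("rate-expectation", "rate-control")
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600}
# Assumed value format, taken from the page's sample "10 requests/second".
RATE_RE = re.compile(r"\s*(\d+(?:\.\d+)?)\s*requests?\s*/\s*(second|minute|hour)\s*", re.I)

def check_rate_declaration(card):
    """Pass when either member is present on the card, warn when both are absent."""
    present = [f for f in RATE_FIELDS if f in card]
    return ("pass" if present else "warn", present)

def declared_rate(card):
    """Return (requests, window_seconds), or None if absent or not in the assumed format."""
    m = RATE_RE.fullmatch(str(card.get("rate-expectation", "")))
    if not m:
        return None
    return float(m.group(1)), UNIT_SECONDS[m.group(2).lower()]

def windows_over_baseline(timestamps, requests, window, tolerance=1.5):
    """Bucket request times by the declared window; return {window_start: count}
    for buckets above tolerance * declared rate (tolerance is a hypothetical knob)."""
    counts = Counter(int(t // window) * window for t in timestamps)
    return {start: n for start, n in sorted(counts.items()) if n > requests * tolerance}

# Card body from the page's example; timestamps are constructed sample data
# (seconds since an arbitrary start), not real traffic.
CARD = json.loads('{"rate-expectation": "10 requests/second"}')
SAMPLE_TIMES = ([100 + i / 8 for i in range(8)]       # 8 requests in second 100
                + [101 + i / 40 for i in range(40)]   # 40 requests in second 101
                + [102 + i / 12 for i in range(12)])  # 12 requests in second 102

if __name__ == "__main__":
    print(check_rate_declaration(CARD))
    rate = declared_rate(CARD)
    if rate:
        print(windows_over_baseline(SAMPLE_TIMES, *rate))
```

Because the declared figure is a stated expectation rather than an enforced limit, a flagged window is a prompt to investigate, not proof of misbehaviour.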
References
- The web-bot-auth registry draft (draft-meunier-webbotauth-registry) defines the Signature Agent Card and its rate-expectation and rate-control fields.
- What is a Signature Agent Card? explains the card and how it differs from an A2A or MCP agent card.
- How grading works explains why card checks are advisory.
How the checker scores this
- Tier: Agent card
- Role: Advisory. Failing this never caps the grade or changes the verdict.
- Point deduction: A failure deducts 6 points; a warning deducts 2.