What is a Signature Agent Card?

The Signature Agent Card is optional metadata that describes the agent behind a Web Bot Auth deployment. It answers "who is this bot, and how does it behave?", alongside the keys that prove "is this request really from them?".

What it carries

It is defined by the Web Bot Auth registry draft and can include:

  • Operator identity: name, URL, logo, and contacts.
  • Where the keys live: a jwks_uri pointing to the JSON Web Key Set, or the keys inline.
  • Declared purpose and the expected User-Agent string.
  • RFC 9309 (robots.txt) compliance.
  • Rate expectations, IP ranges, and known URLs.

How the checker treats it

Agent Card checks are advisory. A missing or incomplete card lowers the score slightly and raises notes, but it never changes the verdict and never caps the grade. A directory with valid keys is still VALID even with no card at all.

Where it lives

Unlike the JWKS directory, which is always at the well-known path /.well-known/http-message-signatures-directory, the Signature Agent Card has no fixed well-known location. It is referenced from the site or directory, or listed in a registry. The checker only validates a card when it can find one or you provide its URL.

Not the same as an A2A or MCP agent card

Many sites publish a /.well-known/agent-card.json. That is usually an A2A (Agent2Agent) or MCP agent card, which describes an agent's skills and interfaces for agent-to-agent use. It is a different standard with different fields (name, skills, supportedInterfaces) and no cryptographic keys. The checker recognises that shape and will not grade it as a Web Bot Auth card.
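The sketch below is an added example, not the checker's own code. It illustrates the advisory handling described under "How the checker treats it" and the shape distinction drawn in this section. The classification rules, the https check on jwks_uri, the note wording, and the names classify_card and assess are assumptions; only the field names come from this page.

```python
import json
from urllib.parse import urlparse

# Field names taken from the page: jwks_uri / inline keys (Web Bot Auth),
# skills / supportedInterfaces (A2A or MCP). The rules are assumptions.
A2A_MARKERS = {"skills", "supportedInterfaces"}

def classify_card(doc):
    """Return 'web-bot-auth', 'a2a-or-mcp' or 'unknown' for parsed JSON."""
    if not isinstance(doc, dict):
        return "unknown"
    inline = doc.get("keys")
    if isinstance(doc.get("jwks_uri"), str) or (isinstance(inline, list) and inline):
        return "web-bot-auth"   # carries or points to key material
    if A2A_MARKERS & doc.keys():
        return "a2a-or-mcp"     # skills/interfaces, no keys
    return "unknown"

def assess(directory_verdict, card_text):
    """Attach advisory card notes; the directory verdict is passed through."""
    notes = []
    if card_text is None:
        return {"verdict": directory_verdict, "notes": ["no card found"]}
    try:
        doc = json.loads(card_text)
    except json.JSONDecodeError:
        return {"verdict": directory_verdict, "notes": ["card is not valid JSON"]}
    kind = classify_card(doc)
    if kind == "a2a-or-mcp":
        notes.append("A2A/MCP agent card; not graded as a Web Bot Auth card")
    elif kind == "unknown":
        notes.append("card references no keys")
    else:
        uri = doc.get("jwks_uri")
        if isinstance(uri, str) and urlparse(uri).scheme != "https":
            notes.append("jwks_uri is not https")  # assumed hygiene check
    return {"verdict": directory_verdict, "notes": notes}

# Constructed sample cards (not real deployments).
WBA_CARD = '{"jwks_uri": "http://bot.example/keys.json"}'
A2A_CARD = '{"name": "Helper", "skills": [], "supportedInterfaces": []}'

if __name__ == "__main__":
    for card in (WBA_CARD, A2A_CARD, None, "{not json"):
        print(assess("VALID", card))
```

In every branch the verdict passed in comes back unchanged, so a card problem can only add notes.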