Web Bot Auth tag

What this check verifies

The tag parameter in Signature-Input names the signing profile. For Web Bot Auth it must be the exact string web-bot-auth:

Signature-Input: sig1=("@authority");created=...;expires=...;keyid="...";tag="web-bot-auth"

This check reads the tag value and confirms it equals web-bot-auth. Any other value, or a missing tag, fails the check. The comparison is exact: web-bot-auth passes, while variants such as webbotauth, web_bot_auth, or a different casing do not.

Why it matters

HTTP Message Signatures is a general mechanism used for many things. The tag is how a request declares which profile it follows, so a verifier can apply the right rules (the required components, the required parameters, the key type) instead of guessing. A Web Bot Auth verifier keys on tag="web-bot-auth" to decide that this signature should be checked as a bot-auth signature at all.

The tag is also part of the signed input. It appears in @signature-params inside the signature base, so it is covered by the signature and cannot be changed after signing without breaking verification. A wrong tag is not just a label problem: it means the request is not claiming the Web Bot Auth profile, and a strict verifier treats it as not applicable.

Because the tag is what marks a request as Web Bot Auth, a wrong tag makes the signature verdict invalid.

How to fix it

Set the parameter to the literal value:

;tag="web-bot-auth"

• Use the exact spelling and hyphenation, web-bot-auth, as a quoted string.
• Do not localize, abbreviate, or rename it.

If your signing library exposes a profile or tag setting, point it at the Web Bot Auth profile rather than setting tag by hand.

References

• RFC 9421 defines the tag signature parameter.
• The web-bot-auth architecture draft fixes the tag value at web-bot-auth.
• How grading works explains why a wrong tag makes the signature verdict invalid.