Google is experimenting with a new bot authentication method called Web Bot Auth. In a newly published help document, Google describes Web Bot Auth as a “new cryptographic protocol that helps websites to validate that bots are authentic.” Its purpose is to streamline and automate how you verify which AI agent bots are legitimate and which are fraudulent.
Limited test. Google said it is currently “testing the protocol with some AI agents hosted on Google infrastructure.” At this stage, not every Google user agent supports Web Bot Auth, and even for those that do, Google is not yet signing every request. Because of this, Google advises site owners to keep using existing verification methods (such as IP addresses, reverse DNS, and user-agent strings) while it gradually increases the amount of signed traffic.
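The reverse DNS method that Google advises keeping can be implemented as a forward-confirmed lookup, shown here as an added example that is not code from Google or from the original article. The function names and sample records are constructed for illustration, and the domain suffixes are the ones listed in Google's crawler verification documentation.

```python
import ipaddress
import socket

# Reverse DNS domains Google documents for its crawlers and fetchers.
GOOGLE_SUFFIXES = ("googlebot.com", "google.com", "googleusercontent.com")

def system_reverse(ip):
    return socket.gethostbyaddr(ip)[0]            # PTR lookup

def system_forward(hostname):
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def verify_google_ip(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS: return (verified, detail)."""
    try:
        addr = ipaddress.ip_address(ip)
        hostname = reverse(ip).rstrip(".").lower()
    except (ValueError, OSError):
        return False, "no usable PTR record"
    # Match on a label boundary so 'googlebot.com.attacker.example' and
    # 'notgooglebot.com' are both rejected.
    if not any(hostname.endswith("." + s) for s in GOOGLE_SUFFIXES):
        return False, "PTR name outside Google domains"
    try:
        forward_ips = {ipaddress.ip_address(a) for a in forward(hostname)}
    except (ValueError, OSError):
        return False, "forward lookup failed"
    # The PTR zone belongs to whoever owns the IP, so the name only counts
    # if the forward zone maps it back to the same address.
    if addr not in forward_ips:
        return False, "forward lookup does not return the client IP"
    return True, hostname

# Constructed sample records (documentation IP ranges, made-up hostnames).
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "crawl.googlebot.com.attacker.example",
       "203.0.113.5": "crawl-203-0-113-5.googlebot.com"}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl-203-0-113-5.googlebot.com": {"192.0.2.55"}}

def sample_reverse(ip):
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip]

def sample_forward(hostname):
    return A[hostname]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"):
        print(ip, verify_google_ip(ip, sample_reverse, sample_forward))
```

Calling `verify_google_ip(ip)` without the sample resolvers uses the system resolver, so results for real traffic should be cached to avoid a DNS round trip on every request.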
What is Web Bot Auth? Google defines it as “an experimental cryptographic protocol used to authenticate requests sent by bots. Instead of relying solely on self-reported headers and IP addresses, Web Bot Auth allows agents to cryptographically sign their requests.”
According to Google, Web Bot Auth can offer several advantages:
- Future-proofing: Help create a web ecosystem where agent providers and websites can establish mutual trust and make better-informed access decisions.
- Cryptographic certainty: Move past easily spoofed headers toward a verified identity, and separate an agent’s identity from its IP address.
- Improved observability: Provide clearer visibility into how agents access and interact with your content.
Why it matters. As AI agents proliferate across the web, the ability to manage and distinguish between trustworthy and fraudulent automated traffic will become increasingly important for site owners and platforms.