# Web Bot Auth

Category: Bot Access Control

## Goal
Publish a JSON Web Key Set (JWKS) at /.well-known/http-message-signatures-directory containing the public keys you use to sign outgoing bot requests, so receiving sites can fetch it over HTTPS and verify those requests via HTTP Message Signatures (RFC 9421). Each key needs a stable `kid`, because that is the `keyid` a receiver reads from `Signature-Input` to select the key. Rotate keys on a regular cadence and keep each retired key in the JWKS until every request signed with it has aged out: in practice, until the latest `expires` value your signer stamps into `Signature-Input` with that key has passed. Dropping a key earlier strands in-flight requests at receivers that refresh the directory after the rotation.

## Validation
- Serve the directory as a public, machine-readable artifact at the path the standard expects; do not put it behind authentication, a bot challenge, or a redirect to another host, since verifiers fetch it unauthenticated.
- Confirm the response content type (the directory-specific media type the draft defines, not a generic JSON type), the payload shape (a JSON object whose `keys` array holds public JWKs, each carrying a `kid`), and discoverability: a plain GET from the public internet returns it with a 200.
- Keep the implementation read-only from the scanner's perspective: the check only issues GET requests and must neither require nor cause any state change on your side.
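
The Goal and Validation sections describe the artifact and the checks but not how the `kid`, the rotation and the retention window fit together. The Go program below is an added example written for this page, not code from the Web Bot Auth drafts, Cloudflare, or any project implementing them. It builds the JWKS with RFC 7638 thumbprints as `kid`, retires the signing key while keeping its public half published for the longest signature lifetime the signer emits, and runs the read-only checks a scanner would. The media type constant, the use of Ed25519 keys (OKP/Ed25519 JWKs), the `MaxLife` retention policy and every name such as `Rotation`, `ValidateDirectory` and `LookupKey` are this example's own assumptions; confirm the first two against the draft revision you implement.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"mime"
	"time"
)

const DirectoryMediaType = "application/http-message-signatures-directory+json" // assumption: check the draft you target
var b64 = base64.RawURLEncoding

// JWK carries the members an Ed25519 public key needs in a JWK Set (RFC 7517, RFC 8037).
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Kid string `json:"kid"`
}

type Directory struct{ Keys []JWK `json:"keys"` } // body served at /.well-known/http-message-signatures-directory

// Thumbprint is the RFC 7638 JWK thumbprint (SHA-256 over the required members, sorted, no whitespace), used as kid.
func Thumbprint(pub ed25519.PublicKey) string {
	canon := fmt.Sprintf(`{"crv":"Ed25519","kty":"OKP","x":"%s"}`, b64.EncodeToString(pub))
	sum := sha256.Sum256([]byte(canon))
	return b64.EncodeToString(sum[:])
}

func PublicJWK(pub ed25519.PublicKey) JWK {
	return JWK{Kty: "OKP", Crv: "Ed25519", X: b64.EncodeToString(pub), Kid: Thumbprint(pub)}
}

// Rotation holds the active signing key plus retired public keys and the instant each may be dropped.
type Rotation struct {
	Current ed25519.PrivateKey
	MaxLife time.Duration // longest expires-created window the signer ever emits
	retired map[JWK]time.Time
}

// Rotate installs a fresh signing key; the old public key stays published for MaxLife.
func (r *Rotation) Rotate(now time.Time) error {
	_, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		return err
	}
	if r.retired == nil {
		r.retired = map[JWK]time.Time{}
	}
	r.retired[PublicJWK(r.Current.Public().(ed25519.PublicKey))] = now.Add(r.MaxLife)
	r.Current = priv
	return nil
}

// Directory renders the JWKS for time now, dropping retired keys that have aged out.
func (r *Rotation) Directory(now time.Time) Directory {
	d := Directory{Keys: []JWK{PublicJWK(r.Current.Public().(ed25519.PublicKey))}}
	for k, until := range r.retired {
		if now.Before(until) {
			d.Keys = append(d.Keys, k)
		} else {
			delete(r.retired, k) // deleting during range is safe in Go
		}
	}
	return d
}

// ValidateDirectory is the scanner's read-only check: media type, non-empty JWKS, each key a 32-byte Ed25519 key whose kid is its thumbprint.
func ValidateDirectory(contentType string, body []byte) (Directory, error) {
	var d Directory
	if mt, _, err := mime.ParseMediaType(contentType); err != nil || mt != DirectoryMediaType {
		return d, fmt.Errorf("content-type %q, want %s", contentType, DirectoryMediaType)
	}
	if err := json.Unmarshal(body, &d); err != nil || len(d.Keys) == 0 {
		return d, fmt.Errorf("body is not a non-empty JWKS: %v", err)
	}
	for i, k := range d.Keys {
		raw, err := b64.DecodeString(k.X)
		if k.Kty != "OKP" || k.Crv != "Ed25519" || err != nil ||
			len(raw) != ed25519.PublicKeySize || k.Kid != Thumbprint(raw) {
			return d, fmt.Errorf("key %d is not an Ed25519 JWK with a thumbprint kid", i)
		}
	}
	return d, nil
}

// LookupKey resolves the keyid a receiver finds in Signature-Input against the directory.
func (d Directory) LookupKey(kid string) (ed25519.PublicKey, bool) {
	for _, k := range d.Keys {
		if k.Kid == kid {
			raw, _ := b64.DecodeString(k.X) // shape already checked by ValidateDirectory
			return raw, true
		}
	}
	return nil, false
}
```

Serve `json.Marshal(r.Directory(time.Now()))` from the well-known handler with the media type constant as `Content-Type`. `ValidateDirectory` recomputes every `kid` from `x`, so a key whose `kid` is not its thumbprint is rejected, which is what a receiver effectively does when the `keyid` in `Signature-Input` fails to match any entry. The retired set is a map, so the order of retired entries in `keys` is not stable; nothing in the verification path should depend on ordering.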

## Copyable Fix Prompt
```text
Fix the Web Bot Auth gap for https://example.com.

Requirements:
- Publish a JSON Web Key Set (JWKS) at /.well-known/http-message-signatures-directory containing the public keys you use to sign outgoing bot requests, each with a stable `kid`, so receiving sites can verify those requests via HTTP Message Signatures (RFC 9421). Rotate keys on a regular cadence and keep each retired key in the JWKS until every request signed with it has aged out (until the latest `expires` stamped with that key has passed).
- Preserve existing product behavior and do not do UI work.
- Use machine-readable public artifacts under /.well-known/ or response headers when appropriate.
- Add or update automated tests covering the new behavior.
- Validate the final response shape and content types.
```