AWS WAF announces Web Bot Auth support
Today, we're excited to announce the addition of Web Bot Auth (WBA) support in AWS WAF, providing a secure and standardized way to authenticate legitimate AI agents and automated tools accessing web applications.
Web Bot Auth is an authentication method that uses cryptographic signatures in HTTP messages to verify that a request comes from an automated bot. It is used as a verification method for verified bots and signed agents. It relies on two active IETF drafts: a directory draft that lets crawlers share their public keys, and a protocol draft that defines how these keys are used to attach the crawler's identity to HTTP requests.
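The signature check described above, sketched as an added example in Node.js; it is not AWS WAF's code and not taken from this announcement. The `Signature-Agent` header, the `web-bot-auth` tag and the `created`/`expires`/`keyid` parameters are assumed from the IETF drafts and RFC 9421 (HTTP Message Signatures), the signature parameters are assumed to be already parsed into an object, and all hostnames, key ids and timestamps are constructed.

```javascript
const crypto = require('node:crypto');

// Serialize the signature parameters as they appear in Signature-Input (RFC 9421).
function serializeParams(p) {
  const covered = p.components.map((c) => `"${c}"`).join(' ');
  return `(${covered});created=${p.created};expires=${p.expires};keyid="${p.keyid}";tag="${p.tag}"`;
}

// Build the signature base: one line per covered component, then @signature-params.
function signatureBase(req) {
  const lines = req.sigParams.components.map((name) => {
    const value = name === '@authority' ? req.authority : req.headers[name];
    if (value === undefined) throw new Error(`missing covered component ${name}`);
    return `"${name}": ${value}`;
  });
  lines.push(`"@signature-params": ${serializeParams(req.sigParams)}`);
  return Buffer.from(lines.join('\n'));
}

// Bot side: sign the base with the Ed25519 private key.
function signBotRequest(req, privateKey) {
  req.signature = crypto.sign(null, signatureBase(req), privateKey);
  return req;
}

// Server side: policy checks first, then the cryptographic check.
function verifyBotRequest(req, directory, now) {
  const p = req.sigParams;
  if (p.tag !== 'web-bot-auth') return 'wrong-tag';
  if (!p.components.includes('@authority')) return 'authority-not-covered';
  if (now < p.created || now >= p.expires) return 'outside-validity-window';
  const publicKey = directory.get(p.keyid); // key published in the bot's directory
  if (!publicKey) return 'unknown-key';
  return crypto.verify(null, signatureBase(req), publicKey, req.signature)
    ? 'verified' : 'bad-signature';
}

// Constructed sample data: key pair, directory, and one signed request.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const directory = new Map([['constructed-key-1', publicKey]]);
function sampleRequest() {
  return signBotRequest({
    authority: 'shop.example',
    headers: { 'signature-agent': '"https://bot.example"' },
    sigParams: { components: ['@authority', 'signature-agent'], created: 1700000000,
      expires: 1700000300, keyid: 'constructed-key-1', tag: 'web-bot-auth' },
  }, privateKey);
}
```

Because `@authority` is covered by the signature, a request captured on one site fails verification when replayed against another host, and the `created`/`expires` window bounds how long a captured request stays valid.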
AWS WAF now automatically allows verified AI agent traffic: verified WBA bots are allowed by default. Previously, Category AI blocked unverified bots; this behavior is now refined to respect WBA verification. To learn more, please review the documentation. There is no additional cost for using this feature; however, standard AWS WAF charges still apply. For details, visit the AWS WAF Pricing page.
This feature is currently available only for AWS WAF customers protecting Amazon CloudFront distributions.