AAP vs Web Bot Auth
Understanding the difference between authentication and authorization for AI agents. They're complementary, not competing.
Web Bot Auth
by Cloudflare
Proves bot identity via cryptographic signatures
Ed25519 Signatures
Per-request cryptographic proof
Identity Verification
Replaces IP-based allowlists
Edge Protection
CDN/network layer defense
AAP
Agent Authorization Profile
Controls permissions with capability tokens
OAuth 2.0 + JWT
Standard-based tokens
Granular Permissions
Per-action constraints
Rate Limits
Built-in constraint enforcement
Complementary Technologies
Authentication + Authorization = Complete Security
Use Both Together
The Fundamental Difference
Web Bot Auth (Cloudflare)
Problem:
How do we verify that a bot is who it claims to be?
Solution:
Cryptographic signatures on HTTP requests
Focus:
Identity verification (authentication)
Agent Authorization Profile
Problem:
How do we control what an authenticated agent is allowed to do?
Solution:
Structured OAuth 2.0 tokens with capability-based permissions
Focus:
Permission control (authorization)
Side-by-Side Comparison
| Aspect | Web Bot Auth | AAP |
|---|---|---|
| Primary Purpose | Prove bot identity | Define agent permissions |
| Standards Base | HTTP Message Signatures | OAuth 2.0 + JWT |
| Authentication | ✅ Yes (Ed25519) | ⚠️ Via OAuth |
| Authorization | ❌ No | ✅ Yes (capability-based) |
| Key Technology | Ed25519 + HTTP signatures | JWT + structured claims |
| Request Signing | Every HTTP request | Token issuance only |
| Granular Permissions | ❌ Binary (verified or not) | ✅ Per-action constraints |
| Rate Limiting | ❌ Not in protocol | ✅ Built-in |
| Domain Restrictions | ❌ No | ✅ Allow/block lists |
| Time Windows | ⚠️ Signature expiry (~1 min) | ✅ Token + capability windows |
| Delegation Tracking | ❌ No | ✅ Depth + chain |
| Task Binding | ❌ No | ✅ Purpose + context |
| Human Oversight | ❌ No | ✅ Approval requirements |
| Audit Trail | ⚠️ Basic (signature metadata) | ✅ Comprehensive (trace IDs) |
| Deployment | Edge/CDN (Cloudflare) | AS/RS (OAuth servers) |
What Each System Does
Web Bot Auth: "I Am Agent X"
How it works:
- Bot generates Ed25519 key pair
- Bot publishes public key at /.well-known/http-message-signatures-directory
- Bot registers with Cloudflare's Verified Bots Program
- Bot signs every HTTP request with signature headers
- Server verifies signature matches published public key
Example Request:
GET /api/data HTTP/1.1
Host: api.example.com
Signature-Input: sig1=("@authority");created=1704067200;expires=1704067260;keyid="2024-key"
Signature: sig1=:K2qGT5srn2OGbOIDzQ6kYT+ruaycnDAAUpKv+ePFfD0=:
Signature-Agent: https://bot.example.com/.well-known/http-message-signatures-directory

✅ What you know:
The request came from a bot that controls the private key matching the public key at bot.example.com
❌ What you DON'T know:
- What this bot is allowed to do
- How many requests it can make
- What data it can access
- What task it's working on
AAP: "I Can Search Wikipedia 50 Times Per Hour"
How it works:
- Agent authenticates to Authorization Server (e.g., via mTLS, client credentials)
- AS issues JWT with AAP claims (agent, task, capabilities, oversight, delegation)
- Agent presents token to Resource Server
- RS validates token and enforces constraints
Example Token Claims:
{
  "iss": "https://as.example.com",
  "sub": "spiffe://example.com/agent/crawler-01",
  "aud": ["https://api.example.com"],
  "exp": 1704067500,
  "agent": {
    "id": "crawler-01",
    "type": "web-crawler",
    "operator": "org:acme-corp"
  },
  "task": {
    "id": "task-123",
    "purpose": "index_public_documentation"
  },
  "capabilities": [
    {
      "action": "search.web",
      "constraints": {
        "domains_allowed": ["wikipedia.org", "*.gov"],
        "max_requests_per_hour": 50,
        "time_window": {
          "start": "2024-01-01T00:00:00Z",
          "end": "2024-01-31T23:59:59Z"
        }
      }
    }
  ],
  "delegation": {
    "depth": 0,
    "max_depth": 1
  }
}

✅ What you know:
- Can search Wikipedia and .gov domains
- Maximum 50 requests per hour
- Only during January 2024
- Cannot delegate to other agents
- Working on indexing task
❌ What you DON'T know (without Web Bot Auth):
- Whether this token was stolen
- Whether the request actually came from the claimed agent
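How a Resource Server could enforce the constraints in the example token above, as an added example (not code from this page or from the AAP reference implementation). The request fields `audience`, `action` and `targetHost`, the `usedThisHour` counter, and the domain-matching rule are assumptions made for illustration.

```javascript
// Claims copied from the example token above (only the fields the checks use).
const claims = {
  aud: ["https://api.example.com"],
  exp: 1704067500,
  capabilities: [{
    action: "search.web",
    constraints: {
      domains_allowed: ["wikipedia.org", "*.gov"],
      max_requests_per_hour: 50,
      time_window: { start: "2024-01-01T00:00:00Z", end: "2024-01-31T23:59:59Z" },
    },
  }],
  delegation: { depth: 0, max_depth: 1 },
};

// Assumed rule: a plain entry matches that exact host; "*.suffix" matches
// subdomains only, so "gov.example.com" and "notgov" do not match "*.gov".
function domainAllowed(host, patterns) {
  const h = host.toLowerCase();
  return patterns.some((p) =>
    p.startsWith("*.") ? h.length > p.length - 1 && h.endsWith(p.slice(1)) : h === p);
}

// Returns "allow" or the reason for denial. nowSec is Unix time in seconds;
// usedThisHour comes from the Resource Server's own counter (hypothetical).
function authorize(token, req, nowSec, usedThisHour) {
  if (!token.aud.includes(req.audience)) return "wrong audience";
  if (nowSec >= token.exp) return "token expired";
  if (token.delegation.depth > token.delegation.max_depth) return "delegation too deep";
  const cap = token.capabilities.find((c) => c.action === req.action);
  if (!cap) return "action not granted";
  const k = cap.constraints;
  if (!domainAllowed(req.targetHost, k.domains_allowed)) return "domain not allowed";
  const start = Date.parse(k.time_window.start) / 1000;
  const end = Date.parse(k.time_window.end) / 1000;
  if (nowSec < start || nowSec > end) return "outside time window";
  if (usedThisHour >= k.max_requests_per_hour) return "rate limit exceeded";
  return "allow";
}

// Constructed sample request, evaluated 30 seconds into the token's lifetime.
const sampleReq = { audience: "https://api.example.com", action: "search.web", targetHost: "data.gov" };
console.log(authorize(claims, sampleReq, 1704067230, 10));
```
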
How They Work Together
Authentication
Web Bot Auth verifies identity
Authorization
AAP defines permissions
Secure Request
Complete validation
Real-World Example: AI Shopping Agent
User's AI shopping agent comparing prices across merchant APIs
GET /api/products
# No identity
# No permissions

GET /api/products
Signature: sig1=...
✓ Identity verified
✗ No permission control

GET /api/products
Authorization: Bearer ...
✗ Identity unverified
✓ Permissions enforced

GET /api/products
Authorization: Bearer ...
Signature: sig1=...
✓ Identity verified
✓ Permissions enforced

Use Cases: When to Use Each
Use Web Bot Auth
- Verify bot identity at network edge
- Replace IP-based allowlists
- CDN/Edge protection
- Public endpoint protection
Example:
Googlebot crawling your website - verify it's really Google
Use AAP
- Control what agents can do
- Enforce business constraints
- Track multi-step workflows
- Compliance and oversight
Example:
Research agent - can only read docs, max 100 req/hour
Use Both
- Defense in depth
- High-security agent systems
- Compliance auditing
- Multi-tier architecture
Example:
AI shopping agent - verify identity + enforce purchase limits
Security Comparison
| Threat | Web Bot Auth | AAP |
|---|---|---|
| Bot Impersonation | ✅ Prevents via signature | ⚠️ Relies on client auth |
| Token Theft | N/A (no tokens) | ✅ DPoP/mTLS binding |
| Capability Escalation | N/A (no capabilities) | ✅ Server-enforced |
| Automated Abuse | ⚠️ Binary on/off | ✅ Rate limits + caps |
| Replay Attacks | ✅ Short expiry (~1 min) | ✅ Token expiration + nonce |
| Delegation Abuse | N/A (no delegation) | ✅ Depth limits + reduction |
| Purpose Drift | N/A (no purpose) | ✅ Task binding validation |
Standards and Ecosystem
Web Bot Auth
Standards:
- IETF Draft: HTTP Message Signatures
- Uses: Ed25519 (RFC 8032)
Ecosystem:
- Vendor: Cloudflare
- Adopters: Google, Bing, monitoring services
- Integration: Verified Bots Program
Status:
Active IETF drafts, production at Cloudflare
AAP
Standards:
- IETF Draft: draft-aap-oauth-profile-01
- Extends: OAuth 2.0 (RFC 6749), JWT (RFC 7519)
- Uses: Token Exchange (RFC 8693), DPoP (RFC 9449)
Ecosystem:
- Community: Open spec, vendor-neutral
- Reference Impl: Python AS/RS (~1,800 LOC)
- Test Vectors: 80+ conformance tests
- Schemas: 9 formal validation schemas
Status:
Internet-Draft (draft-01), targeting RFC via OAuth WG
Frequently Asked Questions
Can I use AAP without Web Bot Auth?
Yes. AAP is OAuth 2.0-based and works with any standard client authentication: client credentials, mTLS, DPoP, or SPIFFE/SVID workload identity. You don't need Web Bot Auth for AAP to function.
Can I use Web Bot Auth without AAP?
Yes. Web Bot Auth is standalone. It just proves bot identity, not permissions. You handle authorization separately (API keys, OAuth scopes, etc.).
Does AAP require OAuth 2.0?
Yes. AAP is an OAuth 2.0 profile. It extends standard OAuth tokens with additional claims. You need an OAuth-compatible Authorization Server.
Can AAP tokens be used with Web Bot Auth signatures?
Yes! This is the recommended secure approach. Sign the request including the Authorization header with the AAP token. The signature covers both the endpoint and the token, preventing token theft, replay, and modification.
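The per-request signing described under "Web Bot Auth: I Am Agent X" and the combined approach in this answer, as an added example (not code from this page, Cloudflare, or the AAP project). It builds a simplified signature base in the style of HTTP Message Signatures covering `@authority` and `authorization`; the key pair and bearer token are constructed sample values, and a real verifier would parse the components and parameters from the `Signature-Input` header instead of taking them as an object.

```javascript
const nodeCrypto = require("node:crypto");

// Build the signed string: one line per covered component, then the parameters line.
function signatureBase(req, components, params) {
  const lines = components.map((name) => {
    const value = name === "@authority" ? req.headers.host : req.headers[name];
    if (value === undefined) throw new Error(`missing covered component ${name}`);
    return `"${name}": ${value}`;
  });
  const list = components.map((name) => `"${name}"`).join(" ");
  lines.push(`"@signature-params": (${list});created=${params.created}` +
    `;expires=${params.expires};keyid="${params.keyid}"`);
  return lines.join("\n");
}

// Agent side: cover both the target authority and the Authorization header.
function signRequest(req, privateKey, params) {
  const components = ["@authority", "authorization"];
  const base = Buffer.from(signatureBase(req, components, params));
  const signature = nodeCrypto.sign(null, base, privateKey).toString("base64");
  return { components, params, signature };
}

// Server side: returns "ok" or the reason the request is rejected.
function verifyRequest(req, sig, publicKey, nowSec) {
  if (!sig.components.includes("authorization")) return "token not covered by signature";
  if (nowSec < sig.params.created || nowSec > sig.params.expires) return "outside validity window";
  let base;
  try {
    base = Buffer.from(signatureBase(req, sig.components, sig.params));
  } catch (err) {
    return err.message;
  }
  const valid = nodeCrypto.verify(null, base, publicKey, Buffer.from(sig.signature, "base64"));
  return valid ? "ok" : "signature mismatch";
}

// Constructed sample data: a throwaway key pair and a placeholder bearer token.
const agentKeys = nodeCrypto.generateKeyPairSync("ed25519");
const sigParams = { created: 1704067200, expires: 1704067260, keyid: "2024-key" };
const signedReq = { headers: { host: "api.example.com", authorization: "Bearer aap-token-A" } };
const sig = signRequest(signedReq, agentKeys.privateKey, sigParams);
console.log(verifyRequest(signedReq, sig, agentKeys.publicKey, 1704067230));
```

Because the token is a covered component, the same signature fails verification when it is attached to a different token or host, and a token presented under a signature from any other key is rejected.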
Which is more mature?
Web Bot Auth: Production deployment at Cloudflare, active IETF drafts, growing ecosystem. AAP: Internet-Draft (draft-01), reference implementation available, test vectors published, targeting RFC. Both are evolving standards.
Conclusion
Web Bot Auth and AAP solve different problems in the agent security stack:
Web Bot Auth
Authentication ("Who are you?")
AAP
Authorization ("What can you do?")
They are complementary technologies that work together to provide:
- Cryptographic identity verification (Web Bot Auth)
- Granular permission control (AAP)
- Audit and compliance (both)
For maximum security, use both:
- Web Bot Auth prevents impersonation
- AAP enforces business constraints
- Together they provide defense in depth
Choose based on your deployment context:
Public edge protection → Web Bot Auth priority
Internal API authorization → AAP priority
High-security agent systems → Both