top | item 45057515

(no title)

jithinraj | 6 months ago

Web Bot Auth solves authentication (“who is this bot?”) but not authorization/usage control. We still need a machine-readable policy layer so sites can express “what this bot may do, under which terms” (purpose limits, retention, attribution, optional pricing) at a well-known path, robots.txt-like, but enforceable via signatures.

A practical flow:

1. Bot self-identifies (Web Bot Auth)

2. Fetch policy

3. Accept terms or negotiate (HTTP 402 exists)

4. Present a signed receipt proving consent/payment

5. Origin/CDN verifies receipt and grants access

That keeps things decentralized: identity is transport; policy stays with the site; receipts provide auditability, no single gatekeeper required. There’s ongoing work in this direction (e.g., PEAC using /.well-known/peac.txt) that aims to pair Web Bot Auth with site-controlled terms and verifiable receipts.

Disclosure: I work on PEAC, but the pattern applies regardless of implementation.

discuss

No comments yet.