
Web Bot Auth

Also known as: Bot Authentication, Agent Authentication, HTTP Message Signatures, RFC 9421

  • platform
  • security
  • authentication
  • agents
  • glossary

Definition

Web Bot Auth is the IOF standard for authenticating AI agents, automated bots, and inter-service calls on the Islamic Open Finance™ platform. It is built on RFC 9421 (HTTP Message Signatures), which provides a cryptographic signing mechanism for HTTP request components (method, path, headers, body digest). Each IOF agent or bot identity is issued a key pair; the public key is published in a JWKS (JSON Web Key Set) endpoint hosted at a well-known URL, enabling any verifier to validate the signature without central coordination. The bot trust registry maps agent identities to their permitted rails and actions, enforced by Cerbos ABAC policies. This ensures agent-to-agent calls are authenticated, non-repudiable, and auditable — satisfying SOC 2 Type II control requirements for automated access and the EU AI Act's transparency obligations for GPAI systems.
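The following Go program is an added illustration of the mechanism the definition describes; it is not IOF platform code, and the key id `agent-key-1`, the authority `api.example.test`, the path `/v1/payments`, the fixed covered-component set and the 300-second acceptance window are all constructed for the example. It shows the RFC 9421 pieces end to end: the signer computes an RFC 9530 `Content-Digest` for the body, builds the signature base (one `"name": value` line per covered component plus the `@signature-params` line), signs it with Ed25519, and emits `Signature-Input` and `Signature`. The verifier looks the `keyid` up in the published JWKS (an RFC 8037 OKP key), recomputes the same base, and checks the signature, the body digest and the `created` timestamp. Header names are assumed to be stored lower-case.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

type JWK struct{ Kty, Crv, Kid, X string } // RFC 8037 OKP key; X is the base64url raw public key
type JWKS struct{ Keys []JWK }             // the document served from the well-known URL

// Request is a minimal request model; header names are stored lower-case.
type Request struct {
	Method, Authority, Path string
	Headers                 map[string]string
	Body                    []byte
}

// covered is the component set this verifier requires every bot signature to include;
// coveredList is its RFC 8941 inner-list form used in @signature-params.
var covered = []string{"@method", "@authority", "@path", "content-digest"}

func coveredList() string { return `("` + strings.Join(covered, `" "`) + `")` }

// contentDigest builds an RFC 9530 Content-Digest value so the body can be covered.
func contentDigest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha-256=:" + base64.StdEncoding.EncodeToString(sum[:]) + ":"
}

// signatureBase builds the exact string that is signed (RFC 9421 section 2.5): one
// `"name": value` line per covered component, then the @signature-params line.
func signatureBase(r Request, params string) string {
	values := map[string]string{"@method": r.Method, "@authority": r.Authority, "@path": r.Path}
	for k, v := range r.Headers {
		values[k] = v
	}
	var lines []string
	for _, c := range covered {
		lines = append(lines, fmt.Sprintf(`"%s": %s`, c, values[c]))
	}
	return strings.Join(append(lines, `"@signature-params": `+params), "\n")
}

// param extracts one ;name=value parameter from Signature-Input, stripping quotes.
func param(params, name string) string {
	_, rest, _ := strings.Cut(params, ";"+name+"=")
	return strings.Trim(strings.SplitN(rest, ";", 2)[0], `"`)
}

// Sign adds Content-Digest, then Signature-Input and Signature under label sig1.
func Sign(r *Request, priv ed25519.PrivateKey, keyid string, created int64) {
	r.Headers["content-digest"] = contentDigest(r.Body)
	params := fmt.Sprintf(`%s;created=%d;keyid="%s";alg="ed25519"`, coveredList(), created, keyid)
	sig := ed25519.Sign(priv, []byte(signatureBase(*r, params)))
	r.Headers["signature-input"] = "sig1=" + params
	r.Headers["signature"] = "sig1=:" + base64.StdEncoding.EncodeToString(sig) + ":"
}

// Verify checks sig1 against the JWKS: the required components must be covered (so the body
// is bound through its digest), created must lie within maxAge seconds of now to bound replay,
// and the key is selected by keyid from the published JWKS, never from the request itself.
func Verify(r Request, jwks JWKS, now, maxAge int64) error {
	params := strings.TrimPrefix(r.Headers["signature-input"], "sig1=")
	if !strings.HasPrefix(params, coveredList()+";") || r.Headers["content-digest"] != contentDigest(r.Body) {
		return errors.New("required components not covered or digest mismatch")
	}
	var created int64
	if _, err := fmt.Sscan(param(params, "created"), &created); err != nil || created > now || now-created > maxAge {
		return errors.New("signature outside acceptance window")
	}
	var pub ed25519.PublicKey
	for _, k := range jwks.Keys {
		raw, err := base64.RawURLEncoding.DecodeString(k.X)
		if k.Kid == param(params, "keyid") && k.Kty == "OKP" && k.Crv == "Ed25519" && err == nil && len(raw) == ed25519.PublicKeySize {
			pub = raw
		}
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(r.Headers["signature"], "sig1=:"), ":"))
	if pub == nil || err != nil || !ed25519.Verify(pub, []byte(signatureBase(r, params)), sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	jwks := JWKS{Keys: []JWK{{Kty: "OKP", Crv: "Ed25519", Kid: "agent-key-1", X: base64.RawURLEncoding.EncodeToString(pub)}}}
	req := Request{Method: "POST", Authority: "api.example.test", Path: "/v1/payments", Headers: map[string]string{}, Body: []byte(`{"amount":"10.00"}`)}
	Sign(&req, priv, "agent-key-1", 1700000000)
	fmt.Println(req.Headers["signature-input"], "\nverify:", Verify(req, jwks, 1700000010, 300))
	req.Body = []byte(`{"amount":"99.00"}`) // tampered in transit: digest no longer matches
	fmt.Println("tampered:", Verify(req, jwks, 1700000010, 300))
}
```

Two design choices matter for a verifier like this. First, it requires a fixed covered set rather than trusting whatever list the request's `Signature-Input` names: a signature that omits `content-digest` would verify correctly yet leave the body unbound, and one that omits `@path` would be valid for any endpoint. Second, the `created` window is checked before any key lookup, so a captured request stops being replayable after the window closes; a production verifier would also cache the JWKS by `kid` and hand the verified identity to the policy layer (the page's bot trust registry and Cerbos ABAC) for the authorisation decision, which this example does not model.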

ID: web-bot-auth
Status: active
Version: 1.0.0
Effective: 2025-01-01