| title | Web Bot Auth |
|---|---|
| description | Cryptographically sign browser requests with Web Bot Auth |
Web Bot Auth is quickly becoming the standard way for agents to establish identity. That's why we've partnered with Vercel and Cloudflare to support Web Bot Auth on Kernel.
You can now cryptographically sign browser requests, so your agents can prove who they are to services like Vercel.
Web Bot Auth works via a Chrome extension that intercepts all outgoing HTTP requests and adds cryptographic signature headers:
Signature: The RFC 9421 signature of the requestSignature-Input: Metadata about how the signature was createdSignature-Agent: URL that points to your key directory
Platforms like Vercel or other hosting providers can verify these signatures against your public key, confirming that the request came from your authenticated agent.
The fastest way to get started is using a test key, which works with this test verification site.
Use the Kernel CLI to build the Web Bot Auth extension:
kernel extensions build-web-bot-auth --to ./web-bot-auth-ext --upload my-web-bot-auth
```typescript TypeScript
import { Kernel } from "@onkernel/sdk";
import { chromium } from "playwright";
const kernel = new Kernel();
// Create browser with web-bot-auth extension
const browser = await kernel.browsers.create({
extensions: [{ name: "my-web-bot-auth" }],
});
// Connect via Playwright
const pw = await chromium.connectOverCDP(browser.browser_url);
const context = pw.contexts()[0];
const page = context?.pages()[0] || await context.newPage();
// Navigate to a page - requests will be automatically signed
await page.goto("https://http-message-signatures-example.research.cloudflare.com/");
from kernel import Kernel
from playwright.sync_api import sync_playwright
kernel = Kernel()
# Create browser with web-bot-auth extension
browser = kernel.browsers.create(extensions=[{"name": "my-web-bot-auth"}])
# Connect via Playwright
with sync_playwright() as p:
pw = p.chromium.connect_over_cdp(browser.browser_url)
context = pw.contexts[0]
page = context.pages[0] if context.pages else context.new_page()
# Navigate to a page - requests will be automatically signed
page.goto("https://http-message-signatures-example.research.cloudflare.com/")Navigate to the test site to verify your signatures are being accepted:
This site validates requests signed with the RFC9421 test key and shows whether the signature was verified successfully.
For production use, you'll want to use your own signing keys instead of the test key.
Create a JWK file with your Ed25519 private key. The key must include both the public (x) and private (d) components:
{
"kty": "OKP",
"crv": "Ed25519",
"x": "YOUR_PUBLIC_KEY_BASE64URL",
"d": "YOUR_PRIVATE_KEY_BASE64URL"
}For websites to verify your signatures, you need to host your public key at a well-known URL. Create a key directory at:
https://yourdomain.com/.well-known/http-message-signatures-directory
The directory should contain your public keys in JWKS format:
{
"keys": [
{
"kty": "OKP",
"crv": "Ed25519",
"x": "YOUR_PUBLIC_KEY_BASE64URL",
"kid": "YOUR_KEY_ID"
}
],
"purpose": "your-bot-purpose"
}kernel extensions build-web-bot-auth \
--to ./web-bot-auth-ext \
--key ./my-key.jwk \
--url https://yourdomain.com/.well-known/http-message-signatures-directory \
--upload my-web-bot-authIf you want Vercel-protected sites to recognize your agent, you can register your key directory with Vercel. Kernel is officially listed in the Vercel directory.