Bot Registration

Not everything on the web is run by humans. Crawlers, monitoring services, price trackers, feed aggregators and more are all legitimate uses of the web. Sigil recognizes that.

If you operate a bot or automated service with a web presence, you can register it with Sigil using a PGP key. This gives your bot an anchored identity that it can use across the internet.

The process is simpler than the human flow because there’s no WebAuthn involved. You’re not trying to prove a human is present; you’re openly declaring that this is an automated system.

Why bother?

A bot that declares itself is better than one that pretends to be human.

Sigil lets you use your PGP key as a stable identity for your agent, which greatly simplifies cross-agent communication across the web. Users can verify that the bot is operated by the same entity over time, and it builds trust with users who can see that your bot is verified and not trying to masquerade as a human.

How it works

Instead of a human-proof.json, bots publish a bot-manifest.json at:

https://yourdomain.com/.well-known/bot-manifest.json

This file contains metadata about the bot and a GPG signature over that metadata.

The manifest format

{
  "domain": "example.com",
  "bot": {
    "name": "MyLegitScraper",
    "version": "1.2.3",
    "operator": "me@company.com",
    "purpose": "price monitoring",
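    "crawlRate": "1",
    "userAgent": "MyBot/1.2.3",
    "gpgFingerprint": "ABC123..."
  },
  "signature": "<gpg_signature_over_bot_object>"
}

crawlRate is the average number of requests per second. JSON does not allow comments, so keep annotations like this out of the published file.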

Signing the manifest

The signature field is a GPG signature over the stringified bot object. To create it:

  1. Create the bot object with all your fields
  2. Serialize it to JSON (keys sorted alphabetically for determinism)
  3. Sign the serialized JSON with your GPG private key
  4. Put the armored signature in the signature field

Verification

When a visitor hits a domain that has a bot manifest instead of a human proof, the extension:

  1. Fetches bot-manifest.json
  2. Reads the bot.gpgFingerprint and fetches the corresponding public key
  3. Verifies the signature over the bot object
  4. If valid, assigns a trust score of 100 with a “Verified Agent” label
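
The signing steps and the verification steps above depend on both sides producing the same bytes and on the signature coming from the key the manifest names. The sketch below is an added example, not Sigil's own code. It assumes compact separators, UTF-8 and a detached armored signature (the page specifies only sorted keys); the function names and sample values are hypothetical.

```python
import json
import subprocess
import tempfile

# Constructed sample values, not a real key or real gpg output.
FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
SAMPLE_STATUS = f"[GNUPG:] VALIDSIG {FPR} 2024-01-01 1704067200 0 4 0 1 8 00 {FPR}\n"

def canonical_bot_bytes(bot: dict) -> bytes:
    # Sorted keys come from the page; compact separators and UTF-8 are
    # assumptions made here so the output is byte-for-byte reproducible.
    return json.dumps(bot, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def normalize_fpr(fpr: str) -> str:
    return fpr.replace(" ", "").upper()

def sign_bot(bot: dict, gpg: str = "gpg") -> str:
    """Armored detached signature made with the key named in the bot object."""
    cmd = [gpg, "--batch", "--armor", "--local-user", bot["gpgFingerprint"],
           "--detach-sign"]
    proc = subprocess.run(cmd, input=canonical_bot_bytes(bot),
                          capture_output=True, check=True)
    return proc.stdout.decode()

def validsig_fingerprints(status: str) -> set:
    """Fingerprints from gpg's --status-fd VALIDSIG lines."""
    found = set()
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            found.add(normalize_fpr(parts[2]))        # key that made the signature
            if len(parts) >= 12:
                found.add(normalize_fpr(parts[11]))   # its primary key
    return found

def signed_by_declared_key(bot: dict, status: str) -> bool:
    """A valid signature from some other key in the keyring must not pass."""
    return normalize_fpr(bot["gpgFingerprint"]) in validsig_fingerprints(status)

def verify_manifest(manifest: dict, gpg: str = "gpg") -> bool:
    """Check the detached signature; the public key must already be imported."""
    with tempfile.NamedTemporaryFile("w", suffix=".asc") as sig:
        sig.write(manifest["signature"])
        sig.flush()
        proc = subprocess.run(
            [gpg, "--batch", "--status-fd", "1", "--verify", sig.name, "-"],
            input=canonical_bot_bytes(manifest["bot"]), capture_output=True)
    return proc.returncode == 0 and signed_by_declared_key(
        manifest["bot"], proc.stdout.decode())
```

Comparing the VALIDSIG fingerprint with bot.gpgFingerprint matters because gpg's exit code alone only says that some key in the local keyring produced a good signature.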

The extension shows bot domains differently. Instead of the green “Verified Human” badge, you’ll see a blue “Verified Agent” badge with the bot’s name displayed.