OpenBotAuth – AI Crawler Access Control

OpenBotAuth helps publishers control automated access from AI crawlers and agents. It verifies requests using RFC 9421 HTTP Message Signatures (via a configurable verifier) and applies per-site or per-post policies like allow, deny, teaser previews, and 402 payment-required responses. It also publishes AI-friendly endpoints like llms.txt, a JSON feed, and per-post Markdown.

Instead of blocking all bots or allowing unrestricted access, you can:

• See AI bot traffic – Local-only analytics showing which bots are crawling your site
• Verify bot identity using cryptographic signatures (RFC 9421)
• Show teasers to unverified bots (first N words)
• Rate limit bot access per agent
• Whitelist/blacklist specific bots

Key Features

• Bot Traffic Analytics – See which AI bots (GPTBot, ClaudeBot, PerplexityBot, etc.) are visiting your site
• Signature Verification – Verifies RFC 9421 HTTP Message Signatures using Ed25519 cryptography
• Content Teasers – Show first N words to unverified bots with customizable per-post settings
• Rate Limiting – Per-agent rate limits with configurable time windows
• Access Control – Whitelist/blacklist with wildcard pattern matching
• Local Analytics – Visual dashboard with charts, stats cards, and decision breakdowns (no external tracking)
• AI-Ready Endpoints – Serve llms.txt, JSON feed, and markdown for AI crawlers
• Tabbed Admin Interface – Clean organization with Analytics, AI Endpoints, and Configuration tabs

AI-Ready Endpoints

OpenBotAuth provides machine-readable endpoints for AI systems:

• /llms.txt – Standardized AI feed discovery (also at /.well-known/llms.txt)
• /.well-known/openbotauth-feed.json – JSON list of all published posts
• /.well-known/openbotauth/posts/{ID}.md – Per-post markdown content

Configure which post types to include (posts, pages, or custom types) and set the feed limit (up to 500 items). All data is served locally from your WordPress database. No external tracking or telemetry. Only published, non-password-protected posts are exposed.

How It Works

1. AI agent signs HTTP request with its private key (RFC 9421 signature)
2. WordPress plugin extracts signature headers and sends them to a verifier service
3. Verifier fetches agent’s public key from registry and verifies signature
4. Plugin applies policy: allow full content, show teaser, require payment, or deny

External Service Disclosure

This plugin connects to an external verifier service. When a signed bot request is received, the plugin sends the following data to your configured verifier URL via wp_remote_post:

• HTTP method (GET, POST, etc.)
• The accessed URL (including query string, if present)
• HTTP signature headers (Signature, Signature-Input, Signature-Agent)
• Additional HTTP header values explicitly listed in the Signature-Input header (e.g., content-type, accept, user-agent)

Privacy protection: Sensitive headers (cookies, authorization, proxy-authorization, www-authenticate) are NEVER forwarded, even if present in the request. If a bot’s signature covers a sensitive header, verification will fail with a clear error.

No WordPress user accounts or personal data is transmitted. Only the headers explicitly covered by the bot’s signature are forwarded to enable cryptographic verification. Note that the URL may include query parameters depending on your site’s structure.

You can:
* Use the hosted verifier at https://verifier.openbotauth.org/verify
* Self-host the verifier service (see documentation)
* The verifier service may log requests server-side depending on your configuration

Analytics are local-only. Decision counts (allow/teaser/deny/pay/rate_limit) and bot traffic observations (User-Agent based) are stored in your WordPress database. No analytics data is sent to external servers.

For more information, please review our Terms of Service and Privacy Policy.

Developer Hooks

Filters

openbotauth_policy
Modify policy before applying:

add_filter('openbotauth_policy', function($policy, $post) {
    if ($post->post_type === 'premium') {
        $policy['price_cents'] = 1000;
    }
    return $policy;
}, 10, 2);

Actions

openbotauth_verified
Triggered when a bot is verified:

add_action('openbotauth_verified', function($agent, $post) {
    error_log("Bot {$agent['jwks_url']} accessed post {$post->ID}");
}, 10, 2);

openbotauth_payment_required
Triggered when 402 is returned:

add_action('openbotauth_payment_required', function($agent, $post, $price) {
    // Track payment requests
}, 10, 3);

AI Endpoint Filters (v0.1.2+)

openbotauth_should_serve_llms_txt
Disable llms.txt endpoint (e.g., when using Yoast):

add_filter('openbotauth_should_serve_llms_txt', '__return_false');

openbotauth_should_serve_feed
Disable JSON feed endpoint:

add_filter('openbotauth_should_serve_feed', '__return_false');

openbotauth_should_serve_markdown
Disable markdown endpoints:

add_filter('openbotauth_should_serve_markdown', '__return_false');

openbotauth_feed_item
Modify feed items:

add_filter('openbotauth_feed_item', function($item, $post) {
    $item['custom_field'] = get_post_meta($post->ID, 'my_field', true);
    return $item;
}, 10, 2);

openbotauth_markdown_content
Post-process markdown output:

add_filter('openbotauth_markdown_content', function($markdown, $post) {
    return $markdown . "\n\n---\nCopyright notice here";
}, 10, 2);