AgentPKI

For site operators

Honest bots through. Scalpers out.

It's tour-announcement morning. 100,000 visitors hit your marketplace. 80% of them are bots. Some are real fans' shopping assistants (you want them). Some are scalper farms with rotating IPs (you don't). Your bot defender treats them the same and blocks both — real fans get angry, scalpers eventually break through anyway.

AgentPKI Intent is the positive signal your bot defender doesn't have today. Bots arrive with declared intent. You publish a policy saying what you accept. The verifier does the matching at the edge in milliseconds.

Two ways the ticket drop goes.

Same marketplace, same Black-Friday-scale bot traffic, two configurations.

Today — heuristic-only defense

  • Cloudflare/Akamai sees 80k bot requests in 5 minutes
  • It blocks all of them. False positive rate ~30%.
  • Real fans whose shopping assistants tried to help get bounced
  • Scalper farms with residential-IP rotation get through anyway after 50ms latency
  • Checkout completes for 4,000 buyers — half of them resellers
  • Negative press the next day: "marketplace blocked real customers"

The heuristic can't tell good from bad, so it blocks everyone. The scalpers still win.

With AgentPKI Intent policy

  • Marketplace publishes /.well-known/agentpki-intent-policy.json: accept `purchase` at 10 rpm, deny `automate-account`, `evade-rate-limit`, `manipulate-rank`
  • Honest shopping assistants present their AgentPKI passport declaring intent `purchase`
  • Verifier checks policy in 50ms, allows them through
  • Scalper farms either decline to present a passport (denied — `unspecified`) or declare a denied intent (denied directly)
  • Real fans complete checkout at normal speed; scalpers can't get past the verifier
  • Audit log records every declaration for after-the-fact dispute resolution

The site finally has a positive signal. Honest bots get through, adversarial bots don't.

Three steps for a site.

AgentPKI Intent plugs into your existing bot defense (Cloudflare, Akamai, HUMAN, DataDome) as an additional positive signal. Doesn't replace anything. Just adds clarity on the bots that bothered to identify.

1

Build your policy

Decide which intents you accept (purchase, monitor, read-public), throttle (extract-train), and deny (scrape-bulk, manipulate-rank). Use the visual /policy-builder or write the JSON by hand.

2

Publish at well-known URL

Drop your policy JSON at /.well-known/agentpki-intent-policy.json. Public, cacheable, no auth, no infrastructure. The verifier reads it on demand.

3

Check intent_match in your stack

On each request, your edge code calls verify.agentpki.dev with the agent's passport and your site as intent_check.site. Verdict comes back in ~50ms with intent_match.overall.

Hands-on

Build your policy in 60 seconds.

Click through the intent vocabulary, decide accept/throttle/deny on each, get back a copyable JSON file. Drop it at your well-known URL. Then watch a verify call against it via the audit log.

Open Policy Builder Watch the live audit log Read the spec

Who we want to work with first.

Talk to Founder

Personal reply from Founder within 48 hours. Tell us a bit about you — what you're building, what you'd want from AgentPKI, anything you want to push back on.

By submitting, you agree we can email you back. We don't share leads, ever.