For site operators

Honest bots through. Scalpers out.

It's tour-announcement morning. 100,000 visitors hit your marketplace. 80% of them are bots. Some are real fans' shopping assistants (you want them). Some are scalper farms with rotating IPs (you don't). Your bot defender treats them the same and blocks both — real fans get angry, scalpers eventually break through anyway.

AgentPKI Intent is the positive signal your bot defender doesn't have today. Bots arrive with declared intent. You publish a policy saying what you accept. The verifier does the matching at the edge in milliseconds.

What this looks like at your edge

Five steps from an incoming request to a routing decision. The gold-bordered box is the AgentPKI Verifier API — that's the billed surface for sites; the chips below show that "your policy" fans out to four distinct actions.

🛡️
You run a site or platform. Roughly half your traffic today is bots — a mix of legitimate shopping assistants, search crawlers, and adversarial scrapers / scalpers. AgentPKI gives you a cryptographic positive signal for the legitimate ones plus a declared intent claim. Your policy decides what gets through.
🤖 Incoming agent AgentPKI-Token RFC 9421 signature intent: scrape-bulk 🛡️ Your edge Worker / nginx Express / Fastify 5 lines of code 🔐 Verifier verify.agentpki.dev intent_match abuse_score Verifier · $49–$499/mo 📋 Your policy your code your rules fans out below 1. extract token 2. verify + enrich 3. apply policy
allow → upstream throttle → bucket captcha challenge deny → 403
Step 0 of 5
Ready to start.
Click Play for the passive walkthrough, or Step through manually.

Two ways the ticket drop goes.

Same marketplace, same Black-Friday-scale bot traffic, two configurations.

Today — heuristic-only defense

  • Cloudflare/Akamai sees 80k bot requests in 5 minutes
  • It blocks all of them. False positive rate ~30%.
  • Real fans whose shopping assistants tried to help get bounced
  • Scalper farms with residential-IP rotation get through anyway after 50ms latency
  • Checkout completes for 4,000 buyers — half of them resellers
  • Negative press the next day: "marketplace blocked real customers"

The heuristic can't tell good from bad, so it blocks everyone. The scalpers still win.

With AgentPKI Intent policy

  • Marketplace publishes /.well-known/agentpki-intent-policy.json: accept `purchase` at 10 rpm, deny `automate-account`, `evade-rate-limit`, `manipulate-rank`
  • Honest shopping assistants present their AgentPKI passport declaring intent `purchase`
  • Verifier checks policy in 50ms, allows them through
  • Scalper farms either decline to present a passport (denied — `unspecified`) or declare a denied intent (denied directly)
  • Real fans complete checkout at normal speed; scalpers can't get past the verifier
  • Audit log records every declaration for after-the-fact dispute resolution

The site finally has a positive signal. Honest bots get through, adversarial bots don't.

Three steps for a site.

AgentPKI Intent plugs into your existing bot defense (Cloudflare, Akamai, HUMAN, DataDome) as an additional positive signal. Doesn't replace anything. Just adds clarity on the bots that bothered to identify.

1

Build your policy

Decide which intents you accept (purchase, monitor, read-public), throttle (extract-train), and deny (scrape-bulk, manipulate-rank). Use the visual /policy-builder or write the JSON by hand.

2

Publish at well-known URL

Drop your policy JSON at /.well-known/agentpki-intent-policy.json. Public, cacheable, no auth, no infrastructure. The verifier reads it on demand.

3

Check intent_match in your stack

On each request, your edge code calls verify.agentpki.dev with the agent's passport and your site as intent_check.site. Verdict comes back in ~50ms with intent_match.overall.

Hands-on

Build your policy in 60 seconds.

Click through the intent vocabulary, decide accept/throttle/deny on each, get back a copyable JSON file. Drop it at your well-known URL. Then watch a verify call against it via the audit log.

Who we want to work with first.

Talk to Founder

Personal reply from Founder within 48 hours. Tell us a bit about you — what you're building, what you'd want from AgentPKI, anything you want to push back on.

By submitting, you agree we can email you back. We don't share leads, ever.