Generate an Ed25519 keypair for your agent; store the private key securely (e.g., in a secrets manager) and publish the public key in a well-known key directory URL that Cloudflare and site operators can fetch.
Register your agent with Cloudflare's bot registry by submitting the public key directory URL and agent metadata (name, purpose, contact); the registry is consulted by edge nodes to resolve agent identity.
For every crawl request, add three HTTP headers: Signature-Agent (your agent's registered identity URI), Signature-Input (canonicalized request fields being signed), and Signature (the Ed25519 signature over the canonicalized input).
Use the cloudflare/web-bot-auth open-source library (github.com/cloudflare/web-bot-auth) to handle header construction and signing; it wraps the IETF HTTP message signatures draft.
Test your signed requests against Cloudflare's echo endpoint before hitting live sites; confirm the edge correctly resolves your agent identity before proceeding to pay-per-crawl flows.
Known gotchas
Web Bot Auth relies on two active IETF drafts (directory draft + protocol draft) that are undergoing standardization; minor breaking changes are possible before the specs reach RFC status.
Key rotation requires updating your published key directory and notifying Cloudflare's registry; there is currently no automated propagation mechanism — plan for up to an hour of propagation lag after a key rotation.
Visa TAP and Mastercard Agent Pay both use Web Bot Auth as their authentication foundation; if your agent will transact with those networks, the same Ed25519 keypair can serve all three systems.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp