bot_info field of the Server API response.
This lets you make precise access decisions: allow authorized agents, block unverified automation, or apply different logic based on agent category and provider.
How verification works
- The agent signs its HTTP requests using a private key.
- Fingerprint retrieves the agent’s public key from a directory hosted at a known URL.
- Fingerprint verifies the signature and returns an
identityvalue inbot_info.
identity value reflects the outcome of the verification:
| Value | Meaning |
|---|---|
signed | Signature verified against the agent’s public key directory |
verified | Signature verified, and the agent is operated exclusively by its vendor (not configurable by vendor customers) |
unknown | Agent recognized, but no verifiable identity was presented |
spoofed | Agent presented an identity that failed verification |
API response
When Fingerprint detects a bot or agent, the Server API response includes the following fields:| Field | Type | Description |
|---|---|---|
bot | string | good, bad, or not_detected |
bot_type | string | Additional classification, e.g. ai_agent |
bot_info | object | Extended metadata for recognized agents and bots |
bot_info object contains:
| Field | Description |
|---|---|
category | Agent category, e.g. ai_agent, ai_browser, browser_automation (full list) |
provider | The organization that operates the agent, e.g. OpenAI or AWS |
name | Human-readable agent name, e.g. ChatGPT Agent |
identity | Verification status: signed, verified, unknown or spoofed |
bot_info is available in Server API v4 and only when Fingerprint recognizes the agent or bot. See the Server API reference for the full schema.
Supported AI agents
The following agents are currently detected and returnbot_info metadata:
| Name | Provider | Category | Identity |
|---|---|---|---|
| ChatGPT Agent | OpenAI | ai_agent | signed |
| Bedrock AgentCore | AWS | ai_agent | signed |
| Browserbase Agent | Browserbase | ai_agent | signed |
| Manus Agent | Manus | ai_agent | signed |
| AGI Agent | AGI Inc | ai_agent | signed |
| Anchor Browser | Anchor | ai_browser | signed |
Using detection results
Thebot field (good, bad, not_detected) is a legacy signal. For AI agents
and other recognized bots, use bot_info.identity instead, as it provides more
precise, actionable information.
Note that identity is only available for well-known bots and agents in the
Bot Directory. Some generic browser
automation tools (Selenium, Playwright, headless Chrome, etc.) will not have a
bot_info entry and should be handled using the bot: bad signal.
| Scenario | Suggested action |
|---|---|
bot_info.identity: verified | Allow: agent identity is confirmed and safety verified |
bot_info.identity: signed | Allow: agent identity is cryptographically verified |
bot_info.identity: unknown | Apply custom logic: agent is recognized but unverified |
bot_info.identity: spoofed | Review: verification failed, which may indicate misconfiguration or malicious spoofing |
bot is bad, no bot_info (legacy) | Review or Block: unrecognized and potentially malicious automation |
Next steps
Bot Directory
Full list of detectable bots and agents
Web Bot Auth implementation
Cryptographically sign your agent to verify identity
Submit your agent to Fingerprint directory
Subimt your agent or bot to the Fingerprint Bot Directory