← Back to Blog

Cloudflare and GoDaddy Made AI Agent Identity a Web Standard on April 7

On April 7, 2026, Cloudflare and GoDaddy announced a partnership to make AI agent identity a verifiable web standard through Agent Name Service (ANS) and Web Bot Auth. ANS uses DNS and PKI to give AI agents verifiable identities. Web Bot Auth uses cryptographic HTTP signatures to authenticate agent traffic. WooCommerce stores that can’t distinguish a legitimate ChatGPT Shopping agent from an anonymous scraper lose control over their product data — and their visibility in the AI commerce layer that now drives an estimated 8-12% of e-commerce site visits.

What Happened on April 7, 2026

Two infrastructure companies decided that AI agents need identity papers — and the web needs to check them.

On April 7, 2026, Cloudflare and GoDaddy announced a strategic partnership to bring identity, trust, and access control to AI agent traffic on the open web. The partnership has two components: integrating Cloudflare’s AI Crawl Control into GoDaddy’s hosting platform, and jointly supporting open standards for verifying AI agent identities.

The announcement isn’t a product launch. It’s an infrastructure declaration. The two companies are saying, publicly, that the web needs standardised ways to verify who operates an AI agent and what that agent is allowed to do — and they’re building the enforcement layer.

This matters because the web is shifting from a network designed for humans browsing pages to one where AI agents act on behalf of humans. Those agents are already crawling product pages, pulling pricing data, reading schema markup, and recommending products to real shoppers. But most website owners — including the majority of WooCommerce store operators — have no way to tell which agents are visiting, what they’re doing, or whether they’re legitimate.

You may be interested in: Your WooCommerce Store Is Blocking AI Shopping Agents Without Knowing It

Agent Name Service: DNS for Bots

The same infrastructure that gives websites addressable names now gives AI agents verifiable identities.

Agent Name Service is a global open standard introduced by GoDaddy that uses DNS and public key infrastructure to assign verifiable identities to AI agents. Think of it as the domain name system for bots. Just as a domain name resolves to a verified server, an ANS entry resolves to a verified agent operator.

The standard provides three functions: naming (a consistent identifier for each agent), verification (cryptographic proof that the agent is who it claims to be), and discovery (a way for website owners to look up what an agent is authorised to do). All three are built on existing DNS and PKI infrastructure — no new protocols, no proprietary systems, no single point of failure.

Before ANS, the only way to identify an AI agent was through its user-agent string — a text label that any bot can fake. A scraper could claim to be GPTBot. A malicious crawler could impersonate ClaudeBot. Website owners had no cryptographic way to verify the claim. ANS closes that gap by moving agent identity from a self-declared text string to a DNS-verified, PKI-authenticated record.

Agent Name Service is a global open standard using DNS and PKI that enables website owners to distinguish legitimate AI agents from unidentified or malicious impersonators on the open web.

Web Bot Auth: Cryptographic Request Verification

ANS tells you who the agent is. Web Bot Auth tells you whether this specific request is really from them.

Cloudflare introduced Web Bot Auth in 2025 as a method for verifying bot traffic using HTTP message signatures. Where ANS verifies the agent’s identity at the DNS level, Web Bot Auth verifies each individual request at the HTTP level. Together they form two layers: identity verification and request authentication.

Web Bot Auth works by requiring agents to sign their HTTP requests with a cryptographic key tied to their verified identity. When a signed request arrives at a website, the server can check the signature against the agent’s published public key. If the signature matches, the request is authenticated. If it doesn’t — or if there’s no signature at all — the server knows the request is either unverified or forged.

Cloudflare also introduced the Signature Agent Card, which lets agent developers transparently share their agent’s identity and purpose. The card is a machine-readable declaration: this is who I am, this is what I do, and here’s my cryptographic proof. For website owners, this creates the first standardised way to make access decisions based on verified identity rather than guesswork about user-agent strings.

Why Agent Identity Matters for E-Commerce

The agent visiting your product page might be a paying customer’s shopping assistant — or a competitor’s price scraper.

An AI shopping agent from ChatGPT that reads your product schema, checks your pricing, and recommends your product to a buyer is a revenue channel. An anonymous scraper that copies your product descriptions and feeds them to a competitor’s comparison engine is a threat. Without verified identity, both look the same in your server logs.

Standard analytics tools — including GA4 — filter AI agent traffic out as bot noise. They’re designed to count human visitors, not machine visitors. This means the fastest-growing traffic segment on your WooCommerce store is the one your analytics explicitly exclude from measurement.

The commerce implications are already measurable. Shopify reported AI-attributed orders up 11 times year-over-year after launching Agentic Storefronts in March 2026, with AI traffic up 393%. That traffic isn’t shoppers in browsers — it’s agents reading product feeds, checking inventory, and completing purchases on behalf of users. The stores that can identify and serve these agents get recommended. The ones that can’t are invisible to the fastest-growing purchase channel in e-commerce.

AI agents account for an estimated 8-12% of e-commerce site visits as of Q2 2026, and standard analytics tools filter this traffic out as bot noise rather than treating it as a potential revenue channel.

Shopify Already Moved: Rate Limits by Signature

Shopify didn’t wait for the standard to mature — it started enforcing agent verification on May 7, 2026.

On May 7, 2026, Shopify activated rate-limit tiers on its Storefront API and hosted pages based on Web Bot Auth signatures. Agents that sign their requests get the highest access tier. Agents that don’t sign get the strictest rate limits. Unsigned crawlers — including unsigned AI agents — get throttled.

The enforcement is simple and binary. Signed agent? Full catalog access. Unsigned agent? Throttled to the point where your products may not load in their responses. For a ChatGPT Shopping agent trying to check stock on 50 products, the difference between signed and unsigned access is the difference between recommending your store and skipping it.

This is the first time a major e-commerce platform has split “verified AI agent” from “anonymous bot traffic” at the platform level. It means Shopify stores automatically benefit from agent verification without any store-level configuration — the platform handles it. WooCommerce stores don’t have this layer. There’s no platform-level enforcement of agent identity, no automatic rate-limit tiers, and no built-in mechanism for distinguishing signed agents from unsigned ones.

You may be interested in: Your WooCommerce Store Has No llms.txt — AI Agents Are Guessing Your Catalog

The WooCommerce Gap

WordPress gives you the flexibility to build anything — but nobody’s built the AI agent verification layer yet.

As of June 2026, WooCommerce has no native support for Web Bot Auth or ANS. There’s no core function that checks agent signatures. There’s no built-in rate-limit tier system for AI traffic. There’s no dashboard showing which AI agents visited your store, what they accessed, or whether their identity was verified.

The only WooCommerce-level option emerging is server-log analysis and third-party plugins. Plugins like Tactical Agent Detection have appeared on WordPress.org, offering basic agent classification and session counting. But these are detection tools, not enforcement tools — they tell you which agents visited but don’t verify identity or control access.

For WooCommerce stores running behind Cloudflare, AI Crawl Control provides some of the enforcement layer — you can allow, block, or set conditions for AI crawlers at the CDN level. But AI Crawl Control is a Cloudflare feature, not a WooCommerce feature. Stores on other hosting providers or CDNs don’t have access to it.

The result is a widening platform gap. Shopify stores get automatic agent verification. WooCommerce stores get nothing unless they build the detection and enforcement layer themselves — at the server level, behind a CDN that supports it, or through a custom pipeline that classifies and responds to agent traffic in real time.

The Scale of AI Traffic You’re Not Measuring

Cloudflare sees 50 billion AI crawler requests per day. Your WooCommerce store is part of that traffic — you just can’t see it.

In March 2025, Cloudflare reported that AI crawlers were generating more than 50 billion requests per day across its network — roughly 1% of all web requests Cloudflare observed. By January 2026, Cloudflare’s analysis showed Googlebot reaching 1.70 times more unique URLs than ClaudeBot, 1.76 times more than GPTBot, and 167 times more than PerplexityBot.

The distribution is heavily skewed. A handful of AI crawlers — GPTBot, ClaudeBot, PerplexityBot, Googlebot’s AI components, and Meta-ExternalAgent — account for the overwhelming majority of AI traffic. The long tail includes dozens of smaller crawlers, many with no official documentation and no published IP ranges.

For a WooCommerce store, this means the product pages, pricing data, and schema markup you’ve optimised for human shoppers are being read by machines you can’t identify. Some of those machines are shopping agents that drive revenue. Some are training crawlers that consume your content without attribution. Without agent identity verification, you can’t tell the difference — so you can’t make informed decisions about what to allow, what to block, and what to monetise.

The Server-Side Detection Layer

The agent verification gap won’t close with a plugin. It closes with a server-side layer that sees every request.

Agent identity verification starts where all web traffic starts — at the server. Before a request reaches WordPress, before WooCommerce processes it, before GA4 filters it as bot noise, the HTTP request arrives with headers that include (or don’t include) a cryptographic signature, a user-agent string, and an IP address. The server-side layer is the only place where all three pieces of information are available simultaneously.

A server-side pipeline that intercepts every request can classify agent traffic in real time: check for Web Bot Auth signatures, resolve ANS identities via DNS, verify IP ranges against published bot lists, and log the results to BigQuery for analysis. The pipeline doesn’t replace Cloudflare’s AI Crawl Control — it complements it by giving the store owner a first-party record of every agent interaction.

Transmute Engine™ operates at this server-side layer for WooCommerce stores. Every inbound request — human or machine — passes through the pipeline before it reaches WordPress. The pipeline classifies agent traffic, logs verified identities, and streams the data to BigQuery alongside purchase events and tracking data. When ANS and Web Bot Auth mature into enforcement standards, stores running a server-side pipeline already have the detection infrastructure in place — they just add a verification check to the existing classification logic.

Key Takeaways

  • AI agent identity is now a web standard: Cloudflare and GoDaddy launched ANS and Web Bot Auth on April 7, 2026 to give AI agents verifiable identities built on DNS and PKI.
  • Shopify already enforces it: Rate-limit tiers based on Web Bot Auth went live on Shopify on May 7, 2026. Signed agents get full access; unsigned agents get throttled.
  • WooCommerce has no equivalent: No native support for ANS, Web Bot Auth, or agent-based rate limiting. The gap widens as AI commerce traffic grows.
  • AI agents drive 8-12% of e-commerce visits: Standard analytics filter this traffic out. Stores that can’t identify AI agents can’t optimise for the fastest-growing commerce channel.
  • Server-side is the fix: Agent verification starts at the HTTP layer, before WordPress. A server-side pipeline detects, classifies, and logs agent traffic to BigQuery as a first-party record.
What is Agent Name Service (ANS) and how does it identify AI agents?

Agent Name Service is a global open standard introduced by GoDaddy that uses DNS and public key infrastructure to give AI agents verifiable identities. It works like domain names for bots — each legitimate agent gets a registered identity that website owners can check against. ANS enables website owners to distinguish verified AI agents like ChatGPT Shopping or ClaudeBot from anonymous scrapers or malicious impersonators, without relying on user-agent strings that anyone can fake.

What is Cloudflare’s Web Bot Auth and how does it work with ANS?

Web Bot Auth is a cryptographic method Cloudflare introduced in 2025 that uses HTTP message signatures to verify bot and agent traffic at the request level. When combined with ANS, it creates two layers of trust: ANS verifies the agent’s identity through DNS, and Web Bot Auth verifies each individual request through cryptographic signatures. Together they give website owners both identity verification and request authentication for AI traffic.

Why should WooCommerce store owners care about AI agent identity standards?

AI agents now account for an estimated 8-12% of e-commerce site visits as of Q2 2026. These agents include AI shopping assistants from ChatGPT, Perplexity, and Google AI Mode that recommend products to real buyers. Without agent identity verification, WooCommerce stores can’t distinguish a legitimate shopping agent that drives revenue from an anonymous scraper that consumes server resources. Shopify already enforces agent verification through rate-limit tiers — stores without verification risk losing visibility in AI commerce channels.

Does WooCommerce support Web Bot Auth or ANS natively?

No. As of June 2026, WooCommerce has no platform-level support for Web Bot Auth or ANS. Shopify activated Web Bot Auth rate-limit tiers on May 7, 2026, giving signed agents preferred access while throttling unsigned ones. WooCommerce stores need to implement agent verification at the server level — either through Cloudflare’s AI Crawl Control if using Cloudflare, through a server-side pipeline that logs and classifies agent traffic, or through emerging WordPress plugins built for AI agent detection.

References

When AI agents become your next sales channel, you need a server-side layer that sees every request before WordPress does. See how Transmute Engine classifies and logs agent traffic →