search

Overview

The OpenBotAuth Proxy is a reverse proxy that sits in front of your backend and automatically verifies RFC 9421 HTTP message signatures from AI bots.

hashtag
Why Use the Proxy?

  • Zero-code integration - No changes to your application code

  • Language agnostic - Works with any HTTP backend (Node.js, Python, Go, PHP, etc.)

  • Easy deployment - Available as npm package, Docker image, or GitHub Container Registry

  • Gradual rollout - Observe mode lets you monitor before enforcing

hashtag
How It Works

┌────────────┐      ┌────────────┐      ┌──────────────┐
│   AI Bot   │─────→│   Proxy    │─────→│   Verifier   │
│  (Signed)  │      │  (OBA)     │      │   Service    │
└────────────┘      └────────────┘      └──────────────┘


                    ┌──────────────┐
                    │   Backend    │
                    │  (Your App)  │
                    └──────────────┘

  1. AI bot sends a signed HTTP request to the proxy

  2. Proxy extracts RFC 9421 signature headers

  3. Proxy calls the verifier service to validate the signature

  4. Proxy adds X-OBAuth-* headers with verification results

  5. Proxy forwards the request to your backend

  6. Your backend reads the headers to make access decisions

hashtag
Installation Options

Method
Install
Best For

NPM / CLI

npx @openbotauth/proxy

Quick start, Node.js environments

Docker

docker pull hammadtariq/openbotauth-proxy

Containerized deployments

GHCR

docker pull ghcr.io/openbotauth/openbotauth-proxy

GitHub-integrated workflows

hashtag
Headers Injected

The proxy adds these headers to every request forwarded to your backend:

Header
Description
Example

X-OBAuth-Verified

true if signature verified, false otherwise

true

X-OBAuth-Agent

Bot's client name (if verified)

MyAIBot

X-OBAuth-JWKS-URL

Bot's JWKS URL

https://registry.openbotauth.org/jwks/bot.json

X-OBAuth-Kid

Key ID used for signing

key-abc123

X-OBAuth-Error

Error message (on failure)

signature_expired

hashtag
Modes

hashtag
Observe Mode (Default)

All requests pass through to backend. Use for:

  • Logging and analytics

  • Gradual rollout

  • Testing before enforcement

hashtag
Require-Verified Mode

Protected paths return 401 if verification fails:

hashtag
Configuration

All configuration is via environment variables:

Variable
Default
Description

PORT

8088

Proxy listen port

UPSTREAM_URL

http://localhost:8080

Backend server URL

OBA_VERIFIER_URL

https://verifier.openbotauth.org/verify

Verifier service endpoint

OBA_MODE

observe

observe or require-verified

OBA_TIMEOUT_MS

5000

Verifier request timeout

OBA_PROTECTED_PATHS

/protected

Comma-separated paths requiring verification

hashtag
Backend Integration

Your backend reads the X-OBAuth-* headers to make access decisions:

hashtag
Node.js / Express

hashtag
Python / Flask

hashtag
Go

hashtag
PHP

hashtag
Health Check

The proxy exposes a health check endpoint:

Response:

hashtag
When to Use Proxy vs SDK

Use Proxy When
Use SDK When

Backend is not Node.js or Python

Need fine-grained control

Want zero-code integration

Integrating with auth system

Need language-agnostic solution

Building custom middleware

Prefer infrastructure approach

Want to avoid extra hop

hashtag
Links

PreviousPythonNextNPM / CLI

Last updated