Why it matters
AWS explains how Web Bot Authentication uses HTTP Message Signatures and published public keys to verify automated agents in WAF Bot Control, then exposes verification labels for allow, block, rate-limit, and monitoring rules.
My takeaway: Agent identity should not depend on IP addresses or user-agent strings. Cryptographic verification improves attribution, but authorization must still be scoped separately and invalid, expired, or unknown identities should be logged and constrained.