AxioRank Agent Verification checks the AI agents that reach into your site. Instead of guessing from a user-agent string, it verifies Web Bot Auth signatures (RFC 9421) and known-agent identity through AxioRank, then lets you monitor or block on the result.
It is built for the surface that actually reaches PHP: the REST API (/wp-json), admin-ajax, XML-RPC, login, search, and any request with a signature or a bot-like user-agent. Full-page-cached visits are served before PHP loads and are not seen by the plugin, which is expected. This protects your API and dynamic endpoints, not cached pages.
The plugin is a thin client. Each protected request is forwarded as one authenticated POST to the AxioRank verify endpoint, and the verdict is applied locally. There is no heavy SDK and no local model.
What you get
- Cryptographic verification of signed agents (Web Bot Auth), plus known-agent identity.
- Monitor mode by default: verdicts are logged in your AxioRank dashboard, nothing is blocked.
- Enforce mode: apply block (403) and challenge (401) verdicts, gated by your surface posture.
- Scope controls: choose which endpoints are verified.
- Fail-open by design: if AxioRank cannot be reached, requests are allowed, so a verification outage never takes your site down.
Requirements
An AxioRank account and a website surface site key (axr_site_…). Create one in AxioRank under Settings, Surfaces.
