Cloudflare built the original anti-gatekeeper: a free CDN that let anyone publish without paying a toll to the telecom giants. In 2026, its bot-verification system is the new gatekeeper — and now it is being extended to 20 million small businesses through a GoDaddy partnership announced this week.
The deal brings Cloudflare's cryptographic bot-verification layer to GoDaddy's customer base, giving site owners tools to distinguish legitimate AI agents from impersonators and control what data those agents can access. On the surface it is a partnership announcement. Underneath it is an attempt to solve one of the nastier problems the agent era has created for publishers: bots that read everything and send nothing back.
The ANS backstory nobody in the press release mentioned
The technical foundation matters. Cloudflare's verification system builds on Web Bot Auth, an HTTP message-signature scheme that lets bots prove their identity cryptographically. But the naming layer underneath comes from the Agent Name Service, a standard introduced last year by OWASP, the Open Worldwide Application Security Project. ANS borrows DNS conventions for human-readable naming, but it is not DNS: underneath it uses Public Key Infrastructure to verify identity, structured JSON for capability descriptions, and supports protocols including Google's Agent2Agent, Anthropic's Model Context Protocol, and IBM's Agent Communication Protocol.
GoDaddy is the first registrar to implement ANS publicly. The press release frames this as GoDaddy innovation. It is not: OWASP wrote the spec, and an open-source reference implementation is on GitHub. GoDaddy shipped it first at commercial scale. That is meaningful, but the framing matters for anyone evaluating this as a proprietary moat.
Stephanie Cohen, chief strategy officer at Cloudflare, said in the announcement that AI agents are increasingly reshaping web traffic. What the announcement does not say is how unevenly that traffic is distributed.
The traffic data tells a different story
Cloudflare's own Radar data, published alongside the partnership, shows Googlebot still dominates web traffic at 40.2 percent over the trailing six months. The next three slots belong to AI agents: GPTBot at 12.1 percent, Meta's ExternalAgent at 11.6 percent, and Anthropic's ClaudeBot at 10.4 percent. Together, AI agents account for roughly 34 percent of bot traffic. Google still outranks them individually and collectively.
This matters because the business case for ANS and Web Bot Auth rests on a narrative of AI agents overwhelming publishers. The traffic data suggests a more nuanced picture: real volume, real growth, but a long way from displacing search. Publishers are being asked to adopt infrastructure for a problem that is real but not yet at the scale the marketing implies.
Jared Sine, GoDaddy's chief strategy and legal officer, pointed to the 20 million small businesses his company serves and the 20-plus percent of domain names registered through GoDaddy as the reason this matters at scale. That is a legitimate reach argument. GoDaddy has distribution that no other registrar can match. If ANS gains traction through GoDaddy's customer base, it becomes the de facto standard not because it is technically superior but because it is already there.
What is actually being signed
The first cohort of agents enrolled in Cloudflare's signed-agents program — ChatGPT agent, Goose from Block, Browserbase, and Anchor Browser — are all remote browsing platforms. These are services that run a browser on behalf of a user and execute tasks through that browser. The signed-agent system lets those platforms sign their HTTP requests with a cryptographic key, proving to the destination site that the request came from a legitimate agent rather than a spoofed crawler.
This is a meaningful security improvement over the current state, where any crawler can claim to be GPTBot by setting a user-agent header. Message signatures make impersonation computationally expensive. But it is worth noting what the system does not solve: ANS verifies that an agent is who it claims to be, not what it will do with the data once collected.
Travis Muhlestein, CTO of product AI at GoDaddy, said the partnership is about giving publishers the choice about whether their content feeds AI agents at all. That is accurate, but the choice has a structural asymmetry built in. A publisher who blocks all agents excludes human visitors and verified bots. A publisher who allows signed agents is making a trust decision about companies that have gone through Cloudflare's application process, which is better than nothing but is not a neutral or universal standard.
What this means for builders
For developers building agentic products, the ANS layer is worth watching. The protocol adapters for MCP and A2A mean agents built on different frameworks can in principle discover each other and verify identity through the same PKI infrastructure. If ANS achieves meaningful adoption outside the GoDaddy customer base, it could become the identity layer for a cross-framework agent internet: the rough equivalent of what TLS certificates did for HTTPS.
That future is early and contingent. The open-source reference implementation has no production hardening. The governance model, with OWASP as the standards body, is sensible but untested at scale. The companies signed on so far are all U.S.-based. A global identity layer for agents without coverage in regulated industries or non-English-speaking markets is a partial solution.
The partnership is real. The scale argument is real. The question of whether ANS becomes infrastructure or remains a niche deployment is genuinely open, and that is worth watching more closely than the press release suggests.
