Inferensys

Glossary

User-Agent Token

A specific substring in the User-Agent HTTP request header used in a robots.txt file to target a directive block at a particular crawler, such as 'Googlebot' or 'GPTBot'.
Developer demonstrating multi-agent tool use, agent tool selection interface on laptop, casual tech demo moment.
CRAWLER IDENTIFICATION

What is a User-Agent Token?

A User-Agent Token is a specific substring in the User-Agent HTTP request header used in a robots.txt file to target a directive block at a particular crawler.

A User-Agent Token is the case-insensitive identifier string placed after the User-agent: field in a robots.txt file to specify which automated crawler a subsequent rule block applies to. It acts as the primary addressing mechanism of the Robots Exclusion Protocol (REP), allowing site owners to grant or deny access on a per-bot basis by matching the token against the crawler's self-reported User-Agent HTTP header.

Common tokens include Googlebot for Google's search indexer and GPTBot for OpenAI's data collection crawler. The * wildcard token matches any crawler not specifically addressed by another block. Precise token identification is critical for retrieval-bot access management, as a misconfigured token renders all associated Disallow or Allow directives ineffective against the intended target.

IDENTIFICATION STRINGS

Key Characteristics of User-Agent Tokens

A User-Agent token is the case-insensitive substring used in a robots.txt file to target directives at a specific crawler. It must exactly match the token the crawler uses to identify itself in the HTTP User-Agent request header.

01

Case-Insensitive Matching

According to RFC 9309, matching between the token declared in robots.txt and the crawler's User-Agent header is case-insensitive. A directive for User-agent: googlebot applies identically to a crawler identifying as GoogleBot or GOOGLEBOT. This prevents trivial case variations from bypassing access controls. However, the token itself is often documented in a specific case by its vendor for clarity.

02

Token Structure and Syntax

A valid token is a substring match against the product token in the crawler's User-Agent header. Key structural rules include:

  • The token must be a continuous string with no whitespace.
  • Version numbers in the header are ignored for matching purposes.
  • The * wildcard token matches any crawler not specifically addressed by another block.
  • A crawler must obey the most specific matching block; if googlebot and googlebot-news blocks exist, the crawler identifies as Googlebot-News will use the latter.
03

Official Tokens for AI Crawlers

Major foundation model providers publish specific tokens for their ingestion crawlers. These must be used in robots.txt to manage training data access:

  • GPTBot: OpenAI's crawler for model training data.
  • CCBot: Common Crawl's bot, used to build open datasets for LLM training.
  • anthropic-ai: Anthropic's crawler for Claude model training.
  • Google-Extended: Google's standalone token for controlling content used in Gemini and other AI products, separate from standard search indexing.
04

Grouping and Precedence

A robots.txt file is organized into rule groups, each beginning with one or more User-agent lines. A group applies only to the declared tokens. If a crawler matches multiple groups, the most specific match wins, determined by the longest matching token string. This allows a site to define a broad policy for * (all bots) while carving out granular exceptions for specific AI crawlers like GPTBot.

05

Spoofing and Security Limitations

The Robots Exclusion Protocol is a voluntary standard. A malicious crawler can easily falsify its User-Agent string—a practice known as User-Agent spoofing—to impersonate a permitted bot or a standard browser. Therefore, robots.txt tokens provide no security against adversarial scraping. They are a cooperative access control mechanism that must be supplemented with IP reputation analysis, rate limiting, and behavioral fingerprinting for enforcement.

06

Discovery and Verification

Crawler operators typically publish their official tokens in documentation. Webmasters can verify a token's behavior using:

  • robots.txt Tester tools in platforms like Google Search Console to simulate crawler access.
  • Server log analysis to confirm the exact User-Agent header string sent by a crawler.
  • Reverse DNS lookups to verify the IP range belongs to the claimed organization, adding a layer of identity verification beyond the token itself.
USER-AGENT TOKEN

Frequently Asked Questions

A user-agent token is the fundamental identifier that allows webmasters to target specific crawlers within the Robots Exclusion Protocol. Understanding how to correctly identify and use these tokens is critical for managing AI bot access to enterprise content.

A user-agent token is a specific substring from the User-Agent HTTP request header used in a robots.txt file to target a directive block at a particular crawler. It acts as the primary selector in the Robots Exclusion Protocol (RFC 9309), allowing site owners to grant or deny access on a per-bot basis. For example, the token GPTBot targets OpenAI's crawler, while Googlebot targets Google's search indexer. The token must exactly match the identifying portion of the crawler's advertised user-agent string for the directives to apply. A wildcard token * matches any crawler that does not have a more specific rule block defined.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.