A User-Agent Token is the case-insensitive identifier string placed after the User-agent: field in a robots.txt file to specify which automated crawler a subsequent rule block applies to. It acts as the primary addressing mechanism of the Robots Exclusion Protocol (REP), allowing site owners to grant or deny access on a per-bot basis by matching the token against the crawler's self-reported User-Agent HTTP header.
Glossary
User-Agent Token

What is a User-Agent Token?
A User-Agent Token is a specific substring in the User-Agent HTTP request header used in a robots.txt file to target a directive block at a particular crawler.
Common tokens include Googlebot for Google's search indexer and GPTBot for OpenAI's data collection crawler. The * wildcard token matches any crawler not specifically addressed by another block. Precise token identification is critical for retrieval-bot access management, as a misconfigured token renders all associated Disallow or Allow directives ineffective against the intended target.
Key Characteristics of User-Agent Tokens
A User-Agent token is the case-insensitive substring used in a robots.txt file to target directives at a specific crawler. It must exactly match the token the crawler uses to identify itself in the HTTP User-Agent request header.
Case-Insensitive Matching
According to RFC 9309, matching between the token declared in robots.txt and the crawler's User-Agent header is case-insensitive. A directive for User-agent: googlebot applies identically to a crawler identifying as GoogleBot or GOOGLEBOT. This prevents trivial case variations from bypassing access controls. However, the token itself is often documented in a specific case by its vendor for clarity.
Token Structure and Syntax
A valid token is a substring match against the product token in the crawler's User-Agent header. Key structural rules include:
- The token must be a continuous string with no whitespace.
- Version numbers in the header are ignored for matching purposes.
- The
*wildcard token matches any crawler not specifically addressed by another block. - A crawler must obey the most specific matching block; if
googlebotandgooglebot-newsblocks exist, the crawler identifies asGooglebot-Newswill use the latter.
Official Tokens for AI Crawlers
Major foundation model providers publish specific tokens for their ingestion crawlers. These must be used in robots.txt to manage training data access:
- GPTBot: OpenAI's crawler for model training data.
- CCBot: Common Crawl's bot, used to build open datasets for LLM training.
- anthropic-ai: Anthropic's crawler for Claude model training.
- Google-Extended: Google's standalone token for controlling content used in Gemini and other AI products, separate from standard search indexing.
Grouping and Precedence
A robots.txt file is organized into rule groups, each beginning with one or more User-agent lines. A group applies only to the declared tokens. If a crawler matches multiple groups, the most specific match wins, determined by the longest matching token string. This allows a site to define a broad policy for * (all bots) while carving out granular exceptions for specific AI crawlers like GPTBot.
Spoofing and Security Limitations
The Robots Exclusion Protocol is a voluntary standard. A malicious crawler can easily falsify its User-Agent string—a practice known as User-Agent spoofing—to impersonate a permitted bot or a standard browser. Therefore, robots.txt tokens provide no security against adversarial scraping. They are a cooperative access control mechanism that must be supplemented with IP reputation analysis, rate limiting, and behavioral fingerprinting for enforcement.
Discovery and Verification
Crawler operators typically publish their official tokens in documentation. Webmasters can verify a token's behavior using:
- robots.txt Tester tools in platforms like Google Search Console to simulate crawler access.
- Server log analysis to confirm the exact User-Agent header string sent by a crawler.
- Reverse DNS lookups to verify the IP range belongs to the claimed organization, adding a layer of identity verification beyond the token itself.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
A user-agent token is the fundamental identifier that allows webmasters to target specific crawlers within the Robots Exclusion Protocol. Understanding how to correctly identify and use these tokens is critical for managing AI bot access to enterprise content.
A user-agent token is a specific substring from the User-Agent HTTP request header used in a robots.txt file to target a directive block at a particular crawler. It acts as the primary selector in the Robots Exclusion Protocol (RFC 9309), allowing site owners to grant or deny access on a per-bot basis. For example, the token GPTBot targets OpenAI's crawler, while Googlebot targets Google's search indexer. The token must exactly match the identifying portion of the crawler's advertised user-agent string for the directives to apply. A wildcard token * matches any crawler that does not have a more specific rule block defined.
Related Terms
Master the components that interact with the User-Agent token to build a comprehensive crawler governance strategy.
User-Agent Spoofing
The practice of a crawler falsifying its User-Agent string to impersonate a different bot or a standard web browser. Malicious actors use this technique to bypass access restrictions defined in robots.txt. Detection methods include:
- IP reputation analysis against known crawler ranges
- Behavioral fingerprinting of request patterns
- Reverse DNS lookups to verify declared identity
robots.txt Grouping
The structural mechanism where a User-Agent line is followed by one or more directive lines, forming a rule group that applies exclusively to that bot. Example structure:
codeUser-agent: Googlebot Disallow: /admin/ Allow: /admin/public/ User-agent: GPTBot Disallow: /
Each group is independent; directives do not cascade between groups.
Crawl-Delay Directive
An unofficial but widely supported robots.txt parameter specifying the number of seconds a crawler should wait between successive requests. Placed within a User-Agent group to prevent server overload:
Crawl-Delay: 10enforces a 10-second pause- Supported by Bingbot, CCBot, and many others
- Googlebot ignores this directive; use Google Search Console for rate limiting instead

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us