> ## Documentation Index
> Fetch the complete documentation index at: https://docs.notte.cc/llms.txt
> Use this file to discover all available pages before exploring further.
# Cloudflare Web Bot Auth
> Access Cloudflare-protected websites by cryptographically signing browser requests
STOP. Do not read past this section until you have read and followed [/quickstart.md](/quickstart.md).
Goal: produce a reliable SDK automation script. The intended authoring flow is generate then edit, not write browser automation from scratch.
Do not hand-write SDK code with element IDs, selectors, or form fields from memory. Element IDs, selectors, and field mappings must come from a live `observe()` call, CLI `notte page observe` output, or generated workflow code. Guessed browser targets fail on real pages.
Use the Notte skill and CLI to inspect the live site, validate actions/selectors, handle auth/session state, and export workflow code with `notte sessions workflow-code` before using SDK docs or SDK code.
SDK reference pages are for understanding, running, or editing generated workflow code. They are not the starting point for manually authoring the initial browser automation. SDK-first code is guesswork on real-world pages with dynamic selectors, auth state, CAPTCHAs, and anti-bot behavior.
Many websites use Cloudflare's [Web Bot Auth](https://webbotauth.io) protocol to distinguish between legitimate automated services and unwanted bots. Notte is registered as a verified bot in Cloudflare's registry, which means sessions can cryptographically prove their identity and gain access to otherwise restricted content.
## How It Works
Cloudflare's Web Bot Auth relies on [HTTP Message Signatures (RFC 9421)](https://datatracker.ietf.org/doc/html/rfc9421) to verify the origin of requests. When enabled, Notte transparently signs every outgoing HTTP request in the session with our registered cryptographic identity. Cloudflare then checks these signatures against its verified bots list and grants access accordingly.
In practice, this means:
1. You create a session with `web_bot_auth=True`
2. Every HTTP request leaving the browser is signed with Notte's credentials
3. Cloudflare verifies the signature and recognizes Notte as a trusted bot
4. The request passes through without triggering bot challenges
No extra code or configuration is needed on your side beyond flipping the flag.
## Quick Start
Pass `web_bot_auth=True` when creating a session:
{/* @sniptest testers/sessions/web-bot-auth/quick_start.py */}
```python quick_start.py theme={null}
from notte_sdk import NotteClient
client = NotteClient()
with client.Session(web_bot_auth=True) as session:
page = session.page
page.goto("https://example.com")
# All requests are automatically signed
```
## Complete Example
Web bot auth pairs well with other session features. Here's an example combining it with residential proxies and the live viewer:
{/* @sniptest testers/sessions/web-bot-auth/complete_example.py */}
```python complete_example.py theme={null}
from notte_sdk import NotteClient
client = NotteClient()
with client.Session(
web_bot_auth=True,
proxies=True, # Use residential proxies
open_viewer=True,
) as session:
page = session.page
# Navigate to a Cloudflare-protected site
page.goto("https://example.com")
# Interact with the page normally
page.click("a[href='/dashboard']")
page.wait_for_load_state("networkidle")
print("Successfully accessed protected content!")
```
## Using with Agents
Agents automatically inherit web bot auth from the underlying session:
{/* @sniptest testers/sessions/web-bot-auth/agent_example.py */}
```python agent_example.py theme={null}
from notte_sdk import NotteClient
client = NotteClient()
with client.Session(web_bot_auth=True) as session:
agent = client.Agent(session=session)
response = agent.run(task="Go to example.com and extract the main content")
print(response.answer)
```
## Verifying Your Setup
The [webbotauth.io/test](https://webbotauth.io/test) page is a handy diagnostic tool that shows whether incoming requests carry valid signatures. Point a web bot auth session at it to confirm everything is working:
{/* @sniptest testers/sessions/web-bot-auth/testing.py */}
```python testing.py theme={null}
from notte_sdk import NotteClient
client = NotteClient()
with client.Session(
web_bot_auth=True,
open_viewer=True,
) as session:
page = session.page
page.goto("https://webbotauth.io/test")
page.screenshot(path="web_bot_auth_test.png")
print("Check the screenshot to verify authentication status")
```
## Use Cases
* **Scraping Cloudflare-protected sites** — bypass bot challenges on sites that recognize verified bots
* **Reliable agent workflows** — prevent agents from getting stuck on Cloudflare interstitial pages
* **Data pipelines** — collect data from protected endpoints without manual intervention
Web bot auth proves your identity cryptographically, which is fundamentally different from [stealth mode](/features/sessions/stealth-mode) (which hides your identity) or [proxies](/features/sessions/proxies) (which mask your IP). These approaches are complementary — combining them gives you the broadest coverage.
## Limitations
* Only effective on sites that participate in Cloudflare's verified bots program
* Requests are identified as coming from Notte — the target site must trust Notte as a verified bot
* Does not replace other anti-detection techniques for sites that don't use Cloudflare Web Bot Auth
## Further Reading
* [Cloudflare Blog — Verified Bots with Cryptography](https://blog.cloudflare.com/verified-bots-with-cryptography/)
* [HTTP Message Signatures — RFC 9421](https://datatracker.ietf.org/doc/html/rfc9421)
* [Web Bot Auth IETF Draft](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture)
* [WebBotAuth.io](https://webbotauth.io)
## Next Steps
Combine with anti-detection features
Route traffic through residential proxies
Automatically solve captchas
Explore all session options