AI Visitor Verification
100% accurate AI detection using RFC 9421 signatures
Why verify AI visitors?
When users copy a link from ChatGPT, Claude, or Perplexity and paste it into their browser, that traffic appears as "direct" in every analytics tool. No referrer, no UTM parameters, nothing.
The basic Loamly tracker uses behavioral signals and timing analysis to detect this traffic with ~75% accuracy. But if you want 100% certainty, you need RFC 9421 signature verification.
This works by routing traffic through Loamly's edge, where we:
- Check for cryptographic signatures that AI agents include
- Verify signatures using Ed25519 public keys
- Forward the request to your origin server
- Tag the visit with verified AI attribution
What's RFC 9421?
Setup methods
Choose the method that works best for your setup:
| Method | Best for | Maintenance |
|---|---|---|
| DNS (A record) | Everyone | Zero |
| Cloudflare worker | Already on Cloudflare | Minimal |
| CLI | Developers who want control | You manage it |
DNS (recommended)
Point your domain to Loamly's edge. We handle SSL, verification, and forwarding. Zero maintenance.
Step 1: Add an A record
In your DNS provider, add:
| Type | Name | Value |
|---|---|---|
| A | @ | 37.16.7.18 |
Cloudflare DNS users
Step 2: Tell Loamly your origin URL
When traffic hits Loamly, we need to know where to forward it. Enter your origin URL in the installation page. This is your hosting provider's domain before you added your custom domain.
Step 3: Verify DNS propagation
Click "Save & Verify" in the installation page. DNS changes typically propagate in 5-30 minutes, but can take up to 48 hours depending on your DNS provider.
Once verified, SSL is automatically provisioned via Let's Encrypt. First request may take a few seconds while the certificate is issued.
Cloudflare worker
If you're already on Cloudflare, deploy our verification worker to your account. This runs on Cloudflare's edge, not Loamly's.
- Create a Cloudflare API token with permissions: Workers Scripts: Edit and Workers Routes: Edit
- Paste the token in the installation page
- Click Deploy
The worker intercepts requests to your domain, checks for AI signatures, sends verification data to Loamly, and forwards the request to your origin.
CLI deployment
For developers who prefer command-line deployment:
git clone https://github.com/loamly/rfc9421-verifier.git
cd rfc9421-verifier
# Set your credentials
npx wrangler secret put LOAMLY_WORKSPACE_ID
npx wrangler secret put LOAMLY_WORKSPACE_API_KEY
# Deploy
npx wrangler deployYou can find your workspace ID and API key in the installation page.
Finding your origin URL
Your origin URL is the domain your hosting provider gave you before you set up a custom domain. It's where your site actually lives.
| Hosting provider | Origin URL format |
|---|---|
| Vercel | your-project.vercel.app |
| Netlify | your-site.netlify.app |
| Squarespace | your-site.squarespace.com |
| Webflow | your-site.webflow.io |
| Cloudflare Pages | your-site.pages.dev |
| Shopify | your-store.myshopify.com |
| Wix | username.wixsite.com/site-name |
| Railway | your-app.up.railway.app |
| Render | your-app.onrender.com |
| Fly.io | your-app.fly.dev |
Not sure?
Verifying it works
Check DNS propagation
Use a DNS lookup tool to verify your A record:
dig yourdomain.com A
# Should show:
# yourdomain.com. 300 IN A 37.16.7.18Check SSL
Visit your domain in a browser. You should see a valid SSL certificate issued by Let's Encrypt. The first request may take a few seconds while the certificate is provisioned.
Check verification in dashboard
In your Loamly dashboard, AI-verified visits show a shield icon and "RFC 9421 Verified" tag in the attribution details. These are 100% confirmed AI visitors—no probabilistic guessing.
Mixed results are normal