Methodology

This tool verifies whether a request claiming to be from a known AI crawler is genuine, using three methods.

Verification methods

1. Published IP ranges (primary)

Many operators (e.g., OpenAI, Google, Microsoft, Perplexity) publish the IP ranges from which their crawlers operate. When we receive a request claiming to be from GPTBot with a source IP, we check that IP against OpenAI's published CIDR blocks. A match confirms the request originated from OpenAI's infrastructure.

2. Reverse DNS (FCrDNS)

Some operators, like Common Crawl and Amazon, do not publish IP ranges. Instead, they can be verified by reverse DNS: the source IP resolves backward (rDNS) to a domain they own (e.g., *.commoncrawl.org or *.crawl.amazon), which then resolves forward (DNS) back to an IP in the same block. This forward-confirmed reverse lookup (FCrDNS) proves the operator controls that IP.

3. Web Bot Auth signatures

The emerging Web Bot Auth standard allows crawlers to sign their requests with cryptographic signatures keyed to the IANA Signature Agent Card registry. This method is tracked in production but is not yet asserted in this prototype without primary source data.

Scope and limits

This tool verifies self-identified crawlers only. If a request's User-Agent string claims to be GPTBot, we check that claim. We cannot unmask stealth bots posing as human browsers, nor can we verify crawlers that publish no IP ranges, DNS records, or signatures.

Operators with no published verification method (e.g., ClaudeBot, Bytespider, Meta-ExternalAgent) cannot be proven genuine by anyone. The User-Agent string alone is unverifiable.
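
The published-range check and the "unverifiable" outcome described above, as an added JavaScript example (not this tool's own code). The CIDR blocks and User-Agent strings are constructed placeholders, and the function names and verdict strings are assumptions.

```javascript
// Added example. Ranges are constructed placeholders from documentation
// address space (RFC 5737 / RFC 3849), not any operator's real blocks.
const RANGES = { GPTBot: ["192.0.2.0/24", "2001:db8:a::/48"] };
// Tokens the page lists as having no published verification method.
const UNVERIFIABLE = ["ClaudeBot", "Bytespider", "Meta-ExternalAgent"];

// Parse an IP literal to { bits, value }, or null if malformed.
// IPv4-mapped IPv6 forms (::ffff:a.b.c.d) are rejected, not normalised.
function parseIp(ip) {
  if (ip.includes(":")) {
    const halves = ip.split("::");
    if (halves.length > 2) return null;
    const head = halves[0] ? halves[0].split(":") : [];
    const tail = halves[1] ? halves[1].split(":") : [];
    const fill = 8 - head.length - tail.length;
    if (halves.length === 2 ? fill < 1 : fill !== 0) return null;
    const groups = [...head, ...Array(fill).fill("0"), ...tail];
    if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
    return { bits: 128, value: groups.reduce((v, g) => (v << 16n) | BigInt("0x" + g), 0n) };
  }
  const octets = ip.split(".");
  const ok = octets.length === 4 && octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  return ok ? { bits: 32, value: octets.reduce((v, o) => (v << 8n) | BigInt(o), 0n) } : null;
}

// True when ip falls inside cidr; address families must match.
function inCidr(ip, cidr) {
  const [base, len] = cidr.split("/");
  const a = parseIp(ip), b = parseIp(base), n = Number(len);
  if (!a || !b || a.bits !== b.bits) return false;
  if (!/^\d+$/.test(len || "") || n > a.bits) return false;
  const shift = BigInt(a.bits - n);
  return a.value >> shift === b.value >> shift;
}

// Verdict for one request: does the source IP back the claimed crawler token?
function verifyClaim(userAgent, sourceIp) {
  const token = [...Object.keys(RANGES), ...UNVERIFIABLE].find((t) => userAgent.includes(t));
  if (!token) return "no-known-crawler-claim"; // out of scope: not self-identified
  if (UNVERIFIABLE.includes(token)) return "unverifiable";
  if (!parseIp(sourceIp)) return "invalid-ip";
  return RANGES[token].some((c) => inCidr(sourceIp, c)) ? "verified" : "ip-mismatch";
}
```

An "ip-mismatch" verdict means the claim failed the published-range check; "unverifiable" means no check exists to run, which is a different outcome and should be reported separately.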

Privacy

All verification checks run in your browser. No IP addresses, User-Agent strings, or request details are uploaded to our servers or any third party. The tool computes results locally against embedded IP ranges or performs DNS lookups you initiate.