Cloudflare Customer SLO Probes

A signing service that lets Cloudflare's reliability team identify itself when probing your endpoints.

This service does not serve traffic to your users. It only issues cryptographic signatures used by Cloudflare's internal monitoring probes so you can verify that a probe request actually came from Cloudflare.

What is the Per-Customer Alerting program?

Cloudflare's Per-Customer Alerting pilot is a proactive monitoring service we provide to select customers. We deploy lightweight, automated checks ("probes") that continuously test the web endpoints you've told us matter most to your business. The probes run from Cloudflare's global network and let us detect availability or performance issues — and start triaging them internally — as quickly as possible.

Think of it like a health check for your web services: our systems visit the URLs you nominate at regular intervals, confirm they respond correctly, and generate availability and latency metrics ("SLIs") specific to your account. The goal is simple — we want to know about problems before you do, so we can investigate and assist faster.

How it works

You tell us which URLs and services matter most.
We configure probes that make small, automated requests to those URLs from Cloudflare's global network (typically 20-30 requests per second total, spread worldwide).
The results feed availability and latency SLOs scoped to your account.
If something looks off, Cloudflare engineering teams use the data to identify and investigate potential issues.

What this worker does

Probe traffic generated by the program is signed using Web Bot Auth, an open standard (built on RFC 9421 HTTP Message Signatures) for proving that an HTTP request came from a specific, registered automated client.

This worker has two responsibilities:

Publish a signed key directory. At /.well-known/http-message-signatures-directory we serve the public keys our probes sign with, in the format Web Bot Auth requires. The directory itself is signed, so only the legitimate holder of the keys can publish it.
Sign probe requests on demand. When a Cloudflare probe is about to send a request to one of your endpoints, it asks this worker to produce a short-lived signature for that specific request. The signature is attached to the outgoing probe as standard HTTP headers (Signature, Signature-Input, and Signature-Agent).

How to verify probe traffic

Because the probe requests carry a Web Bot Auth signature, you can verify them yourself at your origin or in front of it:

The request's Signature-Agent header points back to this worker's directory URL.
Fetch the directory, pick the key whose thumbprint matches the request's keyid, and verify the signature.
If you run on Cloudflare, our edge already validates these signatures and exposes the result via the cf.bot_management.verified_bot field — no work required on your side.

Signatures are short-lived (a minute or so) to limit replay risk, and the worker rotates keys without downtime by publishing old and new public keys in the directory during the cutover window.

Learn more

If you're a Cloudflare customer and want to discuss enrolling in the pilot, please reach out to your account team (CSM/TAM).