Specification

ai-safety.txt

A machine-readable file where a website declares its AI-safety posture to the agents that read it. Published at a well-known location, checked before an agent processes a page.

What it is

The Robots Exclusion Protocol let a site tell crawlers which paths to avoid. ai-safety.txt applies the same well-known-file idea to a different question: whether a site's content is safe for an autonomous agent to consume. A domain publishes a short text file, and an agent fetches it before acting on the page.

A declaration is self-asserted. It is a signal, not proof. A consuming agent treats it as one input and, where an Attestation link is present, checks the claim against independent evidence rather than trusting it outright.

The format

An ai-safety.txt file is a set of Field: value lines, one per line. Six fields are defined.

AI-Safeboolean
The domain asserts that its content is safe for an autonomous agent to consume.
Injection-Protectedboolean
The domain asserts that its content is hardened against prompt injection embedded in the page.
Consistent-Renderingboolean
The domain declares that it serves identical content to human and agent user agents, with no cloaking.
ContactURI
A security or abuse contact for the declaration.
AttestationURI
A link to an external verification record that a consumer can check the declaration against.
Last-VerifiedISO 8601 date
The date the declaration was last verified.

Example

/.well-known/ai-safety.txt
AI-Safe: true
Injection-Protected: true
Consistent-Rendering: true
Contact: https://example.com/security
Attestation: https://registry.example.org/verify/example.com
Last-Verified: 2026-07-06

The well-known URI

The file lives at a fixed path on the domain, following the well-known URI convention defined in RFC 8615. An agent builds the request URI by appending the path to the domain root.

uri
https://example.com/.well-known/ai-safety.txt

How an agent uses it

  1. Fetch the file from the domain root before processing the page.
  2. Parse the fields. Treat any declaration as a hint, never as a guarantee.
  3. Where an Attestation link is present, verify the claim against that external record.
  4. Weight the result. A domain that declares consistent rendering and carries a valid attestation warrants less caution than one that declares nothing.

Relationship to AI usage preferences

Several efforts let a site express how its content may be used by AI systems. The IETF AI Preferences working group defines a vocabulary for uses such as training, indexing, and inference, and a companion proposal registers a well-known ai.txt file for usage and licensing policy.

Those govern whether and how content may be used. ai-safety.txt answers a different question: how safe the content is for an agent that has already decided to read it. A domain can publish both. They do not overlap.

Standardization

The format is specified in an IETF Internet-Draft, draft-fane-ai-safety-txt-00, and published as an open format. Any domain can publish an ai-safety.txt file and any agent can read one. No registration and no central authority are required.