Every official drop-in — the Next.js middleware,
Cloudflare Worker and WordPress plugin —
is a thin wrapper around exactly the logic below. If your language isn’t listed, port the
~40 lines of pseudocode; it’s deliberately simple.
How it works
On each request you make a fast local decision, then either serve the artifact or pass through. You always fail open — if anything errors, serve your normal page.- Match the User-Agent against the verified bot set. Not a known crawler → pass through.
- Cloaking firewall. If the bot is a search index (Googlebot/Bingbot/Applebot) → always pass through. See Cloaking firewall.
- Verify the IP against the crawler’s published CIDR ranges →
IP_VERIFIEDvsUA_ONLY. - Check eligibility — verified, the purpose is enabled, and your serve mode is Live (
default). - Serve the pre-generated artifact for
sha256(url); otherwise pass through. - Report the hit to telemetry (fire-and-forget).
The endpoints
All calls sendAuthorization: Bearer <your edge token> (from Agent Analytics → Setup).
| Endpoint | Method | Purpose |
|---|---|---|
/api/v1/edge/botset | GET | Verified crawlers: uaToken, cidrs, purpose, isSearchIndex. Cache ~1h. |
/api/v1/edge/config | GET | serveMode (off/shadow/canary:<pct>/default) + enabledPurposes. Cache ~5m. |
/api/v1/edge/artifact?u=<sha256(url)> | GET | The { markdown, jsonLd, … } for one URL. |
/api/v1/edge/telemetry | POST | { hits: [ … ] } — record what was crawled and served. |
https://app.trybluesky.com.
Snippets
Each snippet ships in shadow mode (log-only) — flipSERVE_MODE to "default" when
you’re ready to serve. Set your edge token as the AEN_EDGE_TOKEN environment variable.
- Node.js (Express)
- PHP (any framework)
- Ruby (Rack)
aen.js
server.js
nginx and Apache
nginx and Apache can’t verify IPs or fetch artifacts on their own — but they don’t need to. They already sit in front of an app. Two options:You already run an app (recommended)
You already run an app (recommended)
If nginx/Apache proxies to Node, PHP, Ruby, etc., just add the snippet above to that app.
The web server needs no changes — the request already reaches your handler.
nginx — route crawlers to a small sidecar
nginx — route crawlers to a small sidecar
Run the Node snippet as a tiny sidecar on The sidecar serves the artifact for verified crawlers and, for anything it decides to pass
through, proxies back to your origin. Because the UA list is only a coarse pre-filter, the
sidecar still does the real IP verification and the cloaking firewall.
127.0.0.1:8788 and send only AI-crawler
user-agents to it. Everything else hits your origin unchanged.Apache — hand crawlers to a PHP handler
Apache — hand crawlers to a PHP handler
With In
mod_rewrite, route AI user-agents to a front controller that includes aen.php..htaccess
aen-entry.php, run the interceptor, then fall back to rendering your normal page:aen-entry.php
Test it
Trigger a real AI crawler
Open ChatGPT (or Perplexity) with browsing and ask it to look up your site.
Watch the hit land
The visit appears in Agent Analytics as
IP_VERIFIED.Go live
Flip
SERVE_MODE to "default" and redeploy. See Serve modes.