Detecting & Authenticating ChatGPT Agent: A New Standard for Bot Management
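OpenAI has launched ChatGPT Agent, which combines text interaction, a visual browser, and command-line capabilities to complete complex tasks. The service verifies the origin of its requests through an innovative cryptographic protocol, unlike the traditional IP or reverse DNS methods. DataDome shows how to identify its network traffic and stresses the importance of adopting modern authentication standards. 2025-7-30 16:19:6 Author: securityboulevard.com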

On July 7th, OpenAI announced ChatGPT agent, a new service that can perform complex tasks for users by combining text-based interactions, visual browser capabilities, and command-line functions for optimal results.

ChatGPT now thinks and acts, proactively choosing from a toolbox of agentic skills to complete tasks for you using its own computer.

A key distinction sets ChatGPT agent apart from OpenAI’s other bot services (OAI-SearchBot, ChatGPT-User, GPTBot, and GPT Actions): its requests do not originate from identifiable IP addresses or a verifiable reverse DNS (a method used to confirm a bot’s identity by checking if its IP address resolves to a trusted hostname).


In this blog post, we show how DataDome can still identify web traffic from ChatGPT agent, even though its requests don't use conventional bot identifiers, at a time when OpenAI's service is rapidly gaining popularity and adoption.

ChatGPT agent: we see you

While ChatGPT agent doesn’t rely on traditional IP addresses or reverse DNS for authentication, it innovates by leveraging well-established cryptographic protocols to verify the origin of its requests.

While the technical specifics are beyond the scope of this article (we’ll dive deeper into how it works in a follow-up post), this mechanism verifies the origin of the requests. Following some initial erratic bursts around July 21st, the service’s popularity is clearly accelerating.


What’s next?

While OpenAI intends ChatGPT agent to ease our online interactions, the reality is that automated traffic is often a major problem, commonly associated with online fraud.

Relying on published IP addresses to prove bot service intent is a legacy approach that doesn’t align with the demands of 2025’s dynamic digital world. It’s time to leverage and adopt more modern standards for verification.

On July 25th, OpenAI unveiled a modern authentication method: each request now carries a cryptographic signature. This represents the new standard, and every bot service aiming to prove its legitimacy should adopt this approach.

Implementing this approach requires a little more configuration on both ends: bot services need to publish their public key, and edge services must verify each request’s signature with it. OpenAI has adopted the IETF draft for their agent service’s technical implementation, an initiative we fully support and aim to help establish as a standard for bot authentication.
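The edge-side verification step described above, as an added example (not DataDome's or OpenAI's code): it assumes the signature follows the HTTP Message Signatures format of RFC 9421 with an Ed25519 key, which the post does not specify. The host `shop.example`, key id `demo-key`, label `sig1`, timestamps and the throwaway key pair are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Rebuild the signature base from the covered components listed in Signature-Input.
function signatureBase(req, params) {
  const inner = params.slice(params.indexOf('(') + 1, params.indexOf(')'));
  const names = inner.split(' ').filter(Boolean).map((c) => c.replace(/"/g, ''));
  const derived = { '@method': req.method, '@authority': req.authority, '@path': req.path };
  const lines = names.map((n) => {
    const value = n.startsWith('@') ? derived[n] : req.headers[n];
    if (value === undefined) throw new Error(`covered component missing: ${n}`);
    return `"${n}": ${value}`;
  });
  lines.push(`"@signature-params": ${params}`); // params reused byte-for-byte
  return lines.join('\n');
}

// True only if the signature verifies with the published key and the request
// falls inside its created/expires window (both required here, as a policy choice).
function verifyRequest(req, publicKey, nowSec) {
  const input = /^sig1=(.+)$/.exec(req.headers['signature-input'] || '');
  const sig = /^sig1=:([A-Za-z0-9+/=]+):$/.exec(req.headers['signature'] || '');
  if (!input || !sig) return false; // unsigned traffic stays unverified
  const created = Number((/;created=(\d+)/.exec(input[1]) || [])[1]);
  const expires = Number((/;expires=(\d+)/.exec(input[1]) || [])[1]);
  if (!(created <= nowSec && nowSec < expires)) return false; // stale or not yet valid
  let base;
  try { base = signatureBase(req, input[1]); } catch { return false; }
  return crypto.verify(null, Buffer.from(base), publicKey, Buffer.from(sig[1], 'base64'));
}

// Constructed sample: the bot side signs a request with a throwaway key pair.
function signedSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const params = '("@authority" "@method" "@path");created=1000;expires=1300;keyid="demo-key"';
  const req = { method: 'GET', authority: 'shop.example', path: '/cart',
    headers: { 'signature-input': `sig1=${params}` } };
  const sig = crypto.sign(null, Buffer.from(signatureBase(req, params)), privateKey);
  req.headers['signature'] = `sig1=:${sig.toString('base64')}:`;
  return { req, publicKey };
}
```

In a real deployment the public key would come from the bot operator's published key set, selected by `keyid`, rather than from the same process that signed the request.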

Stay tuned for another technical blog post on this new, modern bot authentication method!

*** This is a Security Bloggers Network syndicated blog from DataDome authored by Guenaëlle De Julis. Read the original post at: https://datadome.co/threat-research/detecting-authenticating-chatgpt-agent/


Article source: https://securityboulevard.com/2025/07/detecting-authenticating-chatgpt-agent-a-new-standard-for-bot-management/?utm_source=rss&utm_medium=rss&utm_campaign=detecting-authenticating-chatgpt-agent-a-new-standard-for-bot-management