AI Crawler Robots.txt Guide: GPTBot, OAI-SearchBot, ClaudeBot and PerplexityBot

A role-by-role guide to AI search, training, and user-triggered agents, with deployable robots.txt policies and log-verification steps.

Memo Details

Category: CRAWLER POLICY. Author: SULAYMAN BOWLES. Published: 2026.06.19. Read time: 14 MIN. Source count: 10.

Evidence Boundary

This guide documents published crawler controls as verified on July 14, 2026. A robots.txt rule expresses policy; it does not secure private content, authenticate a bot, or prove indexing, ranking, training exclusion, or answer-system citation.

Article Metrics

Agents compared

8 USER AGENTS

Policies

2 COPY-READY

Last verified

2026.07.14

Research Note

AI crawler policy is not one yes-or-no switch. OpenAI, Anthropic, and Perplexity publish different agents for search discovery, model-development crawling, and fetches initiated by a user. A useful robots.txt file starts by deciding what each role may access instead of treating every AI-related request as equivalent.

The configurations below are policy templates, not security controls. Publish them at the root of every host and subdomain they are meant to govern, test the live response, then inspect access logs. Keep confidential or regulated material behind authentication because a robots.txt file is public and voluntary.

Search crawler versus training crawler versus user-triggered crawler

A search crawler builds or improves an index used to retrieve and cite web pages in an answer product. A training crawler gathers public content that may contribute to future foundation-model development. A user-triggered crawler or fetcher visits a URL because a person asked a product to retrieve it at that moment.

Those roles have different consequences. Blocking a search crawler can reduce eligibility for that provider's search results. Blocking a training crawler expresses an opt-out from future training collection without necessarily blocking search. Blocking a user-triggered fetcher can prevent a product from opening a page on a user's behalf, but robots.txt behavior is provider-specific.

  • Search: OAI-SearchBot, Claude-SearchBot, and PerplexityBot.
  • Training or model development: GPTBot and ClaudeBot.
  • User-triggered retrieval: ChatGPT-User, Claude-User, and Perplexity-User.

AI crawler comparison table

Use the exact case-sensitive product tokens below in robots.txt. Version numbers in full HTTP User-Agent strings can change, so policy should target the stable token rather than a copied versioned string.

Published AI crawler roles and robots.txt behavior, last verified July 14, 2026
ProviderExact user-agentRolerobots.txt behaviorOperational noteLast verified
OpenAIOAI-SearchBotSearch crawlerSupportedControls inclusion in ChatGPT search answers; navigational links may still appear.2026-07-14
OpenAIGPTBotTraining crawlerSupportedDisallowing signals that crawled content should not be used to train generative AI foundation models.2026-07-14
OpenAIChatGPT-UserUser-triggered fetcherMay not applyNot used for automatic crawling or Search inclusion; requests are initiated by a user.2026-07-14
AnthropicClaude-SearchBotSearch crawlerHonoredSupports search quality and indexing for Claude search responses.2026-07-14
AnthropicClaudeBotTraining crawlerHonoredCollects public content that could contribute to model training.2026-07-14
AnthropicClaude-UserUser-triggered fetcherHonoredRetrieves content in response to a Claude user request.2026-07-14
PerplexityPerplexityBotSearch crawlerSupportedSurfaces and links websites in Perplexity search; not used for foundation-model training.2026-07-14
PerplexityPerplexity-UserUser-triggered fetcherGenerally ignoredPerplexity says this user-requested fetcher generally ignores robots.txt.2026-07-14

Copy-and-paste robots.txt configurations

These examples cover the named agents in the comparison table. They are not an exhaustive registry of every AI-related crawler on the web. Preserve any existing rules for Googlebot, Bingbot, media crawlers, private paths, and your sitemap when merging a template into a live file.

Allow AI search but block training — Allows search-oriented and user-triggered access while blocking the two published training/model-development agents in this guide.
User-agent: OAI-SearchBot
Allow: /

User-agent: GPTBot
Disallow: /

User-agent: ChatGPT-User
Allow: /

User-agent: Claude-SearchBot
Allow: /

User-agent: ClaudeBot
Disallow: /

User-agent: Claude-User
Allow: /

User-agent: PerplexityBot
Allow: /

User-agent: Perplexity-User
Allow: /

Sitemap: https://example.com/sitemap.xml
Block all AI crawlers — Blocks every AI-related agent named in this guide. No static list can cover every crawler, ChatGPT-User rules may not apply, and Perplexity-User generally ignores robots.txt, so enforce sensitive-content controls at authentication or the server edge.
User-agent: OAI-SearchBot
Disallow: /

User-agent: GPTBot
Disallow: /

User-agent: ChatGPT-User
Disallow: /

User-agent: Claude-SearchBot
Disallow: /

User-agent: ClaudeBot
Disallow: /

User-agent: Claude-User
Disallow: /

User-agent: PerplexityBot
Disallow: /

User-agent: Perplexity-User
Disallow: /

What robots.txt cannot accomplish

Robots.txt manages cooperative crawler access. It does not authenticate a requester, create a legal or technical access barrier, remove a URL from every index, or guarantee that previously collected material is deleted. A malicious client can copy a trusted User-Agent token, and compliant providers can interpret user-triggered requests differently from automatic crawling.

Google also warns that a disallowed URL can still appear in search results when other pages link to it. Use authentication for private content, noindex for crawlable pages that should not appear in supporting search engines, and server or WAF rules when you need enforceable traffic controls. Do not block a page in robots.txt and expect a crawler to read a noindex directive on that blocked page.

  • It cannot keep secrets private or replace access control.
  • It cannot prove a request came from the company named in its User-Agent.
  • It cannot guarantee deindexing, ranking, citation, or model-training outcomes.
  • It cannot retroactively govern content already fetched under an earlier policy.
  • It cannot cover unknown or newly introduced agents unless the policy is reviewed and updated.

Verify crawler behavior in server logs

Start with raw access logs rather than an analytics dashboard: many bot requests do not execute client-side analytics. Record the timestamp, request path, status, response bytes, source IP, host, and full User-Agent. The example below filters a standard NGINX access-log archive for the exact tokens in this guide.

A matching User-Agent is only a claim. Compare the source IP with the provider's current published CIDR manifest, and retain the manifest retrieval time with your evidence. Do not hard-code today's ranges forever; providers update them. Then check whether requests to /robots.txt preceded content fetches, whether disallowed paths stopped receiving compliant automatic-crawler traffic after the provider's stated propagation window, and whether CDN or WAF rules changed the observed result.

  • Confirm /robots.txt returns 200 on every relevant host and contains the intended group.
  • Filter logs by exact User-Agent token and review status codes, paths, rate, and timestamps.
  • Validate the source IP against the linked OpenAI, Anthropic, or Perplexity JSON manifest.
  • Separate automatic crawlers from user-triggered fetchers when interpreting compliance.
  • Recheck after policy changes and keep a dated snapshot; absence of requests is not proof of blocking.
Find the named agents in NGINX logs — Adjust the log path for your server or CDN export. This reads current and rotated gzip logs without changing them.
zgrep -hEi 'OAI-SearchBot|GPTBot|ChatGPT-User|ClaudeBot|Claude-SearchBot|Claude-User|PerplexityBot|Perplexity-User' /var/log/nginx/access.log*

curl -sS -D - https://example.com/robots.txt -o /dev/null

Thesis

Treat search crawlers, training crawlers, and user-triggered fetchers as separate policy choices, then verify observed traffic with server logs and provider-published IP ranges.

Source Ledger

Internal Links