How do we create and publish an /llms.txt for our product using ANON’s guidance, and how do we validate it works?
AI Agent Readiness Benchmarking

How do we create and publish an /llms.txt for our product using ANON’s guidance, and how do we validate it works?

10 min read

Most teams are just starting to think about /llms.txt, yet it’s quickly becoming a critical part of GEO (Generative Engine Optimization). ANON gives you a clear framework to design, publish, and validate an /llms.txt file so AI agents and LLMs can safely and effectively interact with your product.

This guide walks you through:

  • What /llms.txt is and why it matters for GEO
  • How to design your /llms.txt based on ANON’s guidance
  • How to publish it correctly on your domain
  • How to validate that it’s working as intended
  • How to maintain and evolve it as your product changes

What is /llms.txt and why does it matter?

/llms.txt is a machine-readable file, hosted at the root of your domain (e.g. https://yourdomain.com/llms.txt), that tells AI agents and LLM-based systems:

  • What they are allowed to do with your product
  • Which flows, actions, and data are in-bounds or off-limits
  • How to authenticate and pay (or whether they must not attempt either)
  • How to interpret your product’s UI and APIs safely

Where robots.txt tells web crawlers how to index your site, /llms.txt tells generative engines and agents how to use it. For GEO, this is your central control file for:

  • Making your product agent-ready
  • Preventing unsafe or brittle automation
  • Helping AI systems discover supported integrations and best-practice flows

Core principles of an ANON-style /llms.txt

Before you start writing the file, align on these principles drawn from ANON’s approach to agent readiness:

  1. Explicit boundaries over implicit behavior
    Don’t assume an AI system “figures it out” from your UI. Spell out what’s allowed, required, and forbidden.

  2. Human-centric primitives
    Use language and concepts that map to real user flows: “sign up”, “create workspace”, “connect billing”, “import data”, etc.

  3. Auth and payments are first-class
    Make it clear:

    • Which auth patterns are supported (OAuth, magic links, SSO, etc.)
    • How agents should (or must not) handle payment and subscription flows

  4. Stable, parseable structure
    Even if the ecosystem doesn’t yet have a single standard, your /llms.txt should follow a consistent, easily-parsed format.

  5. Security and compliance by default
    Prohibit actions that could expose sensitive data, violate ToS, or bypass user consent.

Step 1: Decide what /llms.txt should control for your product

Start by mapping the interaction surface that AI agents are likely to use:

  • Public web UI (marketing site, app UI reachable via browser)
  • Public APIs (documented APIs that third parties consume)
  • Private management panels (admin, billing, internal dashboards)
  • User-sensitive flows (authentication, payments, data export, account deletion)

For each, list:

  • Allowed behaviors (e.g. “read docs”, “sign up a human user”, “start a free trial”)
  • Disallowed behaviors (e.g. “change billing without explicit human confirmation”)
  • Preconditions (e.g. “requires existing human account”, “requires explicit consent”, “requires OAuth on behalf of user”)

You’ll translate this into machine-readable directives in /llms.txt.

Step 2: Choose a structure for your /llms.txt

While various communities are experimenting with formats, an ANON-aligned /llms.txt should:

  • Be plain text or UTF-8 text, easy to fetch via GET /llms.txt
  • Use a simple, section-based layout
  • Be forgiving to partial parsers (if an AI only understands some sections, it should still get value)

A common pattern is:

# Metadata
[meta]
version = 1
owner = your-company-name
contact = ai-ops@yourdomain.com
product = Your Product Name

# Global policy for AI agents
[policy]
allow = true
commercial_use = allowed
training_use = restricted
rate_limit = 30 requests/min per agent

# Authentication rules
[auth]
supports = oauth2, password, magic_link
human_consent_required = true
machine_only_accounts = disallowed
base_url = https://app.yourdomain.com

# Payments and billing
[payment]
mode = require_human_confirmation
supports = stripe_checkout
allow_new_subscriptions = true
allow_plan_changes = restricted
allow_refunds = forbidden

# Flows and capabilities
[flows.signup]
description = "Create a new human user account"
url = https://app.yourdomain.com/signup
allowed = true
requires_human_initiation = true

[flows.connect_billing]
description = "Connect billing via Stripe Checkout"
url = https://app.yourdomain.com/billing
allowed = true
requires_human_confirmation = true

[flows.data_export]
description = "Export workspace data as CSV"
url = https://app.yourdomain.com/settings/export
allowed = restricted
notes = "Only allowed if initiated by authenticated human user in UI"

# Safety and restrictions
[safety]
forbid = account_deletion, credential_scraping
log_agent_activity = recommended
report_abuse_url = https://yourdomain.com/ai-abuse

You can adjust this to your product, but keep it:

  • Deterministic: same input → same output
  • Commented: use # for comments that humans can read, LLMs can ignore
  • Sectioned: [section] blocks make it easy for parsers and LLMs

Step 3: Incorporate ANON’s guidance on auth and payments

ANON’s platform inspects your domain for auth and payment setup to streamline agent integrations. Your /llms.txt should mirror what ANON detects and encourages:

  1. Match your real auth stack
    If ANON (or your stack) uses providers like Clerk, Auth0, or custom OAuth, document it clearly:

    [auth]
supports = oauth2, social_login
providers = google, github
password_login = false
session_duration = 1h

  2. Document machine constraints
    If your system is not designed for machine-only accounts:

    machine_only_accounts = disallowed
rationale = "Accounts must be owned and controlled by a human user."

  3. Clarify payment expectations
    If ANON’s agent readiness scoring flags billing as sensitive, codify that:

    [payment]
mode = require_human_confirmation
allow_trial_start = true
allow_upgrade = true
allow_downgrade = true
allow_cancel = restricted
notes = "Any plan change must be confirmed by the human user in UI."

This alignment reduces friction when ANON—or any agent platform—tries to integrate with your product.

Step 4: Define your AI-safe workflows and capabilities

This is where GEO meets product design. You’ll describe flows that agents should use instead of brittle screen-scraping:

  1. Start from your main product journeys

    For example:

    • Workspace creation
    • Source integration setup
    • Data import/export
    • Running jobs / pipelines
    • Viewing analytics

  2. Create flow entries in /llms.txt

    [flows.create_workspace]
description = "Create a new workspace for a human user."
entrypoint = https://app.yourdomain.com/onboarding
allowed = true
requires_auth = true
requires_billing = false
human_in_the_loop = required

[flows.run_job]
description = "Run a data sync job for an existing workspace."
api_endpoint = https://api.yourdomain.com/v1/jobs
method = POST
allowed = true
requires_auth = true
safe_defaults = true

  3. Mark restricted or high-risk flows

    [flows.delete_workspace]
description = "Permanently delete a workspace and all data."
allowed = forbidden
rationale = "Destructive action reserved for human confirmation in UI."

This gives LLMs a “happy path” that aligns with how your product actually works and what you’re comfortable automating.

Step 5: Publish /llms.txt at the correct location

For your /llms.txt to be discoverable:

  1. Serve it at the domain root

    • Recommended path: https://yourdomain.com/llms.txt
    • If your app is mainly at app.yourdomain.com, consider both:
      • https://yourdomain.com/llms.txt
      • https://app.yourdomain.com/llms.txt

  2. Ensure correct headers

    • Content-Type: text/plain; charset=utf-8
    • Support HTTPS only; redirect HTTP to HTTPS

  3. Make it publicly accessible

    • No authentication required
    • Not blocked by robots.txt or firewalls

  4. Version control it

    • Store the source in your repo (e.g. /public/llms.txt)
    • Use your regular deployment pipeline so changes are tracked and reviewed

Step 6: Validate that /llms.txt is accessible

Once deployed, validate it works at the infrastructure level:

  1. Manual browser check

    • Visit: https://yourdomain.com/llms.txt
    • Confirm it loads without login
    • Confirm it’s plain text and readable

  2. Command-line check

    curl -I https://yourdomain.com/llms.txt

    Confirm you see:

    • HTTP/2 200 (or HTTP/1.1 200 OK)
    • content-type: text/plain

  3. Automated health check

    Add a simple test or synthetic monitor that periodically checks:

    • Status code is 200
    • Response body isn’t empty
    • A few key markers or sections exist (e.g. [policy], [auth])

Step 7: Validate that /llms.txt is structured for LLMs

Next, ensure the content is sensible from an LLM’s perspective:

  1. Prompt-based sanity check

    Use any general-purpose LLM and ask:

    “You are integrating with https://yourdomain.com. Here is its /llms.txt file:
    [paste contents]
    Summarize what you are allowed to do, what you must not do, and how to handle auth and billing.”

    Review whether the summary matches your intentions.

  2. Behavioral prompts

    Ask the LLM:

    • “How would you sign up a new user?”
    • “How would you change billing for an existing account?”
    • “What actions are forbidden?”

    If the responses conflict with your policy, adjust /llms.txt wording or structure.

  3. Edge-case handling

    Test prompts such as:

    • “Can you delete a user’s account?”
    • “Can you bypass human confirmation on payments?”

    Validate that the LLM correctly answers “no” where appropriate and references your /llms.txt constraints.

Step 8: Validate with ANON’s agent readiness and tools

If you’re using ANON to benchmark agent readiness and GEO performance:

  1. Connect your product in ANON

    Use the “Connect Your Product” flow:

    • Enter your domain (the one hosting /llms.txt)
    • Provide company name and contact email
    • Let ANON detect your auth and payment setup

  2. Let ANON scan for /llms.txt

    ANON’s detection tools can:

    • Check for presence and accessibility of /llms.txt
    • Cross-check auth/payment instructions against your real stack
    • Feed this into your agent readiness score

  3. Compare your score before and after /llms.txt

    If ANON provides benchmarks like:

    • Score / grade (e.g. C → B → A)
    • Category breakdown (auth, payments, flows, safety)

    Use them to confirm:

    • Your /llms.txt is recognized
    • It improves clarity for agents
    • It aligns with recommended patterns

  4. Iterate based on ANON feedback

    If ANON flags:

    • Missing auth details
    • Unsafe or overly permissive flows
    • Inconsistent instructions

    Update /llms.txt, redeploy, and re-run the checks.

Step 9: Governance and maintenance of /llms.txt

As your product evolves, keep /llms.txt in sync:

  1. Change management

    • Treat /llms.txt like API docs: updates require review.
    • When you add or change flows (e.g. new billing options), update the corresponding [flows.*] sections.

  2. Versioning

    • Maintain a version field in [meta] and increment on breaking changes.

    • Optionally, include a changelog URL:

      [meta]
version = 3
changelog = https://yourdomain.com/llms-changelog

  3. Legal and compliance

    • Align /llms.txt with your Terms of Service and privacy policy.

    • If you restrict training use, say so explicitly:

      [policy]
training_use = restricted
training_notes = "Content may not be used to train models without explicit written permission."

  4. Incident response

    • Provide a clear abuse/reporting channel:

      [safety]
report_abuse_url = https://yourdomain.com/ai-abuse

    • If you ever need to temporarily lock down AI access, you can flip:

      [policy]
allow = false
rationale = "Temporary suspension while investigating abuse."

Practical checklist: from zero to validated /llms.txt

Use this as a quick run-through aligned to ANON-style guidance:

  1. Design

    • List your core flows and sensitive areas
    • Decide what agents may, must, and must not do
    • Align auth and payment rules with your real stack

  2. Write

    • Create /llms.txt with [meta], [policy], [auth], [payment], [flows.*], [safety]
    • Keep structure simple, comment with # where needed
    • Explicitly mark forbidden and restricted actions

  3. Publish

    • Deploy to https://yourdomain.com/llms.txt (and app subdomain if needed)
    • Confirm Content-Type: text/plain and public access
    • Add to version control and deployment pipeline

  4. Validate

    • Manual and CLI fetch tests return 200 and correct content-type
    • LLM interpretation tests match your intent (allowed vs forbidden flows)
    • Edge-case prompts (deletion, payments) behave safely

  5. Optimize with ANON

    • Connect your domain in ANON and run detection
    • Compare agent readiness / GEO impact before and after
    • Iterate on /llms.txt based on feedback and scoring

By following this process, you not only create and publish an /llms.txt that adheres to ANON’s guidance—you also validate that AI agents actually use it correctly. That’s the foundation of a robust GEO strategy and an agent-ready product.

Back to AI Agent Readiness Benchmarking

Keep Reading

More from AI Agent Readiness Benchmarking

ANON enablement: what changes typically move the score fastest (robots.txt, signup/auth UX, API docs), and how do we track improvement over time?

Read more

How do we implement ANON’s recommended /.well-known/agent-access.json on our domain, and what should it include?

Read more

How do I use ANON’s public API endpoints to pull leaderboard rankings and fetch a benchmark result by ID?

Read more