Security & Trust

Everything your IT team needs to know

Overview

Loamly's managed proxy allows you to verify 100% of AI traffic on your website. This page explains how it works, what data we handle, and why it's safe to route your traffic through us.

TL;DR: We're a transparent pass-through proxy. We verify AI bot signatures, forward requests to your origin unchanged, and never store request bodies or modify your content.

How it works

When you point your domain's DNS to Loamly:

User Request → Your Domain (A: 37.16.7.18)
    → Loamly Proxy (Frankfurt, EU)
    → SSL Termination (Let's Encrypt)
    → RFC 9421 Signature Verification
    → Forward to Your Origin (unchanged)
    → Response back to User

What happens at each step

| Step | What happens | Data accessed |
| --- | --- | --- |
| SSL Termination | Caddy provisions and renews Let's Encrypt certificates automatically | Domain name only |
| Signature Check | We inspect HTTP headers for RFC 9421 signatures from AI bots (ChatGPT, Perplexity, etc.) | Headers only |
| Verification | Cryptographic verification using embedded public keys (JWKS) | Signature headers |
| Forward | Request forwarded to your origin server unchanged | Pass-through |
| Logging | If AI bot detected, we log: URL, timestamp, bot type, verification result | Metadata only |

Pass-through architecture

We never buffer, cache, or modify your request bodies or response content. Every byte passes through unchanged.

Data handling

What we collect

For AI bot requests only, we log:

  • Landing page URL
  • Timestamp
  • AI bot type (ChatGPT, Perplexity, Claude, etc.)
  • Verification result (signature valid/invalid)
  • Country (derived from IP, IP itself is not stored)
  • User-Agent header

This data is sent to your Loamly workspace dashboard.

What we don't collect

  • No IP addresses stored — We hash IPs for visitor deduplication, then discard the original
  • No request bodies — Form submissions, API payloads, etc. pass through unread
  • No response bodies — Your HTML, JSON, images are not cached or logged
  • No cookies — We don't read, set, or store your cookies (except our own AI referrer cookie)
  • No human visitor logging — Only AI bots with signatures are logged

Human visitors

Regular human traffic is proxied but not logged. We only track AI bots that identify themselves with RFC 9421 signatures or known User-Agent patterns.

Open source

Our signature verification logic is fully open source. You can inspect exactly what we do:

The verification code is straightforward: we check HTTP headers against known AI bot public keys using Ed25519 cryptographic signatures.
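The header check described above, as an added Go example (not Loamly's code): it rebuilds the RFC 9421 signature base from `Signature-Input` and verifies the Ed25519 signature in `Signature`. The label `sig1`, the covered components, the `Signature-Agent` value and the throwaway key are constructed for the demo; one signature per request and single-valued headers are assumed.

```go
package main
import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// signatureBase rebuilds the RFC 9421 signature base ("@authority" and header fields only).
func signatureBase(r *http.Request, label string) string {
	params := strings.TrimPrefix(r.Header.Get("Signature-Input"), label+"=")
	end := strings.Index(params, ")")
	if !strings.HasPrefix(params, "(") || end < 0 {
		return "" // no parsable Signature-Input for this label
	}
	var b strings.Builder
	for _, id := range strings.Fields(params[1:end]) {
		val := r.Header.Get(strings.Trim(id, `"`)) // empty if absent: base will not match the signer's
		if id == `"@authority"` {
			val = strings.ToLower(r.Host)
		}
		b.WriteString(id + ": " + val + "\n")
	}
	return b.String() + `"@signature-params": ` + params
}

// verify checks the Ed25519 signature for label against the rebuilt base.
func verify(r *http.Request, label string, pub ed25519.PublicKey) bool {
	base := signatureBase(r, label)
	raw := strings.TrimPrefix(r.Header.Get("Signature"), label+"=")
	sig, err := base64.StdEncoding.DecodeString(strings.Trim(raw, ":"))
	return base != "" && err == nil && ed25519.Verify(pub, []byte(base), sig)
}

func signedSample() (*http.Request, ed25519.PublicKey) { // constructed request, throwaway key
	pub, priv, _ := ed25519.GenerateKey(nil)
	r, _ := http.NewRequest("GET", "https://example.com/pricing", nil)
	r.Header.Set("Signature-Agent", `"https://bot.example"`)
	r.Header.Set("Signature-Input", `sig1=("@authority" "signature-agent");created=1735689600;keyid="demo-key"`)
	sig := ed25519.Sign(priv, []byte(signatureBase(r, "sig1")))
	r.Header.Set("Signature", "sig1=:"+base64.StdEncoding.EncodeToString(sig)+":")
	return r, pub
}

func main() {
	r, pub := signedSample()
	fmt.Println("signed request verifies:", verify(r, "sig1", pub))
}
```

Only the components listed in `Signature-Input` are protected, so changing an uncovered header leaves the signature valid. A production verifier would also select the key by `keyid` from the bot's JWKS and reject stale `created`/`expires` values.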

Instant rollback

Removing Loamly takes 30 seconds. Just change your DNS record back to your original server:

# To remove Loamly:
# Change your A record from:
example.com  A  37.16.7.18

# Back to your origin:
example.com  A  [your-original-ip]

# Or CNAME to your host:
example.com  CNAME  your-site.vercel.app

DNS propagation typically takes 5-30 minutes. There's no lock-in, no migration process, no data to export.

Compliance

| Standard | Status |
| --- | --- |
| GDPR | ✅ Compliant — EU data residency (Frankfurt), no PII stored |
| CCPA | ✅ Compliant — No personal information sold or shared |
| SOC 2 | 🚧 In progress — Target Q2 2025 |
| HIPAA | N/A — We don't handle health data |

Infrastructure

  • Proxy: Fly.io (Frankfurt, Germany)
  • Database: Supabase (Zurich, Switzerland)
  • SSL: Let's Encrypt (auto-renewed)

FAQ

Can you see my customer data?

No. Request and response bodies pass through without being read or stored. We only inspect HTTP headers for AI bot signatures.

Can you modify my website content?

No. We're a transparent proxy. Your HTML, CSS, JavaScript, and API responses are forwarded byte-for-byte unchanged.

What if Loamly goes down?

Our proxy runs on Fly.io with automatic failover. In the unlikely event of an outage, you can point your DNS back to your origin within minutes. We target 99.9% uptime.

Do you cache my content?

No. We don't cache anything. Every request goes directly to your origin. Your origin's caching headers are passed through unchanged.

Can I self-host the proxy?

Yes. Contact us for the self-hosted deployment guide if you require on-premise infrastructure. The verification logic is already open source.

How do I verify you're not logging everything?

Our verification code is open source. For enterprise customers, we offer audit logs and can provide infrastructure access for security reviews.

Questions?

Email security@loamly.ai for security questionnaires, DPA requests, or technical questions.