The /.well-known/ Directory: What It Is and What Goes There
July 6, 2026 · DevTools
If you've ever seen a request to /.well-known/something in your logs and wondered what it was, you're looking at a quiet but important web convention. RFC 8615 reserves the /.well-known/ path prefix as a standard home for machine-readable site metadata, so clients know exactly where to look without you inventing custom URLs.
Why a reserved path
Before this convention, every protocol picked its own location for metadata, and clients had to guess or be configured. A single reserved prefix means a tool can fetch https://example.com/.well-known/<name> and reliably find a documented file — no per-site configuration.
What commonly lives there
security.txt— RFC 9116 vulnerability-disclosure contacts. → Security.txt Generatoracme-challenge/— how Let's Encrypt and other ACME certificate authorities verify you control the domain.change-password— a standard redirect to your password-change page, used by password managers.assetlinks.json/apple-app-site-association— link a website to its Android/iOS app for deep linking.openid-configuration— OpenID Connect discovery metadata for identity providers.webfinger— used by the fediverse (Mastodon, etc.) to resolve user identities.
A note on robots.txt
robots.txt predates this convention, so it lives at the site root (/robots.txt), not under /.well-known/. Same idea — a predictable location for crawler metadata — just an older one. → Robots.txt Generator
The takeaway
/.well-known/ is where the web puts files that other software needs to find automatically. If you're adding a security contact, supporting certificate automation, or integrating with identity or mobile-app linking, this is the path involved. Start with a security.txt — it's the easiest win, and every production site should have one.