All posts

The /.well-known/ Directory: What It Is and What Goes There

July 6, 2026 · DevTools

web
security
standards
guide

If you've ever seen a request to /.well-known/something in your logs and wondered what it was, you're looking at a quiet but important web convention. RFC 8615 reserves the /.well-known/ path prefix as a standard home for machine-readable site metadata, so clients know exactly where to look without you inventing custom URLs.

Why a reserved path

Before this convention, every protocol picked its own location for metadata, and clients had to guess or be configured. A single reserved prefix means a tool can fetch https://example.com/.well-known/<name> and reliably find a documented file — no per-site configuration.

What commonly lives there

  • security.txt — RFC 9116 vulnerability-disclosure contacts. → Security.txt Generator
  • acme-challenge/ — how Let's Encrypt and other ACME certificate authorities verify you control the domain.
  • change-password — a standard redirect to your password-change page, used by password managers.
  • assetlinks.json / apple-app-site-association — link a website to its Android/iOS app for deep linking.
  • openid-configuration — OpenID Connect discovery metadata for identity providers.
  • webfinger — used by the fediverse (Mastodon, etc.) to resolve user identities.

A note on robots.txt

robots.txt predates this convention, so it lives at the site root (/robots.txt), not under /.well-known/. Same idea — a predictable location for crawler metadata — just an older one. → Robots.txt Generator

The takeaway

/.well-known/ is where the web puts files that other software needs to find automatically. If you're adding a security contact, supporting certificate automation, or integrating with identity or mobile-app linking, this is the path involved. Start with a security.txt — it's the easiest win, and every production site should have one.

Tools mentioned in this post