What is the /.well-known/ path for?

RFC 8615 reserves the /.well-known/ prefix so protocols can publish site-wide metadata at a predictable location. Clients fetch these documents to discover endpoints, keys and policies without you having to invent a custom URL.

Where do I put security.txt?

Serve it at https://yourdomain/.well-known/security.txt as plain text. It lists how to report vulnerabilities, including a Contact field and an Expires date as required by RFC 9116.

What is the difference between permanent and provisional entries?

Permanent registrations are defined by a published specification and are stable. Provisional entries are widely-used conventions that are registered but may still evolve. Both work in practice, but permanent ones are safest to depend on.

Must well-known documents be public?

Yes. They are designed to be fetched by automated clients and bots, so they must be reachable over HTTPS without authentication and returned with the correct content type for the protocol that consumes them.

Does this tool send my domain anywhere?

No. The host you type is only used locally in your browser to assemble the URL string. Nothing is fetched or transmitted — it is a pure reference and URL builder.

Well-Known URIs Reference

Discover site metadata with well-known URIs

The /.well-known/ path prefix is a small but powerful corner of the web. Defined by RFC 8615, it reserves a predictable location under every origin where protocols can publish site-wide metadata: security contacts, OAuth and OpenID endpoints, federation records, certificate-validation tokens and more. Instead of every standard inventing its own URL, they all register a suffix with IANA and live under /.well-known/. This reference lets you search that registry, see what each path is for, and build the exact URL for your own host.

How it works

Each entry in the IANA Well-Known URIs registry has a registered suffix — the text that follows /.well-known/ — plus the application that uses it, a registry status (permanent or provisional), and the spec that defines it. The full address is always:

https://<host>/.well-known/<suffix>

For example, the security disclosure file is https://example.com/.well-known/security.txt, and OpenID Connect discovery lives at https://example.com/.well-known/openid-configuration. When you enter a host, the tool strips any scheme or path you paste and assembles the canonical HTTPS URL for each entry so you can copy it straight into a request.

Tips and notes

Serve over HTTPS without auth. These documents are meant for automated clients (browsers, certificate authorities, federation servers), so they must be publicly reachable and return the correct content type.
security.txt needs an Expires field. RFC 9116 makes it mandatory, and many scanners flag a missing or past expiry.
ACME validation is temporary. The acme-challenge token files are written and removed automatically by your certificate client during issuance — you do not host them permanently.
Permanent vs provisional. Prefer permanent registrations when building something durable; provisional ones such as jwks.json or apple-app-site-association are conventions that work but are not yet locked to a single spec.

Well-Known URIs Reference

Email me this result

Discover site metadata with well-known URIs

How it works

Tips and notes