ShoptestBot is the name Shoptest uses for its automated storefront testing traffic: the browser automation that visits Shopify-hosted storefronts to run tests configured inside Shoptest.

Shoptest is a monitoring and QA product for merchants and agencies. ShoptestBot visits customer-facing storefront URLs (for example home, collection, product, cart, and journeys recorded by the store team) to verify that pages load, flows work, and regressions are caught before shoppers do.

This page explains ShoptestBot for merchants, agencies, security teams, and platform operators.

Operator: Shoptest
Contact: bot@shoptest.ai
Last updated: 2026-05-18

User-Agent

Published bot identity string

Shoptest publishes the following public bot identity string for transparency:

ShoptestBot/1.0 (+https://www.shoptest.ai/bot)

Linking this URL from the identity string matches common bot-documentation expectations, including guidance such as Cloudflare's verified bot policies.

What you may see on the wire today

Shoptest storefront testing traffic identifies itself with the public bot identity string above when verified request signing is enabled. Device mode and traffic simulation settings may still affect rendering, referrer, cookies, query parameters, and network location, but the storefront-visible User-Agent is the ShoptestBot identity for signed storefront requests.

Some related Shoptest systems may still use different User-Agents, so if you filter solely on the ShoptestBot/... string, you may miss traffic from systems that are outside the signed storefront testing path.

How the browser behaves

Shoptest storefront checks run in an interactive browser environment, not as a static HTTP crawler. That means:

• JavaScript executes like a normal visitor session (themes, cart drawers, lazy-loaded sections, etc.).

• Interactions include navigation, clicks, typing, scrolling, hovers, and waits as recorded or generated for the test.

• Optional tracker and ad blocking may be enabled to reduce third-party analytics noise during tests. First-party Shopify requests needed for the journey still occur.

Some Shoptest features use other execution paths against storefronts (see Related automated traffic below).

Why ShoptestBot visits a store

ShoptestBot may visit a store to:

• Verify that important storefront URLs load and render for customers.

• Replay customer journeys defined in Shoptest (navigation, product flows, cart interactions, assertions on text/URLs/elements, and similar checks).

• Capture evidence when something breaks, such as screenshots, console logs, and network activity summaries scoped to what the test collects.

• Support monitoring schedules chosen by the merchant or agency (frequency is a product/plan concern; it is not unbounded crawling of the entire site).

What ShoptestBot does not do

ShoptestBot is not designed or operated for:

• Broad unsolicited crawling of arbitrary Shopify stores; visits should trace back to a test configured for that shop in Shoptest.

• Credential stuffing, password guessing, or authentication attacks.

• Bypassing access controls as an adversary would; stores may use storefront passwords or other gates, and Shoptest customers configure how tests authenticate if needed.

• Exploitation or vulnerability scanning of infrastructure.

• Bulk scraping of competitor pricing as a business purpose (Shoptest is store monitoring for the subscribing merchant/agency).

• Shopify Admin (admin.shopify.com / Admin API for merchant configuration) as part of this storefront browser automation path. Admin operations are outside this crawler's documented storefront scope.

• Harvesting private customer PII from the storefront; tests operate like a browser session and should not be used to collect unrelated shopper data.

Checkout and purchases

Checkout behavior depends entirely on what the merchant or agency recorded or configured in Shoptest:

• The automation can click buttons such as Add to cart, open cart drawers, and proceed through checkout steps that exist on the storefront, because those are normal shopper interactions used to validate flows.

• Completing a paid order should only happen when the merchant or agency explicitly configures a journey that supplies the required checkout details and submits the final purchase action. Shoptest is not intended to silently purchase products; behavior follows the configured journey and what the storefront allows for that browser session.

If you observe checkout-related traffic you do not expect, use the Contact section. Another team in the merchant's organization may have configured the test.

Authorization

ShoptestBot should only generate storefront traffic for shops where a Shoptest customer (merchant, agency, or authorized ecommerce team) has installed/configured Shoptest and defined tests targeting that storefront domain.

If you believe traffic is unintended for your domain, contact Shoptest with evidence below. Unexpected visits may indicate misconfigured targets, stale DNS, or abuse of Shoptest accounts, which Shoptest can investigate.

Request signing (HTTP Message Signatures / Web Bot Auth)

Some bot transparency programs encourage cryptographically verifiable HTTP requests (for example HTTP Message Signatures and related Web Bot Auth directory conventions).

Implementation status: Shoptest supports Web Bot Auth signing for storefront testing traffic behind deployment configuration. When enabled, requests include HTTP Message Signature headers and public keys are published under:

https://www.shoptest.ai/.well-known/http-message-signatures-directory

Related automated systems, such as broken-link checks and compatibility checks, should be verified through their documented User-Agent patterns, network evidence, and contacting Shoptest.

How to verify traffic today

If you need to confirm whether traffic came from Shoptest, contact bot@shoptest.ai and include:

• Store domain

• Approximate request time in UTC

• Full request URL

• User-Agent header

• Source IP address, if available

• CDN or firewall request identifiers, such as Cloudflare Ray ID, if available

• Why the traffic appears unexpected or needs verification

Shoptest can use these details to investigate whether the request matches a configured customer test or related Shoptest automation.

Crawling etiquette and load

Shoptest aims to limit unnecessary load:

• Work is driven by configured tests and schedules, not discovery crawling of every URL on the internet.

• Shoptest applies internal retry/backoff behavior for its own service calls, for example after HTTP 429 responses. That governs Shoptest services, not your storefront's rate limits directly.

• Customers choose execution frequency and scope inside the product; Shoptest does not claim a single global storefront requests-per-second cap in this document. Deployment configuration and customer schedules matter.

Sensitive paths are only touched when they are part of a configured journey.

robots.txt and crawl policy

ShoptestBot is not a general-purpose web crawler and does not discover storefront URLs from robots.txt or sitemap crawling. It visits URLs and journeys configured by a Shoptest customer for that store.

Because configured test journeys may need to validate customer-facing pages that are intentionally monitored by the merchant, Shoptest does not describe robots.txt as the control plane for these tests. To block, reduce, or investigate Shoptest traffic, contact bot@shoptest.ai.

Cookies, storage, and simulated traffic

Depending on configuration, a run may:

• Send cookies or extra query parameters configured under traffic simulation (for example campaign attribution tests).

• Apply referrer overrides.

• Route outbound traffic through a proxy with geography aligned to the proxy exit IP (when the customer enables proxy modes Shoptest supports).

Popup flows captured during recording may restore captured cookie/storage state needed to dismiss consent banners consistently during playback.

Related automated traffic

Other Shoptest subsystems may hit storefront or external URLs with different User-Agents, including:

• Broken link checks that may identify as Mozilla/5.0 (compatible; ShopifyBrokenLinkChecker/1.0) when validating links.

• Compatibility checks that may use their own browser identity strings.

If you are tuning firewall rules, consider whether you need to account for these patterns separately.

Contact

For questions, coordination, verification, or abuse reports related to Shoptest storefront automation:

Email: bot@shoptest.ai

Blocking or reducing traffic

If you believe ShoptestBot, or related Shoptest automation, is visiting your store unexpectedly:

1. Email bot@shoptest.ai.

2. Include as much of the following as possible:

   • Store domain (myshopify.com and public domain if different)

   • Approximate time (UTC) of requests

   • Full request URL(s)

   • User-Agent header value(s)

   • HTTP client IP (if available) and any CDN ray IDs

   • Why the traffic appears unintended, for example "we do not use Shoptest" or "wrong merchant"

Shoptest will investigate ownership of the configuration and work toward resolving mistaken targeting where appropriate.