commerce.whisper.online · agent-payment identity

An AI agent transacting on your behalf can't prove it isn't an impostor.

The A2A Agent Card's signature is recommended, not mandated — and even when it's signed, nothing at the protocol level proves the signing key belongs to the claimed domain; it leans on transport TLS. AP2 deliberately does not define agent identity at all — it defers that to FIDO's Agentic Authentication working group. x402's identity is a bare wallet key: "no accounts." So a merchant, a payment platform, or another agent has no forge-proof way to answer the only question that matters — is this the real agent, and can I stop it if it goes rogue?

We give it one. Bind the agent's identifier — its A2A Agent Card, its AP2 mandate signer, its x402 wallet, with device_id = the agent id — to a routable, DNSSEC-anchored /128 derived from the agent's own key: publicly verifiable, revocable at DNS-TTL, and — uniquely — reachable, egress-governed, and pinnable to a wallet. Give every AI agent a payment identity the counterparty can verify — and revoke.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

15–25% of all e-commerce projected to run through AI agents by 2030 (Bain)
480,000+ agents settled 165M+ x402 txns on Base through Q1 2026 — value in >$1 payments went 49%→~95% in a year
~1 in 4 enterprise breaches will be traced to AI-agent abuse by 2028 (Gartner)
~25%+ prompt-injection success against even the best agents (AgentDojo) — OWASP's #1 LLM risk
~109:1 non-human identities now outnumber humans — 28.65M new hardcoded secrets on GitHub in 2025
700+ trust domains reached in ~10 days on stolen agent tokens — revocation didn't propagate

This is how a purchase gets made in your name by an agent that isn't yours.

No zero-day required. Just a self-asserted Agent Card, a bearer token, and payment rails that were shipped without an identity layer underneath them.

01 · SPOOF

Stand up a fake

Publish a forged or shadow-cloned /.well-known/agent-card.json at a plausible domain. A2A doesn't mandate how a card is verified, so a self-asserted card is the identity.

02 · AUTH

Pass as "an agent"

Present a stolen or leaked bearer token — or simply assert an unverifiable identity. The credential is a bearer instrument: whoever holds it is the agent.

03 · ENTER

Join the flow

The merchant, the facilitator, or a peer agent can't cryptographically tell you from the real one. The card networks conceded this in Oct 2025 with a framework to "distinguish malicious bots from legitimate AI agents."

04 · TRIGGER

Move the money

Plant injected instructions the victim's own agent reads (OWASP LLM01, the #1 risk), or persuade an over-permissioned agent to act "on their behalf" — the confused deputy, reborn.

05 · REPLAY

Abuse the artifact

Replay a captured mandate (why x402 puts a nonce in the 402 body and AP2 signs each mandate), or exploit an SDK signature-verify bug — both documented across x402/AP2 SDKs in 2026.

06 · PERSIST

Outlive revocation

No stable identity to attribute, no cross-domain revocation protocol. Rotate egress across clouds and residential proxies; a "revoked" agent keeps its registration and transacts elsewhere — "a dormant but persistent threat."

Invisible at the protocol layer by design: a real agent is a self-asserted card and a bearer token — and so is the impostor. There is no forge-proof way to tell them apart, no way to follow them when the egress rotates, and no way to make a revocation stick across domains. This is not hypothetical: a compromised agent integration reached 700+ trust domains in ~10 days on stolen OAuth tokens, and the revocation never propagated — "not a latency problem but a missing protocol."

Strip the incident down and it isn't a hundred bugs. It's two.

Every step in that chain leans on exactly two structural gaps the payment protocols left open. Close both and the fraud has nowhere left to stand.

Gap 1 · a self-asserted card is not a verifiable identity

The A2A Agent Card is a JSON document the agent publishes about itself. Its AgentCardSignature (a JWS) is recommended, not required — and even when it's present, it proves the card wasn't tampered with, not that the signing key belongs to the agent it claims to be. AP2 punts agent identity to FIDO; x402's "identity" is a bare wallet address with no accounts. So "which agent, really?" is a guess the counterparty makes on trust.

The answer — identity. Bind the agent's identifier to its own forge-proof /128 — a routable IPv6 address derived from the key behind its Agent Card, its AP2 mandate signer, or its x402 wallet, DNSSEC-anchored and DANE-EE pinned, with device_id = the agent id. A verifier resolves the /128 and checks the DNSSEC/DANE chain to the IANA root: this card belongs to this agent — a stronger claim than "belongs to the domain," and revocable in one call, which none of A2A, AP2, x402 or MCP can do.

"A2A already lets an agent sign its Agent Card. Why isn't that enough?"

Because the signature is only recommended, and even when present it proves the card wasn't tampered with — not that the key belongs to the agent it names, and there's no way to revoke it. A2A's own maintainers are debating a centralized registry (issue #1672, getagentid.dev) to fix exactly this. Whisper anchors the same key in the open DNSSEC/DANE root instead — decentralized, verifiable by anyone with dig, revocable at DNS-TTL. Additive to A2A, not a fork.

Gap 2 · when the egress rotates, you can't name who's behind it — or stop them

A compromised agent hops across clouds and residential proxies. Each domain it touches "validates in isolation, no shared defense," and when one domain revokes, the others get no signal. So you can't attribute the operator across sessions, and you can't make a kill stick — the ecosystem named this itself: "not a latency problem but a missing protocol."

The answer — the graph, and the control plane. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm a JA4/JA3 client fingerprint travels with the tooling, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. And because the agent's identity is a routable /128, one op:revoke tears it down worldwide at DNS-TTL — the cross-domain revocation the payment protocols never defined. Every answer returns a reproducible evidence chain your fraud team, your auditors, and a regulator can replay.

what the counterparty sees — a rotating, meaningless “last IP” Cloned card = agent authority AWS us-east 3.91.x.x GCP us-central 34.72.x.x Azure eastus 20.42.x.x residential-proxy swarm 71.x · Comcast 82.x · KPN 99.x · Orange JA4-identical tooling infra genealogy JA4 fingerprint One operator ASN + hosting genealogy + JA4 / JA3 fingerprint evidence chain → your fraud stack what the graph sees — one operator
Attribution survives rotation because it tracks the infrastructure and the tooling, not the ephemeral egress IP. The one thing we never rely on is the last IP — and because the identity is a routable /128, one op:revoke makes the kill stick across every counterparty.

"When a compromised agent rotates across fresh cloud IPs and residential proxies, can you actually attribute it — or just block an IP and move on?"

Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm — the egress IP is the one thing we don't rely on. And because the identity is a routable /128, one revoke propagates the kill to every counterparty at DNS-TTL — the cross-domain revocation the ecosystem named as its missing protocol.

Gap 1 is the root cause — a self-asserted card no one can verify or revoke. Gap 2 is what happens when it goes wrong — an operator you can't name and a revocation that doesn't stick. Here's the root-cause cure.

Give every agent an identity it can prove — and no one can forge.

Stop treating agent-payment fraud as a detection problem and make it an identity problem — strictly stronger. Whisper has one primitive: the address is the agent.

A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig. whisper verify --trustless checks it against the IANA root; our own API is not in the trust path.

Point it at agents. Derive each agent's /128 from the public key behind the identifier it already carries: the key that signs its A2A AgentCardSignature (JWS), the ECDSA P-256 key that signs its AP2 mandates, the EOA behind its x402 wallet, or the RFC 9421 keyid it presents to Visa's Trusted Agent Protocol — with the agent id as the domain separator (device_id). The private key never leaves the agent; the address is a one-way function of its public half and that id. No new key ceremony, no per-network onboarding — you bind the identity the agent already has.

Agent key Agent Card JWS · AP2 P-256 · x402 wallet private key never leaves the agent only the public half is an input public key + agent id /128 2a04:2a01:9c2::a17 routable identity DNSSEC + DANE-EE A name anyone can verify whisper verify --trustless our API not in the trust path pin-a-wallet → x402 from 0x8f…c1 op:revoke → gone worldwide at DNS-TTL
The agent already holds the key that signs its Agent Card, its AP2 mandates, or its x402 wallet. Whisper binds that key to a routable, publicly verifiable /128 — then a wallet pins to it, and one call revokes it: the cross-domain off-switch A2A, AP2 and x402 never defined.

"A forged card = a real agent" becomes impossible

You cannot present an agent identity whose key you don't hold. Every shadow-cloned Agent Card is a DNSSEC/DANE inconsistency any verifier catches with dig.

Egress rotation becomes irrelevant

Identity is not the source IP or the bearer token. Rotating the egress — across clouds or residential proxies — changes nothing the counterparty actually checks.

Stolen tokens fail

A leaked bearer or shadow card with no agent key behind it verifies to nothing. The counterparty checks the agent, not the holder of the token.

One revoke kills a rogue agent everywhere

At DNS-TTL: dig -x returns nothing, verify returns false, every counterparty sees the kill. The cross-domain revocation A2A / AP2 / x402 never defined.

Attaches to what you already ship — it does not replace it. Whisper complements the anchors you already speak — A2A's Signed Agent Card, AP2's Intent / Cart / Payment mandates, x402's onchain settlement, Visa's RFC 9421 signatures, Mastercard's Agentic Token, MCP's OAuth. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top, anchoring the agent↔counterparty boundary: no registry silo to join, and revocation at DNS-TTL instead of a token that lives until it expires. You can even DANE-pin the very key your Agent Card already signs with, so a verifier trusts the DNSSEC root, not a single CA.
The agent id is the public handle — the /128 is its cryptographic counterpart. An agent id or Agent Card URL is a known, structured identifier that flows through every A2A exchange; useful for interoperability, but not a secret. The /128 is bound to the agent's key and its id — so the id alone yields nothing. You cannot go agent-id → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the agent's whereabouts. Because the derivation is tenant-bound, the same agent under two platforms yields two unrelated /128s — no one can link it across marketplaces.
Lifecycle, end to end. Key at spawn → in-flight transacting → compromise revoke. A key rotation re-keys to a new /128 and revokes the old one; a decommission or a change of operator is one revoke and a re-register. Compromise one agent and you've compromised that agent, not your fleet — the "one token, a whole fleet" failure mode is structurally removed. And nothing is issued in the dark: every mint and every revoke lands in a public, Bitcoin-anchored transparency log you and your regulator can audit.

"Be honest — what doesn't a verifiable identity fix?"

Plenty, and we'll say so. A verifiable identity proves which agent acted, for whom, and lets you bound and revoke its authority. It does not, by itself, stop a legitimately-authenticated agent from making a bad purchase, prevent prompt-injection of the agent's own reasoning, or substitute for custody of the signing key. It's the missing anchor the payment rails were built without — and it makes every other control (spend caps, mandate scope, injection defense, human approval) enforceable and auditable. The anchor, not a replacement for the guardrails on top.

Maps to the evidence needs of Visa Trusted Agent Protocol, Mastercard Agent Pay, PSD2 / PSD3 delegated-authority, and the KYA "agent passport" — a verifiable, revocable subject to bind mandate evidence to. Whisper is not a payment processor and does not itself perform SCA; it supplies the identity and governance that make those controls enforceable. See the compliance map →

See who checked your agent — before it transacts. Govern what it can spend.

An identity you can prove is also an identity you can watch. Because every agent's name resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who verified it — an early signal, not a post-mortem — and can govern precisely what each agent may reach, pay, and pin.

Who checked this agent merchant checkout x402 facilitator peer A2A agent op:lookups — recon tripwire Agent /128 2a04:2a01:9c2::a17 DNSSEC · DANE-EE Govern it · default-deny op:firewall — host·cidr·port op:budget — cap spend/traffic op:policy — allow merchant only op:revoke — kill, DNS-TTL bounded authority, enforceable pin-a-wallet → x402 / AP2 instrument
The same address-is-identity primitive turns verification into a tripwire (op:lookups), bounds an agent's authority (op:firewall / op:budget / op:policy), kills it in one call (op:revoke), and pins its wallet to the verifiable identity.

Who checked this agent is a query

op:lookups returns who resolved or RDAP-queried an agent's identity — an early signal that a merchant, a facilitator, or a peer agent is verifying you before transacting, or that someone is enumerating your fleet. A tripwire, not a post-mortem.

Pin a wallet to the agent

Bind the x402 from wallet — or an AP2 payment instrument — to the verifiable, revocable /128, so a facilitator resolving the address gets a known, revocable agent, not an anonymous EOA. The wallet↔agent link x402 lacks and AP2 defers to FIDO. Pin-a-wallet →

Per-agent firewall, budget, kill-switch

op:firewall allow/deny by host, cidr or port; op:budget caps an agent's traffic and spend; op:revoke cuts a rogue agent off worldwide in one call. Bounded authority made enforceable and auditable — not just declared in a mandate.

Agent-to-agent trust, both ends

Before two A2A agents transact, each resolves the other's /128 and checks the DANE chain — mutual verification the transport leaves out. Sign an agent's receipts to its forge-proof /128 so a marketplace and dispute resolution trust the record came from the real agent. A2A-trust →

The same address-is-identity primitive that governs a rogue agent also governs the fleets your marketplace and payment platform are about to run — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.

Don't take our word for it — our API isn't in the trust path.

Two tiers, by design. No key: anyone can verify an agent's identity, resolve it, and back-trace a suspicious counterparty — trustless, anchored at the IANA root. Your key: bind an agent to the id it already carries, govern its egress and spend, revoke it worldwide.

verify (no key) · attribute (with your key)
# keyless — re-derive and verify any agent's identity, trustless
$ whisper verify --trustless 2a04:2a01:9c2::a17
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the agent's Agent Card signing key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the agent — reverse DNS names it
$ dig -x 2a04:2a01:9c2::a17 +short
  agent-7f3a.acme-shopper.whisper.online.

# who really operates a suspicious counterparty — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.72.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
provision & govern — with your key
# bind an agent to the id it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the agent key>',
       device_id:'acme-shopper.example/agents/checkout-7f3a'}})"   # device_id = the agent id
  → identity 2a04:2a01:9c2::a17   DNSSEC + DANE live
$ whisper policy set --default deny --allow api.merchant.example,x402.facilitator.example
$ whisper kill --revoke 2a04:2a01:9c2::a17   # worldwide, at DNS-TTL

They authorize the payment. Whisper proves the agent — to anyone, without trusting us.

The agent protocols move the task (A2A) and authorize or settle the payment (AP2 authorizes, x402 settles, the card networks run the rails) — necessary, and Whisper never redefines or replaces them. We are also not the only DNS-anchored agent-identity effort: a newer set of peers — OWASP's Agent Name Service (ANS), the agentcommunity AID (_agent DNS TXT), the IETF's DNS-AID / BANDAID work, Identity Digital's DNSid — anchor an agent name or ownership record in DNSSEC, and they're right that DNS is the neutral root. We cite them with respect and we don't claim to have invented the category. The honest difference is the shape of what we anchor: not a name or a label, but a routable /128 — identity, reachability, and egress governance in one primitive — derived from the agent's existing key, revocable at DNS-TTL, with a wallet pinnable to it and a cross-platform attribution graph behind it.

Agent protocols & card railsDNS-anchored peers (ANS / AID / DNSid)Whisper
Move the task · authorize + settle the paymentadditive — we never settle
Publicly verifiable without trusting the issuer (open DNSSEC/DANE root)
Identity is a routable address (+ egress governance)— (a name/record)
Revoke a compromised agent at DNS-TTL, one call, anyone verifiespartial
Wallet pinned to a verifiable, revocable identity— (wallet is the identity)
Cross-platform attribution + a2a-trust in public infra

It's depth on top of the stack you already run — it can DANE-pin the same key your Agent Card already signs with, complements A2A / AP2 / x402 and the card rails, and lands as a machine-readable feed into your fraud stack — the Splunk and Microsoft Sentinel connectors ship today. It doesn't replace them, and it doesn't add a console your analysts babysit.

For A2A specifically: its own maintainers are debating a centralized registry (issue #1672, getagentid.dev) to make Agent Card identity verifiable. Whisper is the decentralized, DNSSEC/DANE alternative to the same problem — additive to A2A, not a competing protocol. See the full comparison →

Additive to your stack. Mapped to the agent rails. Availability-safe by construction.

Identity agent /128 · DNSSEC · DANE-EE · bound to the agent id — which agent, provably A2A · AP2 · x402 · MCP Attribution graph operator fingerprint across rotating clouds + residential — who's really behind this 7.44B nodes · BGP·DNS·TLS·JA4 Egress governance per-agent /128 · lookups · firewall · budget · policy · revoke · pin-a-wallet default-deny THE ADDRESS IS THE AGENT AS219419 · 2a04:2a01::/32 Your fraud stack Splunk & Sentinel today Machine-readable STIX 2.1 / TAXII · CEF / ECS — roadmap The agent rails Visa TAP · Agent Pay · PSD2/PSD3
Three planes on one primitive — and all three exit into the stack you already run, not a new silo. The Splunk and Sentinel feeds ship today; STIX/TAXII and CEF/ECS export are on the roadmap.

Evidence for the chargeback fight & KYA

Every agent request → a revocable, publicly-verifiable identity and its egress /128 — attribution for the dispute, an allowlist entry that's public and DNSSEC-anchored. Supports Visa TAP, Mastercard Agent Pay, and the KYA "agent passport." See the map →

Nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable trail for a dispute or a regulator. Honest status: tamper-evident today, independent witnessing is the next step.

Additive & availability-safe

It rides existing DNS/IPv6 and adds no inline checkout chokepoint. If a counterparty authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never blocks a sale; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.

One identity across every protocol

The same verifiable /128 an agent presents to A2A, AP2, x402, MCP and any merchant — not three network directories. Derived from the key it already has, no per-network onboarding, verifiable by anyone with dig.

Not a payment processor — the layer beneath

Whisper never settles, tokenizes a PAN, or performs SCA. It supplies the verifiable, revocable agent identity and governance that make spend caps, mandate scope, and fraud controls enforceable and auditable — the anchor, not the rail.

A vendor that will still be here

Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start. See pricing →

Give every AI agent a payment identity the counterparty can verify.

The address is the agent — routable, DNSSEC-anchored, bound to the id it already carries, pinnable to a wallet, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke.

Or run whisper verify --trustless right now.