An AI agent transacting on your behalf can't prove it isn't an impostor.
The A2A Agent Card's signature is recommended, not mandated — and even when it's signed, nothing at the protocol level proves the signing key belongs to the claimed domain; it leans on transport TLS. AP2 deliberately does not define agent identity at all — it defers that to FIDO's Agentic Authentication working group. x402's identity is a bare wallet key: "no accounts." So a merchant, a payment platform, or another agent has no forge-proof way to answer the only question that matters — is this the real agent, and can I stop it if it goes rogue?
device_id = the agent id — to a routable, DNSSEC-anchored /128 derived from the agent's own key: publicly verifiable, revocable at DNS-TTL, and — uniquely — reachable, egress-governed, and pinnable to a wallet. Give every AI agent a payment identity the counterparty can verify — and revoke.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
This is how a purchase gets made in your name by an agent that isn't yours.
No zero-day required. Just a self-asserted Agent Card, a bearer token, and payment rails that were shipped without an identity layer underneath them.
Stand up a fake
Publish a forged or shadow-cloned /.well-known/agent-card.json at a plausible domain. A2A doesn't mandate how a card is verified, so a self-asserted card is the identity.
Pass as "an agent"
Present a stolen or leaked bearer token — or simply assert an unverifiable identity. The credential is a bearer instrument: whoever holds it is the agent.
Join the flow
The merchant, the facilitator, or a peer agent can't cryptographically tell you from the real one. The card networks conceded this in Oct 2025 with a framework to "distinguish malicious bots from legitimate AI agents."
Move the money
Plant injected instructions the victim's own agent reads (OWASP LLM01, the #1 risk), or persuade an over-permissioned agent to act "on their behalf" — the confused deputy, reborn.
Abuse the artifact
Replay a captured mandate (why x402 puts a nonce in the 402 body and AP2 signs each mandate), or exploit an SDK signature-verify bug — both documented across x402/AP2 SDKs in 2026.
Outlive revocation
No stable identity to attribute, no cross-domain revocation protocol. Rotate egress across clouds and residential proxies; a "revoked" agent keeps its registration and transacts elsewhere — "a dormant but persistent threat."
Invisible at the protocol layer by design: a real agent is a self-asserted card and a bearer token — and so is the impostor. There is no forge-proof way to tell them apart, no way to follow them when the egress rotates, and no way to make a revocation stick across domains. This is not hypothetical: a compromised agent integration reached 700+ trust domains in ~10 days on stolen OAuth tokens, and the revocation never propagated — "not a latency problem but a missing protocol."
Strip the incident down and it isn't a hundred bugs. It's two.
Every step in that chain leans on exactly two structural gaps the payment protocols left open. Close both and the fraud has nowhere left to stand.
The A2A Agent Card is a JSON document the agent publishes about itself. Its AgentCardSignature (a JWS) is recommended, not required — and even when it's present, it proves the card wasn't tampered with, not that the signing key belongs to the agent it claims to be. AP2 punts agent identity to FIDO; x402's "identity" is a bare wallet address with no accounts. So "which agent, really?" is a guess the counterparty makes on trust.
The answer — identity. Bind the agent's identifier to its own forge-proof /128 — a routable IPv6 address derived from the key behind its Agent Card, its AP2 mandate signer, or its x402 wallet, DNSSEC-anchored and DANE-EE pinned, with device_id = the agent id. A verifier resolves the /128 and checks the DNSSEC/DANE chain to the IANA root: this card belongs to this agent — a stronger claim than "belongs to the domain," and revocable in one call, which none of A2A, AP2, x402 or MCP can do.
"A2A already lets an agent sign its Agent Card. Why isn't that enough?"
Because the signature is only recommended, and even when present it proves the card wasn't tampered with — not that the key belongs to the agent it names, and there's no way to revoke it. A2A's own maintainers are debating a centralized registry (issue #1672, getagentid.dev) to fix exactly this. Whisper anchors the same key in the open DNSSEC/DANE root instead — decentralized, verifiable by anyone with dig, revocable at DNS-TTL. Additive to A2A, not a fork.
A compromised agent hops across clouds and residential proxies. Each domain it touches "validates in isolation, no shared defense," and when one domain revokes, the others get no signal. So you can't attribute the operator across sessions, and you can't make a kill stick — the ecosystem named this itself: "not a latency problem but a missing protocol."
The answer — the graph, and the control plane. A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm a JA4/JA3 client fingerprint travels with the tooling, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator. And because the agent's identity is a routable /128, one op:revoke tears it down worldwide at DNS-TTL — the cross-domain revocation the payment protocols never defined. Every answer returns a reproducible evidence chain your fraud team, your auditors, and a regulator can replay.
op:revoke makes the kill stick across every counterparty."When a compromised agent rotates across fresh cloud IPs and residential proxies, can you actually attribute it — or just block an IP and move on?"
Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm — the egress IP is the one thing we don't rely on. And because the identity is a routable /128, one revoke propagates the kill to every counterparty at DNS-TTL — the cross-domain revocation the ecosystem named as its missing protocol.
Gap 1 is the root cause — a self-asserted card no one can verify or revoke. Gap 2 is what happens when it goes wrong — an operator you can't name and a revocation that doesn't stick. Here's the root-cause cure.
Give every agent an identity it can prove — and no one can forge.
Stop treating agent-payment fraud as a detection problem and make it an identity problem — strictly stronger. Whisper has one primitive: the address is the agent.
A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig. whisper verify --trustless checks it against the IANA root; our own API is not in the trust path.
Point it at agents. Derive each agent's /128 from the public key behind the identifier it already carries: the key that signs its A2A AgentCardSignature (JWS), the ECDSA P-256 key that signs its AP2 mandates, the EOA behind its x402 wallet, or the RFC 9421 keyid it presents to Visa's Trusted Agent Protocol — with the agent id as the domain separator (device_id). The private key never leaves the agent; the address is a one-way function of its public half and that id. No new key ceremony, no per-network onboarding — you bind the identity the agent already has.
"A forged card = a real agent" becomes impossible
You cannot present an agent identity whose key you don't hold. Every shadow-cloned Agent Card is a DNSSEC/DANE inconsistency any verifier catches with dig.
Egress rotation becomes irrelevant
Identity is not the source IP or the bearer token. Rotating the egress — across clouds or residential proxies — changes nothing the counterparty actually checks.
Stolen tokens fail
A leaked bearer or shadow card with no agent key behind it verifies to nothing. The counterparty checks the agent, not the holder of the token.
One revoke kills a rogue agent everywhere
At DNS-TTL: dig -x returns nothing, verify returns false, every counterparty sees the kill. The cross-domain revocation A2A / AP2 / x402 never defined.
revoke. A key rotation re-keys to a new /128 and revokes the old one; a decommission or a change of operator is one revoke and a re-register. Compromise one agent and you've compromised that agent, not your fleet — the "one token, a whole fleet" failure mode is structurally removed. And nothing is issued in the dark: every mint and every revoke lands in a public, Bitcoin-anchored transparency log you and your regulator can audit."Be honest — what doesn't a verifiable identity fix?"
Plenty, and we'll say so. A verifiable identity proves which agent acted, for whom, and lets you bound and revoke its authority. It does not, by itself, stop a legitimately-authenticated agent from making a bad purchase, prevent prompt-injection of the agent's own reasoning, or substitute for custody of the signing key. It's the missing anchor the payment rails were built without — and it makes every other control (spend caps, mandate scope, injection defense, human approval) enforceable and auditable. The anchor, not a replacement for the guardrails on top.
Maps to the evidence needs of Visa Trusted Agent Protocol, Mastercard Agent Pay, PSD2 / PSD3 delegated-authority, and the KYA "agent passport" — a verifiable, revocable subject to bind mandate evidence to. Whisper is not a payment processor and does not itself perform SCA; it supplies the identity and governance that make those controls enforceable. See the compliance map →
See who checked your agent — before it transacts. Govern what it can spend.
An identity you can prove is also an identity you can watch. Because every agent's name resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who verified it — an early signal, not a post-mortem — and can govern precisely what each agent may reach, pay, and pin.
op:lookups), bounds an agent's authority (op:firewall / op:budget / op:policy), kills it in one call (op:revoke), and pins its wallet to the verifiable identity.Who checked this agent is a query
op:lookups returns who resolved or RDAP-queried an agent's identity — an early signal that a merchant, a facilitator, or a peer agent is verifying you before transacting, or that someone is enumerating your fleet. A tripwire, not a post-mortem.
Pin a wallet to the agent
Bind the x402 from wallet — or an AP2 payment instrument — to the verifiable, revocable /128, so a facilitator resolving the address gets a known, revocable agent, not an anonymous EOA. The wallet↔agent link x402 lacks and AP2 defers to FIDO. Pin-a-wallet →
Per-agent firewall, budget, kill-switch
op:firewall allow/deny by host, cidr or port; op:budget caps an agent's traffic and spend; op:revoke cuts a rogue agent off worldwide in one call. Bounded authority made enforceable and auditable — not just declared in a mandate.
Agent-to-agent trust, both ends
Before two A2A agents transact, each resolves the other's /128 and checks the DANE chain — mutual verification the transport leaves out. Sign an agent's receipts to its forge-proof /128 so a marketplace and dispute resolution trust the record came from the real agent. A2A-trust →
The same address-is-identity primitive that governs a rogue agent also governs the fleets your marketplace and payment platform are about to run — per-agent /128, per-agent logs, default-deny egress, one revoke. From day one.
Don't take our word for it — our API isn't in the trust path.
Two tiers, by design. No key: anyone can verify an agent's identity, resolve it, and back-trace a suspicious counterparty — trustless, anchored at the IANA root. Your key: bind an agent to the id it already carries, govern its egress and spend, revoke it worldwide.
# keyless — re-derive and verify any agent's identity, trustless
$ whisper verify --trustless 2a04:2a01:9c2::a17
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the agent's Agent Card signing key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the agent — reverse DNS names it
$ dig -x 2a04:2a01:9c2::a17 +short
agent-7f3a.acme-shopper.whisper.online.
# who really operates a suspicious counterparty — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.72.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
# bind an agent to the id it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the agent key>',
device_id:'acme-shopper.example/agents/checkout-7f3a'}})" # device_id = the agent id
→ identity 2a04:2a01:9c2::a17 DNSSEC + DANE live
$ whisper policy set --default deny --allow api.merchant.example,x402.facilitator.example
$ whisper kill --revoke 2a04:2a01:9c2::a17 # worldwide, at DNS-TTL
They authorize the payment. Whisper proves the agent — to anyone, without trusting us.
The agent protocols move the task (A2A) and authorize or settle the payment (AP2 authorizes, x402 settles, the card networks run the rails) — necessary, and Whisper never redefines or replaces them. We are also not the only DNS-anchored agent-identity effort: a newer set of peers — OWASP's Agent Name Service (ANS), the agentcommunity AID (_agent DNS TXT), the IETF's DNS-AID / BANDAID work, Identity Digital's DNSid — anchor an agent name or ownership record in DNSSEC, and they're right that DNS is the neutral root. We cite them with respect and we don't claim to have invented the category. The honest difference is the shape of what we anchor: not a name or a label, but a routable /128 — identity, reachability, and egress governance in one primitive — derived from the agent's existing key, revocable at DNS-TTL, with a wallet pinnable to it and a cross-platform attribution graph behind it.
| Agent protocols & card rails | DNS-anchored peers (ANS / AID / DNSid) | Whisper | |
|---|---|---|---|
| Move the task · authorize + settle the payment | ✓ | — | additive — we never settle |
| Publicly verifiable without trusting the issuer (open DNSSEC/DANE root) | — | ✓ | ✓ |
| Identity is a routable address (+ egress governance) | — | — (a name/record) | ✓ |
| Revoke a compromised agent at DNS-TTL, one call, anyone verifies | — | partial | ✓ |
| Wallet pinned to a verifiable, revocable identity | — (wallet is the identity) | — | ✓ |
| Cross-platform attribution + a2a-trust in public infra | — | — | ✓ |
It's depth on top of the stack you already run — it can DANE-pin the same key your Agent Card already signs with, complements A2A / AP2 / x402 and the card rails, and lands as a machine-readable feed into your fraud stack — the Splunk and Microsoft Sentinel connectors ship today. It doesn't replace them, and it doesn't add a console your analysts babysit.
For A2A specifically: its own maintainers are debating a centralized registry (issue #1672, getagentid.dev) to make Agent Card identity verifiable. Whisper is the decentralized, DNSSEC/DANE alternative to the same problem — additive to A2A, not a competing protocol. See the full comparison →
Additive to your stack. Mapped to the agent rails. Availability-safe by construction.
Evidence for the chargeback fight & KYA
Every agent request → a revocable, publicly-verifiable identity and its egress /128 — attribution for the dispute, an allowlist entry that's public and DNSSEC-anchored. Supports Visa TAP, Mastercard Agent Pay, and the KYA "agent passport." See the map →
Nothing issued in the dark
Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable trail for a dispute or a regulator. Honest status: tamper-evident today, independent witnessing is the next step.
Additive & availability-safe
It rides existing DNS/IPv6 and adds no inline checkout chokepoint. If a counterparty authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never blocks a sale; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
One identity across every protocol
The same verifiable /128 an agent presents to A2A, AP2, x402, MCP and any merchant — not three network directories. Derived from the key it already has, no per-network onboarding, verifiable by anyone with dig.
Not a payment processor — the layer beneath
Whisper never settles, tokenizes a PAN, or performs SCA. It supplies the verifiable, revocable agent identity and governance that make spend caps, mandate scope, and fraud controls enforceable and auditable — the anchor, not the rail.
A vendor that will still be here
Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start. See pricing →
Give every AI agent a payment identity the counterparty can verify.
The address is the agent — routable, DNSSEC-anchored, bound to the id it already carries, pinnable to a wallet, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke.
Or run whisper verify --trustless right now.