The Agent Card says it's your agent. Nothing on the wire proves it is.
The whole agentic-commerce stack authenticates a claim, never the machine. An A2A Agent Card is a JSON file at a well-known URL whose signature is optional and, where present, proves the domain published it — not that a per-agent key you can pin or revoke stands behind it. An AP2 mandate is signed as a Verifiable Credential, but the spec explicitly defers the signer's identity and key management to another body. An x402 payment is a bare wallet key that proves control of funds, not which agent holds it. So an impostor presents a look-alike card, replays a captured mandate, or pays from a wallet no one can attribute — and when you try to shut it down, there is no revocation protocol to shut it down with.
whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.
Three protocols move the money. None of them can answer which agent, really?
Read the specs and the same hole opens in each: the identity primitive a counterparty reads is self-asserted, unbound to any key it can independently check, and non-revocable. The rails are live and already carrying value — the anchor under them was never built.
The card networks launched an open framework, in their own words, to “help merchants distinguish malicious bots from legitimate AI agents.” The ecosystem is conceding it can't tell them apart — and one analyst survey put trust as the #1 barrier to agentic-commerce deployment, ahead of every technical concern.
A signed JSON file, at best
Fetched at /.well-known/agent-card.json (a well-known URI, RFC 8615). Its AgentCardSignature is optional; where present it's a JWS “issued by the domain owner” over web PKI — not a per-agent key you can pin, and with no per-agent revocation. A2A leaves verification to the transport.
Signed — by whom, exactly?
The Intent → Cart → Payment mandate chain is signed as W3C Verifiable Credentials (P-256). But the signer is an opaque pubkey/DID ref, and AP2 explicitly defers agent identity & key management to FIDO — the “which agent” link is out of protocol.
A bare address is not a who
Payment is an EIP-3009 authorization signed by the from wallet (an EOA). It proves control of funds — pseudonymous, unattributable, non-revocable. A nonce guards replay, yet an SDK signature-verification bypass was disclosed in 2026.
The through-line: today an agent is authenticated by a bearer credential, not a forge-proof identity — an API key “grants access to anyone who possesses it,” an OAuth token is portable, an Agent Card is self-asserted. That leaves three structural holes every counterparty inherits: no forge-proof identity (steal the token, become the agent), no cross-platform attribution (each domain validates in isolation), and no revocation (“when one domain revokes, connected domains have no standard mechanism to receive that signal — not a latency problem but a missing protocol”). Even the card networks that do revoke can only do it inside their own walled garden — Visa's directory, Mastercard's registry — never across the rails an agent actually roams.
from/payTo, the MCP resource URI, the Visa keyid. The /128 slots under each without changing a single protocol.This is how a transaction you never authorized gets signed in your agent's name.
No zero-day required. The protocols are used exactly as built — by an agent that was never yours, wearing an identity no counterparty can check.
Enumerate the agents
Fetch Agent Cards at /.well-known/agent-card.json, scrape a directory, or read the well-known JWKS. The map of who-can-transact is public by design.
Present a look-alike card
Publish a shadow-cloned Agent Card at a plausible domain, or lift a bearer token / leaked key. A2A doesn't mandate verification — the counterparty can't tell it from the real thing.
Authenticate as “an agent”
Auth says yes to whoever holds the secret. Now the impostor is a participant inside an A2A/AP2/x402 exchange, indistinguishable from a legitimate peer.
Trigger the payment
Two paths: prompt-inject the victim's own agent into an unauthorized purchase (OWASP LLM01), or play confused deputy — persuade an over-permissioned agent to spend “on your behalf” and drain the wallet faster than a human can react.
Reuse the artifact, hop the egress
Replay a captured mandate or exploit a signature-verify bug, then rotate egress across clouds and residential proxies. With no stable identity to correlate, sessions can't be linked.
Survive the “revoke”
There is no cross-domain revocation protocol, so a compromised identity keeps working elsewhere — and a “revoked” agent often keeps its registration: a dormant but persistent threat.
Invisible by construction: a legitimate agent is one verified principal to one authorized action; the abuser is one operator wearing an unverifiable identity across thousands of counterparties — and every artifact it presents is replayable, every egress IP disposable. This is not hypothetical: a single compromised agent integration spread across 700+ trust domains in about ten days on stolen OAuth tokens, and the revocation never propagated.
Stop detecting the impostor. Prove the agent.
Bot-detection and behavioral scoring will always trail a credential that is genuinely valid and a card that is well-formed. The only strictly-stronger move is to change what the counterparty trusts.
A signed Agent Card, an OAuth bearer, a wallet signature — whoever holds the artifact can present it, and none of them prove which agent, acting for whom, is on the other end. So a cloned card is indistinguishable from the original, a replayed mandate looks freshly authorized, and the wallet that paid is a pseudonym.
Tomorrow · the counterparty authorizes an agent that proves itself. Bind authority to an identity the agent holds and demonstrates cryptographically — a routable address derived from its own key, anchored in the public DNS root. Now a request either proves it is the agent it claims to be, or it has no authority at all, before a single fraud rule runs. Detection stops being the last line of defense and becomes a bonus.
“A2A already has Signed Agent Cards, and Visa/Mastercard verify agent keys. Why isn't that enough?”
Because each is self-asserted or walled-garden. A Signed Agent Card proves the domain published it (web PKI), not that a per-agent key stands behind it, and A2A has no per-agent revocation. Visa's keyid and Mastercard's registry do revoke — but only inside their own network, and only for parties who joined it. Whisper anchors one identity in the open IANA DNSSEC root that any merchant already running DNS can verify, and that anyone can revoke in one call — no membership required.
That identity already has a home on the network the agent runs on: an address. Here is how the agent's own key becomes an address no one can forge.
The key the agent already holds becomes an address only that agent can prove.
Whisper has one primitive: the address is the identity. A routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with dig.
Point it at the agent. Derive each agent's /128 from the key it already holds — the same key behind its Agent Card signature, its AP2 mandate signer, or its wallet — with the agent id as the domain separator (you pass it as device_id). The private key never leaves the agent; the address is a one-way function of its public half and that id. The A2A/AP2/x402 exchange then trusts the agent's pinned identity, not a stealable artifact — no new key ceremony, no per-network onboarding, and revocation at DNS-TTL instead of a registration that outlives its own “revoke.”
A shadow Agent Card becomes impossible to pass off
You cannot present an agent identity whose key you don't hold. A cloned card is a DANE inconsistency any verifier catches — before the mandate is signed.
IP rotation becomes irrelevant
Identity is not the source IP. The “last IP” was never the credential — so rotating it, across clouds or residential proxies, changes nothing about who the agent is.
Stolen bearers and replayed mandates fail
An artifact with no agent key behind it authenticates to nothing. Replaying a captured mandate no longer reaches a counterparty that first proves the signer's identity.
One revoke kills a compromised agent worldwide
At DNS-TTL speed: dig -x returns nothing; verify returns false. The cross-domain revocation the protocols never defined — as one call anyone can confirm.
RFC 9421 HTTP Message Signatures), Mastercard's Agentic Tokens, Cloudflare Web Bot Auth, MCP's OAuth. It is the publicly verifiable, DNSSEC/DANE-anchored layer on top — the missing cryptographic counterpart to the identifiers the rails already carry.url and AgentCardSignature, the AP2 VC verificationMethod, the x402 from / payTo, the MCP resource URI, the Visa keyid. A verifier resolves the agent's /128, checks the DNSSEC-anchored TLSA, and confirms the pinned key matches the artifact in front of it — no protocol change, no settlement change, no new registry to join.revoke. A key rotation re-derives to a new /128 and revokes the old one; a decommission or an ownership change is one revoke and a re-register to the new principal. Compromise one agent and you've compromised that agent, not every counterparty it ever touched — the cross-domain-persistence failure mode is structurally removed. And nothing is issued in the dark: every mint and every revoke lands in a public, append-only transparency log, Ed25519-signed and Bitcoin-anchored (honest status: tamper-evident today, independent witnessing is the next step) — an auditable issuance trail for a dispute or a regulator.The wallet binding the rails leave open — pin-a-wallet — and the mutual verify-the-counterparty step A2A and MCP lack — a2a-trust — both fall straight out of this one primitive: resolve the /128, check the DANE pin, and you know the wallet and the peer are the verified, non-revoked agent they claim to be.
Identity stops the next impostor. The graph names whoever already transacted as you — and the control plane caps the damage.
You won't re-key every agent by Monday, and there is abuse in your logs right now. So the same platform back-traces the operator behind the sessions you already logged — attribution that survives the rotation — and governs exactly what each agent may reach, spend, and touch.
A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the operator, not the IP. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy; for a residential-proxy swarm a JA4/JA3 client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator.
And it's a question, not a signature. Express agent impersonation directly — “one source transacting as N distinct agent identities in a window” — as read-only Cypher, and the graph returns the operator with a reproducible evidence chain your fraud team, your PSP and a regulator can replay. That's the cross-platform attribution each domain-in-isolation never had.
# the egress IP is disposable; the operator and its tooling are not
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
operator: <fingerprinted> · seen across AWS / GCP / Azure
residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
reproducible, replayable JSON evidence chain → your SIEM
Who checked your agent — before it transacts
op:lookups returns who resolved or RDAP-queried an agent's identity — a merchant vetting your agent, or an adversary enumerating your fleet. A verification-analytics stream and a reconnaissance tripwire the well-known JWKS never gave you.
Govern what each agent may reach
op:firewall allow/deny by host, cidr or port and op:policy default-deny by name or category — allow your PSP and your facilitator, block everything else. A compromised agent can't phone an exfil host it was never allowed to reach.
Cap the blast radius, then kill it
op:budget caps an agent's traffic and spend so a drained-wallet incident stops itself; op:revoke tears down the /128, its PTR and its DANE pin worldwide in one call — the off-switch a “dormant but persistent” identity never had.
Non-repudiable receipts & mandates
Bind an agent's signed outputs — a receipt, a mandate acknowledgement, a settlement callback — to its forge-proof /128 so the merchant, the PSP and a dispute process trust the artifact came from the real agent. Sign outputs →
Identity is the cure; the graph cleans up what got in before it, and the control plane bounds the damage of anything that slips through. Detection made durable, on top of a root-cause fix, and every finding is reproducible, replayable JSON, the paper trail a chargeback fight or a PSD3 audit needs, not a screenshot.
A verifiable, revocable agent identity is necessary. It is not, by itself, sufficient — so here's the candid line.
Whisper closes the “which agent / for whom / prove it / attribute it / revoke it” gaps the payment protocols left open, and makes every other control enforceable and auditable. It is deliberately not several other things.
Not a payment processor. We never settle a payment, tokenize a PAN, issue an Agentic Token, or move funds. Whisper is the identity layer beneath the tokens and rails — additive to AP2, x402, Visa and Mastercard, never a replacement.
Not PSD2/SCA compliance itself. SCA assumes a human authenticates, and the EBA has ruled the responsibility “cannot be outsourced.” Whisper supplies the verifiable identity of the agent that acted under a mandate so the SCA/mandate evidence chain has a durable, attributable subject — evidentiary only, never an SCA factor. PSD3/PSR RTS alignment is forward-looking; the text isn't published.
Not a guard against a fully-authorized agent's bad decision. Identity proves who acted and for whom — not whether the decision was good. It doesn't stop a legitimately-authenticated agent making a bad purchase within its mandate, it doesn't prevent the prompt-injection of an agent's own reasoning (it faithfully attributes the hijacked-within-authority action, and lets you revoke after), and it doesn't stop a confused-deputy trick inside granted scope. Those need spend caps, least-privilege mandates, injection defense and human-in-the-loop — which our budgets, firewall and revocation make enforceable and auditable. And a binding says which agent should hold a wallet; it can't stop a thief who has stolen the private key itself — that's HSM/mTLS key custody, complementary.
Not the only DNS-anchored agent-identity scheme. We're candid: Identity Digital's DNSid, the Agent Name Service (ANS) and DNS-AID also anchor agent identity in DNS. Where they anchor a name or ownership record (DNSid, by its own words, “does not authenticate agents or enforce run-time policy”), Whisper differentiates on the working layer on top: a routable /128 (the address is the identity), egress governance, pin-a-wallet, DNS-TTL revocation, and a cross-platform attribution graph.
The honest one-liner: verifiable identity is the missing anchor the rails were built without — and the thing that makes spend caps, mandate scope, injection defense and human approval actually mean something. Not a substitute for the guardrails on top; the foundation they stand on.
They move the task and authorize the payment. Whisper proves the agent — to anyone, without trusting us.
A2A moves the task; AP2 authorizes the mandate; x402 settles onchain; Visa and Mastercard run the rails — all necessary, and where each stops is exactly the same place: a per-agent identity you can verify without trusting the issuing platform, revoke across every rail, and pin a wallet to. Whisper adds precisely that layer — a publicly verifiable /128 in the open DNSSEC/DANE root — and it's additive to the newer DNS-anchored entrants too: where they anchor a record, we anchor a routable, revocable, wallet-pinned identity with egress and attribution on top.
| A2A · AP2 · x402 | Card networks (Visa · MC) | Whisper | |
|---|---|---|---|
| Agent interop / payment authorization & settlement | ✓ | ✓ | additive · we never settle |
Verifiable without trusting the issuer/platform (open DNSSEC root, dig/openssl) | — | — (verify inside the network PKI) | ✓ |
| Routable network identity + egress governance | — (app-handshake only) | — | ✓ |
| Revoke a compromised agent at DNS-TTL, one call, anyone verifies | — (mandate-scoped) | within-network only | ✓ |
| Wallet pinned to a verifiable identity | wallet is the identity | card → network token | ✓ pin-a-wallet |
| Cross-platform attribution / a2a-trust in public infra | — (per-platform) | — | ✓ |
It's depth on top of the stack you already run — one identity your checkout can verify instead of three network directories — and it lands as a machine-readable feed into your SIEM: the Splunk connector ships today (signed, replayable JSON → CEF / ECS), with Microsoft Sentinel, OpenCTI and STIX 2.1 over TAXII on the roadmap. It doesn't replace your fraud stack, and it doesn't add a console your analysts babysit.
Don't take our word for it — our API isn't in the trust path.
Two tiers, by design. No key: anyone can verify an agent's identity and resolve it — trustless, anchored at the IANA root — so a merchant can vet an agent before honoring its card or payment. Your key: give an agent a name from the key it already holds, govern its egress, pin its wallet, revoke it worldwide.
# keyless — re-derive and verify any agent's identity, trustless
$ whisper verify --trustless 2a04:2a01:9e0::a9e7
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA 3 1 1) leaf matches the agent's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the agent — reverse DNS names it
$ dig -x 2a04:2a01:9e0::a9e7 +short
agent-checkout.acme-shop.agents.whisper.online.
# before your checkout honors an A2A card or an x402 payment: is this agent real & not revoked?
$ curl -s https://whisper.online/verify-identity/2a04:2a01:9e0::a9e7 | jq '{is_whisper_agent,dane_ok,jws_ok}'
{ "is_whisper_agent": true, "dane_ok": true, "jws_ok": true }
# give an agent a name it can prove — from the key it already holds (device_id = your agent id)
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" \
-H 'content-type: application/json' --data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the agent key>',
device_id:'acme-checkout-agent-01'}}) YIELD op, ok, result RETURN op, ok, result"}
JSON
→ identity 2a04:2a01:9e0::a9e7 DNSSEC + DANE live
# pin the agent's x402 wallet to this identity, default-deny its egress, cap it, kill it
$ whisper policy set --default deny --allow api.acme-psp.com,facilitator.x402.org
$ whisper kill --revoke 2a04:2a01:9e0::a9e7 # worldwide, at DNS-TTL
A first-class typed --agent / --wallet flag is on the roadmap; today you pass your agent id as device_id and pin a wallet as a DANE record on the identity — both live via the control plane. Shipped CLI verbs: whisper verify --trustless, create --register, kill --revoke, policy, logs.
Give every agent an identity it can prove.
The address is the agent — routable, DNSSEC-anchored, derived from the key it already holds, pinnable to its wallet, revocable worldwide in one call. Keyless to try, one call to provision, one more to revoke. The impersonation the payment protocols can't catch simply runs out of forgeries.
Or run whisper verify --trustless right now.