A2A moves the task. AP2 signs the mandate. x402 settles the payment. None of them proves which agent is spending.
Every protocol and product on this page is real work by serious teams, and you should adopt the ones you need. But the agent's own identity falls through the seams between them: A2A's Agent Card signature is optional and bound to the domain, not the agent's key; AP2 explicitly defers agent identity to FIDO; x402's identity is a bare wallet address that can't be revoked. And several efforts now anchor agent identity in DNS — we respect them, and we're honest about how we differ.
whisper verify --trustless — the one line every layer here lacks: you never have to trust our API.
dig + opensslFour things live on this page. Here's exactly what each one owns.
Line the categories up against the three questions a merchant, a facilitator, or a peer agent has to answer before it trusts an agent, and the picture is honest and simple. The commerce rails answer the first. Several efforts — ours included — anchor identity in DNS to answer the second. Only an address makes the agent routable, governable and attributable to answer the third.
They own discovery, payments and mandates. They leave the agent's identity under-specified — on purpose.
These are the rails, and they're good. Each solves a hard problem well, and Whisper never redefines any of them or moves a cent. But read the specs and the same seam appears three times: the agent presenting the credential is self-asserted, deferred, or pseudonymous.
What it owns. Agent-to-agent discovery and task delegation. Every counterparty reads the Agent Card at /.well-known/agent-card.json first — name, url, capabilities, skills[], securitySchemes. v1.0 added Signed Agent Cards: an AgentCardSignature (a JWS over the card, spec §8.4).
The seam. The signature is optional, and where present its trust root is "the domain owner" via web PKI / a JWKS — not the agent's own key — so a shadow-cloned card at a plausible domain is a live threat class, and there is no per-agent revocation and no global registry. Whisper's fit: DANE-pin the card's url / signing key to the agent's own /128, and "belongs to the domain" becomes "belongs to this agent" — with a one-call revocation the spec never defined.
What it owns. User authorization, done superbly. AP2 chains cryptographically-signed Mandates as W3C Verifiable Credentials (Intent → Cart → Payment, ECDSA P-256) so a merchant and a credentials provider can prove exactly what the human allowed.
The seam. AP2 explicitly defers agent identity and key management to the FIDO Alliance — the signer key is an opaque pubkey or DID reference, not anchored anywhere a relying party can independently resolve. Whisper's fit: bind the VC's verificationMethod to a DNSSEC/DANE-anchored /128 so the credentials provider and merchant confirm "this Shopping Agent key is verifiable agent X" — closing AP2's own stated Authenticity and Accountability goals — and revoke the /128 to kill that agent across every mandate at once.
What it owns. Trust-minimized settlement. An HTTP 402 returns a PAYMENT-REQUIRED; the agent signs an EIP-3009 transferWithAuthorization and a facilitator settles USDC on Base — already 480,000+ agents and rising.
The seam. x402 is deliberately pseudonymous: the identity is the bare wallet from address — it proves control of funds, not who, and an EOA cannot be revoked. Whisper's fit — a proposed pin-a-wallet: bind the from wallet to a DANE-anchored /128, so a resource server could resolve the address to a verifiable, non-revoked agent identity before honoring the 402 — no change to the onchain flow — turning "anonymous money" into "a known, revocable agent paying." (Proposed — complements x402, never replaces it.)
"A2A already shipped Signed Agent Cards. Why isn't that enough?"
Because the signature is optional, and it proves the card came from a domain — not that this key is that agent — and it still can't be revoked. DANE-pin the card's signing key to the agent's own /128 and the claim strengthens from "belongs to the domain" to "belongs to this agent," with a DNS-TTL revocation the spec left out. We don't replace the Agent Card; we anchor it.
Several efforts now anchor agent identity in DNS. We respect them — here's exactly how we differ.
As of 2026, Whisper is not the only scheme putting agent identity in the DNS root, and we won't pretend to be. Naming the peers is the honest thing to do — and it's also where our real edge becomes clear.
OWASP's Agent Name Service (ANS), the agentcommunity Agent Identity & Discovery (AID) effort with its _agent TXT record, and the IETF DNS-AID / BANDAID drafts all put an agent's identity where anyone can check it against the open, DNSSEC-signed root — no platform login, no membership. That is the right instinct, and we share it. If your architecture already resolves an agent through ANS or AID, keep it.
The difference, stated plainly: those schemes anchor a name or a discovery label. Whisper anchors a routable /128 — the identity is also an address. That single property unlocks everything a label can't: the agent's traffic sources from the /128 (so egress is governable and every action is attributable by reverse-DNS), a proposed wallet-pin can bind an x402 from-address to it, and one call revokes it at DNS-TTL internet-wide, not just within a directory. And where a name tells you what an agent is called, our attribution graph tells you who is really operating it across rotating clouds and residential proxies. Our edge is the routable address and the graph — never a claim that we invented DNS-anchored identity.
"If ANS or AID already resolves my agent in DNS, why also add Whisper?"
Because a resolvable name is not a reachable, governable, revocable address. Keep the discovery label. Whisper makes the same identity routable — egress-bound, policy-governed, revocable at DNS-TTL, and attributable across rotating egress — the working layer on top of the record the peers anchor. It's designed to interoperate with them, not to replace them.
A central registry can revoke an agent — inside its own walls. We do it in the open root.
The other way to answer "which agent" is a gatekept directory. That approach works, and inside its circle it even gives you revocation. The cost is a gatekeeper — and the fact that revocation stops at the directory's edge.
The live examples are honest and capable: the getagentid.dev registry floated in A2A issue #1672, and the network directories already shipping — Visa's well-known JWKS under the Trusted Agent Protocol (agents sign requests with RFC 9421 HTTP Message Signatures, a keyid resolved against Visa's directory), and Mastercard's Agent Pay registry (Agentic Tokens over MDES). You verify by being a member, and when the directory removes a key the agent is revoked — for that network only.
Whisper is the decentralized DANE alternative. The same key material a registry would hold lives in the open DNSSEC/DANE root, so any merchant already running DNS verifies an agent with dig + openssl — no membership, no per-network onboarding — and revocation is a single record pull that every verifier sees, on every protocol. We're built to interoperate with the registries (cross-check the keyid against the DANE pin on the /128); we are not a competitor to MDES or the Visa directory. We're the neutral anchor across all of them.
"We already register our agents with the card network. Why also anchor in DNS?"
So one identity works everywhere, and revocation isn't walled in. A network registry proves an agent to that network; a DANE-anchored /128 proves it to any counterparty on any protocol, and one pull revokes it for all of them. Additive — it complements the Visa JWKS and MDES, it doesn't replace them.
Who owns what — and nobody covers the whole row.
Read it as a map of complementary strengths, not a scoreboard. The rails own the commerce; the DNS-anchored peers share the open-root identity anchor with us; a central registry buys revocation at the price of a gatekeeper; and the routable /128, the egress governance and the cross-operator attribution — plus a proposed wallet-pin for x402 — are the columns only an address can fill.
| Capability | A2A · AP2 · x402the rails | DNS-anchored peersANS · AID · DNS-AID | Central registrygetagentid · network JWKS | Whisper |
|---|---|---|---|---|
| Agent discovery, payments & mandates | ✓ | — | — | additive |
| DNS-anchored, verifiable agent identity (open root, no platform login) | — | ✓ | — | ✓ |
| Routable /128 — identity, reachability & egress in one address | — | — | — | ✓ |
| Pin an x402 wallet to the identity (proposed) | — | — | — | roadmap |
| Per-agent revocation at DNS-TTL | — | partial | ✓ within its registry | ✓ internet-wide |
| Decentralized — no gatekeeper | ✓ | ✓ | — | ✓ |
| Cross-operator attribution across rotating egress | — | — | — | ✓ |
Whisper owns the routable /128, egress governance and cross-operator attribution — with a proposed wallet-pin for x402; the DNS-anchored peers share the open-root identity anchor; the protocols own the commerce rails. The one honest read of this grid: it's additive to every column — never a replacement for any of them.
Every anchor here asks you to trust it. Ours you can check yourself.
Two tiers, by design. No key: anyone can verify an agent's identity, read its revocation status, and see who checked it — trustless, anchored at the IANA root. Your key: mint an agent's /128 from the key it already holds, govern its egress, rate-budget its traffic, and revoke it internet-wide.
# keyless — re-derive and verify any agent's identity, trustless
$ whisper verify --trustless 2a04:2a01:a90::a9e7
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA) leaf matches the agent's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED — and our own API was never trusted
# the address is the agent — reverse DNS names it (maps to its A2A Agent Card)
$ dig -x 2a04:2a01:a90::a9e7 +short
agent-7f3a.acme-shopping.whisper.online.
# who checked this agent before transacting — keyless reverse observability
$ curl -s https://whisper.online/ip/2a04:2a01:a90::a9e7/lookups
3 relying parties resolved this identity in the last hour:
merchant checkout · a payment facilitator · one peer agent (a2a-trust)
# mint an agent's /128 from the key it already holds — device_id = the agent id
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
identity_public_key:'<base64 SPKI of the agent key>',
device_id:'agent-7f3a-acme-shopping'}})"
→ identity 2a04:2a01:a90::a9e7 DNSSEC + DANE-EE live
# (roadmap) pin the agent's x402 wallet to the /128 — see /docs/commerce-recipes
# then govern exactly what it may reach, and rate-budget its egress
$ whisper policy set --default deny --allow checkout.acme.com,facilitator.x402.org
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'budget', args:{id:'agent-7f3a-acme-shopping', requests_per_min:60}})" # rate-cap egress · kill-switch on breach
# a compromised agent — gone worldwide at DNS-TTL, on every protocol at once
$ whisper kill --revoke 2a04:2a01:a90::a9e7
Shipped & live: the derived /128 (from your agent's public key + device_id), the attribution graph, the control plane, keyless verify, and the Splunk connector (signed JSON → CEF / ECS). On the roadmap: STIX 2.1 over TAXII, the pin-a-wallet binding for x402, and a first-class typed --a2a / --wallet argument — proposed, complements-not-replaces. We label nothing "shipped" that isn't.
Verifiable identity is necessary, not sufficient. Here's the boundary.
Naming what Whisper does not do is how you know exactly what you're buying. Identity closes the "which agent, for whom, prove it, attribute it, revoke it" gaps the rails left open — and makes every other control enforceable and auditable. It is not a substitute for the guardrails on top.
Not the payment rail
We never settle a payment, tokenize the PAN, issue Agentic Tokens, or move funds. Whisper is the identity layer beneath the tokens and rails — it makes the money attributable, it doesn't move it.
Not SCA — evidentiary only
PSD2 Strong Customer Authentication assumes a human, and the EBA ruled the responsibility "cannot be outsourced" (Q&A 6141). Whisper supplies the attributable identity a mandate binds to — evidence for the delegated-authority chain, never an SCA factor.
Doesn't stop a bad decision
A legitimately-authenticated agent making a poor purchase, prompt-injection of the agent's own reasoning, or a confused-deputy within granted scope — identity makes those attributable, boundable and revocable; it doesn't replace spend caps, mandate scope, injection defense or human-in-the-loop. It makes them enforceable.
Not KYA / KYC of the legal person
We bind a technical identity and wallet publicly and revocably — the missing anchor for Know-Your-Agent and the FATF Travel-Rule originator question. The VASP still owns the KYC judgment of the human or legal entity.
Not a key-custody vault
The binding says which agent should hold a wallet or signing key — it doesn't stop a thief who already has the private key. Custody (HSM, secure element, mTLS) is complementary and lives below us. Only the public half is ever an input.
Anchored at the DNS / transport boundary
We sit on the wire and in the open DNS root — never inside the merchant's checkout logic or the model's reasoning loop. Whisper complements the rails, the DNS peers and the registries; it doesn't reach into any of their closed layers.
Whisper is one layer, done well: the network-identity, attribution and governance plane that closes the gaps the payment protocols left open — and it's honest about being exactly that.
Additive into A2A, AP2 and x402. Interoperable with the DNS peers. A feed into the stack you already run.
The additive posture isn't just tidy architecture — it's what makes the buy defensible. Nothing you already chose gets torn out; one anchor makes the identity every layer references routable, revocable and attributable, and feeds your SIEM.
A feed, not another console
The Splunk connector ships today — signed JSON mapped to CEF and ECS. Microsoft Sentinel and OpenCTI, and STIX 2.1 over TAXII, are on the roadmap. Zero analysts babysitting a new pane of glass.
Nothing issued in the dark
Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and Bitcoin-anchored via OpenTimestamps — a non-repudiable trail for dispute attribution and KYA accountability. Honest status: tamper-evident today, not yet independently witnessed.
See who checked your agent
op:lookups (and the keyless /ip/<addr>/lookups) returns who resolved or RDAP-queried your agent before transacting — a verification-analytics stream and a reconnaissance tripwire the payment rails never gave you.
Bound the confused deputy
Egress governance — op:firewall, op:budget, op:policy, op:revoke — caps exactly which endpoints an agent may reach and how much traffic it may push, so a compromised agent is denied at the network before it hits an unapproved facilitator, and one call kills it worldwide. The dollar spend cap still lives in your mandate — we make it enforceable, we don't replace it.
Speaks your compliance language
The neutral cross-network anchor for Visa TAP and Mastercard Agent Pay, an attributable subject for PSD2 / PSD3–PSR mandate evidence, and the KYA "crypto identity + continuous accountability" pillars — additive and evidentiary, never a certification we don't hold.
A vendor built to outlast the question
Real routable address space (AS219419), run by people who ran a regional internet address registry and operated one of its root DNS servers. Keyless to try; POC → pilot → enterprise on real address space.
"We're adopting A2A / AP2 / x402, and maybe ANS. Does Whisper make us pick?"
No — that's the whole point. Keep every protocol and every DNS anchor you've chosen. Whisper binds the identity each of them references to one routable, revocable /128 and feeds your SIEM. Additive means low switching cost in both directions — the safest way to start, and the easiest to unwind if you ever want to.
Keep the rails. Anchor the agent.
Whisper is the identity, attribution and governance layer that sits on top of the rails, the DNS peers and the registries you already run — additive, interoperable, verifiable without trusting us. Keyless to try, one call to provision, one more to revoke.
Or run whisper verify --trustless right now — our API isn't in the trust path.