# Compare — additive to A2A / AP2 / x402, honest about the DNS-anchored peers

> A2A moves the task. AP2 signs the mandate. x402 settles the payment. None of them proves
> *which agent* is spending. Several efforts now anchor agent identity in DNS — we respect them.
> Whisper is one additive layer: a routable **/128** that is identity, reachability and egress
> in one — govern what it reaches, revoke it internet-wide at DNS-TTL, attribute it across rotating
> egress. **The address is the agent — verifiable by anyone, without trusting our API.**

Every protocol and product on this page is real work by serious teams, and you should adopt the
ones you need. But the agent's own identity falls through the seams between them: A2A's Agent Card
signature is *optional* and bound to the domain, not the agent's key; AP2 explicitly *defers* agent
identity to FIDO; x402's identity is a *bare wallet address* that can't be revoked. And several
efforts now anchor agent identity in DNS — we respect them, and we're honest about how we differ.

`whisper verify --trustless` — the one line every layer here lacks: you never have to trust *our* API.

- **3 layers** — the rails · the DNS-anchored peers · the registries — Whisper is additive to all three
- **not alone** — several efforts now anchor agent identity in DNS; we respect them and differ honestly
- **480,000+** — agents already moving real money over x402 on Base — none carrying a verifiable identity
- **trustless** — verify an agent's identity without trusting our API — checkable with `dig` + `openssl`
- **1 call** — revoke a compromised agent internet-wide at DNS-TTL — the cross-platform revocation the rails lack

---

## The honest map — four things live on this page

Line the categories up against the three questions a merchant, a facilitator, or a peer agent
has to answer before it trusts an agent, and the picture is honest and simple. The commerce rails
answer the first. Several efforts — ours included — anchor identity in DNS to answer the second.
Only an *address* makes the agent routable, governable and attributable to answer the third.

1. **Discover, pay & authorize the agent?** — the commerce rails (A2A · AP2 · x402) own this.
2. **Identity anchored in the open DNS root, no platform login?** — the DNS-anchored peers
   (ANS · AID · DNS-AID) answer this, and Whisper *shares* the anchor.
3. **Routable, governable, revocable internet-wide, attributable?** — only an address does this,
   and that is Whisper's lane. A central registry answers ② and part of ③ — behind a gatekeeper.

Additive by construction: keep the rails and keep whatever DNS anchor you've chosen. Whisper shares
the open-root anchor and adds the layer no protocol or label reaches — and hands the rails a sharper feed.

---

## The agent-commerce protocols — what they own, what they defer

These are the rails, and they're good. Each solves a hard problem well, and Whisper never redefines
any of them or moves a cent. But read the specs and the same seam appears three times: the agent
presenting the credential is self-asserted, deferred, or pseudonymous.

### A2A · the Agent Card

**What it owns.** Agent-to-agent discovery and task delegation. Every counterparty reads the
**Agent Card** at `/.well-known/agent-card.json` first — name, `url`, `capabilities`, `skills[]`,
`securitySchemes`. v1.0 added Signed Agent Cards: an **AgentCardSignature** (a JWS over the card,
spec §8.4).

**The seam.** The signature is *optional*, and where present its trust root is *"the domain owner"*
via web PKI / a JWKS — not the agent's own key — so a shadow-cloned card at a plausible domain is a
live threat class, and there is *no per-agent revocation and no global registry*. **Whisper's fit:**
DANE-pin the card's `url` / signing key to the agent's own **/128**, and "belongs to the domain"
becomes "belongs to *this* agent" — with a one-call revocation the spec never defined.

### AP2 · the mandate chain

**What it owns.** User authorization, done superbly. AP2 chains cryptographically-signed **Mandates**
as W3C Verifiable Credentials (Intent → Cart → Payment, ECDSA P-256) so a merchant and a credentials
provider can prove exactly what the human allowed.

**The seam.** AP2 *explicitly defers agent identity and key management to the FIDO Alliance* — the
signer key is an opaque pubkey or DID reference, not anchored anywhere a relying party can
independently resolve. **Whisper's fit:** bind the VC's `verificationMethod` to a DNSSEC/DANE-anchored
/128 so the credentials provider and merchant confirm *"this Shopping Agent key is verifiable agent
X"* — closing AP2's own stated Authenticity and Accountability goals — and revoke the /128 to kill
that agent across every mandate at once.

### x402 · HTTP 402 + onchain

**What it owns.** Trust-minimized settlement. An `HTTP 402` returns a `PAYMENT-REQUIRED`; the agent
signs an **EIP-3009 transferWithAuthorization** and a facilitator settles USDC on Base — already
480,000+ agents and rising.

**The seam.** x402 is *deliberately pseudonymous*: the identity is the bare wallet `from` address —
it proves control of funds, not *who*, and an EOA *cannot be revoked*. **Whisper's fit — a proposed pin-a-wallet:**
bind the `from` wallet to a DANE-anchored /128, so a resource server could resolve the address to a
verifiable, non-revoked agent identity *before* honoring the 402 — no change to the onchain flow —
turning "anonymous money" into "a known, revocable agent paying." *(Proposed — complements x402, never replaces it.)*

> **"A2A already shipped Signed Agent Cards. Why isn't that enough?"**
> Because the signature is optional, and it proves the card came from a domain — not that this key is
> that agent — and it still can't be revoked. DANE-pin the card's signing key to the agent's own /128
> and the claim strengthens from "belongs to the domain" to "belongs to this agent," with a DNS-TTL
> revocation the spec left out. We don't replace the Agent Card; we anchor it.

---

## The DNS-anchored peers — we're not alone, and that's the honest part

As of 2026, Whisper is *not* the only scheme putting agent identity in the DNS root, and we won't
pretend to be. Naming the peers is the honest thing to do — and it's also where our real edge becomes
clear.

OWASP's **Agent Name Service (ANS)**, the agentcommunity **Agent Identity & Discovery (AID)** effort
with its `_agent` TXT record, and the IETF **DNS-AID / BANDAID** drafts all put an agent's identity
where anyone can check it against the open, DNSSEC-signed root — no platform login, no membership.
That is the right instinct, and *we share it*. If your architecture already resolves an agent through
ANS or AID, keep it.

The difference, stated plainly: those schemes anchor a **name** or a discovery **label**. Whisper
anchors a **routable /128** — the identity is also an *address*. That single property unlocks
everything a label can't:

- **Reachability** — traffic sources from the /128, and reverse-DNS attributes every action to it.
- **Egress governance** — firewall, budget and policy on what the agent may reach.
- **Pin-a-wallet** *(proposed)* — bind an x402 `from` address to the identity; complements x402, never replaces it.
- **Revoke** — one call, at DNS-TTL, *internet-wide* — not just within a directory.

And where a name tells you what an agent is *called*, our **attribution graph** tells you *who is
really operating it* across rotating clouds and residential proxies. Our edge is the routable address
and the graph — never a claim that we invented DNS-anchored identity.

> **"If ANS or AID already resolves my agent in DNS, why also add Whisper?"**
> Because a resolvable name is not a reachable, governable, revocable address. Keep the discovery
> label. Whisper makes the *same* identity routable — egress-bound, policy-governed, revocable at
> DNS-TTL, and attributable across rotating egress — the working layer on top of the record the peers
> anchor. It's designed to interoperate with them, not to replace them.

---

## Centralized registries — the decentralized DANE alternative

The other way to answer "which agent" is a gatekept directory. That approach works, and inside its
circle it even gives you revocation. The cost is a gatekeeper — and the fact that revocation stops at
the directory's edge.

The live examples are honest and capable: the **getagentid.dev** registry floated in A2A issue
**#1672**, and the network directories already shipping — Visa's well-known **JWKS** under the Trusted
Agent Protocol (agents sign requests with RFC 9421 HTTP Message Signatures, a `keyid` resolved against
Visa's directory), and Mastercard's Agent Pay registry (Agentic Tokens over MDES). You verify by being
a member, and when the directory removes a key the agent is revoked — *for that network only*.

Whisper is the **decentralized DANE alternative.** The same key material a registry would hold lives
in the open DNSSEC/DANE root, so any merchant already running DNS verifies an agent with `dig` +
`openssl` — no membership, no per-network onboarding — and revocation is a single record pull that
*every* verifier sees, on every protocol. We're built to *interoperate* with the registries
(cross-check the `keyid` against the DANE pin on the /128); we are not a competitor to MDES or the
Visa directory. We're the neutral anchor across all of them.

> **"We already register our agents with the card network. Why also anchor in DNS?"**
> So one identity works everywhere, and revocation isn't walled in. A network registry proves an agent
> to *that* network; a DANE-anchored /128 proves it to *any* counterparty on *any* protocol, and one
> pull revokes it for all of them. Additive — it complements the Visa JWKS and MDES, it doesn't replace
> them.

---

## The honest grid — who owns what

Read it as a map of complementary strengths, not a scoreboard. The rails own the commerce; the
DNS-anchored peers share the open-root identity anchor with us; a central registry buys revocation at
the price of a gatekeeper; and the routable /128, the egress governance and the
cross-operator attribution — plus a proposed wallet-pin for x402 — are the columns only an address can fill.

| Capability | A2A · AP2 · x402 (rails) | DNS peers (ANS · AID · DNS-AID) | Central registry (getagentid · JWKS) | Whisper |
|---|---|---|---|---|
| Agent discovery, payments & mandates | ✓ | — | — | additive |
| DNS-anchored, verifiable agent identity (open root, no platform login) | — | ✓ | — | ✓ |
| Routable **/128** — identity, reachability & egress in one address | — | — | — | ✓ |
| Pin an x402 wallet to the identity (proposed) | — | — | — | roadmap |
| Per-agent revocation at DNS-TTL | — | partial | ✓ within its registry | ✓ internet-wide |
| Decentralized — no gatekeeper | ✓ | ✓ | — | ✓ |
| Cross-operator attribution across rotating egress | — | — | — | ✓ |

Whisper owns the routable /128, egress governance and cross-operator attribution — with a proposed wallet-pin for x402; the
DNS-anchored peers share the open-root identity anchor; the protocols own the commerce rails. The one
honest read of this grid: **it's additive to every column** — never a replacement for any of them.

---

## Prove it in 60 seconds — no account

Two tiers, by design. **No key:** anyone can verify an agent's identity, read its
revocation status, and see who checked it — trustless, anchored at the IANA root. **Your key:** mint
an agent's /128 from the key it already holds, govern its egress, rate-budget its traffic, and revoke it
internet-wide.

```console
# keyless — re-derive and verify any agent's identity, trustless
$ whisper verify --trustless 2a04:2a01:a90::a9e7
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the agent's key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the agent — reverse DNS names it (maps to its A2A Agent Card)
$ dig -x 2a04:2a01:a90::a9e7 +short
  agent-7f3a.acme-shopping.whisper.online.

# who checked this agent before transacting — keyless reverse observability
$ curl -s https://whisper.online/ip/2a04:2a01:a90::a9e7/lookups
  3 relying parties resolved this identity in the last hour:
    merchant checkout · a payment facilitator · one peer agent (a2a-trust)
```

```console
# mint an agent's /128 from the key it already holds — device_id = the agent id
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the agent key>',
       device_id:'agent-7f3a-acme-shopping'}})"
  → identity 2a04:2a01:a90::a9e7   DNSSEC + DANE-EE live

# (roadmap) pin the agent's x402 wallet to the /128 — see /docs/commerce-recipes
# then govern exactly what it may reach, and rate-budget its egress
$ whisper policy set --default deny --allow checkout.acme.com,facilitator.x402.org
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'budget', args:{id:'agent-7f3a-acme-shopping', requests_per_min:60}})"   # rate-cap egress · kill-switch on breach

# a compromised agent — gone worldwide at DNS-TTL, on every protocol at once
$ whisper kill --revoke 2a04:2a01:a90::a9e7
```

**Shipped & live:** the derived /128 (from your agent's public key + `device_id`), the attribution
graph, the control plane, keyless `verify`, and the **Splunk**, Microsoft Sentinel and OpenCTI connectors (signed JSON → CEF / ECS).
**On the roadmap:** STIX 2.1 over TAXII, the
**pin-a-wallet** binding for x402, and a first-class typed `--a2a` / `--wallet` argument — proposed,
complements-not-replaces. We label nothing "shipped" that isn't.

---

## Where we don't play — and don't pretend to

Verifiable identity is necessary, not sufficient. Naming what Whisper does *not* do is how you know
exactly what you're buying. Identity closes the "which agent, for whom, prove it, attribute it, revoke
it" gaps the rails left open — and makes every *other* control enforceable and auditable. It is not a
substitute for the guardrails on top.

- **Not the payment rail.** We never settle a payment, tokenize the PAN, issue Agentic Tokens, or move
  funds. Whisper is the identity layer *beneath* the tokens and rails — it makes the money attributable,
  it doesn't move it.
- **Not SCA — evidentiary only.** PSD2 Strong Customer Authentication assumes a human, and the EBA ruled
  the responsibility *"cannot be outsourced"* (Q&A 6141). Whisper supplies the attributable identity a
  mandate binds to — evidence for the delegated-authority chain, **never an SCA factor**.
- **Doesn't stop a bad decision.** A legitimately-authenticated agent making a poor purchase,
  prompt-injection of the agent's own reasoning, or a confused-deputy *within* granted scope — identity
  makes those attributable, boundable and revocable; it doesn't replace spend caps, mandate scope,
  injection defense or human-in-the-loop. It makes them enforceable.
- **Not KYA / KYC of the legal person.** We bind a *technical* identity and wallet publicly and
  revocably — the missing anchor for Know-Your-Agent and the FATF Travel-Rule originator question. The
  VASP still owns the KYC judgment of the human or legal entity.
- **Not a key-custody vault.** The binding says which agent *should* hold a wallet or signing key — it
  doesn't stop a thief who already has the private key. Custody (HSM, secure element, mTLS) is
  complementary and lives below us. Only the public half is ever an input.
- **Anchored at the DNS / transport boundary.** We sit on the wire and in the open DNS root — never
  inside the merchant's checkout logic or the model's reasoning loop. Whisper complements the rails, the
  DNS peers and the registries; it doesn't reach into any of their closed layers.

Whisper is one layer, done well: the network-identity, attribution and governance plane that closes the
gaps the payment protocols left open — and it's honest about being exactly that.

---

## Why additive is the safe bet

The additive posture isn't just tidy architecture — it's what makes the buy defensible. Nothing you
already chose gets torn out; one anchor makes the identity every layer references routable, revocable
and attributable, and feeds your SIEM. Three planes rest on one primitive — **the address is the
agent** (AS219419 · 2a04:2a01::/32) — and all three exit into what you already run:

- **Identity** — agent /128 · DNSSEC · DANE-EE · revocable → *which agent, provably*.
- **Attribution graph** — operator fingerprint across rotating clouds + residential (**7.44B**
  nodes · BGP · DNS · TLS · JA4) → *who's really behind it*.
- **Egress governance** — per-agent /128 · policy · lookups · firewall · budget · revoke → *what it may
  talk to*.

…exiting into **the rails** (A2A · AP2 · x402 — additive), **the DNS peers** (ANS · AID —
interoperable), and **your SIEM** (Splunk & Sentinel today).

- **A feed, not another console.** The **Splunk** connector ships today — signed JSON mapped to CEF and
  ECS. Microsoft Sentinel and OpenCTI, and STIX 2.1 over TAXII, are on the roadmap. Zero analysts
  babysitting a new pane of glass.
- **Nothing issued in the dark.** Every identity mint and every revoke lands in a public, append-only
  RFC 6962 Merkle transparency log, Ed25519-signed and Bitcoin-anchored via OpenTimestamps — a
  non-repudiable trail for dispute attribution and KYA accountability. *Honest status:* tamper-evident
  today, not yet independently witnessed.
- **See who checked your agent.** `op:lookups` (and the keyless `/ip/<addr>/lookups`) returns who
  resolved or RDAP-queried your agent *before* transacting — a verification-analytics stream and a
  reconnaissance tripwire the payment rails never gave you.
- **Bound the confused deputy.** Egress governance — `op:firewall`, `op:budget`, `op:policy`,
  `op:revoke` — caps exactly which endpoints an agent may reach and how much traffic it may push, so a compromised
  agent is denied at the network before it hits an unapproved facilitator, and one call kills it worldwide. The dollar spend cap still lives in your mandate — we make it enforceable, we don't replace it.
- **Speaks your compliance language.** The neutral cross-network anchor for Visa TAP and Mastercard
  Agent Pay, an attributable subject for PSD2 / PSD3–PSR mandate evidence, and the KYA *"crypto identity
  + continuous accountability"* pillars — additive and evidentiary, never a certification we don't hold.
- **A vendor built to outlast the question.** Real routable address space (**AS219419**), run by people
  who ran a regional internet address registry and operated one of its root DNS servers. Keyless to try;
  POC → pilot → enterprise on real address space.

> **"We're adopting A2A / AP2 / x402, and maybe ANS. Does Whisper make us pick?"**
> No — that's the whole point. Keep every protocol and every DNS anchor you've chosen. Whisper binds the
> identity each of them references to one routable, revocable /128 and feeds your SIEM. *Additive* means
> low switching cost in both directions — the safest way to start, and the easiest to unwind if you ever
> want to.

---

## Keep the rails. Anchor the agent.

Whisper is the identity, attribution and governance layer that sits on top of the rails, the DNS peers
and the registries you already run — additive, interoperable, verifiable without trusting us. Keyless
to try, one call to provision, one more to revoke.

[Verify your agents →](https://console.whisper.security/sign-up) · [For merchants →](/for-merchants)

Or run `whisper verify --trustless` right now — our API isn't in the trust path.
