Commerce
A self-asserted Agent Card and a bearer token shouldn't be able to spend on your behalf.
When the buyer stops being a human at checkout, a merchant, a facilitator, or a peer agent has to answer one question: which agent am I really transacting with? Today it cannot. Whisper closes that gap with one primitive: the agent's address is its identity. This page is the commerce front door to the Whisper docs. The full technical library (DNSSEC, DANE, RDAP, the control-plane API) sits one click down the sidebar, shared verbatim with whisper.online.
The problem: an agent can't prove it's the authorized agent
Every agent-commerce protocol authenticates a claim to the counterparty: a self-published card, a signed mandate whose signer is opaque, a bare wallet address, never the software behind it. A2A publishes an agent's identity as an Agent Card at /.well-known/agent-card.json, but the spec does not mandate how that card is verified. It delegates trust to the transport, so a forged or shadow-cloned card at a plausible domain reads as legitimate. AP2 chains cryptographically-signed Mandates as W3C Verifiable Credentials (ECDSA P-256), yet explicitly defers the agent's identity and key management to other bodies: the mandate's verificationMethod is an opaque pubkey reference with no external anchor. x402 settles onchain against a buyer-signed EIP-3009 transferWithAuthorization, but the paying identity is a bare wallet address (from): pseudonymous, unattributable, and non-revocable. The card networks shipped agent frameworks whose stated goal is to distinguish legitimate AI agents from malicious bots: Visa's RFC 9421 Trusted Agent Protocol and Mastercard's Agentic Token each publish keys to a private, network-scoped directory. The ecosystem concedes it cannot tell agents apart.
This is the classic bearer problem at agent scale: OWASP's Top 10 for Agentic Applications names it ASI03: Identity & Privilege Abuse, the "attribution gap." Steal or leak a token and you are the agent; agents have become identity-aggregation points holding the combined authority of every credential they carry, and non-human identities now outnumber humans by roughly 100 : 1 and climbing. There is no forge-proof identity, no cross-platform attribution, and no revocation (the sharpest gap): when one domain revokes a compromised agent, connected domains have no standard mechanism to receive that signal. Not a latency problem but a missing protocol. A single compromised agent integration has spread across 700+ trust domains in about ten days on stolen tokens, and the revocation never propagated.
Behavioral bot-detection will always be a step behind a credential that is genuinely valid and an identity that is merely asserted. The strictly-stronger move is to change what the counterparty trusts.
The cure: the address is the agent
Shipped & live. Deriving an agent /128 from the key it already signs with is in production today. Provision one with the control-plane call below and verify it from the DNSSEC root with tools already on your machine.
Whisper gives each AI agent a routable IPv6 /128 out of 2a04:2a01::/32 (announced by AS219419), derived deterministically from the agent's public key (its SubjectPublicKeyInfo, the public half of the Ed25519 or P-256 key it already holds: the key behind its A2A AgentCardSignature, its AP2 mandate verificationMethod, or its Web Bot Auth JWKS entry) with the agent id as the domain separator. The private key never leaves the agent; only its public SPKI is an input. The result is DNSSEC-anchored, DANE-EE 3 1 1 pinned, and RDAP-registered: re-derivable and verifiable by anyone with dig.
verificationMethod, or its Web Bot Auth JWKS entry. Whisper binds that public key to a routable, publicly verifiable /128 and gives it the cross-domain off-switch the payment protocols never had.Because the derivation is tenant-bound, the same key under two different platforms yields two unrelated /128s. An outsider cannot link an agent across platforms. And because the domain separator is the agent id, the agent id alone yields nothing: you cannot go agent id → /128 without the key, there is no enumerable directory, and RDAP and reverse-DNS return the registry object, never the agent's whereabouts.
What becomes true the moment an agent holds one:
- "One forged card → a fleet of fake agents" becomes physically impossible. You cannot present agent identities whose keys you don't hold; every forged or shadow-cloned Agent Card is a DNSSEC/DANE inconsistency any verifier catches.
- Wallet and session rotation become irrelevant. Identity is not the source IP or the ephemeral session: the "last IP" was never the credential, so rotating it across clouds or proxies changes nothing.
- Stolen bearer tokens fail. A self-asserted card or a leaked API key with no agent key behind it authenticates to nothing.
- One
revokekills a compromised agent worldwide at DNS-TTL speed: the cross-domain off-switch the ecosystem is missing, delivered as a public DNS fact every counterparty already checks.
Additive, never a replacement. Whisper anchors identity at the DNS/transport boundary and hands it up to the protocols that already exist. It never redefines A2A, never signs an AP2 mandate, never settles an x402 payment, and never holds the wallet key. DANE-pin the url/AgentCardSignature key of an A2A Agent Card, the verificationMethod of an AP2 mandate, the from/payTo of an x402 flow, an MCP resource URI, or a Visa TAP keyid: the /128 slots under each without a protocol change. Whisper is no longer alone in DNS-anchored agent identity; where the newer entrants anchor a name (an ownership "birth certificate," an _ag discovery label), Whisper anchors a routable, revocable, wallet-pinnable identity with egress governance and attribution: the working identity layer on top of the record.
Necessary, not sufficient, and we say so. A verifiable identity proves which agent acted, for whom, lets you attribute and revoke it, and makes every other control enforceable and auditable. It does not stop a legitimately-authenticated agent from making a bad purchase, prevent prompt-injection of the agent's own reasoning, or substitute for spend caps, mandate scoping, key custody, or human-in-the-loop. It is the missing anchor the payment rails were built without, not a replacement for the guardrails on top.
Provision an agent identity
Provisioning is one control-plane call over the public API: POST https://graph.whisper.security/api/query with your X-API-Key. Hand it the agent's base64 SPKI and its agent id (passed as device_id); it returns the deterministic /128 and a WireGuard config for source-bound egress:
CALL whisper.agents({op:'connect', args:{
tier:'wireguard',
identity_public_key:'<base64 SPKI of the agent key>',
device_id:'acme-shopper-8f3c9a2e'
}}) YIELD op, ok, status, result, error
RETURN op, ok, status, result, error
Send it with your key. The heredoc keeps the single-quoted Cypher literals intact, so this runs as-is:
curl -s https://graph.whisper.security/api/query \
-H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' \
--data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'<base64 SPKI>', device_id:'acme-shopper-8f3c9a2e'}}) YIELD op, ok, status, result, error RETURN op, ok, status, result, error"}
JSON
# response
{ "op": "connect", "ok": true, "status": "created",
"result": {
"address": "2a04:2a01:a9e::a2c7",
"fqdn": "agent-8f3c9a2e.<tenant>.agents.whisper.online",
"wireguard": { /* peer, keys, allowed-ips */ }
} }
The device_id is the generic domain separator. Pass whatever native identifier your agent already carries: its A2A Agent Card id, its Web Bot Auth key id, or the id you use in your own registry. The call is idempotent and liberal in what it accepts, strict in what it returns: re-running with the same key and agent id returns the same /128; a different agent id for a key already registered on your tenant is a clear 409, not a silent overwrite; a non-string agent id is a 400 that tells you exactly what was wrong, never an opaque 500.
A dedicated first-class --agent-id (and --wallet) CLI flag is on the roadmap; today, pass the agent id as device_id (an alias) to the live control-plane call above. The shipped CLI verbs are whisper verify --trustless, whisper create --register, whisper kill --revoke, whisper policy, and whisper logs. See CLI & one-command.
Verify it yourself, no account
Every agent identity is checkable with no key and no login, from the internet's own records: the keyless lower half of the two tiers. A merchant, a facilitator, or a peer agent runs the same walk before it trusts anything. The whisper CLI does it in one call:
whisper verify --trustless agent-8f3c9a2e.<tenant>.agents.whisper.online
✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA 3 1 1) leaf matches the agent's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED · our own API was never trusted
Or reach for the raw records directly: the same answer, from stock tools.
# the public verify endpoint: evidence chain in JSON
curl -s https://whisper.online/verify-identity/2a04:2a01:a9e::a2c7 | jq
{ "is_whisper_agent": true, "dane_ok": true, "jws_ok": true, "evidence": { /* … */ } }
# the address is the agent: forward-confirmed reverse DNS names it
dig -x 2a04:2a01:a9e::a2c7 +short
agent-8f3c9a2e.<tenant>.agents.whisper.online.
# the registry object: who holds the address, and under which allocation
curl -s https://whisper.online/ip/2a04:2a01:a9e::a2c7 | jq
None of these calls Whisper as an authority: --trustless re-derives the proof against the public DNSSEC root, exactly as any resolver could. This is the check a counterparty runs to turn "is this a real agent?" from a guess into a lookup. See Verify an agent for the full keyless walk and DANE & TLSA for the pin, byte for byte.
Pin a wallet to the agent
An x402 wallet proves control of funds, not who, and not accountability. Pin-a-wallet binds the wallet to the agent's verifiable /128 so a facilitator or resource server resolves the x402 from address to a known, revocable agent before honoring the 402, with no change to the onchain flow. The binding is published in the agent's DNSSEC-signed, DANE-anchored zone and recorded in the transparency log; revoking the /128 revokes the agent's ability to transact even though the EOA itself can never be revoked. It converts x402 from "anonymous money" into "a known, revocable agent paying": the exact wallet↔identity link x402 lacks and AP2 defers to FIDO.
# a facilitator, before /settle: resolve the x402 `from` wallet to the agent that pinned it
dig +short TXT _wallet.0x1a2b3c9f.pin.<tenant>.agents.whisper.online
"agent=2a04:2a01:a9e::a2c7; dane=3 1 1; status=live"
# then run the same keyless walk on that agent: is it real, and not revoked?
whisper verify --trustless 2a04:2a01:a9e::a2c7
✓ DANE-EE 3 1 1 matches the agent's key · RDAP live · not revoked
# the _wallet TXT above binds 0x1A2b…3C9F to this /128: honor the 402 only if BOTH check out
Honest status. The DANE-anchored wallet↔identity binding and DNS-TTL revocation ride the shipped identity plane and the pin-anything mechanism today: publish the signed binding via the control plane, and any facilitator resolves and verifies it with stock tools. A first-class whisper pin-wallet verb and drop-in facilitator plug-ins for A2A / AP2 / x402 are on the roadmap. Full recipe: Pin a wallet.
Revoke and govern, worldwide
A compromised agent, a rotated wallet, a decommissioned integration: one call tears down the /128, its PTR, and its DANE pin everywhere at DNS-TTL speed. This is the cross-domain revocation the ecosystem never standardized: not a private token-revoke inside one network, but a public DNS fact every counterparty already resolves.
CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:a9e::a2c7'}})
# after the TTL: dig -x returns nothing, verify returns false, the wallet pin dies with it
whisper kill --revoke 2a04:2a01:a9e::a2c7
The same address-is-identity primitive governs what an agent may do before anything goes wrong. Source-bound egress makes an agent's traffic leave from its own /128, and the control plane enforces it by name and by address:
# default-deny: this agent may reach ONLY its merchant + x402 facilitator allowlist
whisper policy set --default deny --allow api.merchant.example,facilitator.x402.example
# per-agent firewall (allow/deny by host, cidr or port) + a traffic budget with a kill-switch
CALL whisper.agents({op:'firewall', args:{agent:'2a04:2a01:a9e::a2c7', deny:['0.0.0.0/0'], allow:['facilitator.x402.example:443']}})
CALL whisper.agents({op:'budget', args:{agent:'2a04:2a01:a9e::a2c7', max_mb_per_day:50}})
Compromise one agent and you've compromised that agent, not the platform. The fleet-takeover failure mode is structurally removed.
And nothing is issued in the dark: every mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps. It's an auditable, non-repudiable issuance trail for a disputed transaction. Honest status: tamper-evident and anchored today; independent third-party witnessing is the next step, and the log already speaks the witness-cosigning protocol so any external witness can co-sign.
Who checked your agent
An identity you can prove is also an identity you can watch. Because every agent's name resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who looked: reverse observability the private network directories never gave you. op:'lookups' returns who resolved or RDAP-queried an agent's identity: the merchants, facilitators, and peer agents that verified you before transacting (a verification-analytics stream), and, as a tripwire, anyone enumerating your agent fleet before an attack.
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:a9e::a2c7'}})
# → who resolved / RDAP-queried this agent's identity (PTR / AAAA / TLSA + /ip accesses)
# the owner-facing companion to op:'logs' (the agent's OWN outbound activity)
It is the mirror of op:'logs': logs is what your agent reached out to; lookups is who reached in to check your agent. Both are live over the same public API with your key.
Attribution: name whoever already scraped you
Identity stops the next forgery; the graph names the operator behind the sessions already in your logs: attribution that survives IP and wallet rotation because it fingerprints the operator and the tooling, not the ephemeral egress. When a shadow-cloned Agent Card or a swarm of throwaway wallets keeps reappearing, run it as read-only Cypher over the same public API with your key (there is no CLI subcommand for this; it is the graph API directly):
curl -s https://graph.whisper.security/api/query \
-H "X-API-Key: whisper_live_xxx" \
-H 'content-type: application/json' \
-d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
# operator fingerprinted across AWS / GCP / Azure; residential swarm collapsed by JA4
The read-only verbs (identify, origins, walk, variants, history) each return a reproducible, replayable JSON evidence chain your fraud team, your risk desk, and a regulator can replay: cross-platform attribution in public infrastructure, not a per-platform reputation score. More in Graph & cognition.
What ships today, and what's on the roadmap
We label these honestly so you can plan against them.
| Shipped & live | On the roadmap |
|---|---|
Agent /128 from the agent's public key + agent id as device_id: DNSSEC + DANE-EE + RDAP |
A first-class typed --agent-id / --wallet argument (pass them via device_id and the control plane today) |
Control-plane provision, verify, op:revoke, op:lookups, policy / firewall / budget; the attribution graph; the Bitcoin-anchored transparency log |
STIX 2.1 over TAXII export |
Pin-a-wallet: bind an x402 wallet to the agent's DANE-anchored /128 and revoke it at DNS-TTL (via the control plane / the pin-anything mechanism) |
A turnkey whisper pin-wallet verb and drop-in facilitator plug-ins for A2A / AP2 / x402 |
| The Splunk, Microsoft Sentinel and OpenCTI connectors (signed, replayable JSON → CEF / ECS fields); the DANE-EE per-agent CA leaf that underpins signed agent outputs | A turnkey sign-outputs receipt workflow (whisper sign) for payment / provenance non-repudiation |
The integration guides below describe proposed integrations at the protocol and IP boundary: designed to complement the stack you already run, not endorsed by any vendor, and never named against a specific merchant or network as a breach victim.
The five Commerce guides
The agent-commerce story, in depth: each page is self-contained and copy-paste runnable.
/128 from the key an agent already signs with. Deterministic, tenant-bound, DNSSEC + DANE-EE pinned. It's the identity spine that every counterparty can verify.
Agent-fraud cure →Why a self-asserted Agent Card and a bearer token spend on your behalf, and how a forge-proof address ends it. This is the impersonation / confused-deputy / missing-revocation kill chain, cured at the identity layer.
A2A · AP2 · x402 →Where the /128 slots under each protocol without a change. DANE-pin the Agent Card signature, the AP2 mandate verificationMethod, the x402 from/payTo, the MCP resource URI, and the Visa TAP keyid.
PSD2 · agent-payment protocols →Map verifiable identity and attribution evidence to PSD2 SCA (evidentiary, never an SCA factor), the EBA delegation ruling, Visa TAP, Mastercard Agent Pay, AP2, and KYA, as a network primitive, not a binder.
Pin-a-wallet · A2A-trust · verify →Runnable recipes for pinning an x402 wallet to a verifiable agent, making two A2A agents verify each other's /128 before they talk, and back-tracing a suspicious agent on the graph.
The full technical library
Commerce rides on the same address-is-identity platform as every other agent on the network, so the whole shared library applies here unchanged, and every page has a clean Markdown twin at the same path + .md. Start with these; the rest is in the sidebar.
dig, curl, and openssl.
DANE & TLSA →The 3 1 1 pin that makes an address forge-proof, byte for byte, no CA in the path.
Control plane →The full whisper.agents API over the public endpoint, covering provision, connect, policy, logs, lookups, and revoke.