# Whisper for Commerce — give every AI agent a payment identity the counterparty can verify

> An AI agent transacting on your behalf can't prove it isn't an impostor.
> Bind its identifier — A2A Agent Card, AP2 mandate signer, x402 wallet — to a
> routable, DNSSEC-anchored **/128** derived from the agent's own key: publicly
> verifiable, revocable at DNS-TTL, pinnable to a wallet. Additive to A2A, AP2 and x402.

The A2A Agent Card's signature is *recommended*, not mandated — and even when it's
signed, nothing at the protocol level proves the signing key belongs to the claimed
domain; it leans on transport TLS. AP2 deliberately does *not* define agent identity,
deferring it to FIDO's Agentic Authentication working group. x402's identity is a bare
wallet key: *"no accounts."* So a merchant, a payment platform, or another agent has no
forge-proof way to answer the only question that matters — *is this the real agent, and
can I stop it if it goes rogue?* **We give it one.**

`whisper verify --trustless` — anchored at the IANA DNS root. Our own API is not in the trust path.

- **15–25%** — of all e-commerce projected to run through AI agents by 2030 (Bain)
- **480,000+** — agents settled 165M+ x402 txns on Base through Q1 2026; value in >$1 payments went 49%→~95% in a year
- **~1 in 4** — enterprise breaches will be traced to AI-agent abuse by 2028 (Gartner)
- **~25%+** — prompt-injection success against even the best agents (AgentDojo); OWASP's #1 LLM risk
- **~109:1** — non-human identities now outnumber humans; 28.65M new hardcoded secrets on GitHub in 2025
- **700+** — trust domains reached in ~10 days on stolen agent tokens; revocation didn't propagate

---

## The fraud, step by step

**This is how a purchase gets made in your name by an agent that isn't yours.** No
zero-day required. Just a self-asserted Agent Card, a bearer token, and payment rails
shipped without an identity layer underneath them.

1. **SPOOF** — Publish a forged or shadow-cloned `/.well-known/agent-card.json` at a plausible domain. A2A doesn't mandate how a card is verified, so a self-asserted card *is* the identity.
2. **AUTH** — Present a stolen or leaked bearer token — or simply assert an unverifiable identity. The credential is a bearer instrument: whoever holds it is the agent.
3. **ENTER** — The merchant, the facilitator, or a peer agent can't cryptographically tell you from the real one. The card networks conceded this in Oct 2025 with a framework to "distinguish malicious bots from legitimate AI agents."
4. **TRIGGER** — Plant injected instructions the *victim's own* agent reads (OWASP LLM01, the #1 risk), or persuade an over-permissioned agent to act "on their behalf" — the confused deputy, reborn.
5. **REPLAY** — Replay a captured mandate (why x402 puts a `nonce` in the 402 body and AP2 signs each mandate), or exploit an SDK signature-verify bug — both documented across x402/AP2 SDKs in 2026.
6. **PERSIST** — No stable identity to attribute, no cross-domain revocation protocol. Rotate egress across clouds and residential proxies; a "revoked" agent keeps its registration and transacts elsewhere — "a dormant but persistent threat."

Invisible at the protocol layer by design: a real agent is a self-asserted card and a
bearer token — and so is the impostor. There is no forge-proof way to tell them apart,
follow them when the egress rotates, or make a revocation stick across domains. Not
hypothetical: a compromised agent integration reached **700+ trust domains in ~10 days**
on stolen OAuth tokens, and the revocation never propagated — *"not a latency problem but
a missing protocol."*

---

## Strip the incident down and it isn't a hundred bugs. It's two.

Every step in that chain leans on exactly two structural gaps the payment protocols left
open. Close both and the fraud has nowhere left to stand.

### Gap 1 · a self-asserted card is not a verifiable identity

The A2A **Agent Card** is a JSON document the agent publishes *about itself*. Its
`AgentCardSignature` (a JWS) is *recommended*, not required — and even when present, it
proves the card wasn't tampered with, not that the signing key belongs to the agent it
claims to be. AP2 punts agent identity to FIDO; x402's "identity" is a bare wallet address
with no accounts. So *"which agent, really?"* is a guess the counterparty makes on trust.

**The answer — identity.** Bind the agent's identifier to its own forge-proof **/128** —
a routable IPv6 address derived from the key behind its Agent Card, its AP2 mandate signer,
or its x402 wallet, DNSSEC-anchored and `DANE-EE` pinned, with `device_id` = the agent id.
A verifier resolves the /128 and checks the DNSSEC/DANE chain to the IANA root: *this card
belongs to **this** agent* — stronger than "belongs to the domain," and revocable in one
call, which none of A2A, AP2, x402 or MCP can do.

> **"A2A already lets an agent sign its Agent Card. Why isn't that enough?"**
> Because the signature is only recommended, and even when present it proves the card
> wasn't tampered with — not that the key belongs to the agent it names, and there's no
> way to revoke it. A2A's own maintainers are debating a *centralized* registry (issue
> #1672, getagentid.dev) to fix exactly this. Whisper anchors the same key in the open
> DNSSEC/DANE root instead — decentralized, verifiable by anyone with `dig`, revocable at
> DNS-TTL. Additive to A2A, not a fork.

### Gap 2 · when the egress rotates, you can't name who's behind it — or stop them

A compromised agent hops across clouds and residential proxies. Each domain it touches
*"validates in isolation, no shared defense,"* and when one domain revokes, the others get
no signal. So you can't attribute the operator across sessions, and you can't make a kill
stick — the ecosystem named this itself: *"not a latency problem but a missing protocol."*

**The answer — the graph, and the control plane.** A live internet-infrastructure graph —
**7.44B** nodes and **39.3B** relationships of fused BGP, DNS,
WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — fingerprints the
*operator*, not the IP.

- **Cloud rotation** — the graph clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy.
- **Residential-proxy swarm** — a `JA4/JA3` client fingerprint travels with the *tooling*, invisible to the proxy because it lives in the TLS handshake, and collapses the swarm to one operator.

And because the agent's identity is a routable /128, one `op:revoke` tears it down
worldwide at DNS-TTL — the cross-domain revocation the payment protocols never defined.
Every answer returns a reproducible **evidence chain** your fraud team, your auditors and a
regulator can replay.

```
   cloned card / stolen token         ┌── AWS / GCP / Azure ──┐  infra genealogy ─┐
   = agent authority        ──rotate──┤                       │                  ├─▶  ONE operator
   every last IP disposable           └── residential swarm ──┘  JA4 fingerprint ─┘   evidence → fraud stack
                                                                                       op:revoke → gone, DNS-TTL
```

> **"When a compromised agent rotates across fresh cloud IPs and residential proxies, can
> you actually attribute it — or just block an IP and move on?"**
> Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client
> fingerprint collapses the residential swarm — the egress IP is the one thing we don't
> rely on. And because the identity is a routable /128, one `revoke` propagates the kill to
> every counterparty at DNS-TTL — the cross-domain revocation the ecosystem named as its
> missing protocol.

Gap 1 is the root cause — a self-asserted card no one can verify or revoke. Gap 2 is what
happens when it goes wrong — an operator you can't name and a revocation that doesn't
stick. Here's the root-cause cure.

---

## The root-cause cure · identity

**Give every agent an identity it can prove — and no one can forge.** Stop treating
agent-payment fraud as a detection problem and make it an *identity* problem — strictly
stronger. Whisper has one primitive: **the address is the agent.**

A routable IPv6 **/128** out of `2a04:2a01::/32` (announced by **AS219419**),
deterministically derived from a key, DNSSEC-anchored, **DANE-EE** pinned,
RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`.
`whisper verify --trustless` checks it against the IANA root; *our own API is not in the trust path.*

**Point it at agents.** Derive each agent's /128 from the public key behind the identifier
it *already* carries: the key that signs its A2A **AgentCardSignature** (JWS), the ECDSA
P-256 key that signs its AP2 **mandates**, the EOA behind its x402 **wallet**, or the
RFC 9421 `keyid` it presents to Visa's Trusted Agent Protocol — with the **agent id as the
domain separator** (`device_id`). The private key never leaves the agent; the address is a
one-way function of its public half and that id. No new key ceremony, no per-network
onboarding — you bind the identity the agent already has.

```
agent key                     ──pubkey + agent id──▶  /128  ──DNSSEC+DANE-EE──▶  a name anyone can verify
(Agent Card JWS · AP2 P-256                            2a04:2a01:9c2::a17         whisper verify --trustless
 · x402 wallet; private key                            routable identity          our API not in the trust path
 never leaves the agent)                                     │                    op:revoke → gone at DNS-TTL
                                              pin-a-wallet → x402 from 0x8f…c1
```

What becomes true the moment you do this:

- **"A forged card = a real agent" becomes impossible.** Every shadow-cloned Agent Card is a DNSSEC/DANE inconsistency any verifier catches with `dig`.
- **Egress rotation becomes irrelevant.** Identity is not the source IP or the bearer token; rotating it changes nothing the counterparty checks.
- **Stolen tokens fail.** A leaked bearer or shadow card with no agent key behind it verifies to nothing. The counterparty checks the agent, not the holder of the token.
- **One `revoke` kills a rogue agent everywhere** at DNS-TTL — `dig -x` returns nothing, verify returns false, every counterparty sees the kill. The cross-domain revocation A2A / AP2 / x402 never defined.

**Attaches to what you already ship — it does not replace it.** Whisper complements A2A's
Signed Agent Card, AP2's Intent / Cart / Payment mandates, x402's onchain settlement,
Visa's RFC 9421 signatures, Mastercard's Agentic Token, MCP's OAuth. It is the publicly
verifiable, DNSSEC/DANE-anchored layer *on top*: no registry silo to join, and revocation
at DNS-TTL instead of a token that lives until it expires. You can even DANE-pin the very
key your Agent Card already signs with.

**The agent id is the public handle — the /128 is its cryptographic counterpart.** An agent
id or Agent Card URL is a known, structured identifier that flows through every A2A
exchange; useful for interoperability, but not a secret. The /128 is bound to the agent's
key *and* its id — so the id alone yields nothing: you cannot go agent-id → /128 without
the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object,
never the agent's whereabouts. Because the derivation is **tenant-bound**, the same agent
under two platforms yields two unrelated /128s — no one can link it across marketplaces.

**Lifecycle, end to end.** Key at spawn → in-flight transacting → compromise `revoke`. A
key rotation re-keys to a new /128 and revokes the old one; a decommission or a change of
operator is one `revoke` and a re-register. Compromise one agent and you've compromised
*that agent*, not your fleet — the "one token, a whole fleet" failure mode is structurally
removed. And nothing is issued in the dark: every mint and every revoke lands in a public,
Bitcoin-anchored [transparency log](/docs/commerce-compliance) you and your regulator can audit.

> **"Be honest — what doesn't a verifiable identity fix?"**
> Plenty, and we'll say so. A verifiable identity proves *which agent acted, for whom, and
> lets you bound and revoke its authority.* It does not, by itself, stop a
> legitimately-authenticated agent from making a bad purchase, prevent prompt-injection of
> the agent's own reasoning, or substitute for custody of the signing key. It's the missing
> anchor the payment rails were built without — and it makes every *other* control (spend
> caps, mandate scope, injection defense, human approval) enforceable and auditable. The
> anchor, not a replacement for the guardrails on top.

Maps to the evidence needs of **Visa Trusted Agent Protocol**, **Mastercard Agent Pay**,
**PSD2 / PSD3** delegated-authority, and the **KYA "agent passport"** — a verifiable,
revocable subject to bind mandate evidence to. Whisper is *not* a payment processor and
does not itself perform SCA; it supplies the identity and governance that make those
controls enforceable. [See the compliance map →](/for-merchants)

---

## See who checked your agent — before it transacts. Govern what it can spend.

An identity you can prove is also an identity you can *watch*. Because every agent's name
resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who
verified it — an early signal, not a post-mortem — and can govern precisely what each agent
may reach, pay, and pin.

```
who checked this agent        ┌──────────────┐        govern it · default-deny
 merchant checkout   ──lookups─▶│  Agent /128  │──ops──▶  op:firewall — host·cidr·port
 x402 facilitator              │ 2a04:2a01:…  │          op:budget   — cap spend/traffic
 peer A2A agent                │ DNSSEC·DANE  │          op:policy   — allow merchant only
 (op:lookups tripwire)         └──────┬───────┘          op:revoke   — kill, DNS-TTL
                          pin-a-wallet → x402 / AP2 instrument
```

- **Who checked this agent is a query.** `op:lookups` returns who resolved or RDAP-queried an agent's identity — an early signal that a merchant, a facilitator, or a peer agent is verifying you before transacting, or that someone is enumerating your fleet. A tripwire, not a post-mortem.
- **Pin a wallet to the agent.** Bind the x402 `from` wallet — or an AP2 payment instrument — to the verifiable, revocable /128, so a facilitator resolving the address gets a *known, revocable* agent, not an anonymous EOA. The wallet↔agent link x402 lacks and AP2 defers to FIDO. [Pin-a-wallet →](/docs/commerce-recipes)
- **Per-agent firewall, budget, kill-switch.** `op:firewall` allow/deny by host, cidr or port; `op:budget` caps an agent's traffic and spend; `op:revoke` cuts a rogue agent off worldwide in one call. Bounded authority made *enforceable and auditable* — not just declared in a mandate.
- **Agent-to-agent trust, both ends.** Before two A2A agents transact, each resolves the other's /128 and checks the DANE chain — mutual verification the transport leaves out. Sign an agent's receipts to its forge-proof /128 so a marketplace and dispute resolution trust the record came from the real agent. [A2A-trust →](/docs/commerce-recipes)

The same *address-is-identity* primitive that governs a rogue agent also governs the fleets
your marketplace and payment platform are about to run — per-agent /128, per-agent logs,
default-deny egress, one `revoke`. From day one.

---

## Prove it in 60 seconds · no account

Two tiers, by design. **No key:** anyone can verify an agent's identity, resolve it, and
back-trace a suspicious counterparty — trustless, anchored at the IANA root. **Your key:**
bind an agent to the id it already carries, govern its egress and spend, revoke it worldwide.

```sh
# keyless — re-derive and verify any agent's identity, trustless
$ whisper verify --trustless 2a04:2a01:9c2::a17
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) leaf matches the agent's Agent Card signing key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32
  identity: VERIFIED — and our own API was never trusted

# the address is the agent — reverse DNS names it
$ dig -x 2a04:2a01:9c2::a17 +short
  agent-7f3a.acme-shopper.whisper.online.

# who really operates a suspicious counterparty — the real graph API, a CALL whisper.identify()
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.72.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 41 exit IPs → 1 operator
```

```sh
# bind an agent to the id it already carries, and govern it
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the agent key>',
       device_id:'acme-shopper.example/agents/checkout-7f3a'}})"   # device_id = the agent id
  → identity 2a04:2a01:9c2::a17   DNSSEC + DANE live
$ whisper policy set --default deny --allow api.merchant.example,x402.facilitator.example
$ whisper kill --revoke 2a04:2a01:9c2::a17   # worldwide, at DNS-TTL
```

Verify your agents → <https://console.whisper.security/sign-up> · Read the [docs](/docs).

---

## Where Whisper fits

**They authorize the payment. Whisper proves the agent — to anyone, without trusting us.**
The agent protocols move the task (**A2A**) and authorize or settle the payment (**AP2**
authorizes, **x402** settles, the card networks run the rails) — necessary, and Whisper
never redefines or replaces them. We are also *not* the only DNS-anchored agent-identity
effort: a newer set of peers — OWASP's **Agent Name Service (ANS)**, the agentcommunity
**AID** (`_agent` DNS TXT), the IETF's **DNS-AID / BANDAID** work, Identity Digital's
**DNSid** — anchor an agent *name* or ownership record in DNSSEC, and they're right that
DNS is the neutral root. We cite them with respect and don't claim to have invented the
category. The honest difference is the *shape* of what we anchor: not a name or a label, but
a **routable /128** — identity, reachability, and egress governance in one primitive —
derived from the agent's existing key, revocable at DNS-TTL, with a wallet pinnable to it
and a cross-platform attribution graph behind it.

| | Agent protocols & card rails | DNS-anchored peers (ANS / AID / DNSid) | Whisper |
|---|---|---|---|
| Move the task · authorize + settle the payment | ✓ | — | *additive — we never settle* |
| **Publicly verifiable** without trusting the issuer (open DNSSEC/DANE root) | — | ✓ | ✓ |
| Identity is a **routable** address (+ egress governance) | — | — (a name/record) | ✓ |
| Revoke a compromised agent at DNS-TTL, one call, anyone verifies | — | partial | ✓ |
| Wallet **pinned** to a verifiable, revocable identity | — (wallet is the identity) | — | ✓ |
| Cross-platform attribution + a2a-trust in public infra | — | — | ✓ |

It's depth on top of the stack you already run — it can DANE-pin the same key your Agent
Card already signs with, complements A2A / AP2 / x402 and the card rails, and lands as a
machine-readable feed into your fraud stack — the Splunk and Microsoft Sentinel connectors ship today. It doesn't replace them, and it doesn't add a console
your analysts babysit.

For A2A specifically: its own maintainers are debating a *centralized* registry (issue
#1672, getagentid.dev) to make Agent Card identity verifiable. Whisper is the
**decentralized**, DNSSEC/DANE alternative to the same problem — additive to A2A, not a
competing protocol. [See the full comparison →](/compare)

---

## Built for the people who eat the chargeback

**Additive to your stack. Mapped to the agent rails. Availability-safe by construction.**
Three planes on one primitive — identity, attribution graph, egress governance — and all
three exit into the stack you already run, not a new silo. The Splunk and Sentinel feeds ship today; STIX/TAXII and CEF/ECS export are on the roadmap.

- **Evidence for the chargeback fight & KYA.** Every agent request → a revocable, publicly-verifiable identity and its egress /128 — attribution for the dispute, an allowlist entry that's public and DNSSEC-anchored. Supports Visa TAP, Mastercard Agent Pay, and the KYA "agent passport." [See the map →](/for-merchants)
- **Nothing issued in the dark.** Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable trail for a dispute or a regulator. *Honest status:* tamper-evident today, independent witnessing is the next step.
- **Additive & availability-safe.** It rides existing DNS/IPv6 and adds no inline checkout chokepoint. If a counterparty authorizes against the DANE/verify path, that plane is built to fail open — a Whisper outage never blocks a sale; checks degrade to your existing anchors. Anycast on AS219419, no single node in the path.
- **One identity across every protocol.** The same verifiable /128 an agent presents to A2A, AP2, x402, MCP *and* any merchant — not three network directories. Derived from the key it already has, no per-network onboarding, verifiable by anyone with `dig`.
- **Not a payment processor — the layer beneath.** Whisper never settles, tokenizes a PAN, or performs SCA. It supplies the verifiable, revocable agent identity and governance that make spend caps, mandate scope, and fraud controls *enforceable and auditable* — the anchor, not the rail.
- **A vendor that will still be here.** Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. POC → pilot → enterprise, keyless to start. [See pricing →](/pricing)

---

## Give every AI agent a payment identity the counterparty can verify.

The address is the agent — routable, DNSSEC-anchored, bound to the id it already carries,
pinnable to a wallet, revocable worldwide in one call. Keyless to try, one call to
provision, one more to revoke.

Verify your agents → <https://console.whisper.security/sign-up> · [For merchants →](/for-merchants)

Or run `whisper verify --trustless` right now.

---

*Whisper for Commerce · Identity on the wire for AI commerce agents · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
