# Whisper for Commerce — device identity on the wire for AI commerce agents. This is commerce.whisper.online. The marketing story here is told for the payments, fraud and platform-risk team; the console and the whole system behind it are the same as whisper.online. Read it in full — written so both an agent and a person can act on it. ## The problem it solves Anyone can publish a self-asserted A2A Agent Card and present a bearer token portable to any IP, then transact on a buyer's or merchant's behalf — indistinguishable from the real agent because it speaks the same protocol (A2A / AP2 / x402). The Agent Card's signature is recommended, not mandated, and even when signed nothing proves the key belongs to the claimed agent; AP2 defers agent identity to FIDO; x402's identity is a bare wallet key. The root cause is broken authentication (OWASP API BOLA / LLM01): the credential authenticates a claim, never the machine. Undetectable at the network layer, because the attacker rotates egress across clouds and residential proxies — and a "revoked" agent keeps its registration and transacts elsewhere. ## The cure — make it an identity problem Give every commerce agent a routable IPv6 /128 (from 2a04:2a01::/32, AS219419) DETERMINISTICALLY derived from the key it already holds, with its agent id — the A2A Agent Card id, the AP2 mandate signer, or the x402 wallet — as the domain separator. DNSSEC-anchored, DANE-EE pinned, RDAP-registered, verifiable trustlessly with `whisper verify --trustless`. The counterparty then authorizes on the agent's pinned identity, not a stealable token: one wallet key fanned across thousands of agents becomes impossible, IP rotation is irrelevant, replayed mandates fail, and one revoke kills a rogue agent worldwide at DNS-TTL. Additive to A2A, AP2 and x402 — complements them, never replaces. ## Pages - / Home — the fraud step by step, the two structural gaps, and the cure - /agent-fraud The agent-fraud cure, end to end - /platform The three planes + where they fit the stack you already run - /for-merchants For merchants: fraud/risk + SOC fit, PCI DSS / 3-D Secure / bot-management - /compare Honest comparison — additive, not a replacement - /pricing Flat, predictable pricing - /docs The full technical documentation for Commerce ## Verify it yourself (keyless, no API key) whisper verify --trustless dig -x # forward-confirmed reverse DNS curl https://whisper.online/verify-identity/ curl https://whisper.online/ip/ ## Provision (with a Whisper API key) Control plane: POST https://graph.whisper.security/api/query (header: X-API-Key: whisper_live_xxx) CALL whisper.agents({op:'register', args:{...}}) # mints the /128 identity # Pass your agent id as device_id (A2A Agent Card id / AP2 mandate signer / x402 wallet); # a first-class typed --agent arg is on the roadmap. Console: https://console.whisper.security ## The operator Operator: Whisper Security (viaGraph B.V.), Amsterdam, NL. Network: AS219419, IPv6-only, RPKI-signed, MANRS-compliant. AS219419 announces 2a04:2a01::/32, one /128 per commerce agent.