# The rails moved the money. Not one of them can prove which agent is spending it.

A2A moves the task, AP2 signs the mandate, x402 settles onchain — and not one of them can tell a merchant or a facilitator which agent is really on the other end, or revoke it when it's compromised. So the card networks shipped a framework just to help merchants tell malicious bots from legitimate agents — the ecosystem conceding it can't. Whisper isn't another bot-filter or a walled-garden registry. It's one primitive — the address is the identity — expressed as three planes that ride on top of the rails you already run.

Derive an agent's identity once from the key it already signs with — its A2A Agent-Card key, its AP2 mandate signer, its x402 wallet — and verify it anywhere with `dig`. That one primitive becomes three planes — identity, an attribution graph that survives IP rotation, and governance you can pin a wallet to and revoke at DNS-TTL — standing on real routable space at AS219419, anchored at the IANA root. Our API is never in the trust path.

whisper verify --trustless — anchored at the IANA DNS root. Our own API is not in the trust path.

- 7.44B nodes in the live attribution graph — BGP, DNS, WHOIS, TLS, JA3/JA4, threat intel
- 39.3B fused relationships across that graph
- <300ms attribution answers, kept off the checkout hot path
- AS219419 — our own autonomous system, real routable space
- 2a04:2a01::/32 — every agent identity derives from here
- 0 — cross-platform agent revocation shipped by A2A, AP2, x402 or MCP (verify their specs)

## Everything below derives from one line: the address is the identity.

A routable IPv6 /128 out of `2a04:2a01::/32` (announced by AS219419), deterministically derived from a key, DNSSEC-anchored, DANE-EE pinned, RDAP/WHOIS-registered — re-derivable and verifiable by anyone with `dig`.

Every agent-payment stack today authenticates an agent by a bearer credential — an API key, an OAuth token, a self-published Agent Card — that grants access to whoever holds it, not to a verified identity. Steal the token and you are the agent. Non-human identities already outnumber humans ~82:1 and climbing past 100:1, and 480,000+ agents have already settled onchain payments with nothing but a pseudonymous wallet behind them. Whisper starts from the other end: it gives the agent an identity that is its address, cryptographically bound to a key it already holds, and publicly verifiable without trusting the issuer. Point it at a shopping agent, a merchant agent, or an MCP server, and the question "which agent is this?" stops being a guess and becomes a fact anyone can check with `dig`. Three products fall out of that one primitive — not three integrations you wire together, three faces of the same address.

## One address, three jobs: which agent is this, who's really behind it, and what may it pay and reach.

Identity answers which agent is this, provably. The attribution graph answers who's really behind an agent that rotates its egress. Governance answers what may it pay, reach, and spend — and how fast can I kill it. Each plane is useful alone; together they close the gaps every agent-payment protocol left open.

- **Identity** — which agent is this, provably (the agent proves it, no one forges its card): device_id = agent id · DNSSEC · DANE-EE · per-agent CA
- **Attribution graph** — who's really behind it, across rotating clouds + residential: identify · origins · walk · history · JA4 · Cypher
- **Agent governance** — what may it pay & reach, every agent on its own routable address: per-agent /128 · policy · firewall · budget · lookups · revoke
- **The base primitive** — THE ADDRESS IS THE IDENTITY · AS219419 · 2a04:2a01::/32

## An agent identity a counterparty verifies against — not a self-asserted card anyone can clone.

This is the plane that closes the core vacuum: a shadow-cloned Agent Card at a plausible domain that A2A never told anyone how to verify. Bind trust to the agent's own key, not to a JSON file it published about itself.

Point the primitive at agents. Derive each agent's /128 from the key it already holds — the key behind its A2A Agent-Card signature, its AP2 mandate signer, or its x402 wallet — with the agent id as the `device_id` domain separator. The private key never leaves the agent; the address is a one-way function of its public half and that id. A counterparty then trusts the agent's pinned identity, not a card that whoever holds it could re-publish — and a forged card with no key behind it verifies to nothing.

A DANE-EE (TLSA) record binds the Agent Card's signing key to the agent's own DNSSEC-anchored /128 — so "this card belongs to THIS agent" is stronger than a CA's "belongs to the domain." One leaf key per agent; never a shared root; revocable in one call.

**"A2A already ships Signed Agent Cards. Why isn't a JWS-signed card enough to prove the agent?"**

Because it's self-asserted, verified only against the domain, and can't be revoked. A Signed Agent Card proves the card was issued by the domain owner via web PKI — not that this agent holds the key, and with no per-agent revocation at all. Whisper DANE-pins the card's signing key to the agent's own /128: a verifier resolves the address, checks the DNSSEC-signed TLSA, and gets "this card belongs to this agent" — then one `revoke` pulls the record worldwide. It's the DNS-anchored, decentralized alternative to a central agent registry — exactly the trade-off the A2A community is weighing in issue #1672.

**A per-identity CA, not a shared root.** Each /128 carries its own leaf, deterministically derived and DANE-EE pinned — one key per agent. There is no issuing intermediate whose compromise mints look-alikes, and no shared secret an attacker steals once to forge every agent. Compromise one agent and you've compromised that agent — the single-CA-breach failure mode is structurally removed. And the agent's web identity ties in cleanly: a `did:web` document resolves alongside the /128, so an agent's DID and its routable address point at the same verifiable key.

**The agent id is the public index — the /128 is its cryptographic counterpart.** The agent id and the Agent-Card URL are public by design; that's what a shadow-clone weaponizes. But the /128 is bound to the agent's key as well as the id, so the id alone yields nothing: you cannot go id → /128 without the key, there is no enumerable directory, and RDAP/reverse-DNS return the registry object, never the agent's live whereabouts. Because the derivation is tenant-bound, the same agent under two operators yields two unrelated /128s — no one can link it across platforms without being told.

**"Isn't DNS-anchored agent identity already a crowded category — DNSid, ANS, DNS-AID all landed in 2026?"**

It is, and we don't claim to have invented it. Identity Digital's DNSid, the Agent Name Service and DNS-AID all anchor an agent to a domain via DNSSEC — good company to keep. But they anchor a name or an ownership record (DNSid, by its own words, "does not authenticate agents or enforce run-time policy"); Whisper anchors a routable, revocable /128 derived from the agent's existing key, with egress governance, pin-a-wallet and a cross-platform attribution graph on top. We're the working identity layer on top of the record they register — additive there too.

Attaches to what the agent already presents — the A2A Agent Card, an AP2 mandate VC, an x402 wallet, an MCP server URI, a Cloudflare Web Bot Auth key (RFC 9421) — as the publicly verifiable, DNSSEC/DANE-anchored layer on top. No bespoke CA trust store, no network membership; revocation at DNS-TTL speed instead of a token that outlives its breach. [Agent-identity docs →](/docs/agent-identity)

## Attribution that survives IP rotation — because it fingerprints the operator, not the exit.

This is the plane that closes the other gap: a compromised agent that rotates across Amazon, Google and Azure or a residential-proxy swarm until a merchant only ever logs a meaningless last IP — and correlates nothing across sessions or platforms.

A live internet-infrastructure graph — 7.44B nodes and 39.3B relationships of fused BGP, DNS, WHOIS, TLS, hosting and threat intelligence, answering in under 300 ms — pulls two levers, kept honestly separate. For cloud rotation it clusters shared ASN, hosting and certificate lineage into one infrastructure genealogy. For a residential-proxy swarm — where a subscriber IP gives an infra graph nothing to grab — a `JA4/JA3` client fingerprint travels with the tooling regardless of the exit and collapses the swarm to one operator. The egress IP is the one thing this plane never relies on — which matters when a compromised agent integration can spread across 700+ trust domains in ~10 days and no per-platform block ever names the operator behind it.

**"When a rogue agent rotates residential proxies and fresh cloud IPs across platforms, can you actually attribute it — or just rate-limit an IP and move on?"**

Attribute it. Infrastructure genealogy collapses the cloud rotation; a JA4 client fingerprint collapses the residential swarm. Every answer returns a reproducible, replayable JSON evidence chain your fraud team, your acquirer and a regulator can hand around. Cross-platform reputation stops being per-domain and becomes one shared, checkable fact.

### `identify(ip)`

Who really operates a host — even behind a CDN, across any cloud or facilitator.

### `origins(prefix)` + `walk(node,depth)`

Cluster rotating IPs into one infrastructure genealogy.

### `history` / `watch`

A timeline of an operator and a standing sentinel — plus `variants(domain)` to catch typosquat storefront and facilitator domains before they activate.

### read-only Cypher

Express "one source presenting N distinct agent identities in a window" as a query your agent runs — not a ticket a fraud analyst files.

Additive to your fraud stack and SIEM — the same fingerprints power external attack-surface mapping and dependency blast-radius (if a facilitator or cloud region goes dark, which agents lose settlement). [Trace the full back-trace →](/agent-fraud)

## Govern what an agent may pay, reach and spend — and pin a wallet to the agent that owns it.

An identity you can prove is also an identity you can bound. The same primitive that names an agent lets you cap it, watch who's checking it, pin a wallet to it, and kill it worldwide in one call.

### Default-deny egress, per agent

`op:policy` + `op:firewall` let each agent egress from its own /128 and allow only the facilitators, merchants and APIs it should reach — allow `facilitator.x402.org` and your PSP, block everything else, by host, cidr or port.

### Budget cap + kill-switch

`op:budget` caps an agent's traffic and spend and arms a kill-switch; `op:revoke` tears down the /128, its PTR and its DANE pin worldwide at DNS-TTL — a compromised agent is dead across every merchant, not just the one that noticed.

### Who checked this agent is a query

`op:lookups` returns who resolved or RDAP-queried an agent's identity — an early-warning tripwire that a merchant or peer is vetting your agent, and a verification-analytics stream you owned nowhere before.

### Pin a wallet to the real agent (roadmap)

Bind an x402 `from` wallet to the agent's DANE-anchored /128, so a facilitator resolving the address knows which real, non-revoked agent is paying — converting a pseudonymous wallet into an accountable one without touching the onchain flow. Built on the shipped /128; see the flow and honest status below.

**The pin-a-wallet flow.** A shopping agent presents its A2A Agent Card and an x402 payment signed by its wallet. Before honoring the HTTP 402, the merchant or facilitator resolves the agent's domain to its /128, checks the DNSSEC-signed DANE-EE TLSA that pins the Agent Card signing key, confirms via RDAP that the identity is registered and not revoked, and confirms the paying wallet is pinned to this verified agent — then honors the payment. If the agent is later revoked, its identity is dead across every merchant even though the wallet's EOA key itself can never be revoked.

**"So pinning a wallet stops a compromised agent from paying?"**

Honest scope: it makes the payment attributable, boundable and revocable — it doesn't override the money layer. Verifiable identity closes the "which agent / for whom / prove it / attribute it / revoke it" gaps the payment protocols left open, and makes every other control — mandate scope, spend caps, human approval, injection defence — enforceable and auditable. It does not stop a legitimately-authenticated agent making a bad purchase, prompt-injection of the agent's own reasoning, or a thief who has stolen the private key itself. It's the missing anchor the rails were built without — not a substitute for the guardrails on top.

**Honest status.** The verifiable, revocable /128 a wallet pins to — and the control plane that governs it (`policy`, `firewall`, `budget`, `lookups`, `revoke`) — are shipped and live today. The first-class pin-a-wallet binding and sign-outputs (signing an agent's payloads for non-repudiation) are on the roadmap, built on that same primitive — they add nothing to the trust root you can't already check with `dig`.

The A2A, AP2, x402 and MCP surfaces the ecosystem is racing to secure — governed by the same address-is-identity primitive, from day one. [Pin-a-wallet & a2a-trust recipes →](/docs/commerce-recipes)

## The three planes ride on top of A2A, AP2, x402 and MCP — never redefining the protocol, never settling the payment.

Whisper anchors the agent's identity, not the interop message or the money. Each row is a proposed integration onto a rail you already speak — the device-identity /128 is the one capability that is shipped and live today. Every one is additive: it complements whatever authorizes the task or settles the transaction, and the identifier field it DANE-pins already exists and is stable.

| Rail / standard you run | Where a plane plugs in | Complements — does not replace |
|---|---|---|
| **A2A · the Agent Card** (/.well-known/agent-card.json, JWS signature) — strongest wedge | **Identity.** DANE-pin the card's `url` / `AgentCardSignature` signing key to the agent's /128: a verifier resolves the address and checks the DNSSEC TLSA → "this card belongs to this agent," stronger than a CA's "belongs to the domain" — and `revoke` is the primitive A2A lacks. | Complements A2A discovery + Signed Agent Cards — Whisper never defines the card or the transport; it anchors and revokes it. |
| **AP2 · the Mandate chain** (W3C VC, ECDSA P-256 — Intent/Cart/Payment) | **Identity.** Bind the mandate signer's `verificationMethod` key to a DANE-anchored /128, so the Credentials Provider and merchant independently confirm "this Shopping-Agent key = verifiable agent X" — the agent-identity + accountability AP2 explicitly defers to FIDO. | Complements the mandate VCs — Whisper never authors the mandate or moves the funds; it identifies the principal that holds it. |
| **x402 · the facilitator** (HTTP 402, EIP-3009 transferWithAuthorization) | **Governance + identity (pin-a-wallet).** Bind the `from` wallet to the agent's DANE-anchored /128; the facilitator resolves the address → a verifiable, non-revoked agent before honoring the 402 — turning a pseudonymous EOA into an accountable, revocable payer, with no onchain-flow change. | Complements x402 settlement — Whisper never settles; it names and revokes the wallet's agent. |
| **MCP · server identity** (OAuth 2.1 + PKCE, RFC 8707 resource) | **Identity + governance.** DANE on the /128 gives a DNSSEC-anchored server identity beyond CA-trust; a2a-trust addresses the confused-deputy / token-passthrough threat by having each side resolve-and-verify the other; DNS revocation complements short-lived bearer tokens. | Complements OAuth 2.1 — Whisper never issues the token; it anchors the server and revokes the identity. |
| **Visa TAP · RFC 9421** (HTTP Message Signatures, keyid @ JWKS) | **Identity.** DANE-pin the request-signing `keyid` to the /128 and cross-check the JWKS — a publicly verifiable, root-anchored key directory instead of one network's central JWKS, checkable across networks with `dig` + `openssl`. | Complements Visa TAP / Mastercard Agent Pay + Cloudflare Web Bot Auth — additive and cross-network, never bound to one network's PKI. |
| **ANS · DNS-AID · DNSid** (SVCB `_ag` + Web Bot Auth — the DNS-anchored peers) | **Interop.** Where these anchor a name, an ownership record or a discovery label in DNS, Whisper anchors a routable, revocable, wallet-pinnable /128 with egress governance + attribution — the working identity layer on top of the record they register. | Complements the DNS-anchored entrants — additive, not a claim to have invented the category. |

Read together, these are the seams the agent-payment protocols left open — no forge-proof identity, no cross-platform attribution, and, most sharply, no revocation protocol: when one domain revokes a compromised agent, connected domains have no standard way to hear it, so a "revoked" agent keeps working elsewhere. That's not a latency problem — it's a missing protocol, and it maps onto the accountability PSD2 and the emerging agent-payment frameworks assume. Whisper is that missing anchor: one `revoke`, verifiable by anyone with `dig`, everywhere. [Integration docs →](/docs/commerce-integrations)

## Five things you can't stand up overnight — and a competitor can't clone from a slide.

A platform is only as durable as what sits underneath it. Whisper's three planes rest on five load-bearing pillars, each a real, checkable fact rather than a claim on a roadmap.

### Real routable space, not a namespace we invented

AS219419 and `2a04:2a01::/32` are announced to the global routing table. You cannot allocate verifiable identities from address space you don't hold and can't announce — which is why this can't be reproduced with a database and a domain. It's the one thing that makes the address be the identity.

### A graph you accrete, not one you query once

7.44B nodes and 39.3B relationships of BGP, DNS, WHOIS, TLS, hosting and threat intel, built over years. Attribution across rotation is only as good as the history behind it, and history is the one thing you can't buy this afternoon.

### A per-identity CA, so blast radius is one

One deterministically-derived leaf per agent — DANE-EE pinned, never a shared intermediate. The single-CA-breach failure mode that has burned this industry before is removed by construction, not by policy.

### Registry-anchored and root-anchored

Every /128 is a real RDAP/WHOIS object, secured by RPKI route origin authorization, and the whole chain validates through DNSSEC to the IANA root. `whisper verify --trustless` checks an identity without trusting Whisper.

**"Agent-identity startups and DNS registrars are all rushing this space. What can't they copy?"**

The address itself, and the years behind the graph. A JWT issuer, a registry-of-record or a discovery label can be stood up in a quarter; real routable address space at AS219419, an accreted attribution graph, a per-identity CA and root-anchored DNSSEC cannot. Whisper is the one where the identity is a routable network address — so egress governance, DNS-TTL revocation and pin-a-wallet fall out of it. You can verify every claim on this page yourself, today, without an account.

## Exercise all three planes yourself — our API isn't in the trust path.

Two tiers, by design. No key: verify an agent's identity and fetch its DANE-pinned Agent Card — the identity plane, trustless, anchored at the IANA root. Your key: back-trace a rotating agent across any cloud, provision an agent, govern what it may pay and reach, revoke it worldwide.

```
# plane 1 — re-derive and verify any agent's identity, trustless
$ whisper verify --trustless 2a04:2a01:c0::a9e7
  ✓ DNSSEC chain valid to the IANA root
  ✓ DANE-EE (TLSA) pins the agent's Agent-Card signing key
  ✓ RDAP: registered under AS219419 · 2a04:2a01::/32 · not revoked
  identity: VERIFIED — and our own API was never trusted

# the address is the agent — reverse DNS names it, and the card is DANE-pinned to it
$ dig -x 2a04:2a01:c0::a9e7 +short
  agent-7f3a.pay.example-store.whisper.online.
$ curl -s https://agent-7f3a.pay.example-store.whisper.online/.well-known/agent-card.json | jq .name
  "example-store checkout agent"

# plane 2 — with your key, attribute who really operates a rotating agent via the public graph API
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: whisper_live_xxx" \
    -H 'content-type: application/json' -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
  operator:  <fingerprinted> · seen across AWS / GCP / Azure
  residential swarm collapsed by JA4: same tooling, 63 exit IPs → 1 operator
```

```
# plane 1 — give an agent a name it can prove, from the key it already signs with
$ export WHISPER_API_KEY=whisper_live_xxx
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'connect', args:{tier:'wireguard',
       identity_public_key:'<base64 SPKI of the agent signing key>',
       device_id:'did:web:pay.example-store.whisper.online:agent-7f3a'}})"   # device_id = the A2A agent id
  → identity 2a04:2a01:c0::a9e7   DNSSEC + DANE live
# plane 3 — govern what it may reach, cap its spend, see who's vetting it, kill it
$ whisper policy --default deny --allow api.stripe.com,facilitator.x402.org   # what it may reach
# cap the agent's spend + requests and arm the kill-switch — budget rides the allowlisted op:firewall
$ curl -s https://graph.whisper.security/api/query -H "X-API-Key: $WHISPER_API_KEY" --data-urlencode "q=CALL whisper.agents({op:'firewall', args:{agent:'2a04:2a01:c0::a9e7',
       budget:{cost_usd:500, requests_cap:100000}}})"
# see who resolved or RDAP-queried this agent before it transacts — keyless recon tripwire
$ curl -s https://whisper.online/ip/2a04:2a01:c0::a9e7/lookups | jq .lookups
$ whisper kill --revoke 2a04:2a01:c0::a9e7   # worldwide, at DNS-TTL — dead across every merchant
```

## Three planes, and all three exit into the stack you already run — not a new silo.

### Feeds your SIEM, not another console

A machine-readable feed into your fraud + security stack: the Splunk, Microsoft Sentinel and OpenCTI connectors ship today. Findings map to CEF and ECS fields and arrive as a signed, replayable JSON evidence chain — STIX 2.1 over TAXII export on the roadmap.

### Nothing issued in the dark

Every identity mint and every revoke lands in a public, append-only RFC 6962 Merkle transparency log, Ed25519-signed and anchored to Bitcoin via OpenTimestamps — an auditable, non-repudiable issuance trail. Honest status: tamper-evident today; it speaks C2SP `tlog-witness`, but independent witnessing is the next step.

### In your checkout path — and safe there

If a facilitator authorizes against the DANE/verify path, that plane is built to fail open: a Whisper outage never blocks a legitimate payment — checks degrade to your existing anchors. Two servers, one truth — ns1 and ns2 answer identically, active/active, no single node in the path.

### Flat, predictable pricing

Per-agent/year and flat — not per-transaction, not usage-metered. Against agentic-commerce economics that's a line item you can forecast. [See pricing →](/pricing)

### On-prem or your own tenant

Data residency and GDPR by construction — the graph and the per-agent logs stay where your regulator needs them, with salt-erase (Art.17) that keeps the transparency proofs valid.

### Where it fits vs. what you run

Additive to A2A, AP2, x402 and the card networks — the identity layer they were built without. It makes your fraud stack sharper; it doesn't replace it. [See the comparison →](/compare)

## One primitive. Three planes. Prove which agent is spending the money.

Identity derived from the agent's own key, an attribution graph that survives IP rotation, and governance you can pin a wallet to and revoke — additive to A2A, AP2 and x402, priced so you can say yes. Keyless to try, one call to provision, one more to revoke.

Or run `whisper verify --trustless` right now.
