Whisper · Docs
Commerce

Commerce compliance: PSD2/SCA, the agent-payment protocols & the EU AI Act

PSD2 strong customer authentication, the card networks' new agent-payment rails (Visa Trusted Agent Protocol, Mastercard Agent Pay, ACP, AP2, x402), MCP and the EU AI Act all press an agent-commerce stack on one question: which agent is transacting, is it still authorised, and can you prove it and revoke it?

A checkout gated by an API key or an OAuth bearer token cannot answer that: a bearer credential grants access to whoever holds it, not to a verified agent. A routable, DANE-provable, one-call-revocable IPv6 /128 per agent can. It produces the identity, the attribution and the kill-switch these frameworks want as evidence, not as a paragraph in a policy binder. This page is the honest map of where that evidence fits, and, just as important, where it does not. Whisper is the identity layer beneath the payment; it never sits inside the payment message or the settlement rail.

How to read this page. We grade every framework into one of three verdicts and never blur them. DIRECT-ADDITIVE: Whisper produces evidence or a cryptographic anchor that maps to the control (one input to your package, never the whole standard). COMPLEMENTARY: the protocol carries its own identity/trust model; Whisper sits alongside it, DANE-anchors the identifier it already uses, and adds the revocation it lacks, but does not redefine or replace it. DO-NOT-CLAIM: things Whisper is honestly not; we list them so nobody over-claims. The /// column grades how tight the technical mapping is: full, partial, marginal or none. That's a different axis from the verdict.

What every framework is really asking

Read the agentic-commerce specs and the payments regulation side by side and the same three questions surface, phrased in a dozen vocabularies:

None of these is a logging problem you fix with more log lines. They are identity problems: you cannot attribute, monitor or contain an actor that has no stable, provable identity in the first place. Here is the load-bearing finding of the whole standards survey, verified across A2A, AP2, x402, MCP, Visa TAP and Mastercard Agent Pay: none of them anchor agent identity in DNS/DNSSEC. Trust today is a signed document over web PKI (A2A, MCP), an opaque public-key reference in a verifiable credential (AP2), a pseudonymous blockchain address (x402), or a proprietary per-network directory (Visa's JWKS, Mastercard's registry). A2A, AP2, x402 and MCP have no agent revocation at all; Visa and Mastercard have revocation, but only inside their own walled garden. "Which agent, really, and can I revoke it globally" is unsolved or single-vendor everywhere. Whisper's job is to give every agent an identity that is globally addressable, publicly verifiable and universally revocable, then let each protocol and each auditor read the evidence off it.

Three verdicts, stated up front

Here is the grading rule before a single row of the map, because a commerce-compliance page that claimed to "make you PSD2-compliant" or "perform SCA" would be lying. Whisper is a network primitive. Against a given framework it does exactly one of three things, and we mark which:

grade every framework honestly, never blur the three Read the framework what does it ask? DIRECT-ADDITIVE Whisper produces the evidence / the anchor: one input to your package EBA SCA-delegation · dispute attribution KYA P1+P4 · NIST NCCoE · OWASP ASI03 COMPLEMENTARY sits alongside · DANE-anchors the identifier · never redefines it A2A card · AP2→FIDO · x402 · MCP Visa TAP · Mastercard Agent Pay · EU AI Act DO-NOT-CLAIM frameworks Whisper is honestly not SCA conformity · PSP / settlement · PCI-DSS · intent
The honesty rule is the whole point of this page: a network primitive earns a verdict per framework, and we mark DIRECT-ADDITIVE, COMPLEMENTARY or DO-NOT-CLAIM so a merchant, a PSP's risk team, an auditor and a regulator all read the same thing.

The evidence: real, and shipped

Everything this page grades DIRECT-ADDITIVE rests on primitives that exist and answer today. Each is checkable with dig, curl, or one control-plane call over the public API: POST https://graph.whisper.security/api/query with your X-API-Key.

Shipped & live. The device-derived /128, per-/128 logs, op:lookups, per-agent op:policy / op:firewall / op:budget, one-call revoke, the Merkle transparency log and the attribution graph are in production. The Splunk connector ships. Everything grouped under roadmap below is labelled as such. Nothing on this page is described as working unless you can reproduce it.

A device-derived /128 identity

An agent already holds a key: the signing key behind its A2A Agent Card, the verificationMethod that signs its AP2 mandates, a TPM, or a secure element. Whisper derives a deterministic IPv6 /128 from that key's public SubjectPublicKeyInfo, with the agent id as the domain separator, passed as the generic device_id argument. The address is tenant-bound (fleet-unlinkable to an outsider), DNSSEC-anchored, DANE-EE 3 1 1 pinned, and RDAP-registered. Re-deriving from the same key and agent id yields the same /128; nothing new to store. The agent id alone yields nothing: you cannot go agent-id → /128 without the key.

# Provision an agent identity from the key it already holds (control plane, live).
# identity_public_key is the base64 SPKI of the agent's own signing key.
CALL whisper.agents({op:'connect', args:{
  tier:'wireguard',
  identity_public_key:'<base64 SPKI of the agent key>',
  device_id:'agent_01J9Z8ER2MQK3'   // your agent id, the same id your A2A card / AP2 mandate carries
}}) YIELD op, ok, status, result, error RETURN op, ok, status, result, error
# -> deterministic /128 + a WireGuard config. Same key + agent id -> same /128 (idempotent).
#    A different agent id on the same tenant -> 409; a non-string device_id -> 400. Never a 500.

agent_01J9Z8ER2MQK3 is a placeholder agent id: no real agent or operator is implied. The device_id argument is generic: pass whatever native identifier your agent already carries (an ACP/Agent-Pay agent id, a ULID, or a DID label). A first-class --agent-id CLI flag is on the roadmap; provision via the control-plane call above today, which is live.

Per-/128 logs, and who checked your agent

Because each agent owns a dedicated /128, every DNS lookup and connection it makes is unambiguously its: no shared-IP noise to reconstruct for the dispute file. And because the identity resolves through Whisper's own authoritative DNS and RDAP, you can also ask who is checking you: a merchant or facilitator resolving your agent's PTR/AAAA/TLSA before honouring a request is exactly the "is this a real, still-authorised agent?" lookup the card networks launched their frameworks to enable. Now it is a verification-analytics stream and a reconnaissance tripwire, not a post-mortem.

# The agent's OWN outbound activity, per-event: timestamp, kind, destination, decision, bytes
CALL whisper.agents({op:'logs',    args:{agent:'2a04:2a01:c0::a9e7', kind:'conn', from:'-24h'}})

# Reverse observability: WHO resolved this agent's PTR/AAAA/TLSA or hit its RDAP object, and when
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:c0::a9e7', window:'24h'}})
curl -s https://whisper.online/ip/2a04:2a01:c0::a9e7/lookups | jq   # same view, keyless

Govern the mandate: policy, firewall, budget

A verifiable identity is also a governable one. The same control plane that mints the /128 bounds what it may talk to, caps it, and kills it: the enforcement surface that turns a written mandate scope into a control that actually holds at the network boundary.

# Default-deny egress; allow only the merchant + the facilitator this agent is mandated to reach
CALL whisper.agents({op:'policy',   args:{agent:'2a04:2a01:c0::a9e7', default:'deny',
                                    allow:['checkout.example-shop.com', 'facilitator.example-psp.com']}})
CALL whisper.agents({op:'firewall', args:{agent:'2a04:2a01:c0::a9e7', deny:['0.0.0.0/0'], allow_port:[443]}})
CALL whisper.agents({op:'budget',   args:{agent:'2a04:2a01:c0::a9e7', cap:'250MB/day', on_exceed:'revoke'}})

One-call revoke: universal, not per-network

Containment, and the end of a mandate, is a single call. It tears down the /128, its PTR and its DANE record worldwide at DNS-TTL speed. This is the primitive the whole ecosystem is missing: today, when one domain revokes a compromised agent, connected domains have no standard mechanism to receive that signal. A public class of incident saw a compromised agent integration spread across 700+ trust domains in roughly ten days on stolen OAuth tokens, because revocation didn't propagate. Whisper's revocation is a property of the identity itself, so it is universal by construction.

CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:c0::a9e7'}})
# after the TTL:
dig -x 2a04:2a01:c0::a9e7 +short                          # -> empty
curl -s https://whisper.online/verify-identity/2a04:2a01:c0::a9e7   # -> {"is_whisper_agent": false}

The attribution graph

Turning a raw destination, or a suspicious counterparty in your logs, into "known-bad" or "clean" is a read-only query against the public graph API. Attribution survives IP rotation because it fingerprints the operator and the tooling (ASN and hosting genealogy for cloud rotation, a JA4/JA3 client fingerprint for a residential-proxy swarm), not the ephemeral egress IP, which is exactly what an impersonating agent rotates to evade correlation across sessions and platforms.

curl -s https://graph.whisper.security/api/query \
  -H "X-API-Key: whisper_live_xxx" \
  --data-urlencode "q=CALL whisper.identify('185.220.101.1')"
# -> what the address is, who operates it, threat-intel reputation, relationships:
#    a reproducible, replayable JSON evidence chain your fraud team and a regulator can replay.

The read-only verbs (identify, origins, walk, variants, history) run the same way, over an infrastructure-and-threat-intelligence graph of billions of nodes. That is the enrichment that turns a per-agent egress log into a detection.

The map, at a glance

Each row is a framework, what it asks for, how tight the technical mapping is ( full · partial · marginal / forward-looking · none), our verdict, and the shipped evidence behind it. Read the verdict column first: it is the load-bearing part.

Framework · control What it asks for Fit Verdict Whisper evidence / role (shipped)
EBA SCA-delegation (Q&A 6141) Issuer may outsource the technical provision of SCA but "remains fully responsible" DIRECT-ADDITIVE Pinned identity + one-call revoke = a cryptographic anchor for the delegated agent (who / still-authorised / instant-revoke), without shifting SCA liability
PSD2 dispute & liability allocation A durable, attributable subject across the four-party liability chain DIRECT-ADDITIVE Every request → a revocable, publicly-verifiable identity + its egress /128 + the attribution graph
KYA (Know Your Agent) Crypto identity (P1) · agent passport (P2) · machine-enforceable authz (P3) · continuous accountability (P4) DIRECT-ADDITIVE Delivers P1 + P4 outright (/128 + signed logs/lookups/transparency log); anchors P2/P3, not a KYA/KYC provider
NIST NCCoE Software & AI-Agent Identity · OWASP ASI03 A verifiable agent identity + the "attribution gap" fix for Identity & Privilege Abuse DIRECT-ADDITIVE A deployed DNSSEC/DANE implementation of the "agent passport" these describe abstractly
A2A Agent Card A per-agent identity + revocation the JWS-signed card lacks (trust root = the domain owner) COMPLEMENTARY DANE-pin the card's url / AgentCardSignature key to the /128; revoke = pull the DNS/RDAP record
AP2 mandate VCs → FIDO The agent identity/key layer AP2 explicitly defers to a standards body COMPLEMENTARY Bind the VC verificationMethod to a DNSSEC/DANE /128; a public, verifiable allowlist for agent_id
x402 Who owns this wallet / who is paying: the from EOA is pseudonymous & non-revocable COMPLEMENTARY pin-a-wallet binds the from address to the /128 → a known, revocable payer; never touches settlement
MCP authorization Server identity beyond CA-trust + revocation beyond token expiry COMPLEMENTARY DANE on the /128; a2a-trust for the confused-deputy / token-passthrough threat
Visa Intelligent Commerce / TAP An HTTP Message Signatures (RFC 9421) keyid resolvable at a public key directory COMPLEMENTARY DNSSEC/DANE is a public key directory; the neutral cross-network anchor next to Visa's JWKS, never replaces it
Mastercard Agent Pay / Agentic Token Agent registration + recognizability + real-time authorization pull COMPLEMENTARY The open identity + universal-revocation substrate alongside MDES; not MDES, does not tokenize the PAN
ACP (OpenAI/Stripe) The durable identity a single-use delegated-payment token points at for dispute attribution COMPLEMENTARY The /128 as the stable subject behind the delegated-payment record
EU AI Act (agents as AI systems) Traceability, logging, human oversight & accountability COMPLEMENTARY ¹ Per-agent identity + attributable logs + transparency log as evidence, not a conformity route
PSD2 / SCA conformity A strong-customer-authentication factor / a route to SCA compliance DO-NOT-CLAIM SCA authenticates a human; Whisper is evidentiary only, never an SCA factor
PSP / settlement · payment processing Settling funds, tokenizing the PAN, issuing Agentic Tokens DO-NOT-CLAIM Whisper does not move money or touch the card rails; it is the identity layer beneath them
PCI-DSS Protection of cardholder data in the cardholder-data environment DO-NOT-CLAIM Whisper never sees or stores cardholder data or the CDE
FATF Travel Rule (Rec. 16) Originator/beneficiary identification for VASP-to-VASP transfers (stablecoins in scope) DO-NOT-CLAIM pin-a-wallet gives the wallet↔identity attribution primitive, not VASP-grade KYC of the legal person

¹ COMPLEMENTARY against the EU AI Act's traceability/logging/oversight obligations for agents-as-AI-systems; Whisper supplies evidence, never a conformity assessment. PSD3/PSR final text was agreed 23 April 2026 and hands the EBA a mandate for a new SCA RTS. The RTS is not yet published, so any mapping to delegated-agent authentication under PSD3 is forward-looking, not a current certification.

DIRECT-ADDITIVE: the evidence and the anchor we produce

Where a framework asks a question the shipped primitives answer, Whisper is a concrete input to your compliance and fraud package. Never the whole standard: one verifiable control, with reproducible artifacts.

PSD2 / SCA: the delegation anchor, stated carefully

Start with the sharpest honesty on the page, because it is the one most tempting to fudge. PSD2 strong customer authentication assumes a human strongly authenticates; an autonomous agent is not the customer, and the EBA has ruled that the responsibility for SCA compliance "cannot be outsourced: issuers remain fully responsible" (Q&A 6141). Whisper does not, and cannot, perform SCA. What it supplies is the piece the delegated-authority and mandate models are missing: a durable, verifiable identity for the agent that acted under a mandate, so the SCA/mandate evidence chain has an attributable subject: who the agent is, that it is still authorised, and an instant, provable off-switch, all without shifting any SCA liability. The issuer keeps the responsibility; Whisper hands the delegated agent a cryptographic anchor.

Frame every SCA sentence as evidentiary. "A verifiable, revocable agent identity supports your fraud controls and audit" is true. "Whisper performs SCA / makes you PSD2-compliant" is false and we will not write it. The agent-payment schemes resemble merchant-initiated transactions under a stored mandate, but the card schemes have not formally classified agent transactions as MITs, so treat that as an analogy, not a rule.

PSD2 dispute & liability: a subject for the chargeback fight

The merchant eats the chargeback when an agent purchase is disputed, and the liability chain across merchant, PSP, model developer and deploying business is, in the industry's own words, "entirely unclear." Every one of those parties needs the same thing to allocate liability: a stable, attributable answer to which agent did this. Because every request carries a revocable, publicly-verifiable /128 and its egress is source-bound to that identity, "which agent, from where, still authorised?" is a lookup rather than a guess, and the attribution graph names the operator behind a session even after the egress IP rotates. This is DIRECT-ADDITIVE to the dispute file, not a replacement for the scheme's dispute process.

KYA: Know Your Agent, two pillars delivered

The emerging Know-Your-Agent model names four pillars: a cryptographic agent identity, an agent passport, machine-enforceable authorization, and continuous accountability. Whisper delivers two outright: pillar 1 is the device-derived /128, and pillar 4 is the per-/128 logs, op:lookups, the signed graph evidence chains and the append-only transparency log. It anchors the other two (the passport binds to the /128; machine-enforceable authorization rides op:policy/op:firewall). The honest line: Whisper is the identity substrate KYA is missing, not a KYA or KYC provider. It binds a technical identity; it does not make the KYC judgment about the human or legal entity behind the agent.

NIST NCCoE & OWASP: a deployed "agent passport"

NIST's NCCoE project on Software & AI-Agent Identity (Feb 2026) and the OWASP Agentic Top-10 (2026) both describe, in the abstract, exactly the primitive this page ships: a verifiable agent identity that closes the "attribution gap" OWASP files under ASI03, Identity & Privilege Abuse. The NCCoE work frames it against MCP, NGAC and SP 800-207 Zero Trust; the agent id → /128 is a concrete, deployed, DNSSEC-anchored instance of the "agent passport" those documents sketch. This is guidance-additive: a shipped implementation of an advisory primitive, not a conformance claim against a control number.

who → what → contain → prove: the reviewer's bundle, as artifacts Agent /128 DANE-EE · RDAP · agent id which agent, provably Attribute logs · lookups · identify what it did · who checked it PSD2 dispute · KYA P4 Contain op:revoke gone at DNS-TTL universal, not per-network Non-repudiable record Merkle log + verify hand it to the reviewer EBA Q&A 6141
The four DIRECT-ADDITIVE fits are one loop: identity → attribution → containment → a non-repudiable record. Every step is a shipped artifact, and the transparency log turns the loop into something an auditor or a scheme's risk team can replay without trusting Whisper's word.

COMPLEMENTARY: one identity under every protocol

The agent-payment protocols and the card networks each carry their own identity or trust model, and each leaves the same hole. Whisper does not redefine or replace any of them. It anchors the identifier they already use to a DNSSEC/DANE /128, and adds the revocation they lack. The load-bearing fact that makes this possible is that the identifier fields to DANE-pin already exist and are stable: A2A's url and AgentCardSignature, AP2's VC verificationMethod, x402's from/payTo, MCP's resource URI, Visa's keyid, Mastercard's agent certificate. So the /128 slots under each without any protocol change.

the identifier each protocol already exposes one anchor · one revocation A2A Agent Card url · AgentCardSignature (JWS) AP2 mandate VC verificationMethod → FIDO x402 payment from · payTo (EOA) MCP server resource URI (RFC 8707) Visa TAP keyid (RFC 9421) @ JWKS Mastercard Agent Pay agent cert @ registry DANE-pin: no protocol change one /128 2a04:2a01:c0::a9e7 DNSSEC · DANE-EE · RDAP one identity · universal revoke Any counterparty verify --trustless no directory to join settlement · the payment message Whisper is never inside this box
Every scheme already exposes a stable identifier; the /128 DANE-pins under each without touching the protocol. One identity replaces registering in Visa's, Mastercard's and Cloudflare's separate directories, and revocation becomes universal. What Whisper never enters is the settlement or the payment message itself.

A2A: the Agent Card, made verifiable and revocable

The A2A Agent Card lives at /.well-known/agent-card.json and, since v1.0, can carry an AgentCardSignature: a JWS over the card whose trust root is the domain owner via web PKI. That proves the card "belongs to the domain," never that it belongs to this specific agent, and A2A does not mandate how a card is verified. That's the gap behind Agent-Card shadowing and impersonation. There is no per-agent revocation. Whisper DANE/TLSA-pins the card's url and signing key to the agent's /128, so a verifier resolves the /128, checks the DNSSEC-anchored TLSA record, and gets "this card belongs to this agent," stronger than "belongs to the domain," and revocation becomes pulling the DNS/RDAP record. A2A is the strongest wedge precisely because it sits at the top of the stack (MCP → A2A → AP2), so anchoring it flows trust downward into the payment legs.

AP2: the identity layer it defers to FIDO

AP2 chains cryptographically-signed Mandates as W3C Verifiable Credentials (JSON-LD, ECDSA P-256): an Intent Mandate (what the user authorised), a Cart Mandate (merchant-signed), and a Payment Mandate the network sees. The mandate machinery is well specified, and AP2 explicitly defers agent identity and key management to a standards body (the FIDO Alliance's Agentic Authentication effort); it is not specified in-protocol, and AP2's own guidance says to "validate agent_id via allowlist registries." That deferred layer is exactly Whisper's lane: bind the VC's verificationMethod to a DNSSEC/DANE-anchored /128 so the Credentials Provider and the merchant independently confirm "this Shopping Agent key = verifiable agent X," which closes AP2's stated Authenticity and Accountability goals. A publicly-verifiable, DNSSEC-anchored allowlist for agent_id is the registry AP2 points at. AP2's terminology is still evolving (the live spec now speaks of a Checkout Mandate and a Payment Mandate); we track the identifier field, which is stable, not the field names.

x402: pin the wallet, keep the rail

x402 answers HTTP 402 with an onchain payment: the resource server advertises what it accepts (an exact scheme, a CAIP-2 network such as eip155:8453 Base, a USDC asset, a payTo), and the agent signs an EIP-3009 transferWithAuthorization. Settlement is trust-minimised, but the payer's identity is a bare from EOA: pseudonymous, unattributable, and non-revocable, because you cannot revoke an externally-owned account. The pin-a-wallet recipe binds that from wallet to the agent's verifiable /128, so a facilitator or resource server resolves the address to a known, non-revoked agent before honouring the 402, with no change to the onchain flow. Revoking the /128 revokes the agent's ability to transact, even though the key itself cannot be revoked. Whisper adds the identity; it never touches the settlement.

MCP: DNSSEC identity beside the OAuth

MCP identifies a server by its canonical URI (the OAuth resource parameter, RFC 8707) and authenticates with OAuth 2.1 + PKCE bearer tokens. Identity is web-PKI/TLS plus a bearer: there is no per-agent cryptographic identity, and no revocation beyond token expiry, so a stolen bearer "appears legitimate." Whisper DANE-anchors the server's /128 for identity beyond CA-trust, and the a2a-trust pattern gives the mutual verify-the-counterparty step MCP lacks, a real mitigation for the confused-deputy and token-passthrough threats that make agents dangerous identity-aggregation points. DNS revocation complements short-lived tokens; it does not replace the OAuth flow.

Visa & Mastercard: the neutral anchor beside the walled garden

The card networks shipped the strongest agent-identity requirements of anyone, and each built a proprietary directory. Visa's Trusted Agent Protocol has agents sign requests with HTTP Message Signatures (RFC 9421) carrying a keyid, with public keys at a Visa-operated well-known JWKS; revocation is key removal from Visa's directory. Mastercard's Agent Pay issues an MDES Agentic Token binding cardholder, registered agent and mandate scope, verifies the agent's certificate at checkout against a Mastercard trusted-agent registry, and revokes by deactivating the registry entry. Both are excellent, and both are single-network: an agent must register in each, and revocation reaches only that network. Whisper is the complement neither is: DNSSEC/DANE is literally a well-known, publicly-verifiable public-key directory anchored in DNS, so the Visa keyid or the Mastercard agent cert can be DANE-pinned to one globally-resolvable /128 the agent presents across every protocol and to any merchant, not only the Visa- or Mastercard-registered ones, and revocation becomes universal (pull the DNS/RDAP record) rather than per-network. It interoperates with their directories; it does not replace MDES or tokenize the PAN.

ACP & the EU AI Act

OpenAI/Stripe's Agentic Commerce Protocol encodes agent identity inside a single-use, constrained Delegated Payment token for dispute attribution. Whisper is the durable identity that token and record point at, so attribution outlives any one token. The EU AI Act treats agents as AI systems subject to traceability, logging, human-oversight and accountability obligations; a per-agent identity, attributable egress logs, and an auditable issuance/revocation trail are natural evidence for those obligations. Both are COMPLEMENTARY: Whisper supplies the identity and attribution substrate, never a conformity assessment against the Act or a replacement for the ACP flow.

The DNS-anchored-identity standards track: we implement and interoperate

Whisper is not inventing DNS-anchored agent identity in a vacuum; it is a deployed implementation on an emerging, largely draft-stage standards track, and it interoperates with the primitives that track is built on:

i

Honest status. These efforts are early: some are drafts, some are proposals, and the field will consolidate. Whisper is one deployed, DNSSEC/DANE-anchored implementation that interoperates with the DANE, DNSSEC, RDAP and did:web primitives they build on. It is not the sole DNS agent-identity scheme, and this page does not pretend the track is finished. What ships today is the standards-track plumbing (DNSSEC, DANE-EE, RDAP, reverse DNS) assembled into a working agent identity you can verify right now.

DO-NOT-CLAIM: stated plainly

The most useful rows on a compliance page are the ones a vendor omits. These are real, they matter, and Whisper is honestly not them. We list them so nobody plans against an over-claim:

The honest caveat, and where the fit is strongest

Buyer trust is built by naming the limits before the sales call does. Two things to hold onto:

Nothing issued in the dark: the transparency-log audit trail

Every identity mint and every revocation lands in a public, append-only Merkle transparency log (RFC 6962 tlog-tiles), with Ed25519-signed C2SP checkpoints, each root anchored to Bitcoin via OpenTimestamps. That gives an agent-commerce operator something a database row cannot: a non-repudiable answer to "when was this agent's identity issued, and when was it revoked," provably not back-dated, provably in order. For a chargeback dispute, a liability allocation, or an EU AI Act traceability review, that is the difference between an assertion and evidence.

# An agent identity's ordered lifecycle (issuance, any rotations, revocation), keyless
curl -s https://whisper.online/ip/2a04:2a01:c0::a9e7/transparency | jq

# The signed log checkpoint + its Bitcoin anchor: the tamper-evidence root
curl -s https://whisper.online/checkpoint
# -> a C2SP signed note; the root is OpenTimestamps-anchored to Bitcoin

Honest status. The log is tamper-evident, Ed25519-signed and Bitcoin-anchored today, but it is not yet independently witnessed (our two authoritative nodes co-signing is availability, not independence). It already speaks the C2SP tlog-witness protocol, so an external witness can co-sign; until one does, treat the guarantee as tamper-evident, not third-party-attested. It is also GDPR-compatible: leaves are salted opaque commitments with selective disclosure, so erasing the salt renders a leaf's meaning unrecoverable while the proofs stay valid.

Evidence you can hand a risk or fraud reviewer

The point of every primitive above is that the reviewer does not have to trust Whisper. Each artifact is reproducible from the internet's own records with stock tools: the same --trustless walk any resolver could run. A per-agent evidence bundle for a dispute file, a KYA review, or an EU AI Act traceability request looks like this, and every line is checkable without an account:

# IDENTITY (KYA P1 / agent passport): the identity is genuine and current, verified to the IANA root
whisper verify --trustless 2a04:2a01:c0::a9e7
✓ DNSSEC chain valid to the IANA root   ✓ DANE-EE (TLSA 3 1 1) matches the key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32   identity: VERIFIED (our API never trusted)

# ATTRIBUTION (PSD2 dispute / KYA P4): the per-agent record and who enumerated it
CALL whisper.agents({op:'logs',    args:{agent:'2a04:2a01:c0::a9e7', kind:'conn', from:'-30d'}})
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:c0::a9e7', window:'30d'}})

# CONTAIN + NON-REPUDIATION (EBA Q&A 6141): the offboarding, provable and timestamped
CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:c0::a9e7'}})
curl -s https://whisper.online/ip/2a04:2a01:c0::a9e7/transparency   # the timestamped lifecycle leaf

Because an agent's outputs (a mandate acknowledgement, a receipt, a settlement reference) can be signed under its forge-proof /128, the merchant, the PSP and a regulator can trust the record came from the real agent, which is the non-repudiation a dispute or an audit ultimately wants.

SIEM & threat-intel export

The evidence above is pullable now via op:logs, op:lookups and the graph API, and it exports to Splunk today as signed, replayable JSON mapped to CEF / ECS fields. Broader connectors are on the roadmap, labelled honestly so nobody plans against vapour:

Destination Status
Splunk (signed JSON → CEF / ECS) Shipped
Microsoft Sentinel connector Shipped
OpenCTI Shipped
STIX 2.1 / TAXII feed Roadmap
Fraud / dispute-network JSON export Roadmap

Until the roadmap items land, the same records are already reachable. The exports are a convenience layer over evidence you can pull today.

What this is (and is not)

Whisper anchors one boundary: the transport/IP interface where an agent presents itself to a merchant, a facilitator, or a peer agent. It is deliberate about what it does not touch.

Everything described as working is checkable, today, with dig, curl and one control-plane call. Everything on the roadmap is labelled as such. That is the whole contract of this page.

Next