# Commerce

**A self-asserted Agent Card and a bearer token shouldn't be able to spend on your behalf.**

When the buyer stops being a human at checkout, a merchant, a facilitator, or a peer agent has to answer one question: *which agent am I really transacting with?* Today it cannot. Whisper closes that gap with one primitive: the agent's address *is* its identity. This page is the commerce front door to the Whisper docs. The full technical library (DNSSEC, DANE, RDAP, the control-plane API) sits one click down the sidebar, shared verbatim with [whisper.online](https://whisper.online/docs).

## The problem: an agent can't prove it's the authorized agent

Every agent-commerce protocol authenticates a *claim* to the counterparty: a self-published card, a signed mandate whose signer is opaque, a bare wallet address, never the software behind it. [A2A](https://a2a-protocol.org/) publishes an agent's identity as an **Agent Card** at `/.well-known/agent-card.json`, but the spec does *not* mandate how that card is verified. It delegates trust to the transport, so a forged or shadow-cloned card at a plausible domain reads as legitimate. [AP2](https://ap2-protocol.org/) chains cryptographically-signed **Mandates** as W3C Verifiable Credentials (ECDSA P-256), yet *explicitly defers the agent's identity and key management to other bodies*: the mandate's `verificationMethod` is an opaque pubkey reference with no external anchor. [x402](https://github.com/coinbase/x402) settles onchain against a buyer-signed [EIP-3009](https://eips.ethereum.org/EIPS/eip-3009) `transferWithAuthorization`, but the paying identity is a bare wallet address (`from`): pseudonymous, unattributable, and non-revocable. The card networks shipped agent frameworks whose stated goal is to *distinguish legitimate AI agents from malicious bots*: Visa's [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421) Trusted Agent Protocol and Mastercard's Agentic Token each publish keys to a *private, network-scoped* directory. The ecosystem concedes it cannot tell agents apart.

This is the classic bearer problem at agent scale: [OWASP](https://genai.owasp.org/2025/12/09/owasp-top-10-for-agentic-applications-the-benchmark-for-agentic-security-in-the-age-of-autonomous-ai/)'s Top 10 for Agentic Applications names it *ASI03: Identity & Privilege Abuse*, the "attribution gap." Steal or leak a token and you *are* the agent; agents have become identity-aggregation points holding the combined authority of every credential they carry, and non-human identities now outnumber humans by roughly **100 : 1** and climbing. There is no forge-proof identity, no cross-platform attribution, and no revocation (the sharpest gap): when one domain revokes a compromised agent, connected domains have no standard mechanism to receive that signal. *Not a latency problem but a missing protocol.* A single compromised agent integration has spread across **700+ trust domains in about ten days** on stolen tokens, and the revocation never propagated.

```
Forged Agent Card + stolen bearer   ──legit──▶   Counterparty (merchant · facilitator · peer)
/.well-known/agent-card.json                     trust delegated to transport · claim ✓ · agent ✗
                                                        │ clone
                                                        ▼
                             a fleet of fake agents  →  spend · replay a signed mandate · drain the wallet
                                                        │ phones home through disposable egress
                             AWS · GCP · Azure · residential swarm  →  counterparty logs a meaningless last IP

one domain revokes it  ─(no cross-domain protocol)─▶  …so it keeps transacting everywhere else: a dormant, persistent threat
```

The whole kill chain rests on one thing: the counterparty authenticates a *claim*, whether a self-asserted card or a bearer token, never the agent behind it. Clone it into a fleet, rotate the egress so the *last IP* is disposable, and because no cross-domain revocation protocol exists, one domain's revoke never reaches the others.

Behavioral bot-detection will always be a step behind a credential that is genuinely valid and an identity that is merely asserted. The strictly-stronger move is to change what the counterparty trusts.

## The cure: the address is the agent

> **Shipped & live.** Deriving an agent `/128` from the key it already signs with is in production today. Provision one with the control-plane call below and verify it from the DNSSEC root with tools already on your machine.

Whisper gives each AI agent a routable IPv6 `/128` out of `2a04:2a01::/32` (announced by **AS219419**), derived *deterministically* from the agent's **public key** (its `SubjectPublicKeyInfo`, the public half of the Ed25519 or P-256 key it already holds: the key behind its A2A `AgentCardSignature`, its AP2 mandate `verificationMethod`, or its [Web Bot Auth](https://www.rfc-editor.org/rfc/rfc9421) JWKS entry) with the **agent id** as the domain separator. The private key never leaves the agent; only its public SPKI is an input. The result is [DNSSEC](/docs/dnssec)-anchored, [DANE-EE `3 1 1`](/docs/dane) pinned, and [RDAP](/docs/rdap)-registered: re-derivable and verifiable by anyone with `dig`.

```
agent public key (SPKI)       ──derive · domain-sep = agent id──▶   /128                   ──DNSSEC + DANE-EE 3 1 1──▶   a name anyone verifies
Ed25519 / P-256 : the key                                     2a04:2a01:a9e::a2c7           RDAP-registered            whisper verify --trustless
behind its AgentCard /                                        routable, tenant-bound                                   op:'revoke' → gone at DNS-TTL
mandate / wallet signature
(private key stays with the agent)
```

The agent already holds the key behind its A2A Agent Card signature, its AP2 mandate `verificationMethod`, or its Web Bot Auth JWKS entry. Whisper binds that public key to a routable, publicly verifiable `/128` and gives it the cross-domain off-switch the payment protocols never had.

Because the derivation is **tenant-bound**, the same key under two different platforms yields two unrelated `/128`s. An outsider cannot link an agent across platforms. And because the domain separator is the agent id, **the agent id alone yields nothing**: you cannot go agent id → `/128` without the key, there is no enumerable directory, and RDAP and reverse-DNS return the registry object, never the agent's whereabouts.

What becomes true the moment an agent holds one:

- **"One forged card → a fleet of fake agents" becomes physically impossible.** You cannot present agent identities whose keys you don't hold; every forged or shadow-cloned Agent Card is a DNSSEC/DANE inconsistency any verifier catches.
- **Wallet and session rotation become irrelevant.** Identity is not the source IP or the ephemeral session: the "last IP" was never the credential, so rotating it across clouds or proxies changes nothing.
- **Stolen bearer tokens fail.** A self-asserted card or a leaked API key with no agent key behind it authenticates to nothing.
- **One `revoke` kills a compromised agent worldwide** at DNS-TTL speed: the cross-domain off-switch the ecosystem is missing, delivered as a public DNS fact every counterparty already checks.

**Additive, never a replacement.** Whisper anchors identity at the DNS/transport boundary and hands it *up* to the protocols that already exist. It never redefines A2A, never signs an AP2 mandate, never settles an x402 payment, and never holds the wallet key. DANE-pin the `url`/`AgentCardSignature` key of an A2A Agent Card, the `verificationMethod` of an AP2 mandate, the `from`/`payTo` of an x402 flow, an MCP `resource` URI, or a Visa TAP `keyid`: the `/128` slots under each *without a protocol change*. Whisper is no longer alone in DNS-anchored agent identity; where the newer entrants anchor a *name* (an ownership "birth certificate," an `_ag` discovery label), Whisper anchors a *routable, revocable, wallet-pinnable* identity with egress governance and attribution: the working identity layer on top of the record.

> **Necessary, not sufficient, and we say so.** A verifiable identity proves *which* agent acted, *for whom*, lets you attribute and revoke it, and makes every other control enforceable and auditable. It does *not* stop a legitimately-authenticated agent from making a bad purchase, prevent prompt-injection of the agent's own reasoning, or substitute for spend caps, mandate scoping, key custody, or human-in-the-loop. It is the missing anchor the payment rails were built without, not a replacement for the guardrails on top.

## Provision an agent identity

Provisioning is one control-plane call over the public API: `POST https://graph.whisper.security/api/query` with your `X-API-Key`. Hand it the agent's base64 SPKI and its agent id (passed as `device_id`); it returns the deterministic `/128` and a WireGuard config for source-bound egress:

```
CALL whisper.agents({op:'connect', args:{
  tier:'wireguard',
  identity_public_key:'<base64 SPKI of the agent key>',
  device_id:'acme-shopper-8f3c9a2e'
}}) YIELD op, ok, status, result, error
RETURN op, ok, status, result, error
```

Send it with your key. The heredoc keeps the single-quoted Cypher literals intact, so this runs as-is:

```sh
curl -s https://graph.whisper.security/api/query \
  -H "X-API-Key: whisper_live_xxx" \
  -H 'content-type: application/json' \
  --data @- <<'JSON'
{"query":"CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'<base64 SPKI>', device_id:'acme-shopper-8f3c9a2e'}}) YIELD op, ok, status, result, error RETURN op, ok, status, result, error"}
JSON
```

```json
# response
{ "op": "connect", "ok": true, "status": "created",
  "result": {
    "address": "2a04:2a01:a9e::a2c7",
    "fqdn":    "agent-8f3c9a2e.<tenant>.agents.whisper.online",
    "wireguard": { /* peer, keys, allowed-ips */ }
  } }
```

The `device_id` is the generic domain separator. Pass whatever native identifier your agent already carries: its A2A Agent Card id, its Web Bot Auth key id, or the id you use in your own registry. The call is **idempotent and liberal in what it accepts, strict in what it returns**: re-running with the *same* key and agent id returns the *same* `/128`; a *different* agent id for a key already registered on your tenant is a clear `409`, not a silent overwrite; a non-string agent id is a `400` that tells you exactly what was wrong, never an opaque 500.

> A dedicated first-class `--agent-id` (and `--wallet`) CLI flag is on the roadmap; today, pass the agent id as `device_id` (an alias) to the live control-plane call above. The shipped CLI verbs are `whisper verify --trustless`, `whisper create --register`, `whisper kill --revoke`, `whisper policy`, and `whisper logs`. See [CLI & one-command](/docs/cli).

## Verify it yourself, no account

Every agent identity is checkable with no key and no login, from the internet's own records: the keyless lower half of the two tiers. A merchant, a facilitator, or a peer agent runs the same walk before it trusts anything. The `whisper` CLI does it in one call:

```
whisper verify --trustless agent-8f3c9a2e.<tenant>.agents.whisper.online

✓ DNSSEC chain valid to the IANA root
✓ DANE-EE (TLSA 3 1 1) leaf matches the agent's key
✓ RDAP: registered under AS219419 · 2a04:2a01::/32
identity: VERIFIED · our own API was never trusted
```

Or reach for the raw records directly: the same answer, from stock tools.

```sh
# the public verify endpoint: evidence chain in JSON
curl -s https://whisper.online/verify-identity/2a04:2a01:a9e::a2c7 | jq
# { "is_whisper_agent": true, "dane_ok": true, "jws_ok": true, "evidence": { … } }

# the address is the agent: forward-confirmed reverse DNS names it
dig -x 2a04:2a01:a9e::a2c7 +short
# agent-8f3c9a2e.<tenant>.agents.whisper.online.

# the registry object: who holds the address, and under which allocation
curl -s https://whisper.online/ip/2a04:2a01:a9e::a2c7 | jq
```

None of these calls Whisper as an authority: `--trustless` re-derives the proof against the public DNSSEC root, exactly as any resolver could. This is the check a counterparty runs to turn *"is this a real agent?"* from a guess into a lookup. See [Verify an agent](/docs/verify) for the full keyless walk and [DANE & TLSA](/docs/dane) for the pin, byte for byte.

## Pin a wallet to the agent

An x402 wallet proves control of *funds*, not *who*, and not accountability. **Pin-a-wallet** binds the wallet to the agent's verifiable `/128` so a facilitator or resource server resolves the x402 `from` address to a known, revocable agent *before* honoring the `402`, with no change to the onchain flow. The binding is published in the agent's DNSSEC-signed, DANE-anchored zone and recorded in the [transparency log](/docs/transparency); revoking the `/128` revokes the *agent's* ability to transact even though the EOA itself can never be revoked. It converts x402 from "anonymous money" into "a known, revocable agent paying": the exact wallet↔identity link x402 lacks and AP2 defers to FIDO.

```sh
# a facilitator, before /settle: resolve the x402 `from` wallet to the agent that pinned it
dig +short TXT _wallet.0x1a2b3c9f.pin.<tenant>.agents.whisper.online
# "agent=2a04:2a01:a9e::a2c7; dane=3 1 1; status=live"

# then run the same keyless walk on that agent: is it real, and not revoked?
whisper verify --trustless 2a04:2a01:a9e::a2c7
# ✓ DANE-EE 3 1 1 matches the agent's key · RDAP live · not revoked
# the _wallet TXT above binds 0x1A2b…3C9F to this /128: honor the 402 only if BOTH check out
```

> **Honest status.** The DANE-anchored wallet↔identity binding and DNS-TTL revocation ride the shipped identity plane and the [pin-anything](/docs/pin-anything) mechanism *today*: publish the signed binding via the control plane, and any facilitator resolves and verifies it with stock tools. A first-class `whisper pin-wallet` verb and drop-in facilitator plug-ins for A2A / AP2 / x402 are on the roadmap. Full recipe: [Pin a wallet](/docs/pin-a-wallet).

## Revoke and govern, worldwide

A compromised agent, a rotated wallet, a decommissioned integration: one call tears down the `/128`, its PTR, and its DANE pin everywhere at DNS-TTL speed. This is the cross-domain revocation the ecosystem never standardized: not a private token-revoke inside one network, but a public DNS fact every counterparty already resolves.

```
CALL whisper.agents({op:'revoke', args:{agent:'2a04:2a01:a9e::a2c7'}})

# after the TTL: dig -x returns nothing, verify returns false, the wallet pin dies with it
whisper kill --revoke 2a04:2a01:a9e::a2c7
```

The same address-is-identity primitive governs what an agent may do *before* anything goes wrong. Source-bound egress makes an agent's traffic leave from its own `/128`, and the control plane enforces it by name and by address:

```sh
# default-deny: this agent may reach ONLY its merchant + x402 facilitator allowlist
whisper policy set --default deny --allow api.merchant.example,facilitator.x402.example

# per-agent firewall (allow/deny by host, cidr or port) + a traffic budget with a kill-switch
CALL whisper.agents({op:'firewall', args:{agent:'2a04:2a01:a9e::a2c7', deny:['0.0.0.0/0'], allow:['facilitator.x402.example:443']}})
CALL whisper.agents({op:'budget',   args:{agent:'2a04:2a01:a9e::a2c7', max_mb_per_day:50}})
```

Compromise one agent and you've compromised *that agent*, not the platform. The fleet-takeover failure mode is structurally removed.

And nothing is issued in the dark: every mint and every revoke lands in a public, append-only [RFC 6962 Merkle transparency log](/docs/transparency), Ed25519-signed and anchored to Bitcoin via OpenTimestamps. It's an auditable, non-repudiable issuance trail for a disputed transaction. *Honest status:* tamper-evident and anchored today; independent third-party witnessing is the next step, and the log already speaks the witness-cosigning protocol so any external witness can co-sign.

## Who checked your agent

An identity you can prove is also an identity you can *watch*. Because every agent's name resolves through Whisper's own authoritative DNS and RDAP, the owner sees exactly who looked: reverse observability the private network directories never gave you. `op:'lookups'` returns who resolved or RDAP-queried an agent's identity: the merchants, facilitators, and peer agents that verified you *before* transacting (a verification-analytics stream), and, as a tripwire, anyone enumerating your agent fleet *before* an attack.

```
CALL whisper.agents({op:'lookups', args:{agent:'2a04:2a01:a9e::a2c7'}})
# → who resolved / RDAP-queried this agent's identity (PTR / AAAA / TLSA + /ip accesses)
#   the owner-facing companion to op:'logs' (the agent's OWN outbound activity)
```

It is the mirror of `op:'logs'`: `logs` is what your agent reached out to; `lookups` is who reached in to check your agent. Both are live over the same public API with your key.

## Attribution: name whoever already scraped you

Identity stops the next forgery; the graph names the operator behind the sessions already in your logs: attribution that survives IP and wallet rotation because it fingerprints the operator and the tooling, not the ephemeral egress. When a shadow-cloned Agent Card or a swarm of throwaway wallets keeps reappearing, run it as read-only Cypher over the same public API with your key (there is no CLI subcommand for this; it is the graph API directly):

```sh
curl -s https://graph.whisper.security/api/query \
  -H "X-API-Key: whisper_live_xxx" \
  -H 'content-type: application/json' \
  -d '{"query":"CALL whisper.identify(\"34.90.x.x\")"}'
# operator fingerprinted across AWS / GCP / Azure; residential swarm collapsed by JA4
```

The read-only verbs (`identify`, `origins`, `walk`, `variants`, `history`) each return a reproducible, replayable JSON evidence chain your fraud team, your risk desk, and a regulator can replay: cross-platform attribution in *public* infrastructure, not a per-platform reputation score. More in [Graph & cognition](/docs/graph-api).

## What ships today, and what's on the roadmap

We label these honestly so you can plan against them.

| Shipped & live | On the roadmap |
|---|---|
| Agent `/128` from the agent's public key + agent id as `device_id`: DNSSEC + DANE-EE + RDAP | A first-class typed `--agent-id` / `--wallet` argument (pass them via `device_id` and the control plane today) |
| Control-plane provision, verify, `op:revoke`, `op:lookups`, policy / firewall / budget; the attribution graph; the Bitcoin-anchored transparency log | **STIX 2.1 over TAXII** export |
| **Pin-a-wallet**: bind an x402 wallet to the agent's DANE-anchored `/128` and revoke it at DNS-TTL (via the control plane / the [pin-anything](/docs/pin-anything) mechanism) | A turnkey `whisper pin-wallet` verb and drop-in facilitator plug-ins for A2A / AP2 / x402 |
| The **Splunk**, **Microsoft Sentinel** and **OpenCTI** connectors (signed, replayable JSON → CEF / ECS fields); the DANE-EE per-agent CA leaf that underpins **signed agent outputs** | A turnkey **sign-outputs** receipt workflow (`whisper sign`) for payment / provenance non-repudiation |

The integration guides below describe **proposed** integrations at the protocol and IP boundary: designed to complement the stack you already run, not endorsed by any vendor, and never named against a specific merchant or network as a breach victim.

## The five Commerce guides

The agent-commerce story, in depth: each page is self-contained and copy-paste runnable.

- **[Agent identity](/docs/industries/commerce/agent-identity)**: derive a routable `/128` from the key an agent already signs with. Deterministic, tenant-bound, DNSSEC + DANE-EE pinned. It's the identity spine that every counterparty can verify.
- **[Agent-fraud cure](/docs/industries/commerce/agent-fraud-cure)**: why a self-asserted Agent Card and a bearer token spend on your behalf, and how a forge-proof address ends it. This is the impersonation / confused-deputy / missing-revocation kill chain, cured at the identity layer.
- **[A2A · AP2 · x402](/docs/industries/commerce/commerce-integrations)**: where the `/128` slots under each protocol without a change. DANE-pin the Agent Card signature, the AP2 mandate `verificationMethod`, the x402 `from`/`payTo`, the MCP `resource` URI, and the Visa TAP `keyid`.
- **[PSD2 · agent-payment protocols](/docs/industries/commerce/commerce-compliance)**: map verifiable identity and attribution evidence to PSD2 SCA (evidentiary, never an SCA factor), the EBA delegation ruling, Visa TAP, Mastercard Agent Pay, AP2, and KYA, as a network primitive, not a binder.
- **[Pin-a-wallet · A2A-trust · verify](/docs/industries/commerce/commerce-recipes)**: runnable recipes for pinning an x402 wallet to a verifiable agent, making two A2A agents verify each other's `/128` before they talk, and back-tracing a suspicious agent on the graph.

## The full technical library

Commerce rides on the same address-is-identity platform as every other agent on the network, so the whole shared library applies here unchanged, and every page has a clean Markdown twin at the same path + `.md`. Start with these; the rest is in the sidebar.

- **[Quickstart](/docs/quickstart)**: install, register your first identity, connect it, confirm it (one terminal, start to finish).
- **[Verify an agent](/docs/verify)**: the full keyless identity check, every proof you run with `dig`, `curl`, and `openssl`.
- **[DANE & TLSA](/docs/dane)**: the `3 1 1` pin that makes an address forge-proof, byte for byte, no CA in the path.
- **[Control plane](/docs/control-plane)**: the full `whisper.agents` API over the public endpoint, covering provision, connect, policy, logs, lookups, and revoke.

---

← [For merchants & builders](https://commerce.whisper.online/for-merchants) · [Agent identity →](/docs/industries/commerce/agent-identity)
