Know Your Agent (KYA) is the identity layer for agent-driven payments: a set of cryptographic and reputational standards that lets a merchant, processor, or fraud system answer one question before a transaction settles. Is the AI agent making this request a registered, accountable entity, or an anonymous bot in disguise? The term mirrors the Know Your Customer (KYC) framework banks built for human account holders, and the analogy is deliberate. The market moved quickly: by April 2026 every major payment network had shipped or unveiled a KYA primitive. Visa's Trusted Agent Protocol (TAP) went live on October 14, 2025 with twelve launch partners; Skyfire's KYAPay uses signed JWTs to attach agent identity to HTTP requests; Mastercard's Agent Pay (unveiled April 29, 2025, full US rollout November 2025) ties identity into the network token itself; Google's AP2 handles the user-mandate side of the same problem; and fraud platforms Forter (Identity Monitoring for Agentic Commerce), Riskified (in partnership with HUMAN), and HUMAN Security (AgenticTrust) each launched agent-trust scoring layers on top. This piece is the comparison primer: what KYA is, why it became necessary in 2026, the five major standards, and the trade-offs each one accepts to ship.
What Is Know Your Agent (KYA)?
Know Your Agent (KYA) is an emerging identity framework that cryptographically binds an AI agent's requests to a registered operator and an authorized user, so that a merchant can verify both before settling a payment. KYA covers signed identity headers, user-signed mandates, agent reputation scoring, and directory-based revocation. It is the agent-economy analog of KYC for human banking customers.
The term emerged from Skyfire's product naming in 2024 — KYAPay was the first commercial framing — but by 2026 it had broadened into an ecosystem label. Visa, Mastercard, and Cloudflare don't use "KYA" as a product name, but their published specifications all solve the same identity problem and compose with each other. Cloudflare's October 2025 launch post describes the gap KYA is meant to close: traditional bot-management systems are built to block automated traffic, but agentic commerce makes legitimate agents look bot-like by design. Heuristic blocking breaks legitimate flows; pure allow-listing breaks scale. Cryptographic identity replaces heuristics with verifiable signatures.
KYA is distinct from authentication and from authorization. Authentication answers "is this user logged in." Authorization answers "is this user allowed to spend." KYA sits earlier and answers two prior questions: "is the entity making this HTTP request a known agent at all" and "did the human delegate this purchase to this agent." Visa's launch announcement called the gap "the missing trust layer for AI commerce," and the framing has stuck across the industry.
Why Did KYA Become Necessary in 2026?
KYA became necessary because three production realities arrived together in late 2025: AI agents started transacting at scale, scrapers got better at impersonating them, and chargeback systems had no way to attribute fraud to a specific agent operator. Without an identity layer, a merchant could not tell a legitimate purchase from a scraper-driven attack from a malicious bot, and disputes had no defendant.
The volumes shifted fast. Adobe Analytics measured a 4,700% year-over-year increase in generative-AI traffic to US retail sites between July 2024 and July 2025. Coinbase's x402 stablecoin payment protocol registered roughly 69,000 active agents and 165 million transactions by April 2026. ChatGPT Instant Checkout launched September 2025 across Etsy plus a Shopify cohort, with broader rollouts continuing through Q1 2026. None of those flows had a network-level way to distinguish "real OpenAI agent acting for a real user" from "scraper sending the same headers."
The fraud surface compounds the volume. Forter's agentic commerce briefing describes three failure modes that KYA addresses directly. First, agent impersonation: an attacker forges User-Agent strings or proxies traffic through a legitimate agent surface to bypass bot detection. Second, stolen-credential agent abuse: a compromised user account is loaded into an agent that can run hundreds of purchases in parallel before the human notices. Third, the dispute-attribution gap: when a chargeback arrives, the merchant has no cryptographic proof of which agent operator made the request, so liability defaults to the merchant under existing card-network rules.
Regulators amplified the pressure. The EU's AI Act provisions affecting deployed agents took effect through 2025 and 2026, and bank supervisors in the US and UK began asking how existing KYC obligations extend when an agent is the entity actually making a transaction. None of the existing KYC tooling was built to onboard non-human entities, and existing PCI DSS access controls were written for human users and fixed system accounts, not for a delegated agent acting on a customer's behalf. KYA is the answer the industry shipped: cryptographic identity that satisfies both the technical question (is this a registered agent) and the regulatory one (whose books does this transaction live on).
How does a merchant tell a real agent from a bot?
A merchant tells a real agent from a bot by requiring a cryptographic signature on the request that resolves to a registered operator. With Visa TAP, the merchant verifies an Ed25519 signature in the Signature header against a Visa-operated directory. With Skyfire KYAPay, the merchant verifies a signed JWT that names the agent operator and the user delegation. With AP2, the merchant verifies a user-signed mandate inside the request body. A request without any of these layers is treated as anonymous bot traffic and routed to the bot-management or fraud system.
The cryptographic check is what changed. Pre-KYA, merchants relied on User-Agent strings, IP reputation, JavaScript challenges, and behavioral fingerprinting, all of which a determined scraper can defeat. Post-KYA, the merchant has an Ed25519 signature or a JWT that either verifies against a published key or it doesn't. Forging a signature requires the operator's private key, which moves the attack from network-layer impersonation to operator-side compromise, a much smaller and more defensible surface. Two checks the verifier still has to enforce itself: a valid signature only proves that some holder of the key produced it, so the merchant must check freshness (created/expires plus a nonce or request binding) to stop a captured signature from being replayed, and must confirm that the signed components actually cover the parts of the request it is about to act on.
KYA Standards Compared
Five KYA standards mattered as of April 2026: Visa TAP, Skyfire KYAPay, Mastercard Agentic Tokens, Google AP2 mandates, and the fraud-side stack from Forter, Riskified, and HUMAN Security. Each occupies a slightly different slice of the identity problem, and most production stacks compose two or three together rather than picking a single winner.
The five standards share one architectural pattern, cryptographic proof verified by the merchant, but split on four dimensions: what they identify, who issues the keys, where the proof travels in the request, and what kind of proof it is. The sections below cover each in turn, with the comparison table further down summarizing the trade-offs.
Visa TAP (RFC 9421 + Web Bot Auth)
Visa's Trusted Agent Protocol is the largest KYA shipping standard by partner footprint. TAP launched October 14, 2025 with twelve initial partners on the merchant and processor side: Adyen, Ant International, Checkout.com, Coinbase, CyberSource, Elavon, Fiserv, Microsoft, Nuvei, Shopify, Stripe, and Worldpay. The protocol attaches three signed HTTP headers to every agent request (Signature-Agent, Signature-Input, and Signature) using RFC 9421 HTTP Message Signatures, profiled for this use by the IETF Web Bot Auth draft.
The mechanism is signed but not encrypted. An Ed25519 signature covers the canonical request, and any node in the request path (CDN, edge proxy, fraud system) can read the agent's identity from Signature-Agent without holding any keys; only verifying it requires the operator's public key. TAP defines two tag values that distinguish browse-only requests (agent-browser-auth) from payment-intent requests (agent-payer-auth), so merchants can apply different rate limits and risk policies to each. The tag is a policy input, not a label: a checkout endpoint that accepts agent-browser-auth has thrown the distinction away. Verification adds a directory lookup on cache miss and a few milliseconds of crypto otherwise; early production reports from launch partners cite sub-5ms overhead after warm-up. The full architectural breakdown is in the Visa TAP explainer.
The directory model is what distinguishes TAP from competing standards. Visa operates the directory of registered agent public keys at launch: every agent operator has to register, prove its merchant-onboarding identity, and be assigned a directory entry before its requests verify against the network. The trade is revocation speed for federation: a compromised operator can be revoked across the network within minutes, but Visa is the single point of trust for the directory itself. The TAP specification on GitHub contemplates a federated directory model in future versions.
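As an added example (not code from Visa, Cloudflare, or the TAP reference implementation), here is the exchange the last two sections describe, in Go: the agent signs the covered components under RFC 9421 with an Ed25519 key, and the merchant runs the policy checks a verifier needs before it trusts the result. The in-memory Directory stands in for the network lookup; the covered-component list, the five-minute expiry, the nonce replay cache, and the Signature-Agent value are this example's constructions. The two tag values are the ones TAP defines.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

type Request struct { // the slice of an HTTP request the signature covers; header names are lower-case
	Method, Authority, Path string
	Headers                 map[string]string
}

type Directory map[string]ed25519.PublicKey // keyid -> public key; hypothetical stand-in for the operator directory

var covered = []string{"@method", "@authority", "@path", "signature-agent"}

// signatureBase builds the RFC 9421 signature base: one line per covered component, then "@signature-params".
func signatureBase(r Request, comps []string, params string) string {
	derived := map[string]string{"@method": r.Method, "@authority": r.Authority, "@path": r.Path}
	var b strings.Builder
	for _, c := range comps {
		v, ok := derived[c]
		if !ok {
			v = r.Headers[c]
		}
		fmt.Fprintf(&b, "%q: %s\n", c, v)
	}
	return b.String() + "\"@signature-params\": " + params
}

// parseInput splits sig=("@method" ...);created=1;keyid="k";tag="..." into components, parameters and raw params.
func parseInput(v string) ([]string, map[string]string, string, error) {
	label, raw, ok := strings.Cut(v, "=")
	end := strings.Index(raw, ")")
	if !ok || label != "sig" || !strings.HasPrefix(raw, "(") || end < 0 {
		return nil, nil, "", errors.New("malformed Signature-Input")
	}
	var comps []string
	for _, c := range strings.Fields(raw[1:end]) {
		comps = append(comps, strings.Trim(c, `"`))
	}
	params := map[string]string{}
	for _, kv := range strings.Split(raw[end+1:], ";")[1:] {
		k, val, _ := strings.Cut(kv, "=")
		params[k] = strings.Trim(val, `"`)
	}
	return comps, params, raw, nil
}

// Sign is the agent side. Signature-Agent (the directory origin) is already set by the caller.
func Sign(r *Request, priv ed25519.PrivateKey, keyID, nonce, tag string, now time.Time) {
	params := fmt.Sprintf(`("%s");created=%d;expires=%d;keyid=%q;nonce=%q;tag=%q`, strings.Join(covered, `" "`), now.Unix(), now.Add(5*time.Minute).Unix(), keyID, nonce, tag)
	sig := ed25519.Sign(priv, []byte(signatureBase(*r, covered, params)))
	r.Headers["signature-input"] = "sig=" + params
	r.Headers["signature"] = "sig=:" + base64.StdEncoding.EncodeToString(sig) + ":"
}

// Verify is the merchant side. Policy checks (components covered, not expired, tag accepted by this
// endpoint, nonce unseen, key registered) run before any crypto; then Ed25519 is checked against keyid's key.
func Verify(r Request, dir Directory, wantTag string, now time.Time, seen map[string]bool) (string, error) {
	comps, p, raw, err := parseInput(r.Headers["signature-input"])
	if err != nil || r.Headers["signature-agent"] == "" || r.Headers["signature"] == "" {
		return "", errors.New("unsigned or malformed: treat as anonymous bot traffic")
	}
	expires, _ := strconv.ParseInt(p["expires"], 10, 64)
	pub, known := dir[p["keyid"]]
	switch {
	case strings.Join(comps, " ") != strings.Join(covered, " "):
		return "", errors.New("signature does not cover method, authority, path and signature-agent")
	case expires == 0 || now.Unix() > expires:
		return "", errors.New("signature expired or carries no expires parameter")
	case p["tag"] != wantTag:
		return "", fmt.Errorf("tag %q not accepted here (want %q)", p["tag"], wantTag)
	case p["nonce"] == "" || seen[p["nonce"]]:
		return "", errors.New("missing or replayed nonce")
	case !known:
		return "", fmt.Errorf("keyid %q not in directory: unregistered or revoked", p["keyid"])
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(r.Headers["signature"], "sig=:"), ":"))
	if err != nil || !ed25519.Verify(pub, []byte(signatureBase(r, comps, raw)), sig) {
		return "", errors.New("bad signature")
	}
	seen[p["nonce"]] = true // recorded only on success, so failed attempts cannot burn nonces
	return p["keyid"], nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	req := Request{Method: "POST", Authority: "shop.example", Path: "/checkout", Headers: map[string]string{"signature-agent": `"directory.example"`}}
	Sign(&req, priv, "acme-agent-k1", "n-1", "agent-payer-auth", time.Now())
	fmt.Println(Verify(req, Directory{"acme-agent-k1": pub}, "agent-payer-auth", time.Now(), map[string]bool{}))
}
```

The ordering is the point: a browse-only tag at a checkout endpoint, an expired signature, a replayed nonce, or an unregistered keyid is rejected before any signature math, and a request with no headers at all is reported as anonymous so the caller can route it to bot management. A production verifier parses Structured Fields properly instead of the string splitting used here, resolves keyid under the Signature-Agent origin, and shares the nonce cache across instances.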
Skyfire KYAPay (signed JWTs)
Skyfire ships KYAPay as a commercial KYA service built on signed JWTs. The KYAPay token is a standard JWT signed by Skyfire's identity service, naming the agent operator, the user delegation, and a scoped spend authorization. The agent attaches the JWT to outgoing HTTP requests as a bearer token; the merchant verifies the signature against Skyfire's public-key endpoint and applies the merchant-side spend rules.
The JWT model is closer to OAuth than to RFC 9421. The token carries claims (operator ID, user ID, expiration, scope, max amount, merchant binding) inside a signed payload, rather than signing the HTTP request itself. The trade-off is verification surface: a JWT verifies independently of the request, so it is easier to integrate into existing OAuth-aware backends, but it does not bind to the specific HTTP request the way TAP's Signature-Input components do. A leaked JWT can be replayed against any endpoint accepting the same scope until it expires, and the merchant's only native defences are short lifetimes and tracking token IDs for single use; a leaked TAP signature is bound to one canonical request.
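An added example, not Skyfire's code or published schema, of the bearer-token pattern in Go: an EdDSA JWT minted by an identity service and verified by a merchant backend. The claim names (operator, sub for the user, aud for the merchant binding, scope, max_amount_cents, exp, jti) are this example's assumptions. The verifier pins the algorithm, checks the signature with the issuer's public key, then checks the claims against the purchase; what it cannot check is which HTTP request the token arrived on.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a constructed KYAPay-style payload; the claim names are assumptions, not Skyfire's schema.
type Claims struct {
	Issuer   string `json:"iss"`
	Operator string `json:"operator"`
	User     string `json:"sub"`
	Merchant string `json:"aud"`
	Scope    string `json:"scope"`
	MaxCents int64  `json:"max_amount_cents"`
	Expires  int64  `json:"exp"`
	JTI      string `json:"jti"`
}

// Purchase is what the merchant is about to charge for one request.
type Purchase struct {
	Merchant, Scope string
	Cents           int64
}

var b64 = base64.RawURLEncoding

// Mint is the identity-service side: an EdDSA signature over header.payload.
func Mint(c Claims, priv ed25519.PrivateKey) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput)))
}

// Verify is the merchant side. It pins alg (so "none" or an HMAC keyed with the public key
// cannot be substituted), checks the signature with the issuer's key, then checks every claim
// against this purchase. Nothing here depends on the HTTP request the token came with.
func Verify(token string, issuerPub ed25519.PublicKey, p Purchase, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("alg must be EdDSA")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(issuerPub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	switch {
	case now.Unix() >= c.Expires:
		return nil, errors.New("token expired")
	case c.Merchant != p.Merchant:
		return nil, fmt.Errorf("token bound to merchant %q, not %q", c.Merchant, p.Merchant)
	case c.Scope != p.Scope:
		return nil, fmt.Errorf("scope %q does not allow %q", c.Scope, p.Scope)
	case p.Cents > c.MaxCents:
		return nil, fmt.Errorf("amount %d exceeds authorised %d", p.Cents, c.MaxCents)
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tok := Mint(Claims{Issuer: "idp.example", Operator: "op-42", User: "u-7", Merchant: "shop.example", Scope: "purchase", MaxCents: 5000, Expires: time.Now().Add(5 * time.Minute).Unix(), JTI: "j-1"}, priv)
	c, err := Verify(tok, pub, Purchase{"shop.example", "purchase", 1999}, time.Now())
	fmt.Printf("%+v %v\n", c, err)
}
```

Because nothing in the token names the request, the same token verifies for any purchase that fits its claims until exp; that is the replay property described above. A merchant can narrow it by recording jti for single-use tokens or by demanding a short exp, but neither turns a bearer token into a request-bound signature.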
Skyfire's architectural bet is that JWT-native infrastructure is already pervasive enough to make KYAPay the path of least resistance for backends that already verify access tokens. The early adopter list reflects that bet: agent platforms shipping fast iterations of payment integrations rather than incumbent payment processors. Skyfire raised $9.5M total funding across two seed rounds in 2024 and is one of the named Layer 3 vendors in Rye's agentic commerce stack framework.
Mastercard Agentic Tokens (network identity)
Mastercard's KYA primitive is structurally different: instead of layering identity on top of HTTP, it embeds agent identity into the network token used for the card transaction itself. Mastercard unveiled Agent Pay on April 29, 2025, with a Citi and US Bank pilot starting September 2025 and a full US rollout in November 2025. The Agentic Token carries an agent-identity claim alongside the existing tokenized PAN, so the issuer can see at authorization time which agent operator made the request and apply network-level rules.
The architectural advantage is that no new merchant integration is required. Any merchant that accepts Mastercard tokens already accepts Agentic Tokens — the agent-identity claim is invisible to the merchant's checkout code, but visible to Mastercard's network and to the card issuer. The disadvantage mirrors the advantage: the identity claim only travels on Mastercard rails, which limits coverage to card-not-present authorizations going through that specific network. For the fuller mechanics, see the Mastercard Agent Pay explainer.
AP2 mandates (user-signed authorization)
Google's AP2 (Agent Payments Protocol) is sometimes grouped with KYA, but it solves a different question. AP2 cryptographically signs the user's authorization for the agent to spend, not the agent's identity to the merchant. AP2 launched September 2025 with 60+ partners including American Express, Coinbase, Mastercard, and PayPal; the specification lives on GitHub.
AP2 mandates are signed by the user's wallet or identity provider and carry the spend scope (merchant, max amount, time window, item type). The agent attaches the mandate to the request body; the merchant verifies the user's signature and treats the mandate as a binding authorization to charge. The piece AP2 doesn't solve is identity: a mandate proves the user signed something, but doesn't prove the agent attaching the mandate is the agent the user intended. In practice, AP2 mandates compose with TAP-signed headers: TAP signs the agent identity at the HTTP layer, AP2 signs the user mandate inside the request body, and the merchant verifies both before settling. Verifying the two signatures independently only proves that each is valid; for the composition to close the gap, the mandate has to name the delegated agent and the merchant has to compare that name with the identity TAP verified. The AP2 protocol explainer details the composition.
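An added example, not from the AP2 specification, of that composition step in Go: a user-signed mandate carried in the order body, checked by the merchant after the HTTP-layer identity check has already produced a verified agent keyid. The mandate fields (including agent_keyid for the delegated agent) and the assumption that the merchant can obtain the user's public key from the wallet or identity provider are this example's; the scope fields mirror the ones listed above. The signature is verified over the exact bytes the user signed rather than over a re-serialisation, which sidesteps JSON canonicalisation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Mandate is a constructed user-signed spend authorisation; field names are assumptions, not the AP2 schema.
type Mandate struct {
	User       string `json:"user"`
	AgentKeyID string `json:"agent_keyid"` // the agent the user delegated to
	Merchant   string `json:"merchant"`
	ItemType   string `json:"item_type"`
	MaxCents   int64  `json:"max_amount_cents"`
	NotBefore  int64  `json:"nbf"`
	Expires    int64  `json:"exp"`
}

// SignedMandate carries the exact bytes the user signed plus the signature, so the merchant
// verifies what was signed instead of re-serialising and hoping the bytes match.
type SignedMandate struct {
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

// SignMandate is the wallet side: the user's key signs the serialised mandate.
func SignMandate(m Mandate, userPriv ed25519.PrivateKey) SignedMandate {
	payload, _ := json.Marshal(m)
	return SignedMandate{Payload: payload, Sig: ed25519.Sign(userPriv, payload)}
}

// Order is the checkout body the agent sends, with the mandate embedded.
type Order struct {
	Merchant, ItemType string
	Cents              int64
	Mandate            SignedMandate
}

// Authorize runs after the HTTP-layer identity check has produced agentKeyID (the keyid a TAP or
// KYAPay verification returned). It checks the user's signature, the mandate scope against this
// order, and that the agent the user delegated to is the agent that actually signed the request.
func Authorize(o Order, userPub ed25519.PublicKey, agentKeyID string, now time.Time) (*Mandate, error) {
	if !ed25519.Verify(userPub, o.Mandate.Payload, o.Mandate.Sig) {
		return nil, errors.New("mandate not signed by this user")
	}
	var m Mandate
	if err := json.Unmarshal(o.Mandate.Payload, &m); err != nil {
		return nil, errors.New("malformed mandate")
	}
	switch {
	case m.AgentKeyID != agentKeyID:
		return nil, fmt.Errorf("mandate delegates to agent %q but the request was signed by %q", m.AgentKeyID, agentKeyID)
	case now.Unix() < m.NotBefore || now.Unix() >= m.Expires:
		return nil, errors.New("mandate outside its time window")
	case m.Merchant != o.Merchant:
		return nil, fmt.Errorf("mandate is for merchant %q, not %q", m.Merchant, o.Merchant)
	case m.ItemType != o.ItemType:
		return nil, fmt.Errorf("mandate allows %q, order is %q", m.ItemType, o.ItemType)
	case o.Cents > m.MaxCents:
		return nil, fmt.Errorf("order %d exceeds mandate cap %d", o.Cents, m.MaxCents)
	}
	return &m, nil
}

func main() {
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	sm := SignMandate(Mandate{User: "u-7", AgentKeyID: "acme-agent-k1", Merchant: "shop.example", ItemType: "books", MaxCents: 5000, NotBefore: now.Unix() - 60, Expires: now.Add(time.Hour).Unix()}, userPriv)
	order := Order{Merchant: "shop.example", ItemType: "books", Cents: 2499, Mandate: sm}
	m, err := Authorize(order, userPub, "acme-agent-k1", now) // agent identity as verified at the HTTP layer
	fmt.Printf("%+v %v\n", m, err)
	_, err = Authorize(order, userPub, "other-agent-k9", now) // same valid mandate, presented by a different agent
	fmt.Println(err)
}
```

The second call in main is the case the text warns about: a perfectly valid user signature, rejected only because the HTTP-layer identity does not match the agent the user delegated to. Without the agent_keyid comparison, any agent that obtained the mandate could spend under it.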
Forter, Riskified, HUMAN Security (fraud-side AgenticTrust)
The fraud-side KYA layer is where reputation enters the stack. Forter, Riskified, and HUMAN Security each launched agent-trust scoring layers in 2025–2026: HUMAN Security ships AgenticTrust as its named product; Forter launched Identity Monitoring for Agentic Commerce; Riskified extended its chargeback-guarantee product through a partnership with HUMAN to consume AgenticTrust signals. Each consumes the cryptographic identity claims from TAP, KYAPay, AP2, or Mastercard Agentic Tokens, then layers behavioral and reputational scoring on top. The output is a numeric trust score the merchant uses for risk decisioning, not a binary verify/reject.
Forter's Identity Monitoring for Agentic Commerce ingests TAP signatures, KYAPay JWTs, and the agent's transaction history across Forter's merchant network, returning a per-request trust score that merchants use to route high-risk orders to step-up review. Riskified, through its partnership with HUMAN Security, extended its existing chargeback-guarantee product to cover agent transactions verified through major identity standards. HUMAN Security's AgenticTrust adds bot-source attestation: the same engine that flags impersonation attacks now identifies legitimate agent traffic when the cryptographic proof is present, so merchants can apply different policies to verified-agent traffic versus the long tail of unverified bots.
The fraud-side layer is the answer to "cryptographic identity is necessary but not sufficient." A TAP signature only proves the request came from a registered operator. It says nothing about whether that operator's account is currently compromised, whether this specific request matches the operator's normal pattern, or whether the user's underlying credentials were stolen yesterday. Reputation scoring covers the gaps that pure crypto leaves open.
Comparing KYA Architectures
The five KYA standards split along four architectural dimensions: what they identify, who issues the keys, where the proof travels, and what kind of proof they carry. The table below compares all five, plus the underlying question each one answers.
| Standard | Backer | What It Identifies | Mechanism | Proof Location | Status |
| --- | --- | --- | --- | --- | --- |
| Visa TAP | Visa + Cloudflare | Agent operator identity | Ed25519 over canonical HTTP request (RFC 9421 + Web Bot Auth) | HTTP headers | Launched Oct 14, 2025; 12 partners |
| Skyfire KYAPay | Skyfire | Agent operator + user delegation | Signed JWT carrying claims | Bearer token in headers | Production |
| Mastercard Agentic Tokens | Mastercard | Agent identity bound to card token | Agent claim inside network token | Inside payment authorization | Full US rollout Nov 2025 |
| AP2 mandates | Google + payment networks | User authorization (not agent ID) | User-signed cryptographic mandate | Request body | Production; 60+ partners |
| Forter / Riskified / HUMAN | Fraud platforms | Agent reputation score | ML scoring over identity + history | Out-of-band API | Production; layered on others |
The composition matters more than the comparison. A typical 2026 production stack uses Visa TAP for HTTP-layer agent identity, AP2 mandates for user authorization inside the request body, Mastercard Agentic Tokens or another payment instrument for the actual settlement, and Forter or HUMAN Security as the fraud overlay consuming all three signals. Skyfire KYAPay is the lighter-weight alternative for backends that already verify JWTs and don't want to operate full RFC 9421 verification.
The non-overlap is the design feature. TAP doesn't carry user authorization, so it composes cleanly with AP2. AP2 doesn't carry agent identity, so it needs TAP or KYAPay above it. Mastercard Agentic Tokens carry both inside the network token, but only on Mastercard rails. Reputation layers consume whatever the cryptographic standards produce and add the behavioral signal those standards by definition cannot capture. The agent payment protocols comparison covers the wider stack each KYA standard plugs into.
Trade-offs and Open Questions
KYA standards in 2026 share three open architectural questions: centralized versus federated directories, key revocation latency, and privacy in the request path. None of the standards has fully landed on the answer, and each one accepts a different trade-off to ship.
The centralization question is the most visible. Visa runs the TAP directory; Skyfire runs the KYAPay key endpoint; Mastercard runs the Agentic Token issuance. Each operator is a single point of trust for its slice of the identity layer, and each has incentive to keep the directory small and reviewable in the early years. The TAP specification explicitly contemplates a federated directory model in future versions, and Skyfire's architecture allows third-party identity providers to issue compatible JWTs against a shared schema. The 2026 deployments use the centralized models because federation requires governance that doesn't exist yet.
Revocation latency is the unsexy trade-off that determines real security. A compromised operator's keys need to be revoked across every verifier that has cached them. TAP's reference implementation recommends a 60-second cache window with stale-while-revalidate semantics and an immediate invalidation push on revocation; without the push, a verifier can keep accepting a revoked key for the full cache window plus whatever stale grace period it allows, so the push path is the part to monitor. Skyfire's JWT model relies on short token lifetimes: typical KYAPay tokens live for minutes, not hours, so a compromise window is bounded by token expiration even without a revocation event. Mastercard's Agentic Tokens piggyback on existing card-network revocation infrastructure, which is fast for active cards but was never designed for the per-request revocation cadence agent traffic might require.
Privacy in the request path matters because KYA signatures are signed but not encrypted. Any intermediary on the path (CDN, edge proxy, fraud system) can read which agent operator made which request to which merchant, and so can anyone who later obtains those intermediaries' logs. For most commercial flows that's acceptable; for sensitive verticals (healthcare agents, regulated financial advice) the visibility is a downside. None of the 2026 KYA standards has a confidentiality-preserving variant in production, though privacy-preserving extensions using zero-knowledge attestation are an active research area.
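An added example (not the TAP reference implementation) of the cache behaviour just described, in Go: a verifier-side key cache with a 60-second freshness window, a bounded stale-while-revalidate grace period, and a revocation push that bypasses both. The origin lookup is a caller-supplied function standing in for the directory, the 30-second grace period is this example's choice, and the cache is single-goroutine for clarity (wrap it in a mutex in service code).

```go
package main

import (
	"fmt"
	"time"
)

// entry is one cached directory record.
type entry struct {
	key     []byte // the operator's public key bytes, opaque here
	fetched time.Time
	revoked bool
}

// Status reports how a lookup was served.
type Status string

const (
	Fresh   Status = "fresh"   // inside the freshness window, no origin contact
	Stale   Status = "stale"   // past the window, served while a refresh is due
	Fetched Status = "fetched" // origin consulted synchronously
	Revoked Status = "revoked" // revocation push seen, or the origin no longer lists the key
)

// KeyCache is a verifier-side directory cache: ttl is the freshness window, maxStale the
// stale-while-revalidate grace, origin the (hypothetical) directory lookup supplied by the caller.
type KeyCache struct {
	ttl, maxStale time.Duration
	origin        func(keyid string) ([]byte, bool)
	entries       map[string]*entry
}

func NewKeyCache(ttl, maxStale time.Duration, origin func(string) ([]byte, bool)) *KeyCache {
	return &KeyCache{ttl: ttl, maxStale: maxStale, origin: origin, entries: map[string]*entry{}}
}

// Refresh re-fetches one key from the origin; a key the origin no longer lists is marked
// revoked locally. This is what a background worker runs after a Stale hit.
func (c *KeyCache) Refresh(keyid string, now time.Time) {
	key, ok := c.origin(keyid)
	c.entries[keyid] = &entry{key: key, fetched: now, revoked: !ok}
}

// Revoke is the push path: the directory tells verifiers a key is dead and the cache honours
// it immediately, whatever the entry's age. Only a later Refresh can clear it.
func (c *KeyCache) Revoke(keyid string) {
	c.entries[keyid] = &entry{revoked: true}
}

// Lookup returns the key for keyid and how it was served. A revoked entry is never served.
// Beyond ttl+maxStale the cache blocks on the origin rather than trust an entry whose
// revocation it could have missed.
func (c *KeyCache) Lookup(keyid string, now time.Time) ([]byte, Status) {
	e, ok := c.entries[keyid]
	if ok && e.revoked {
		return nil, Revoked
	}
	if !ok || now.Sub(e.fetched) > c.ttl+c.maxStale {
		c.Refresh(keyid, now)
		if e = c.entries[keyid]; e.revoked {
			return nil, Revoked
		}
		return e.key, Fetched
	}
	if now.Sub(e.fetched) > c.ttl {
		return e.key, Stale // still served; the caller schedules Refresh
	}
	return e.key, Fresh
}

// WorstCaseAcceptance is how long a verifier that never receives the push can keep accepting
// a key the directory has already dropped: the whole freshness-plus-grace window.
func (c *KeyCache) WorstCaseAcceptance() time.Duration { return c.ttl + c.maxStale }

func main() {
	listed := map[string][]byte{"acme-agent-k1": []byte("pubkey-bytes")} // constructed directory contents
	c := NewKeyCache(60*time.Second, 30*time.Second, func(id string) ([]byte, bool) { k, ok := listed[id]; return k, ok })
	t0 := time.Now()
	_, s := c.Lookup("acme-agent-k1", t0)
	fmt.Println(s, c.WorstCaseAcceptance())
	c.Revoke("acme-agent-k1")
	_, s = c.Lookup("acme-agent-k1", t0.Add(time.Second))
	fmt.Println(s)
}
```

The asymmetry is the design point: a pushed revocation takes effect on the next lookup regardless of cache age, while a key silently dropped at the origin keeps being served for up to WorstCaseAcceptance. Alerting on push delivery failures is therefore more useful than tuning the TTL.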
The remaining open question is recourse. KYA gives merchants a cryptographically attributable identity to point at when fraud arrives, but the chargeback and liability rules for agent-driven transactions are still in flux. The card networks' draft rules for agent-attributed disputes anchor on the network token issuer (so Mastercard for Agentic Tokens, the issuer for traditional tokens), but the cryptographic identity layer is not yet a recognized liability shift on its own. The next two years of network-rule updates will determine whether a verified TAP signature meaningfully shifts liability away from the merchant — the regulatory question that ultimately drives KYA adoption.
Eco's Role
Eco operates a stablecoin execution network across 15 chains, sitting beneath the KYA layer rather than inside it. KYA standards verify who the agent is and what the user authorized; Eco handles where the dollars actually settle once those checks pass. The two layers compose without conflict, and the production stacks emerging in 2026 use both.
KYA is an identity layer. It tells the merchant whether to trust the request, but it doesn't move money. The actual settlement runs on whatever rail the merchant has integrated — a Visa or Mastercard card-not-present authorization, a stablecoin payment over x402, an ACP Shared Payment Token, or a direct USDC transfer. For agents and merchants settling cross-chain in stablecoins, Eco handles the orchestration the KYA layer leaves untouched: a TAP-signed agent request paying USDC on Base can land in a treasury on Solana or Tron, with Eco's solver network choosing the route, the bridge, and the finality guarantees. Eco uses Hyperlane and CCTP for the underlying transport. The same logic applies for agent wallets running multi-chain balances and for the broader agentic wallet category that needs a stablecoin settlement layer behind whatever identity layer sits in front. Identity standards like TAP and KYAPay solve the "is this agent legitimate" question; orchestration networks like Eco solve the "where do the dollars actually land" question. Both are required to ship a production agent payment, and the stacks emerging in 2026 use them together.
Sources and methodology. Standard launch facts and partner lists verified against primary sources: Visa's October 14, 2025 TAP launch announcement, the TAP reference implementation on GitHub, Cloudflare's "Securing agentic commerce" technical writeup, the Google AP2 specification on GitHub, Mastercard's Agent Pay launch, Skyfire's product documentation, and Forter's agentic commerce briefing. The HTTP Message Signatures specification is IETF RFC 9421; Web Bot Auth is an emerging IETF draft built on top of it. Adoption metrics reflect public processor and platform integrations as of Q1 2026; chargeback-and-liability framing reflects draft network rules in circulation rather than ratified policy.
Related reading
For broader context on agent identity, payment protocols, and how the KYA layer composes with adjacent infrastructure:
