
Authentication

KYA Token (Required for AP2)

AP2 endpoints require a valid X-KYA-Token header:

  1. GET /kya/challenge → receives {challenge, signature, ttl}
  2. Set header: X-KYA-Token: {challenge}:{signature}
  3. Gateway verifies: TTL (1h) + signature + rate limit (30 req/60s per agent)
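
The three checks in step 3, sketched as an added example (not the gateway's own code). Assumptions not stated on this page: the signature is HMAC-SHA256 over the challenge, the challenge string has the form agent_id.issued_at.nonce, and failed verification returns 401. The names issue_challenge, build_header and verify_token are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"   # assumption: HMAC key held only by the gateway
TTL_SECONDS = 3600                 # page: TTL (1h)
RATE_LIMIT, RATE_WINDOW = 30, 60   # page: 30 req/60s per agent
_recent = defaultdict(deque)       # agent_id -> times of accepted requests


def issue_challenge(agent_id, now=None):
    """Hypothetical issuer behind GET /kya/challenge (agent_id must not contain '.')."""
    issued = int(time.time() if now is None else now)
    challenge = f"{agent_id}.{issued}.{secrets.token_hex(8)}"
    signature = hmac.new(SECRET, challenge.encode(), hashlib.sha256).hexdigest()
    return {"challenge": challenge, "signature": signature, "ttl": TTL_SECONDS}


def build_header(resp):
    """Client side, step 2: X-KYA-Token value is {challenge}:{signature}."""
    return f"{resp['challenge']}:{resp['signature']}"


def verify_token(header_value, now=None):
    """Gateway side, step 3: return (status, reason) for an X-KYA-Token value."""
    now = time.time() if now is None else now
    challenge, sep, signature = header_value.rpartition(":")
    parts = challenge.split(".")
    if not sep or len(parts) != 3 or not parts[1].isdigit():
        return 401, "malformed token"
    expected = hmac.new(SECRET, challenge.encode(), hashlib.sha256).hexdigest()
    # Constant-time compare, and before the timestamp or agent id is trusted.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, "bad signature"
    if now - int(parts[1]) > TTL_SECONDS:
        return 401, "challenge expired"
    # Sliding window keyed on the authenticated agent id, so forged tokens
    # cannot consume another agent's quota.
    window = _recent[parts[0]]
    while window and now - window[0] >= RATE_WINDOW:
        window.popleft()
    if len(window) >= RATE_LIMIT:
        return 429, "rate limit exceeded"
    window.append(now)
    return 200, "ok"
```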

Rate Limiting

  • 30 requests per minute per client IP
  • 429 Too Many Requests when exceeded
  • Per-agent rate limiting on AP2 endpoints

CORS

All origins allowed. Explicit methods: GET, POST, OPTIONS. Headers: Content-Type, X-Agent-Identity, X-KYA-Token.