KYA Protocol
Know-Your-Agent — identity verification via RSA-2048 challenge/response.
How It Works
- Agent requests GET /kya/challenge
- Gateway returns signed challenge: {"challenge", "signature", "ttl", "ts"}
- Agent includes X-KYA-Token header on subsequent requests
- Gateway verifies: TTL check (1h) + result cache (5min) + per-agent rate limit (30 req/60s)
Get a Challenge
curl -k https://localhost:8080/kya/challenge
Response:
{
"challenge": "kya:challenge:demo_agent:1712345678",
"signature": "abc123...512-char-hex",
"ttl": 3600,
"ts": 1712345678
}
Use KYA Token
TOKEN=$(curl -sk https://localhost:8080/kya/challenge | python3 -c "import sys,json; d=json.load(sys.stdin); print(f'{d[\"challenge\"]}:{d[\"signature\"]}')")
curl -k -X POST https://localhost:8080/api/v1/ap2/checkout \
-H 'X-KYA-Token: '"$TOKEN" \
-H 'Content-Type: application/json' \
-d '{"intent_id": "test", "caller_identity": "demo_agent", "action": "compute", "resource": "task_001"}'
Enforcement
- Enforced on: POST /api/v1/ap2/checkout and POST /api/v1/ap2/charge
- Missing/expired token: HTTP 401
- Rate limit exceeded: HTTP 429
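The gateway-side checks listed under How It Works, mapped to the status codes above, as an added example that is not the project's own code. The KyaGate class, the order of the checks (TTL, then signature, then rate limit), caching successes only, and the caller-supplied verify_sig callable are assumptions; the page does not state the RSA padding or hash, so signature verification is injected rather than implemented here.

```python
import time
from collections import defaultdict, deque

TTL_S = 3600                      # challenge lifetime (1h)
CACHE_S = 300                     # verification result cache (5min)
RATE_MAX, RATE_WINDOW_S = 30, 60  # per-agent limit (30 req/60s)

class KyaGate:  # hypothetical name, not from the project
    def __init__(self, verify_sig, clock=time.time):
        # verify_sig(challenge, sig_hex) -> bool is supplied by the caller
        # (assumption: wraps the gateway's RSA-2048 public-key verification).
        self.verify_sig = verify_sig
        self.clock = clock
        self.verified = {}              # token -> time the cached result expires
        self.hits = defaultdict(deque)  # agent -> timestamps of accepted requests

    def check(self, token):
        """Return the HTTP status for one request: 200, 401 or 429."""
        now = self.clock()
        # The challenge contains ':' but the hex signature does not,
        # so split on the last colon only.
        challenge, _, sig = (token or "").rpartition(":")
        parts = challenge.split(":")
        if len(parts) != 4 or parts[:2] != ["kya", "challenge"] or not parts[3].isdecimal():
            return 401
        agent, ts = parts[2], int(parts[3])
        if not 0 <= now - ts <= TTL_S:  # expired, or dated in the future
            return 401
        if self.verified.get(token, 0) <= now:
            if not self.verify_sig(challenge, sig):
                return 401
            # Cache successes only, so forged tokens cannot grow the cache.
            self.verified[token] = now + CACHE_S
        # Rate-limit after authentication, so forged tokens naming an agent
        # cannot consume that agent's quota.
        window = self.hits[agent]
        while window and window[0] <= now - RATE_WINDOW_S:
            window.popleft()
        if len(window) >= RATE_MAX:
            return 429
        window.append(now)
        return 200
```
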