Every major agent platform — Anthropic, OpenAI, Mistral, Google — is solving identity inside its own walls. Every bot-defense vendor — Cloudflare, DataDome, hCaptcha, Arkose — is trying to classify the resulting agent traffic without any cryptographic signal to anchor on. The web needs a neutral layer that lets the second group verify what the first group signed. That layer is what AgentPKI is.
Cloudflare, DataDome, hCaptcha, Arkose either overblock (frustrate humans whose agents are working on their behalf) or underblock (bleed data and revenue to actual abuse). They need a third bucket.
MCP, A2A, AP2 — each solves identity inside its own walls. Nobody is building the neutral cross-vendor layer the rest of the web needs to verify an agent that doesn't live in their stack.
1–12 second finality + gas fees + an audit story that doesn't pass SOC 2 or the EU AI Act. Fine for settlement; unusable for the 90% of agent traffic that's research, scheduling, reading, automation.
The classical-PKI answer is missing. That's what AgentPKI is — open spec, edge-verified, vendor-neutral, chain-agnostic. The rest of this page is the long form: why this exists, why the existing pieces don't add up, and what we deliberately do (and don't) build.
A real example. An enterprise customer of Reuters tells their Anthropic-built research agent: "summarize the headlines for me each morning." The agent fetches Reuters' API the way a browser would. Reuters' bot-defense vendor sees: datacenter IP, no mouse movements, programmatic timing, no cookies. Verdict: bot. Blocked.
The human user is paying both Reuters and Anthropic. The agent was operating with their explicit consent. But the bot-defense vendor had no way to know any of that, because there was no cryptographic signal saying "this is a legitimate AI agent acting on a paying user's behalf."
This problem has three faces:
Bot-defense vendors will tell you that ~15% of their false-positive rate is now agent-driven and rising fast. That's where the cost is.
Multiple groups are building agent-identity pieces. Each one solves something. None of them solve this.
Good for: letting agents call tools/APIs they've been granted access to inside their own ecosystem. Solves the "what can this agent do on my behalf" question.
Doesn't solve: when an Anthropic-built agent talks to a random site that doesn't speak MCP, the receiving site has no way to verify the agent. MCP is great inside the Anthropic ecosystem; orthogonal to whether arbitrary websites trust the agent.
Good for: agents from different ecosystems negotiating a task together. Strong on capabilities, intent-passing, contracts.
Doesn't solve: a website doesn't speak A2A. A retail site can't run an A2A handshake on every HTTP request. The protocol layer is too high; we need something that fits inside a bearer token a CDN can verify in microseconds.
Good for: the commerce case — agent-initiated transactions, programmable money, on-chain settlement, transparent dispute trails. Kite shipped real product in this space in April 2026 ($35M raise from PayPal Ventures + General Catalyst) and we think the commerce wedge is a real category.
Doesn't solve: 1–12 second finality, gas costs, and an audit story that doesn't pass SOC 2 or EU AI Act make blockchain unusable for the 90% of agent traffic that isn't commerce — research, scheduling, reading, automation. Bot-defense vendors verifying 100M+ requests/sec at the CDN edge cannot pay 1s of latency. We integrate WITH Kite as a payment hook (the passport ID can be the principal for Kite-settled transactions), not against it.
Good for: service-to-service identity inside a cluster or trust domain. Mature, battle-tested, well-spec'd.
Doesn't solve: SPIFFE is designed for closed trust domains (your services in your cluster). The agentic-web problem is the opposite — an agent from their trust domain talking to your website with no prior relationship. AgentPKI is the cross-trust-domain layer; SPIFFE is the inside-the-cluster layer. They compose.
Good for: a vendor's own decision pipeline. Their model gets smarter over time.
Doesn't solve: an enterprise running DataDome on one property and Akamai on another needs both vendors to trust the same agent. Vendor-specific allow-lists don't compose. Worse, vendor lock-in against agent traffic creates an anti-trust footprint that hurts the whole web. The trust root needs to be neutral — same role TLS plays for service-to-service trust everywhere else.
Good for: long-term standards alignment. Three IETF Internet-Drafts for "Agent Identity Protocol" were filed in 2026. W3C VCs are a strong credential envelope. OWASP ANS handles agent name service discovery.
Doesn't solve: none of these are shippable as a production wire format today. AgentPKI v0.1 picks the well-vetted primitives (PASETO v4, Ed25519, RFC 9421) that work in production right now, with a credential-envelope abstraction so a W3C VC mode slots in backward-compatibly later.
Five deliberate design choices, each one a deliberate trade. None of them are accidents.
The protocol is published, licensed permissively, with a patent grant. Anyone can implement an issuer or verifier without asking us. We sell convenience (hosting, compliance, support); the protocol is the public good.
PASETO v4 + Ed25519 + RFC 9421 HTTP Message Signatures. Verifiable in microseconds on existing edge infrastructure. No new VM to run. No gas fees. No chain finality. The math is the same math TLS already uses every day.
The reference verifier runs on Cloudflare Workers. Issuer public keys cache in Workers KV. A passport gets verified globally, at the edge, in less time than a TCP handshake to the origin. Sites can adopt without an extra round-trip in their critical path.
A passport signed by anthropic.com verifies the same way on Cloudflare, Akamai, Fastly, or your own NGINX. There's no AgentPKI middleman in the trust path. Bot-defense vendors integrate AgentPKI as a signal; their decision logic stays theirs.
The protocol doesn't depend on a blockchain. But the passport's sub field can be a Kite agent identity, a DID, an Ethereum address. AgentPKI handles identity verification at the edge; chain-anchored systems handle settlement and transparency. They compose cleanly.
Honest trade-offs, so you know if AgentPKI is the right tool.
If you need on-chain settlement, dispute resolution, or programmable payment, use Kite (or any L2). AgentPKI identifies who the agent is; you can pair it with whichever settlement system fits.
Passports are short-lived (≤ 24h), not per-request. For per-request integrity, use Mode B (RFC 9421 HTTP Message Signatures) — but that's optional, not the default.
v0.1 ships PASETO v4 for production speed. The spec has a credential-envelope abstraction so VC mode slots in backward-compatibly. v0.2+ adds it for stacks that need W3C compliance.
Issuers run on GCP Cloud KMS today. T3 hardware-attested issuance (HSM + TPM attestation) ships alongside paid tiers Q3 2026 for regulated industries that need it.
Two customer types where the value is sharpest right now. Everyone else still benefits — but these are who we're talking to in 2026.
Cloudflare, DataDome, hCaptcha, Arkose, Castle, Kasada. Their false-positive rate on AI-agent traffic is rising every quarter. AgentPKI is a clean signal input — never overrides their decisions, just adds a "this agent presented a cryptographically-verified passport at tier T" bit to their scoring layer.
What they get: measurable false-positive reduction on the traffic that's growing fastest. A neutral trust root that doesn't favor any one agent platform. Optional revenue share on verifies.
Banks, healthcare, insurance, anything under SOC 2 / HIPAA / EU AI Act / GDPR. They have agents acting on customer data and need to prove which agent did what to which data, with cryptographic attestation regulators will accept.
What they get: KYB-verified issuance (T2), hardware-attested keys (T3), audit-grade mint log, dedicated verifier with residency control. The paper trail their compliance team can hand to a regulator.
No proprietary crypto. No bespoke tokens. Just the well-vetted primitives the rest of the internet runs on.
Platform-Agnostic Security Tokens. Modern alternative to JWT — no algorithm-confusion footgun.
EdDSA curve. Fast, deterministic, side-channel resistant. The crypto every modern stack agrees on.
Mode B binds the passport to method, URL, and body — kills replay attacks within the signature window.
Standard X.509 public-key envelope. Drop into existing PKI tooling without translation.
Spec under Apache 2.0 (patent grant). SDKs and reference verifier under MIT. Forkable, embeddable, no rug-pull.
Credential-envelope abstraction in the spec lets a Verifiable-Credential mode slot in backward-compatibly.
See the protocol run live, or skip ahead to the dashboard. We'd also rather hear your honest pushback now than after you've integrated.
