Cryptographic Identity
Every agent gets a unique Ed25519 keypair. No more anonymous agents acting in your name.
Define what AI agents can do. Verify every action. Revoke instantly.
Your AI agents act like root users on your production APIs. KYA gives them an identity, permissions, and a full audit trail. Just like you do for humans.
Stop flying blind with your agents. Every action, every identity, every decision: under your control.
Define exactly what each agent can do. Set spend limits, tool restrictions, and rate limits per agent.
Every action passes through an ALLOW/DENY gate before execution. Stop bad actions before they happen.
Revoke a compromised agent in seconds. No waiting, no propagation delays. Effective immediately.
Hash-chain integrity on every event. Know who acted, what they did, when, and why it was allowed.
Capability JWTs scoped to specific actions, with a 5–30 min TTL. Principle of least privilege, enforced.
Three steps to go from anonymous agents to fully controlled, auditable workflows.
Give your agent a cryptographic identity. Generate an Ed25519 keypair and register it with KYA. Your agent now has a verifiable name.
kya agent register \
--name "payment-agent" \
--pubkey ./agent.pub
# ✓ Agent registered: agt_01J...
Create a policy that specifies exactly what this agent is allowed to do: which tools, how much to spend, how often it can act.
kya policy create \
--agent payment-agent \
--tools "charge_payment" \
--max-tx 50 --max-day 500
# ✓ Policy bound: pol_02K...
Before any sensitive action, your service calls KYA's verify endpoint. Get ALLOW, DENY, or PENDING_APPROVAL with full reason codes.
POST /verify
{
"agent_id": "agt_01J...",
"action": "charge_payment",
"amount": 75
}
# → DENY: exceeds max_per_tx (50€)
Self-host the full stack in minutes. Apache 2.0 license. No usage limits, no vendor lock-in.
Register agents with Ed25519 keypairs. Every agent gets a unique, cryptographic identity.
Define allowed tools, spend limits and rate limits per agent in YAML or JSON.
One POST /verify call before each action. Returns ALLOW or DENY with a reason code.
Append-only, hash-chained log of every decision. Integrity-checkable at any time.
Revoke an agent or capability in seconds. All subsequent verify calls return DENY.
Official SDKs with Ed25519 signing, canonical JSON, and typed API clients.
Teams building agentic systems trust KYA to keep their agents accountable.
“We went from 'hoping our agents behave' to having cryptographic proof of every action. KYA is exactly the missing layer we needed.”
“The 5-minute quickstart is real. We had our first agent registered and verified in under 10 minutes. The audit trail alone is worth it.”
“We needed SOC2 compliance for our AI agents. KYA's tamper-proof audit log was exactly what our auditors were asking for.”
“Finally an IAM system that understands AI agents aren't humans. The capability token model maps perfectly to how LLMs operate.”
Everything you need to know about KYA.
Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.
Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.
The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely; in that mode a decision is only as current as the cached policy, so the cache refresh interval bounds how quickly a policy change or revocation reaches the caller.
Agent revocation takes effect within seconds: all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist entry whose TTL matches the token's own expiry, so the token is rejected at once and the entry disappears when the token would have expired anyway. No waiting for token expiry.
KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.
Yes. Each workspace maintains a SHA-256 hash chain over its audit events: every event commits to the hash of the one before it, so modifying, inserting or reordering historical events breaks the chain and is detected by the next integrity check. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits. As with any hash chain, catching a truncated tail, or a rewrite by someone who can also recompute every later hash, requires the current chain head to be recorded somewhere the log writer cannot alter.
Stop running agents as anonymous root users. Give them identity, permissions, and accountability. Up and running in 5 minutes.