What makes KYA different from regular IAM tools?

Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.

Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.

What latency does the /verify endpoint add?

The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely.

How does revocation work?

Agent revocation is immediate. Within seconds, all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist with matching TTL. No waiting for token expiry.

What programming languages are supported?

KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.

Is the audit log tamper-proof?

Yes. Each workspace maintains a SHA-256 hash chain over its audit events. Any modification to historical events breaks the chain and is immediately detectable. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits.

All articles

January 29, 202610 min read

Agent Authorization vs Human IAM: Why They're Not the Same Problem

Auth0, Okta, and AWS IAM were built for humans who log in. AI agents don't log in — they spawn, act at machine speed, and terminate. The authorization model must be fundamentally different.

When teams start thinking seriously about AI agent security, the first instinct is to reach for existing IAM infrastructure. Auth0 for authentication. AWS IAM roles for service access. Okta for policy management. It seems reasonable — these tools handle identity and access control for complex systems, so why not for agents?

The answer is architectural. Human IAM was designed around a session model. AI agents don't have sessions.

The Session Model and Why It Breaks #

Human IAM is fundamentally about answering one question at the start of an interaction: Is this person who they claim to be, and what are they allowed to do?

Auth0 authenticates a user, issues a JWT valid for 8 hours, and the application trusts that token for the session duration. AWS STS issues temporary credentials valid for 15 minutes to 12 hours. Okta issues an access token, and the user's session carries it until expiry or logout.

The security model works because:

Humans initiate sessions deliberately (they have to type a password or use MFA)
Sessions have bounded scope (the user is doing one thing at a time)
Sessions can be terminated (logout, session invalidation, admin revocation)

AI agents have none of these properties.

No deliberate session initiation. An agent spawns programmatically, often thousands of times per day, without any human authentication step. There is no login event. There is no MFA prompt. The agent simply exists and starts executing.

Unbounded scope. In a single LangGraph execution, an agent might call Stripe, then Salesforce, then send an email, then query a database, then make an external API call — all in under 10 seconds. The scope of each action is determined by the LLM's output at runtime, not by a pre-declared permission set.

Continuous operation. A human session ends when the user closes their browser. A production agent runs indefinitely. It might process 10,000 requests per hour for months without any human intervention.

The RBAC Mismatch #

Role-Based Access Control is the dominant model for human IAM. A user is assigned one or more roles. Roles grant access to resources. The authorization decision is: Does this user's role include permission for this resource?

For AI agents, the granularity is wrong.

Consider a payment processing agent. In RBAC terms, you might give it a "payment-processor" role with access to the Stripe API. That role-to-resource binding says nothing about:

The maximum transaction amount this agent can process
Whether this agent can issue refunds as well as charges
How many transactions per minute this agent can initiate
Whether this agent can process non-EUR currencies
What the cumulative daily spend limit is

RBAC grants access to a resource. Agent authorization needs to control how that resource is used — with quantitative limits, rate constraints, and conditional logic that depends on the payload of each specific request.

# What RBAC gives you:
role: payment-processor
permissions:
  - stripe:charge
  - stripe:refund

# What agent authorization needs:
agent: checkout-assistant-v2
allowed_tools:
  - create_charge
  - issue_refund
spend_limits:
  max_per_tx: 500
  max_per_day: 10000
rate_limits:
  max_calls_per_minute: 30
deny_conditions:
  - field: amount
    op: gt
    value: 500
  - field: currency
    op: not_in
    values: [EUR, USD, GBP]
  - field: refund_ratio
    op: gt
    value: 0.15  # deny if refund rate exceeds 15% of charges today

This is not a role. This is a policy engine that evaluates every individual action request against quantitative business rules.

Latency: The Invisible Constraint #

Human authentication happens once per session. Adding 200ms to a login flow is noticeable but acceptable. The overhead is amortized over the entire session.

Agent authorization happens on every action. An agent processing 50 decisions per minute cannot absorb a 200ms authorization overhead — that's 10 seconds of latency per minute, or 16.7% overhead on the agent's throughput.

Production agent IAM has hard latency requirements:

p50: under 5ms
p99: under 20ms
p99.9: under 50ms

Traditional IAM systems were not designed for these constraints. Auth0's average token validation time is in the 50–200ms range for API calls. AWS IAM policy evaluation, when it requires a remote call, adds similar overhead.

Agent authorization requires a local policy cache — a Redis-backed store of the current policy state that can evaluate ALLOW/DENY decisions in memory without a network round-trip:

# Local verification mode: policy cached in Redis
# Network hop eliminated; p99 < 5ms
result = kya.verify_local(
    agent_id="agt_01JXMK9P2Q3R4S5T6U7V",
    action="create_charge",
    payload={"amount": 150}
)

The remote verify endpoint (p99 < 20ms) handles initial requests and cache misses. The local mode handles high-throughput steady-state operations.

Audit: Who Did What vs. What Was Allowed and Why #

Human IAM audit logs record authentication events: who logged in, from where, when, and whether MFA was used. For human access control, this is sufficient — the authorization decision happened at login, and subsequent access is covered by the session.

For agent authorization, the audit requirement is fundamentally different. Every individual action must be logged with:

The agent's cryptographic identity (not just a username or role)
The exact payload of the action request (or a hash of it)
The policy version that was evaluated
The decision and reason code (ALLOW, DENY, DENY_SPEND_LIMIT_EXCEEDED, etc.)
The state at decision time (daily spend used, rate limit window, etc.)
A hash of the previous audit entry (tamper-evidence)

Human IAM audit logs are event streams. Agent IAM audit logs are hash chains — each entry cryptographically linked to the previous one, making any modification to historical records immediately detectable.

{
  "event_id": "evt_01JXMK9P...",
  "agent_id": "agt_01JXMK9P2Q3R4S5T6U7V",
  "action": "create_charge",
  "payload_hash": "sha256:a7f3c9d2...",
  "policy_version": "pol_03",
  "decision": "ALLOW",
  "reason": "within_daily_limit",
  "state": {
    "daily_spend_before": 2340,
    "daily_spend_after": 2490,
    "daily_limit": 10000
  },
  "timestamp": "2026-01-29T14:23:01.442881Z",
  "prev_hash": "sha256:b8e4d1f7..."
}

This is the evidence format that SOC 2 Type II auditors are increasingly requesting for AI agent systems.

Revocation: Session Invalidation vs. Agent Termination #

Human IAM revocation invalidates a session or rotates credentials. The blast radius is limited: one user, one session, one credential set.

Agent revocation is more complex. At any point, there may be:

Multiple instances of the same agent type running in parallel
In-flight capability tokens that have already been issued
Distributed caches that have already evaluated recent policy decisions

Effective agent revocation requires a multi-layer approach:

Layer 1: Agent registry revocation. Mark the agent ID as revoked. All subsequent verify calls return DENY immediately.

Layer 2: Capability token blacklist. Add all capability tokens issued to this agent to a Redis blacklist, with TTL matching the token expiry. Any service that validates capability tokens will reject blacklisted tokens regardless of their signature validity.

Layer 3: Policy cache invalidation. Broadcast a cache invalidation to all nodes running local verification mode, forcing them to re-fetch policy state from the registry.

This three-layer approach achieves effective revocation in under 10 seconds — faster than most credential rotation workflows, and with surgical precision that doesn't affect other agents or services.

The Complementary Model #

Human IAM and agent IAM are not competing solutions. They address different threat surfaces in the same system.

Use Auth0 or Okta for human authentication flows: login, SSO, MFA, session management. These tools are well-suited for users who authenticate once and maintain sessions.

Use an agent IAM layer for autonomous process authorization: every action verification, policy enforcement, capability tokens, and tamper-proof audit trails. These requirements are specific to agents and are not addressed by human-oriented IAM systems.

The architecture is:

Human User → Auth0 → Your Application
AI Agent → Agent IAM (KYA) → Your Application's Tools and APIs

The human authentication layer and the agent authorization layer coexist. The agent IAM layer does not replace Auth0 — it fills the gap that Auth0 was not designed to address.

The Session Model and Why It Breaks#

The RBAC Mismatch#

Latency: The Invisible Constraint#

Audit: Who Did What vs. What Was Allowed and Why#

Revocation: Session Invalidation vs. Agent Termination#

The Complementary Model#