What makes KYA different from regular IAM tools?

Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.

Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.

What latency does the /verify endpoint add?

The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely.

How does revocation work?

Agent revocation is immediate. Within seconds, all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist with matching TTL. No waiting for token expiry.

What programming languages are supported?

KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.

Is the audit log tamper-proof?

Yes. Each workspace maintains a SHA-256 hash chain over its audit events. Any modification to historical events breaks the chain and is immediately detectable. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits.

Know Your AgentDocs

Blog GitHub fr Get started

Comparison

KYA vs Auth0 for AI Agents — Why Traditional IAM Falls Short

Auth0 was designed for human logins. AI agents need a different model: per-action verification, short-lived capability tokens, and tamper-proof audit logs. Here's a detailed comparison.

The fundamental difference

Auth0 and Okta are session-based: a human authenticates once, gets a token valid for hours. AI agents don't log in — they spawn, execute actions at machine speed, and terminate. The session model doesn't apply.

Feature comparison

KYA is purpose-built for the agentic model: per-action verification, short-lived capability tokens (5-minute TTL), and a hash-chained audit log designed for machine-speed workloads.

Feature	KYA	Alternative
Identity model	Ed25519 keypair per agent	User account / service account
Token lifetime	5–30 minutes (capability token)	Hours / days (session JWT)
Permission scope	Per action (tool + spend + rate)	Per role (RBAC)
Verification	Pre-execution gate (ALLOW/DENY)	Post-authentication only
Audit log	Hash-chain, tamper-evident, every action	Login events only
Revocation	Seconds, per-capability	Session invalidation
Latency target	p99 < 20ms	Not designed for agent workloads
Open source	Yes (Apache 2.0)	No

When to use Auth0 vs KYA

Auth0 is the right choice for human authentication flows: login, SSO, MFA. KYA is the right choice when an autonomous AI agent needs to perform actions on production systems. The two are complementary: use Auth0 to authenticate your users, use KYA to control what your agents can do.

Getting started with KYA

KYA can be integrated in under 5 minutes with a single function call around your tool execution. The SDK is available for Python and JavaScript/TypeScript.

Try KYA for free

Add identity & permissions to your AI agents in under 5 minutes.

Read the quickstart →View on GitHub

KYA vs AWS IAM for LLM Agents →Why KYA? →