What makes KYA different from regular IAM tools?

Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.

Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.

What latency does the /verify endpoint add?

The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely.

How does revocation work?

Agent revocation is immediate. Within seconds, all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist with matching TTL. No waiting for token expiry.

What programming languages are supported?

KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.

Is the audit log tamper-proof?

Yes. Each workspace maintains a SHA-256 hash chain over its audit events. Any modification to historical events breaks the chain and is immediately detectable. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits.

Know Your AgentDocs

Blog GitHub fr Get started

Comparison

KYA vs AWS IAM for LLM Agents — What's Missing

AWS IAM controls what AWS services a role can call. It doesn't understand agent actions, capability tokens, or per-action spend limits. Here's how KYA fills the gap.

AWS IAM is infrastructure-level, not action-level

AWS IAM controls which AWS APIs a role can call. It has no concept of 'this agent can charge up to €50 per transaction' or 'this agent can write to the CRM but only for deals under €10k'. The granularity stops at the API level.

Feature comparison

KYA adds an action-level permission layer on top of any infrastructure — AWS or otherwise.

Feature	KYA	Alternative
Scope	Any action (tool call, API, external service)	AWS APIs only
Granularity	Per action with spend + rate limits	Per API method
Business logic policies	Yes (max_per_tx, max_per_day, conditions)	No
Agent identity	Ed25519 cryptographic identity	IAM Role ARN
Short-lived tokens	Yes, 5-min capability tokens	STS tokens (15min–12h)
Audit log	Hash-chain, every agent action	CloudTrail (API calls only)
Multi-cloud / on-premise	Yes	AWS only
Open source	Yes (Apache 2.0)	Proprietary

Using KYA with AWS

KYA and AWS IAM work together: use IAM to grant your agent the AWS roles it needs, and use KYA to enforce business-level policies on top. KYA intercepts every tool call before it reaches the AWS SDK.

Try KYA for free

Add identity & permissions to your AI agents in under 5 minutes.

Read the quickstart →View on GitHub

KYA vs Auth0 for AI Agents →Why KYA? →