What makes KYA different from regular IAM tools?

Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.

Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.

What latency does the /verify endpoint add?

The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely.

How does revocation work?

Agent revocation is immediate. Within seconds, all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist with matching TTL. No waiting for token expiry.

What programming languages are supported?

KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.

Is the audit log tamper-proof?

Yes. Each workspace maintains a SHA-256 hash chain over its audit events. Any modification to historical events breaks the chain and is immediately detectable. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits.

Know Your AgentDocs

Blog GitHub fr Get started

Use Case

Tamper-Proof Audit Logs for AI Agents — SOC2, GDPR, HIPAA

AI agents acting in production need audit evidence. KYA provides a hash-chained, append-only audit log of every agent action — ALLOW or DENY — with the policy version that authorized it. SOC2 and GDPR ready.

Why standard logging is not enough

Standard logging records what happened. It doesn't prove it. A malicious actor with write access to your logs can alter or delete records. For compliance — SOC2, GDPR, HIPAA — you need tamper-evident evidence that the log hasn't been modified.

KYA's hash-chain audit log

Every KYA audit event includes a SHA-256 hash of the previous event. Modifying any historical record breaks the chain — and KYA detects it. You can cryptographically prove to an auditor that the log is complete and unaltered.

What gets logged

Every verify decision includes: agent identity (cryptographic), action requested, payload hash, policy version evaluated, decision (ALLOW/DENY), reason code, timestamp (nanosecond precision), and the hash of the previous event.

Compliance use cases

SOC2 Type II requires evidence of access control enforcement. GDPR requires records of who accessed personal data and why. HIPAA requires audit trails for PHI access. KYA's audit log provides all three — automatically, for every agent action.

Add KYA to your agent

Get identity, permissions, and audit logs in under 5 minutes.

Quickstart guide →API Reference

LangChain Agent Permissions with KYA →OpenAI Function Calling Security with KYA →KYA vs Auth0 for AI Agents →KYA vs AWS IAM for LLM Agents →