What makes KYA different from regular IAM tools?

Traditional IAM (like Auth0, Okta) is designed for humans who log in. AI agents operate differently: they act continuously, autonomously, and at machine speed. KYA is built specifically for agent identity, with short-lived capability tokens, action-level verification, and cryptographic signatures on every request.

Yes. KYA is fully open-source (Apache 2.0) and ships with a Docker Compose setup. You can run the full stack (API + PostgreSQL + Redis) on your own infrastructure in minutes.

What latency does the /verify endpoint add?

The /verify endpoint targets a p99 latency under 20ms when self-hosted. KYA also supports a local verification mode with a Redis-backed policy cache that eliminates the network hop entirely.

How does revocation work?

Agent revocation is immediate. Within seconds, all subsequent verify calls for that agent return DENY. Capability revocation (for in-flight JWTs) uses a Redis blacklist with matching TTL. No waiting for token expiry.

What programming languages are supported?

KYA ships with official SDKs for JavaScript/TypeScript (@kya/sdk-js) and Python (@kya/sdk-python). Both include Ed25519 key generation, canonical JSON serialization, and typed API clients. The REST API works with any language.

Is the audit log tamper-proof?

Yes. Each workspace maintains a SHA-256 hash chain over its audit events. Any modification to historical events breaks the chain and is immediately detectable. This design satisfies the tamper-evidence requirements for SOC2 and ISO 27001 audits.

Know Your AgentDocs

Blog GitHub fr Get started

Use Case

Add Identity & Permissions to LangChain Agents

LangChain gives your agents tools. KYA controls what they're allowed to do with those tools. Add pre-execution verification, spend limits, and tamper-proof audit logs to any LangChain agent in minutes.

The problem with LangChain agents in production

LangChain makes it easy to give agents powerful tools: web search, database writes, Stripe charges, email sending. But there's no built-in mechanism to say 'this agent can charge up to €100 but no more' or 'this agent cannot delete records'. Every tool call goes straight through.

How KYA wraps LangChain tools

KYA integrates as a wrapper around LangChain's tool execution layer. Before any tool runs, KYA's verify gate checks the agent's identity, evaluates the policy, and returns ALLOW or DENY. Your LangChain code barely changes.

Code example

from langchain.agents import AgentExecutor
from kya import KYAClient, wrap_tools

kya = KYAClient(api_key="kya_...")

# Wrap your tools with KYA verification
secure_tools = wrap_tools(
    tools=[stripe_tool, crm_tool, email_tool],
    agent_id="agt_sales_assistant",
    kya_client=kya
)

agent = AgentExecutor(
    agent=your_agent,
    tools=secure_tools  # drop-in replacement
)

What you get

Every tool call is verified before execution. Unauthorized actions are denied with a reason code. Every decision is logged in the tamper-proof audit trail. Your LangChain agent is now a compliant, accountable system.

Add KYA to your agent

Get identity, permissions, and audit logs in under 5 minutes.

Quickstart guide →API Reference

OpenAI Function Calling Security with KYA →Tamper-Proof Audit Log for AI Agents →KYA vs Auth0 for AI Agents →KYA vs AWS IAM for LLM Agents →