Security Brief for Sellers and Bot Managers

Protocol Flow

KYA

  • kya tokens present the verified identity credentials of the agent platform, agent, and the human principal behind the agent
  • Skyfire conducts KYBs on the buy-side agent platforms that it onboards
    • This ensures that the buy-side agents are who they say they are
  • Skyfire directly, or via the trusted agent platforms, verifies the identity of the human principals / businesses behind the agents
  • The identity layer in kya tokens is extensible in case more intermediaries need to be verified on the buy-side, e.g. in case of referral sales

Tokens

Token Transport

  • Tokens are sent directly from the buyer to the seller
    • There is no intermediary
    • Skyfire recommends end-to-end encryption for these connections e.g. HTTPS
  • Tokens are typically contained in a custom HTTP header e.g. skyfire-pay-id
    • HTTP headers are encrypted by the HTTPS protocol

Token Verification

  • Sellers and their Bot Managers verify the validity of the tokens - both signature and claims
  • Replay attacks
    • Audience and Seller Service Identifier
      • The aud, ssi, srl, and sdm claims make it so that stolen / copied tokens are only valid at the specified seller
    • Expiry
      • exp claim
      • Sellers can set the maximum expiry of tokens created for them
      • Shorter expiry times lower the threat of replay attacks but also add friction for buyers
      • Sellers can select what is optimal for them
    • JTI
      • The jti claim can be used to de-duplicate tokens at the seller
      • The seller can require the buyer to create a new token for each request
      • This does add friction for buyers so instead the seller could use shorter expiry times.
    • IP addresses
      • The IP address from which the agent created the token is included in the KYA token in the aid.creation_ip claim.
      • The Agent Platform can further set IP address ranges from which it originates its traffic. This is carried in the aid.source_ips claim.
      • The seller and/or their bot manager can independently verify whether the incoming traffic from the buyer matches one of these IP addresses. If it does not, then the seller can use that as a signal to decline / block the requests.
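
The replay checks listed above, sketched as seller-side logic in an added example (not Skyfire's code). It assumes the signature has already been verified, that aud and ssi are single strings, that aid.creation_ip is one address and aid.source_ips is a list of CIDR ranges; ClaimChecker and the decision labels are hypothetical names, and srl / sdm are left out because their formats are not given here.

```python
import ipaddress
import time


class ClaimChecker:
    """Seller-side claim checks, applied only after the signature has verified."""

    def __init__(self, aud, ssi, clock=time.time):
        self.aud, self.ssi, self.clock = aud, ssi, clock
        self.seen = {}  # jti -> exp; entries are dropped once the token expires

    def check(self, claims, peer_ip):
        """Return (decision, reason): 'accept', 'flag' or 'reject'."""
        now = self.clock()
        self.seen = {j: e for j, e in self.seen.items() if e > now}

        # Audience binding: a copied token is useless at any other seller.
        if claims.get("aud") != self.aud or claims.get("ssi") != self.ssi:
            return "reject", "issued for another seller or service"
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return "reject", "missing or expired exp"
        # Single-use policy: each jti is honoured once within its lifetime.
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti or jti in self.seen:
            return "reject", "missing or replayed jti"
        self.seen[jti] = exp

        # Assumed formats: creation_ip is one address, source_ips a CIDR list.
        aid = claims.get("aid")
        aid = aid if isinstance(aid, dict) else {}
        ranges = list(aid.get("source_ips") or [])
        if aid.get("creation_ip"):
            ranges.append(aid["creation_ip"])
        try:
            peer = ipaddress.ip_address(peer_ip)
            nets = [ipaddress.ip_network(r, strict=False) for r in ranges]
        except (ValueError, TypeError):
            return "flag", "unparseable address in token or connection"
        # A mismatch is a signal, not proof: the seller decides what to do.
        if not any(peer in net for net in nets):
            return "flag", "peer address not in creation_ip or source_ips"
        return "accept", "claims consistent with this request"
```

A seller that prefers short expiry over per-request tokens would drop the jti check and cap exp instead; the "flag" result can feed the bot manager's decision to decline or block.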

Token Acceptance

  • kya tokens are not a free pass
    • Sellers and their Bot Managers inspect them for validity and can then grant access selectively

Token Creation

  • KYAPay is NOT meant as a requirement to identify each and every agent, bot, or crawler regardless of use case. It is meant to enable merchants, content publishers, and other sellers to conduct commerce with humans via their designated agents by making such transactions easy to identify and verify.