The kya labs Trust Constitution

Agents Are Not Bots

For twenty years, merchants built an arms race against bots. CAPTCHAs, device fingerprinting, behavioral analysis, IP reputation, rate limiting — billions of dollars answering one question: "Is this a human?"

It was the right question. Until now.

Because now there's a third category. Not human. Not bot. Something new: an authorized actor — trusted by a real person, acting on their behalf, with explicit consent, for a specific purpose, for a limited time.

kya labs is the proof that your agent is not a bot. Not by fighting the merchant's defenses. Not by bypassing their bot detection. By giving your agent a way to declare what it is: an authorized actor, not anonymous traffic.

kya labs is K.Y.A. infrastructure — Know Your Agent. The verification layer that answers: Who is this agent acting for? What does it intend to do? Is it authorized to do it?


Our Commitments


K.Y.A. — Know Your Agent

K.Y.A. is the framework for verifying AI agent identity, intent, and authorization before agents interact with merchants and services. It answers three questions:

  1. Who is this agent acting for? — Principal identity, verified via OAuth
  2. What does it intend to do? — Declared scope and intent, per action
  3. Is it authorized to do it? — Consent key, trip-level token, human approval

kya labs is K.Y.A. infrastructure. Every declaration creates a verified, user-consented record of agentic commerce behavior. What agents browse. What they intend to buy. Where they get blocked. Where they get through.


For Merchants

How Badge Works With Your Defenses

Your bot defenses work. Badge adds one signal on top of them.

kya labs publishes io.kyalabs.common.identity as a UCP checkout extension. Merchants who adopt Badge inject this capability into their /.well-known/ucp manifest. Every UCP-compliant agent at your store discovers it automatically.

When an agent carries a Badge declaration, it presents verified identity, declared intent, and a traceable human principal. You get one new column in your decision matrix: declared or undeclared. Nothing changes in your infrastructure. Your fraud systems stay intact.

What a Declared Agent Carries

How to Verify

Programmatic (recommended): Use standard OAuth 2.0 token introspection (RFC 7662). Send the Bearer token to POST /api/oauth/introspect. Returns {active: true} or {active: false}. One HTTP call. No kya labs account required. Non-blocking. Discover the endpoint via /.well-known/oauth-authorization-server (RFC 8414).

Manual: Contact agent_identity@kyalabs.io with the token to verify principal identity (requires user consent).
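
A merchant-side sketch of the programmatic check described above, as an added example (not code from kya labs or its SDK). It discovers the introspection endpoint from RFC 8414 metadata, posts the token per RFC 7662, and treats anything other than a literal active: true as undeclared. The issuer host issuer.example, the sample metadata, and all function names are assumptions; the HTTP client is passed in so the logic runs offline.

```typescript
// Added example, not kya labs code. Function names and issuer.example are assumptions.
type HttpResponse = { status: number; json(): Promise<unknown> };
type HttpInit = { method: string; headers: Record<string, string>; body: string };
type HttpFetch = (url: string, init?: HttpInit) => Promise<HttpResponse>;

// RFC 8414 section 3.3: the metadata "issuer" must equal the issuer we queried.
function introspectionEndpoint(issuer: string, metadata: unknown): string {
  const m = (metadata ?? {}) as { issuer?: unknown; introspection_endpoint?: unknown };
  if (m.issuer !== issuer) throw new Error("issuer mismatch in metadata");
  const ep = m.introspection_endpoint;
  if (typeof ep !== "string" || !/^https:\/\//.test(ep)) {
    throw new Error("missing or non-HTTPS introspection_endpoint");
  }
  return ep;
}

// RFC 7662 section 2.1: the token travels in a form-encoded POST body, never in the URL.
function buildIntrospectionRequest(token: string): HttpInit {
  return {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
    body: "token=" + encodeURIComponent(token),
  };
}

// Fail closed: only HTTP 200 with a boolean active === true counts as declared.
function isDeclared(status: number, body: unknown): boolean {
  if (status !== 200 || typeof body !== "object" || body === null) return false;
  return (body as { active?: unknown }).active === true;
}

// Any error yields "undeclared", so existing bot defenses make the decision.
// Assumes the issuer URL has no path component.
async function verifyBadgeToken(issuer: string, token: string, http: HttpFetch): Promise<boolean> {
  try {
    const meta = await http(issuer + "/.well-known/oauth-authorization-server");
    if (meta.status !== 200) return false;
    const endpoint = introspectionEndpoint(issuer, await meta.json());
    const res = await http(endpoint, buildIntrospectionRequest(token));
    return isDeclared(res.status, await res.json());
  } catch {
    return false;
  }
}

// Constructed sample metadata; issuer.example is a placeholder host.
const SAMPLE_METADATA = {
  issuer: "https://issuer.example",
  introspection_endpoint: "https://issuer.example/api/oauth/introspect",
};
```

In production, pass the runtime's fetch as the http argument and cache the discovered endpoint rather than fetching the metadata on every request.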

Install

Future merchant apps (Shopify, etc.) coming under Badge by kya labs.

Non-Shopify merchants: Email merchants@kyalabs.io for manual manifest injection.

Full merchant documentation: kyalabs.io

Badge-declared agents do not bypass access controls. If your site requires login, CAPTCHA, or human verification — that is between the user and your platform. Badge declares identity on allowed actions. Nothing more.


UCP Identity Linking

kya labs is a Credential Provider in the Universal Commerce Protocol (UCP) — the open standard for agent commerce co-developed by Google and Shopify. UCP is adopted by Target, Walmart, Wayfair, and Etsy.

UCP's extensible capability model allows any domain owner to publish extensions. kya labs publishes io.kyalabs.common.identity — a checkout extension that lets agents declare verified human authorization before acting at a merchant. Merchants who adopt Badge signal to every UCP-compliant agent that declared agents are preferred.

The extension is open source under the MIT license. The full merchant documentation is at kyalabs.io. The UCP specification is at ucp.dev. The protocol repo is at github.com/kyalabs/ucp-agent-badge.


For Developers

kya labs ships as a TypeScript SDK. Your agent declares itself with three methods: init, declareVisit, reportOutcome. MIT-licensed, zero runtime dependencies. Also available as an MCP adapter for MCP-native agent runtimes.

MCP runtime adapter (optional)

Tool | What It Does
kya_getAgentIdentity | Declare agent identity → get verification token (Badge)

Get Started

npm install @kyalabs/badge-sdk

If you are wiring Badge into an MCP-native runtime instead of a TypeScript app, use the MCP adapter:

npx @kyalabs/badge

Sign up at kyalabs.io to get your API key. Five-minute setup.

Badge for Agents

Badge is the mechanism by which an authorized actor proves it's not a bot. Before any action, the agent declares itself — and that declaration carries weight.

Think of it like a prescription pickup: you can authorize your mom to pick up your prescription, but that doesn't mean she can pick up all your prescriptions, forever, at any pharmacy. The authorization is specific: this action, this merchant, this session.

Badge works the same way. Your agent doesn't get broad, standing rights. It gets trip-level authorization — per action, at the moment of action, through the SDK.

What Badge Declares

Every Badge-identified agent session carries:

How Verification Works

  1. Agent calls Badge.init() before any shopping action
  2. kya labs issues an HMAC-SHA256 verification token tied to the authenticated principal
  3. Agent presents the disclosure and token to merchants during the session
  4. Merchants can verify the token and contact agent_identity@kyalabs.io to confirm principal identity (with user consent)

No card is issued. No money moves. Badge is the identity layer — the verified handshake that lets authorized agents through while bot defenses stay intact.

Badge Token Lifecycle

Badge verification tokens are issued per shopping session and expire after 24 hours. Each token is:

Consent-Scoped Observability

Badge tracks what happens to your agent — but only within the boundaries you set.

Design Principles

Badge is designed with merchant agent policies in mind — including those of Amazon, Shopify, Walmart, Instacart, and others. We do not claim compliance with any specific merchant's policy. We build for the pattern: declared identity, declared intent, verified principal, traceable action.


Security Infrastructure

Authentication & Authorization

Data Protection

Infrastructure Security

Continuous Security


Compliance Posture

SOC 2: kya labs is not SOC 2 certified. We are building toward it as we grow. Enterprise customers requiring a formal audit timeline can request one directly via security@kyalabs.io.

Data Processing Agreement (DPA): Available on request. Contact security@kyalabs.io with the name of the counterparty entity and the scope of the intended data processing.


PayClaw LLC (d/b/a kya labs) · kyalabs.io · security@kyalabs.io