StableKYA.com · StableDID.com
Know Your Agent
The bottleneck for the agent economy is shifting from intelligence to identity. Non-human identities outnumber human employees 96-to-1 in financial services — yet these identities remain unbanked ghosts. This page maps where agent identity verification fires in the stablecoin payment lifecycle.
"Just as humans need credit scores to get loans, agents will need cryptographically signed credentials to transact — linking the agent to its principal, its constraints, and its liability. The industry that built KYC infrastructure over decades now has just months to figure out KYA."
— Sean Neville, cofounder of Circle and architect of USDC; CEO of Catena Labs
Reading the Stage Map
Each row is a KYA checkpoint — one of five verification steps an agent must pass. Each column is an STP stage. Hexagons are gates (code-enforced); diamonds are obligations (policy-enforced). The first three checkpoints concentrate at Stages 2–4, the identity and discovery phases. The compliance pipeline spans S2–S7 — the full transactional surface. Credential health fires at S8, Finality — an ongoing obligation that outlives any single transaction.
Neville's framing maps directly: principal resolves at S2, permissions verify at S2–S3, constraints evaluate at S3–S4, liability runs S2–S7, and reputation persists at S8.
Resolve Principal
The foundational layer. Before any agent transacts, the counterparty needs to know: who is the human or organization behind this agent? The DID document is the KYA credential — it links the agent to its principal through cryptographic verification, not an API call to a centralized directory. Six DID methods compete for this role, each with different trust anchors and resolution speeds. Catena's ACK-ID uses did:web with service endpoints for both identity and payment — the first preset in the resolver below is did:web:catena.inc.
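How a did:web identifier turns into the HTTPS location of its DID document, and the binding check a verifier applies to what it fetches, shown as an added example (not code from this page or from Catena). The function names, the sample document and the `agents.example` and `example.com` hosts are constructed for illustration, and the "must contain a verification method" rule is an assumed local policy.

```python
from urllib.parse import unquote

def did_web_to_url(did: str) -> str:
    """Map a did:web identifier to the HTTPS URL of its DID document."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web identifier")
    segments = did[len(prefix):].split(":")
    if "" in segments:
        raise ValueError("empty segment in did:web identifier")
    # Colons separate path segments; a port travels percent-encoded as %3A.
    host = unquote(segments[0])
    path = [unquote(s) for s in segments[1:]]
    # Reject input that would move resolution to another origin or directory.
    if any(c in host for c in "/@?#\\ ") or any(
        s in (".", "..") or "/" in s or "\\" in s for s in path
    ):
        raise ValueError("unsafe characters in did:web identifier")
    if path:
        return f"https://{host}/{'/'.join(path)}/did.json"
    return f"https://{host}/.well-known/did.json"

def document_problems(did: str, doc: dict) -> list:
    """Return reasons to reject a fetched DID document (empty list = accept)."""
    problems = []
    # The document must name the DID that was resolved, or a host could
    # serve someone else's document under its own URL.
    if doc.get("id") != did:
        problems.append("document id does not match the resolved DID")
    # Assumed local policy: a KYA credential with no keys is unusable.
    if not doc.get("verificationMethod"):
        problems.append("no verification methods present")
    return problems

# Constructed sample document, not a real one.
SAMPLE_DOC = {
    "id": "did:web:agents.example",
    "verificationMethod": [{"id": "did:web:agents.example#key-1",
                            "type": "JsonWebKey2020",
                            "controller": "did:web:agents.example"}],
}
```

Because resolution is an HTTPS fetch, the trust anchor for did:web is the domain's DNS and TLS certificate rather than a ledger.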
Verify Delegation
Non-human identities outnumber human employees 96-to-1 in financial services. Each operates under delegated authority — a principal grants an agent a subset of permissions, the agent may sub-delegate further, and authority must attenuate at every level. A payroll bot should not be able to spend more than its parent operations agent. The delegation tree below shows this attenuation: spend limits narrow, permission sets shrink, and expiration dates shorten as you move from principal to sub-agent. This is the ACK Rulebook principle: every delegation is a narrowing, never a widening.
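The narrowing rule can be checked mechanically by comparing each delegation with its parent. The following is an added example, not the ACK Rulebook's own code; the `Delegation` fields, the DIDs and the limits are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

@dataclass(frozen=True)
class Delegation:
    holder: str              # DID receiving the authority
    spend_limit_usd: int
    permissions: frozenset
    expires: datetime

def widenings(chain):
    """Compare each link with its parent; return every place authority grows."""
    found = []
    for parent, child in zip(chain, chain[1:]):
        if child.spend_limit_usd > parent.spend_limit_usd:
            found.append(f"{child.holder}: spend limit above {parent.holder}")
        extra = child.permissions - parent.permissions
        if extra:
            found.append(f"{child.holder}: extra permissions {sorted(extra)}")
        if child.expires > parent.expires:
            found.append(f"{child.holder}: outlives {parent.holder}")
    return found

def chain_is_valid(chain, now):
    """Fail closed: reject an empty chain, any expired link, or any widening."""
    return (bool(chain)
            and all(d.expires > now for d in chain)
            and not widenings(chain))

UTC = timezone.utc
# Constructed chain: principal -> operations agent -> payroll bot.
CHAIN = [
    Delegation("did:web:acme.example", 100_000,
               frozenset({"pay", "swap", "delegate"}),
               datetime(2026, 12, 31, tzinfo=UTC)),
    Delegation("did:web:acme.example:ops", 50_000,
               frozenset({"pay", "delegate"}),
               datetime(2026, 6, 30, tzinfo=UTC)),
    Delegation("did:web:acme.example:payroll", 10_000,
               frozenset({"pay"}),
               datetime(2026, 3, 31, tzinfo=UTC)),
]
# Same chain, but the payroll bot claims more than the operations agent holds.
BAD_CHAIN = CHAIN[:2] + [replace(CHAIN[2], spend_limit_usd=75_000,
                                 permissions=frozenset({"pay", "swap"}))]
```

A real verifier would also check the signature on each delegation before trusting any of its fields; that step is outside this sketch.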
Evaluate Capability Envelope
The capability envelope is the programmable constraint set that defines what an agent can and cannot do. Five checks evaluate in real time: per-transaction limit, daily aggregate limit, permitted asset types, permitted action types, and temporal window. This is where programmable compliance (C16) becomes concrete — the rules are not in a policy document, they are in code that executes before every transaction. Tighten the per-transaction limit to $1,000 below and watch a $3,500 transfer get rejected. This is what Catena's ACK Rulebook enforces at the protocol level.
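The five checks, run before a transaction is authorized, can be written as one function that reports each result separately. This is an added example, not Catena's implementation; the `Envelope` fields, the USDC asset, the limits and the dates are constructed, and the $3,500 transfer against a $1,000 limit mirrors the scenario described above.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from decimal import Decimal

@dataclass(frozen=True)
class Envelope:
    per_tx_limit: Decimal
    daily_limit: Decimal
    assets: frozenset
    actions: frozenset
    not_before: datetime
    not_after: datetime

CHECKS = ("per_tx_limit", "daily_limit", "asset", "action", "time_window")

def evaluate(env, tx, spent_today, now):
    """Run all five checks; return (authorized, per-check results)."""
    amount = tx.get("amount")
    # Fail closed: a missing, non-Decimal, non-finite or non-positive
    # amount fails every check instead of raising mid-evaluation.
    if not isinstance(amount, Decimal) or not amount.is_finite() or amount <= 0:
        return False, dict.fromkeys(CHECKS, False)
    results = {
        "per_tx_limit": amount <= env.per_tx_limit,
        "daily_limit": spent_today + amount <= env.daily_limit,
        "asset": tx.get("asset") in env.assets,
        "action": tx.get("action") in env.actions,
        "time_window": env.not_before <= now <= env.not_after,
    }
    return all(results.values()), results

UTC = timezone.utc
# Constructed envelope and transaction.
ENVELOPE = Envelope(Decimal("5000"), Decimal("10000"),
                    frozenset({"USDC"}), frozenset({"transfer"}),
                    datetime(2026, 1, 1, tzinfo=UTC),
                    datetime(2026, 3, 31, tzinfo=UTC))
TIGHTENED = replace(ENVELOPE, per_tx_limit=Decimal("1000"))
TX = {"amount": Decimal("3500"), "asset": "USDC", "action": "transfer"}
NOW = datetime(2026, 2, 1, tzinfo=UTC)
```

Returning every check's result, rather than stopping at the first failure, gives the audit trail a complete record of why a transaction was refused.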
Run Compliance Pipeline
The full KYA compliance lifecycle in one view. Seven gates and obligations execute in sequence: resolve the principal's DID, verify the delegation chain, check the capability envelope, apply jurisdiction-specific rules, screen against OFAC and EU/UN sanctions lists, verify credential revocation status, and assess cryptographic health. Each step cites the regulatory anchor that requires it. The pipeline produces an exportable audit trail — the JSON artifact a compliance officer needs to demonstrate that every checkpoint was evaluated before the transaction was authorized. Try entering a DID with "sanctioned" in the string and watch the pipeline halt at Step 5.
Credential Health
Reputation in an agent economy is anchored to the integrity of the agent's cryptographic material. If the key is compromised, the identity is compromised. This tool checks a real Ethereum address against the Cloudflare Ethereum Gateway — if the address has ever sent a transaction, its ECDSA public key is permanently visible on-chain. A sufficiently powerful quantum computer could derive the private key. The migration path from ECDSA and Ed25519 to post-quantum schemes (ML-KEM, ML-DSA, SLH-DSA) is an active obligation. See StableZKP.com for how zero-knowledge proofs make the entire KYA pipeline privacy-preserving — the same checkpoints, with selective disclosure.
KYA + ZKP: Prove compliance, keep your data
The Compliance Engine above shows the KYA pipeline with full data visibility — every field, every check, every evidence string. In production, agents need to prove they passed these checkpoints without revealing the underlying data. That's what zero-knowledge KYC delivers: the same five checkpoints with selective disclosure. The verifier sees boolean predicates — isOver18, isNotSanctioned, kycLevelMet — not passport numbers.
StableZKP.com → zkKYC Proof Explorer · Explore the architecture