Akamai and Skyfire have been working together since last September. The partnership we announced then was about a specific problem: AI bots and agents hitting publisher and ecommerce sites at scale, and the bot management systems at the edge having no good way to tell legitimate verified traffic from the scraping kind.The integration we built lets a KYA-verified agent present a signed identity token at the Akamai edge, get authenticated with low latency, and pass through without a redirect or proxy in the middle. Site owners get visibility into which agent is requesting access, who built it, who authorized it, and for what purpose.
That integration is in production today, capable of running Akamai scale, which is roughly 150 billion bot requests across its network on any given day.
Today’s news, announced by Experian, takes that foundation and extends it. Akamai is joining the Experian Agent Trust partner ecosystem, where Skyfire’s open KYA protocol serves as the identity layer, and Experian’s Human-to-Agent Binding adds the consumer identity and fraud-scoring layer on top. The three of us are also members of the KYAPay initiative. What we built with Akamai for the bot management and content monetization use case now plugs into a broader trust framework purpose-built for agentic commerce.
The reason this matters is structural, and it’s worth slowing down on.
For most of the last twenty years, Akamai’s bot management product worked because the binary was clean. Human traffic in, automated traffic out, with some nuance around scrapers and search crawlers in the middle. Their customers paid for that binary because it mapped cleanly onto their commercial reality. Humans were the buyers. Bots were the threat. When an automated request hit the edge, the right answer was almost always to block it or challenge it.
That binary doesn’t survive contact with agentic commerce.
An AI agent acting on behalf of a verified consumer, carrying that consumer’s tokenized payment credentials and explicit authorization, is automated traffic. By every technical signal a bot management system is trained to look at, it triggers. User agent, request rate, behavioral patterns, browser fingerprint. None of the heuristics the industry has spent two decades refining were designed to recognize automated, but legitimate, and accountable to a real human. So the agent gets blocked, the consumer’s transaction fails, and the merchant loses a sale they wanted to make.
The September integration solved the first half of that problem. KYA tokens give Akamai’s edge a signal it can act on. A verified agent presents a signed JWT, the token gets validated cryptographically without a round-trip through anyone’s proxy, and Akamai’s bot defense can make a different decision than it would for unverified automation. Legitimate agents pass through with their identity context attached. Unverified traffic gets handled the way it always has.
What the Experian Agent Trust integration adds is the consumer side of that picture.
A KYA token tells you the agent is verified and tells you, within consent boundaries, which human authorized it. Experian’s Human to Agent Binding takes those identity claims and enriches them against decades of consumer identity data and fraud prevention models trained on billions of transactions. It issues an Agent Trust Token that carries real-time risk scoring, and the Experian Agent Registry maintains dynamic trust scores for agents over time based on their behavior. The result is that an Akamai-protected merchant doesn’t just see a verified agent. They see a verified agent whose authorizing consumer has been validated, whose transaction risk has been scored in real time, and whose history is part of a registry that updates continuously.
For an enterprise running ecommerce or financial services traffic through Akamai’s edge, the practical effect is that the trust decision can be made before the request ever reaches origin. The signals come together at the layer where bot management already operates. There’s no new vendor at the application layer. There’s no checkout flow to rebuild. The infrastructure works the way it already worked, except now it can distinguish a verified agent transaction from anonymous automation and make a different decision accordingly.
There’s a broader pattern worth naming here. Every major piece of internet infrastructure built before 2024 is currently going through a version of this transition. Bot management systems built to keep automation out. Identity systems built around human credentials. Payment networks built around card-present and card-not-present binaries. Authentication systems built around session cookies and device fingerprints. Each of them was designed for an internet where the actor on the other end of a transaction was, eventually, a person.
That assumption is going away. The companies that operate the existing trust infrastructure are figuring out how to extend it rather than replace it, because replacing it isn’t actually possible. The infrastructure works, runs at scale, and is woven into how the internet functions. What it needed was a protocol-level layer that could carry verified identity for non-human actors across all of it.
That’s what KYA is, and it’s why we designed it as an open protocol from the start. The bet was that the winning architecture wouldn’t be one vendor’s stack. It would be modular, with each layer operated by the company that has the deepest expertise in that layer, and with open interfaces between them. Akamai handles bot defense and edge enforcement. Experian handles consumer identity and risk. Skyfire’s protocol carries the trust chain across both. Each company stays in its lane. The interfaces stay open. The merchant gets to choose which providers they work with at each layer.
Today’s announcement is one more data point that the architecture is holding and expanding.
If you’re a merchant or publisher running on Akamai, the path to enabling verified agent traffic now runs through infrastructure you already operate. The KYA verification happens at the same edge where you already manage bot protection. The Experian trust layer adds consumer identity context and real-time risk scoring on top of that. Your application stack doesn’t change.
If you’re building agents, the set of merchants where your KYA-verified agent can transact without friction just got considerably larger. The integration on your side is what it always has been. Your agent presents a KYA token. The merchant’s edge validates it. The transaction proceeds.
The live demonstrator is at skyfire.xyz. If you want to integrate, start there.
