Today, Experian announced Know Your Agent, a trust framework for AI-driven commerce. Cloudflare is enforcing verification at the network edge. Skyfire’s open KYA protocol is providing the identity and payment infrastructure at the core of the system.
This is the kind of partnership we started building Skyfire to make possible.
I want to explain what this means in concrete terms, because the press release necessarily compresses a lot of technical architecture into a few paragraphs. If you build agents, run a merchant site, or work in identity and payments infrastructure, the details matter.
The Problem We Set Out to Solve
AI agents are transacting on the open internet. They browse merchant sites, compare prices, create accounts, and complete purchases. That’s not a prediction. It’s happening now, at a scale that doubles roughly every few months.
But the internet was built for humans with browsers. Every trust signal in commerce today assumes a person is on the other end: a login form, a CAPTCHA, a credit card with a name on it. When an agent shows up at a merchant’s checkout, the merchant has no reliable way to answer three basic questions. Is this agent real? Did a human authorize it? Can it pay?
We built KYA to answer all three at the protocol level.
What KYA Actually Does
KYA issues signed JSON Web Tokens that carry verified identity claims about an agent: who built it, which human authorized it, what it’s permitted to do, and how it can pay. The protocol is compatible with standard OAuth2 and HTTP infrastructure. Merchants don’t need to rip out their existing auth stack. They inspect a JWT, the same way they’d validate any bearer token, and get back a structured set of claims about the agent and the human behind it.
That’s the design principle that made the Experian partnership possible. Experian operates at a scale where “install our custom SDK” is a non-starter. The protocol had to meet existing enterprise infrastructure where it already lives. JWTs over HTTP with JWKS key rotation is infrastructure that every major web platform already supports.
How Experian and Cloudflare Fit
Experian brings something we don’t have and couldn’t build: decades of consumer identity data and fraud prevention models trained on billions of transactions. Their Human-to-Agent Binding (H2A) takes the identity claims in a KYA token and enriches them against Experian’s data, then issues a trust token that carries a real-time risk score. Their Agent Registry maintains dynamic trust scoring for agents over time, so a merchant isn’t just evaluating a single transaction. They’re evaluating an agent’s full history of behavior.
That’s a meaningful addition. A KYA token tells you the agent is verified. Experian’s layer tells you how much to trust it, based on patterns only a company processing that volume of identity data can see.
Cloudflare enforces all of this at the network edge. Their infrastructure handles roughly 60 percent of global web traffic, so when a KYA-verified agent hits a merchant site that sits behind Cloudflare, the trust signals are validated before the request ever reaches the merchant’s origin server. For merchants, this means agent verification happens at the same layer where they already manage bot protection and DDoS mitigation. No new infrastructure. No new vendor integration at the application layer.
Why This Architecture Matters
The three layers are deliberately separated.
Skyfire handles protocol-level identity and payment tokenization. Experian handles consumer identity enrichment and fraud scoring. Cloudflare handles network-level enforcement. Each company operates in the layer where it has the deepest expertise, and the interfaces between layers use open standards.
This is important because agentic commerce won’t converge on a single vendor’s stack. The merchants, payment networks, and identity providers involved are too large and too numerous for any walled garden to work. We designed KYA as an open protocol specifically because we believed the winning architecture would be modular, not monolithic. Today’s announcement validates that bet.
What This Means for Developers and Merchants
If you’re building agents: Skyfire’s KYA protocol gives your agent a verifiable identity that Experian and Cloudflare will recognize. Your agent can create accounts, authenticate, and complete purchases at merchants inside this ecosystem without a human needing to manually enter credentials or payment details. The technical integration is a JWT exchange. If your agent framework can make an HTTP request and attach a header, you can integrate.
If you run a merchant site: you can now distinguish between a verified agent acting on behalf of a real, authorized consumer and the automated traffic your bot management system currently blocks indiscriminately. The KYA trust token gives you the consumer’s identity (within consent boundaries), preserving your ability to maintain the customer relationship, serve loyalty programs, and personalize the experience. Williams-Sonoma and Bose are already piloting this.
Where We Go from Here
This announcement covers consumer-facing commerce, but the architecture isn’t limited to it. The same identity and payment token framework works for API access, MCP server monetization, agent-to-agent transactions, and B2B procurement. We’re already running those use cases through partnerships with F5, Cequence, Ory, and others.
The broader point is structural. For the first time, a major credit bureau, a global CDN, and an agentic commerce platform have agreed on a shared trust framework for AI agents. That’s not a proof of concept. It’s production infrastructure backed by companies that collectively touch the majority of consumer identity verification and internet traffic worldwide.
We’ve spent the last two years arguing that agents need identity and payments infrastructure built specifically for them. Today, the companies that operate the internet’s existing trust layers are agreeing with us and building on top of what we’ve created.
The live demonstrator is here. If you want to integrate, start at skyfire.xyz.
