OPENAPI INITIATIVE · APPROVED EXTENSION

Our x-agent-trust extension is officially registered in the OpenAPI Extensions Registry

First vendor extension specifically designed for APIs serving autonomous AI agents · View live spec · JWKS endpoint · See it in the demo

The security layer for AI agents in financial services.

Secure agent access for banking and payments. Verified identity. Signed responses. Sanctions screening. SOC 2 mapped. Integrated into moov-io/watchman.

MCPS -- Secure MCP built for regulated finance. Learn more →

🛡 OFAC + HMT Sanctions (75K entries)

📱 Mobile SDKs (iOS, Python, Node)

🔒 ECDSA P-256 Signed Payments

⚖ L0-L4 Behavioural Trust Scoring

🔍 Challenge-Response Identity

📋 Hash-Chained Audit Trail

Get AgentPass How It Works

Integrated with:

moov-io/watchman

LIVE

SOC 2 Control Mapping

14 Trust Service Criteria mapped to AI agent operations. Submitted to AICPA, CSA, ISACA, and NIST. View mapping

McKinsey, October 2025

$3T–$5T in global agentic commerce value by 2030. Up to $1T of US retail revenue directed by AI agents. 75% of NRF 2026 retailers implementing agentic commerce.

The agentic commerce opportunity · someone has to verify every one of those payments.

📱 iOS SDK for Mobile Agent Payments -- Live Now

Live Demo -- AgentPass iOS SDK

Standards & Compliance

Built on open standards. 10 IETF Internet-Drafts including ATTP (Agent Trust Transport Protocol) and MCPS. OWASP MCP Top 10 contributor. OpenAPI Extensions Registry entry. Submitted to EBA, FCA, and PCI SSC.

🛡

OWASP MCP Security Cheat Sheet

Contributor -- Section 7: Message Integrity & Replay Protection

📜

IETF Internet-Draft

draft-sharif-agent-payment-trust-00

📜

IETF Internet-Draft

draft-sharif-mcps-secure-mcp

🏛

UK Patents (UKIPO)

Multiple patents filed covering agent trust, payment security, and cryptographic signing

⚖

FCA Regulatory Sandbox

Application submitted for autonomous agent payment oversight

💳

PCI DSS v4.0.1 Mapping

Complete compliance mapping submitted to PCI SSC

🏦

EBA Position Paper

PSD2 position paper on AI agent payments submitted

📋

SOC 2 Agent Controls Mapping

14-control mapping of Trust Service Criteria to AI agent operations. Submitted to AICPA, CSA, ISACA, and NIST.

🎓

Cited in Academic Research

MCPS listed as Defense Mechanism D5 in “A Formal Security Framework for MCP-Based AI Agents” (arXiv:2604.05969). Cited alongside Anthropic, Google, Microsoft, and NIST.

SDKs

🐍 Python (PyPI)📦 Node.js (npm)🍎 Swift (iOS)

🔒

Signed Payments

Every transaction signed with ECDSA P-256. Non-repudiable receipts proving which agent authorised what.

📊

Trust Scoring

5-dimension behavioural trust score (0-100). Agents earn spending authority through proven behaviour.

🛡

Spend Limits

Per-transaction and daily limits enforced by trust level. Agents cannot exceed their authority.

🔄

Replay Protection

Unique nonce per transaction. Captured payment requests cannot be re-sent.

📋

Audit Trail

Hash-chained tamper-evident log. JSON + RFC 5424 syslog. SIEM-ready.

⚠

Anomaly Detection

Magnitude, velocity, recipient, and timing anomalies detected. Trust automatically adjusts.

🛡

OFAC + HMT Sanctions

75,784 sanctions entries screened on every payment. UK HMT (57K) + US OFAC SDN (18K). Sanctioned recipients blocked in real time.

📱

Mobile Payments

Native iOS SDK with Keychain-secured ECDSA keys. Python and Node.js SDKs for server-side. Agents pay from any platform.

🌐

Agent Registry

DNS for agents. Register, resolve, and search agent identities. Anti-squatting protection. AgentSign-certified.

Deploy Your Way

Cloud or on-premise. Your compliance, your infrastructure.

☁

SaaS

Managed by us. Sign up, get an API key, start verifying agents in minutes. Zero infrastructure.

✓ Free sandbox with $10K test balance
✓ agentpass.co.uk API
✓ Automatic sanctions updates
✓ No ops required

New

🏢

Self-Hosted

Deploy in your own infrastructure. Docker image with everything included. Your data never leaves your network.

✓ Single Docker container
✓ Sanctions data baked in
✓ License key activation
✓ Full regulatory control

Agent PKI

Built-in certificate authority for AI agents. Issue, revoke, and verify agent identity certificates with OCSP and CRL -- no external CA required.

📜

X.509 Agent Certificates

Issue short-lived identity certs with trust level, scopes, and issuer embedded. ECDSA P-256 signed.

🛡

OCSP + CRL

Real-time certificate status checks. Instant revocation propagation. Verifiers query status before trusting any agent.

🔐

HSM Key Storage

CA keys stored in AWS KMS, GCP Cloud KMS, Azure Key Vault, or HashiCorp Vault. Your keys never touch disk.

Issue

Agent creates cert on registration

Verify

Third parties verify cert + trust score

Revoke

Instant revocation with CRL + OCSP

Renew

Auto-renew or manual with new trust level

PKI API

GET	/pki/ca	Download CA certificate	Public
GET	/pki/status/:serial	OCSP certificate status	Public
GET	/pki/crl	Certificate revocation list	Public
GET	/pki/cert/:serial	Fetch certificate by serial	Public
POST	/pki/verify	Verify a certificate PEM	Public
GET	/pki/certs	List your certificates	Auth
POST	/pki/renew/:serial	Renew certificate	Auth
GET	/pki/stats	CA statistics	Public

Available in Self-Hosted Pro and Enterprise tiers. Every agent created automatically receives an X.509 certificate.

AgentPass Self-Hosted

Docker container with license key. Deploy in minutes. Your infrastructure, your control.

Starter

agents

Built-in CA
Trust levels L0-L4
Scope enforcement
Sanctions screening
Agent dashboard
Signed audit trail

Get Starter

Pro