We build identity and fraud infrastructure for the agentic economy. Enforce AI mandates, detect runtime takeover, and kill compromised agents with one tap. KYA
AI agents can now spend money.
They buy, pay for APIs, check out, and move stablecoins on someone’s behalf. The buyer is becoming a machine.
The problem: every fraud and identity system we rely on was built for a human at a browser. A device. A session. A rhythm. An account someone owns and a bank can watch.
An agent hitting an API directly has none of that.
So a new failure arrives wearing an old shape.
Hijack an agent that can spend through prompt injection, a compromised runtime, or a stolen credential, and it keeps presenting as the same trusted agent it was yesterday.
Valid credential. Valid identity. Wrong hands
That is account takeover moved one layer up the stack. It runs at machine speed across every merchant, API, wallet, and rail the agent touches.
Identity is not integrity.
Proving who authorized an agent is not proving the agent is still that agent when it moves money.
FLINT is the layer that checks the difference.
We verify an agent’s authority and integrity at the moment value moves, give the owner a one-tap kill switch if it has been tampered with, and leave a signed cryptographic record of what was checked.
Verify the agent before the money moves.
This account is where we map AI agent fraud as the agent economy grows up. Follow along.
https://t.co/ifG9fPiSVp
@rywiggs We bank with Mercury, so we are happy to see this direction. One thing we see building verification and authorization infrastructure for agent transactions is once an MCP can move money, the fraud question flips from "is this a bot" to "was this agent authorized by this principal for this action."
A compromised agent looks like a perfectly credentialed API call, and the human fraud stack has no answer for it. Then comes the 100 million pennies problem: agents paying per call can move serious money as a swarm of microtransactions, and every BSA/AML threshold and monitoring rule was tuned for human-sized payments. We've filed public comments with FinCEN and the OCC trying to shape the future agentic BSA rules.
Whoever ships agent-native banking first inherits agent-native fraud and agent-native compliance first. Building exactly that layer, happy to compare notes.
Followed; DMs open.
https://t.co/ifG9fPiSVp
Numbers 6 and 7 aren't 10 year bets.
They're the wall the other 19 lean on, and they're being built now.
"Who builds the permission layer" and "a track record you can check before you trust an agent" are one problem from two sides: before an agent moves money, can it prove it's acting for a real principal, inside its authority, with a history you can check.
That's what we're building at FLINT. A verifiable identity, a bounded mandate, a verdict before the spend, and a signed record that becomes the agent's track record over time.
To @jerallaire's point, an economic OS for agents needs a trust layer; otherwise, coordination has nothing to stand on. Escrow (8), a court for disputes (10), an insurance layer (14) all assume you can first answer "is this agent authorized to be here at all." Authorization is the primitive the rest compound on.
Great list @startupideaspod . To anyone building any of the money-touching ones, the authorization layer is live and free to plug into: https://t.co/02DxhMh0Lh
https://t.co/ifG9fPiSVp
Your AI agent has access to your wallet and zero adult supervision. Bold.
Give it a name, an allowance, and a curfew instead. Mint a Cross-Domain Agent Passport™ in your coding assistant with one prompt, 60 seconds:
✅ Give your agent a name
✅ Set spending limits (call it an allowance)
✅ Instant kill switch (the curfew, and it sounds cool ✅ Agentic Commerce Ready
No account required. Free to mint. Faster than your agent can find a new way to lose money.
If you are into agents, we want to see what you're building. Follow us for agentic fraud intelligence, and we follow founders and builders back. Give your agent a Cross-Domain Agent Passport™ before it gives away your wallet. #KYA #AIagents #agenticcommerce
We love this experiment @farzyness . A fully autonomous agent with real trading authority, posting its own log, is exactly the shift we pay attention to.
Hermes has authority but no identity of its own. It acts and narrates its own actions, with nothing external anchoring "this is Hermes, and this is what it's allowed to do."
Since it already speaks MCP, you can give it both in about ~60 seconds (https://t.co/02DxhMh0Lh, no account): a portable, signed identity that's verifiable instead of just asserted, and a bounded authority envelope it operates under. That same identity builds a track record over time, so Hermes earns a reputation that's actually its own.
This is the layer we work on at @FLINTKYA . Following to see how Hermes does!
That's exactly what we build, @michael_chomsky. FLINT gives an agent a portable Cross-Domain Agent Passport™ with no human login (free and anonymous to mint), and it builds a long-running reputation two ways:
Every transaction the agent runs through FLINT leaves a signed record that it was authorized and integrity-clean at that moment, tied to the passport, not a human account. That track record accrues automatically, no counterparty action required.
On top of that, counterparties can report outcomes (completed, disputed, flagged) to enrich the graph. That layer depends on participation, but it compounds as the network reports, and disputes in particular get reported because that same signed record is the counterparty's chargeback evidence.
Any counterparty can then check that reputation before they transact. Live via our public MCP connector (https://t.co/02DxhMh0Lh, no account needed). Happy to walk through it, DMs open.
PS: You can check out some of the build recipes here: https://t.co/vYjPngiPDn
Spot on @startupideaspod.
In our niche, agents that move money, the pain is an org waking up to an $82,000 cloud bill nobody authorized.
The Old Way (forensic): a valid key opens the door, the money moves at machine speed, and 45 days later you run a digital autopsy to find out how you got robbed.
The Agent Way (proactive): every transaction hits a deterministic ceiling. We issue Cross-Domain Agent Passports™ that bind agents to mandates, and give the owner a one-tap kill switch to freeze drift the moment it shows up.
Salt Labs found 95% of API attacks came from authenticated sources. The calls are coming from inside the house. When the attack rides a valid session, a credential check isn't a security policy, it's a liability.
Authentication is not Authority. Payment is not Trust.
BTW, we love the pod!
@MGorislavets Great question! Both, but it works differently because the buyer is now a program rather than a person. Quick way to see it:
KYC, but for mandates. Traditional KYC asks "who are you, and prove it." But machines don't have PII like a human; they have mandates. So our layer is KYA, Know Your Agent: instead of checking an ID card, we verify the delegation chain, that this specific agent actually has the authority to spend this amount, for this purpose, right at the moment it tries.
Fraud detection, but for scope abuse. Legacy stacks hunt for human signals: impossible travel, device fingerprints, CAPTCHAs. They're blind to machine-speed fraud in which a perfectly valid agent is pushed outside its scope. We're not just looking for an impostor; we're looking for compromise and over-delegation. Detection asks whether something looks fraudulent. We ask whether it's actually authorized. Detection isn't authorization (in our opinion).
We sit in front of the transaction. Most "real-time" fraud detection is forensic; it fires while or after the money moves. FLINT is proactive: we verify the agent's authority before it acts, return a four-state verdict the merchant can act on (allow, step-up, review, block), and emit a cryptographically signed record that rides with the transaction as regulator-grade evidence for chargeback support.
Agent-to-agent is exactly where this stops being optional. When two agents transact, there's no human to text "was this you," no person's device to fingerprint. The only thing left to check is whether each agent can prove who sent it and what it's allowed to do.
So while legacy tools are busy proving a buyer is human, we prove the agent is authorized and on the mission its principal assigned. We don't move the money; we give the transaction a post-quantum bodyguard, so you can say yes to the channel we think will grow exponentially.
An AI agent was holding a live crypto wallet. A stranger asked it to translate a Morse code message, and then about $150,000 was drained from the wallet.
Agentic Fraud Casebook, No. 3.
This spring, an attacker ran a two-step play on a Grok-linked trading agent on Base.
1. First, they airdropped it a membership NFT. Simply holding it quietly elevated the agent to a permission tier that bypassed its normal transfer limits.
2. Then they posted a Morse code message and asked the agent to translate it. Decoded, it was a payment instruction.
The safety layer saw a harmless translation request and passed it through. The connected bot treated the output as an authenticated command and executed it.
About $150,000 moved in seconds.
Nothing here was hacked in the usual sense. No stolen key. No breached server. The agent used its own valid authority, on a funded wallet, exactly as it was built to. What failed was the ceiling. One trusted channel handed it a new privilege, another handed it an instruction, and nothing in between asked whether the transfer was still inside what its principal had authorized.
In fraud terms: privilege elevation through a trusted channel into a confused-deputy payout.
The control is not a smarter safety filter. Filters read intent, and intent is exactly what an encoded message hides.
The control is a mandate the agent cannot exceed, no matter what role it is handed in mid-session, plus a tripwire that fires the moment a transfer exceeds that ceiling.
That is what FLINT Network verifies before the money moves, and we leave a signed record of the decision behind. And when an agent drifts from its authorized scope, FLINT Sentinel alerts the owner out of band and provides a one-tap kill switch to freeze it wherever it is checked. One verified credential, all of it.
So, the casebook question: If an airdrop can promote your agent, what is actually stopping it? Its own judgment, or a limit it was never allowed to cross?
We publish agentic fraud intelligence. Follow @FLINTKYA for intelligence on agentic fraud, runtime compromise, and autonomous transaction risk.
Thanks for the question @DavidPawlan !
We do not execute the payment, and we aren't a rail. We sit one layer above x402 and MPP. Before the payment runs, we check the agent our passport is attached to: is it really acting for the person or business it claims, was it actually authorized to make this purchase, is it staying within the limits it was given, and has it been taken over since it was authorized.
After a few milliseconds, we return an allow, step-up, review, or block verdict, along with a signed record of that check. Then whichever rail the agent uses, x402, MPP, or a card, runs it. FLINT verifies the agent. The rails move the money. We've wired x402 into a live demo, and MPP is exactly the kind of rail we compose with, not compete with.
Think of us as the trust layer that sits above the rails, the way TLS sits above a network. We're rail agnostic and hold no funds, and work alongside x402, Circle, Stripe, and the card networks, not against them. FLINT is the identity layer for agentic commerce: the passport your agent carries, whatever rail it pays on.
Your AI agent has access to your wallet and zero adult supervision. Bold.
Give it a name, an allowance, and a curfew instead.
Mint a Cross-Domain Agent Passport™ in your coding assistant with one prompt, 60 seconds:
✅ Name your agent (it's a real one now)
✅ Set spending limits (call it an allowance)
✅ Sovereign agent identity (papers, please)
✅ Instant kill switch (the curfew, and it sounds cool)
✅ Agentic Commerce Ready
No account required. Free to mint. Faster than your agent can find a new way to lose money.
We actually want to see what you're building. Follow @FLINTKYA and we follow builders back.
Give your agent a passport before it gives away your wallet.
#KYA #AIagents #agenticcommerce
Your AI agent has access to your wallet and zero adult supervision. Bold.
Give it a name, an allowance, and a curfew instead.
Mint a Cross-Domain Agent Passport™ in your coding assistant with one prompt, 60 seconds:
✅ Name your agent (it's a real one now)
✅ Set spending limits (call it an allowance)
✅ Sovereign agent identity (papers, please)
✅ Instant kill switch (the curfew, and it sounds cool)
✅ Agentic Commerce Ready
No account required. Free to mint. Faster than your agent can find a new way to lose money.
We actually want to see what you're building. Follow @FLINTKYA and we follow builders back.
Give your agent a passport before it gives away your wallet.
#KYA #AIagents #agenticcommerce
We agree @shafu0x
Three Reasons:
1. Agents are the first users who need these rails to function, not to just speculate.
A person can wait for a card to settle. An agent paying a fraction of a cent for an API call cannot, the fee would dwarf the purchase, and cards don't clear instantly, 24/7, across borders. Stablecoins do. For the first time, programmable money has a user base that literally cannot use the old rails.
2. The volume is already live, not on a roadmap.
x402 has crossed 100 million agent transactions on Base, roughly $600M annualized, in a matter of months. AWS executes it natively now. Cloudflare opened the gate on July 1. Visa, Stripe, and Coinbase are all wired in. We've spent years waiting for crypto's killer app. It showed up, and its users are machines.
3. Crypto skills transfer and the field is empty.
Crypto users already understand wallets, keys, settlement, and stablecoins, the exact primitives agentic commerce runs on. And the layers above payment, identity, authority, reputation (x401, ERC-8004, KYA), are barely built. You'd be early to a category that needs crypto-native builders, instead of late to one that doesn't.
We publish agentic fraud intel regularly. Follow @FLINTKYA if you're going deeper here, and DM's open.
Clean map @0xJeff! And you correctly split x401 (identity) from x402 (payment), which most people smear together.
But the row missing from both columns is authorization.
Every layer you listed answers who, or how-trusted-historically. Identity/reputation (x401, ERC-8004, Enterprise IAM). Payment (x402, MPP, AP2). Commerce (ERC-8183, ACP/UCP).
None of these answer the transaction-time question: is this agent authorized by its principal to make this purchase, in scope, right now, still uncompromised?
Identity is not authority. Reputation is a credit score, not a permission. Give the fiat stack its due, though. It at least inherited authority. A card transaction has a merchant of record, a KYC'd counterparty, a chargeback, and a thread to pull when it goes wrong. Decades of recourse, borrowed for free.
The stablecoin M2M column trades all of that for speed and irreversibility, and bootstraps identity and reputation from zero. Its authority isn't weaker; it's mostly not built yet. When two agents transact, and one is compromised/hacked, there's no merchant of record and no clawback. Just a settled payment and a reputation score that didn't stop it.
That missing row, a transaction-time authorization verdict with a signed record, is the same gap in both stacks. It's what we build at @FLINTKYA. Know Your Agent: verify before the money moves, allow/step-up/ review/block, evidence left behind.
Fiat borrowed its authority. Stablecoins have to build it. Neither has it at the agent layer yet. Thanks for posting this!
@AcombAndrew This was the best hands-on writeup of x402 vs MPP we've read. You actually tried to buy the sandwich!
One distinction worth pulling out of your own line: "the payment itself carries the identity." It carries the payer's identity, the wallet, the token, who's funding it.
It does NOT carry the agent's authority: is this agent authorized by its principal to make this purchase, in scope, right now, and is it still the agent that was deployed or a compromised/hacked one?
Your AgentScore detour is the tell. The payment rails settled fine. The moment anything needed to know who and whether-allowed, it was bolted on and buggy (see: the jurisdiction field). Payment capability is running way ahead of payment authority.
And your teased pieces, irreversible payments as a bug, who eats the chargebacks, that's the whole ballgame.
On irreversible payment rails, the only place to stop a bad transaction is before it settles, and the only thing that makes a chargeback defensible is a signed record of what the agent was authorized to do at the moment it acted.
That's the layer we work on at @FLINTKYA : verify the agent before the money moves, emit a signed verification record after. Would genuinely love to compare notes when you write the chargeback piece. Feel free to tag us; we'd love to give it a read!
Strong framing, but your own line gives it away: "the money is already moving."
A jury can only rule on agents it can attribute, and right now nobody verifies the agent's authority or identity at the moment it acts. You're asking it to settle a dispute between two parties that were never verified.
That's what we do at FLINT: verify the agent before the money moves and emit a signed record, the exhibit your jury rules on. Know Your Agent comes before the verdict.
We track this stuff daily. Follow @FLINTKYA if agent fraud is your problem too. Let's connect 🤝
@AKirtesh Respect the heads-down build. Count me in for early access. If it involves agents doing anything autonomous, I spend all day on that side of the world and am happy to be a set of eyes.
@FLINTKYA