Honest answers. Bounded posture vocabulary. No fake customers, no fake logos, no fake revenue, no fake certifications. If we built it, it’s here. If we haven’t, that’s here too.
A commerce control plane for AI agent traffic. Every agent request flows through a deterministic seven-stage pipeline (identity, policy, risk, payment, upstream, receipt, audit). The provider gets identity resolution, principal mapping, policy and budget control, payment challenge and verification, signed receipts, and a tamper-evident audit log from one integration.
Closer to Stripe + Cloudflare + Auth0 for machine customers, with zero custody. We coordinate the flow, we never hold funds. The category we are creating is the agent commerce control plane.
The thing that sits in front of an API and turns a raw agent call into a verifiable, paid, policy-checked, receipted transaction. Today nothing occupies this slot cleanly. Stripe handles human-card payments, Cloudflare handles edge routing, Auth0 handles human identity. None of them merge into a single integration for an API provider that wants to monetise agent traffic.
Credit cards assume a human verifying a charge. Agents do not have a human in the loop for every call, do not produce receipts you can verify offline, do not have a budget primitive scoped to a software identity. AgentTrust gives a provider one integration that handles all four (identity, budget, payment, receipt) without writing the plumbing themselves.
The primary customer is an API provider. Target segments in order: x402-curious data APIs and AI tools (onchain data vendors, research APIs, search, browser automation, LLM gateways), B2B data vendors (KYC/KYB, lead enrichment, web scraping, crypto data), and generic B2B SaaS exposing programmatic endpoints.
Consumer shoppers, retail traders, DAO participants, NFT collectors, end users of any kind. We sell to the API provider, not to the agent.
Self-serve sandbox without sign-up, durable Postgres-backed sandbox session, workspace, provider, and endpoint creation, custom gateway path, gateway-enforced disable, the canonical 401 + 402 + 200 with signed receipt flow, live session-correlated audit log with kind and stage filters, per-receipt detail page with verify and generate-proof actions, downloadable proof bundle that verifies offline.
A senior backend engineer or technical founder. Comfortable with Stripe, API keys, rate limiting. Wants agent monetisation to feel like the same mental model, not a new world.
A 401 if no identity, a 402 if no payment proof, a 200 with an X-AgentTrust-Receipt-Id header on success. The agent SDK handles the 402 challenge and retry; the agent application code stays the same shape as a normal HTTP call.
A Workbench at app.aisthetic.services with session-scoped counters, health cards, recent activity, per-receipt detail with verify and generate-proof, audit ledger with kind/stage chips, and a Proof Center that explains what is verifiable today.
124 milestones accepted. 169 ADRs in the log. About 1,564 api tests passing across 20 packages. Engineering surface for the public-beta sandbox path is closed end to end, from website to Workbench evidence home.
There is a live public sandbox at sandbox.aisthetic.services. Real 401 + 402 + 200 + signed receipt flow. The mainnet canary settled a real 0.01 USDC payment on Base mainnet through Coinbase CDP. That is verified on-chain. There is no real paying customer. We do not claim that.
Three live surfaces. Website at aisthetic.services (Vercel). Workbench at app.aisthetic.services (Vercel, custom domain bound). Sandbox API at sandbox.aisthetic.services (Fly.io, Postgres-backed durable sandbox store, ACME-managed TLS, fallback at agenttrust-sandbox.fly.dev).
Workspace tests across 20 projects, roughly 2,200 passing total. apps/api alone is 1,564. Every milestone ships with tests; product:ready emits a bounded posture report; sandbox:public:smoke proves five live checks pass against both production sandbox URLs on every commit.
TypeScript strict everywhere. Fastify for the gateway HTTP server. Next.js App Router for landing and dashboard. Drizzle ORM with PostgreSQL 16. Redis 7 for rate limit counters and idempotency keys. Zod at every input boundary. Vitest for unit and integration tests. pnpm workspaces, turbo-style orchestration via pnpm filters.
API to Fly.io with immediate-strategy redeploy. Dashboard and landing to Vercel. Custom domains bound at the registrar. ACME-managed TLS. Every milestone runs the full check battery before push.
Identity (resolve agent + principal). Policy (allow / deny / price ceiling / budget). Risk (velocity, denylist, reputation hooks). Payment (challenge plus verify, protocol-agnostic). Upstream (proxy to provider). Receipt (Ed25519 signed). Audit (append-only, hash-chained).
Every stage is its own decision with its own audit event. A provider can read why a request was denied without reverse-engineering the runtime. Adapters fail closed: unknown protocol or missing config means deny with reason adapter_unavailable, never silent passthrough.
Identity and policy decide whether the request is even allowed before we charge for it. Risk runs after policy because risk needs the resolved principal. Payment runs after risk because we don’t want to issue a payment challenge for a request risk would have refused anyway.
x402, MPP, AP2, MCP, A2A, and any future standard plugs in behind a stable adapter interface. The core pipeline doesn’t know which protocol is in use. Today x402 is the production-ready adapter; others are scaffolds.
The first version was in-memory, which broke refresh-recovery. SR-M93 introduced PostgresSandboxStore with sha256-only token storage and FK-cascaded session reset. That made selfServeDurability flip to durable_sandbox.
Ed25519. The signer is a port; production is KMS-backed. Dev uses an env-loaded local key. Production refuses ephemeral or env-loaded keys without explicit override. SR-M5 introduced the signer port, mock_kms, and key rotation. Retired keys still verify historical receipts; disabled keys fail with signing_key_disabled.
Don’t. Verify. Every receipt verifies offline against the published gateway public key. Every proof bundle is a downloadable ZIP that runs through pnpm proof:verify. The audit log is hash-chained per provider, so any tampering breaks the chain immediately.
Run the curl block at /docs/quickstart against the live sandbox. The 200 response carries X-AgentTrust-Receipt-Id. Open aisthetic.services/r?id=<that id> and the browser-side WebCrypto verifier checks the Ed25519 signature locally. No cookies needed.
A ZIP containing the signed receipt plus the audit chain segment that produced it plus a verifier-friendly manifest. SR-M21 shipped this for the admin path, SR-M121 added the public-beta sandbox path with a strict_public_beta redaction profile.
Yes, SR-M121.1 ships application/zip direct download with a bounded filename and zero signed URL exposure. The Workbench fetches the bytes via fetch().blob() and triggers a save anchor locally. The dashboard never sees a signed URL.
Four real third-party verification lanes round- tripped against external tenants: x402.facilitator.rs (signed webhook receiver, Cloudflare Worker), x402 funded testnet (Base Sepolia, real on-chain settle), Google Cloud Storage signed sandbox bucket round-trip, Grafana Cloud Mimir Alertmanager real tenant. All four now provider-native. externalOperatorVerified is ready, with caveat provider_native_all_lanes_passed.
SR-M97.2 settled a real 0.01 USDC payment on Base mainnet through Coinbase CDP. EIP-3009 signed payload, JWT-bound CDP request, verify-first / settle-once invariant held live. Receipt id was captured as a sha256-truncated fingerprint; on-chain delta confirmed.
M115 wires a sandboxSessionIdHash via a synthetic internal header that the audit dependency layer merges into payloads. Cross-session reads of receipts, proofs, audit events, and overview counters all return 404 by construction. Tests explicitly seed foreign-session data and prove nothing leaks.
Admin keys (pk_at_*) require role plus scope RBAC. Public-beta sandbox routes never accept admin keys. Cookie sessions never accept admin routes. The two surfaces share zero authorisation state.
Public-beta proof download does not return a signed URL. The response is direct application/zip bytes. The signed URL admin path exists for admin-RBAC use only and never reaches the dashboard for sandbox users.
Receipt id, request id, provider id, endpoint id, agent id, principal id, amount, currency, sha256 of the canonical payment proof, sha256 of input, sha256 of output, policy decision, risk decision, previous receipt hash, signing key id, issued-at, Ed25519 signature. No secrets. Receipts are meant to be third-party verifiable.
Raw payment payload. Raw Authorization header. Raw X-Payment header. Raw wallet signature. Cookies. CSRF tokens. Admin keys. Signed URLs. DB credentials. PII.
Payment proof replay protection is proven across the suite. Rate-limit consume() runs only on verified traffic so unpaid traffic never burns quota. The sandbox proof header (demo-paid) is triple-gated by env flag, mode literal, and slug allowlist; it never exists in production.
Three Sentry projects wired (api, dashboard, landing). beforeSend and beforeSendTransaction scrub Authorization, Bearer, X-Payment, pk_at_*, atsess_*, atcsrf_*, BEGIN PRIVATE KEY, private_key_id. sendDefaultPii is false. Events that match a forbidden pattern are dropped before transport.
No. None of those audits have been commissioned. Internal enterprise baselines (SAML, SCIM) ship in code; certification audits do not. We never say we are certified.
Templates are published under /legal. Each carries a banner: “Template, pending counsel review.” Counsel review is the next legal gate. We do not pretend the templates are counsel-approved.
The sandbox stores no PII. Cookie sessions hold sha256 token hashes only. The audit log carries bounded payloads, no raw IDs at the public-beta surface. Real production billing and customer accounts will require a counsel-reviewed DPA before launch; that is the same operator gate as legal in general.
A bounded posture field with two values: pending_counsel_review (today) or counsel_reviewed (after a real counsel sign-off). Flipping it requires a deliberate code change paired with an ADR. We never claim counsel_reviewed without the actual review.
Operator gate. Polar.sh handles KYB / KYC for paid plans when we wire it. Until that wiring happens publicBilling stays not_launched. We do not collect bank details, tax IDs, or business registration in the sandbox path.
The intended model is a per-call fee on agent traffic that flows through the gateway, plus a seat fee for the Workbench at scale. The exact pricing is a pilot conversation, not a published list price. publicBilling is not_launched today.
Because we have not signed a paying customer. Publishing fictional list prices to look like a real product is a form of marketing fraud we refuse to participate in. Pilot pricing is honest until pilot data justifies a list.
Five shapes documented in docs/PILOT_READINESS.md, ranging from no-credential sandbox (zero) to enterprise SSO plus SIEM (multi-week). Acceptance criteria are in docs/FIRST_SIGNED_PILOT_ACCEPTANCE_CRITERIA.md. First signed pilot flips enterprisePilot to ready. None signed yet. We do not claim one.
Per-call fee minus AWS / Fly / Vercel / Sentry cost. Sandbox is operationally near-zero (no real settlement). Mainnet canary cost was 0.01 USDC plus Coinbase CDP fee, paid out of the operator wallet, not a customer. At paid-plan scale we expect the per-call fee to be a thin take rate over an x402 facilitator fee.
Out of scope. Will never ship. We coordinate the flow, we never hold funds. No native token. No new chain. No L2. No rollup. No custody wallet. Receipts are signed JSON, not tokens.
Three layers. (1) Bounded posture vocabulary as truth lock: every claim ties back to live verification, which makes drifting the brand for short-term marketing painful. (2) Proof bundles that verify offline: removes the “trust me” ask from the sales conversation. (3) Adapter abstraction over x402, MPP, AP2: when the agent payments space converges on a winner, we’re the integration that survives the convergence.
Stripe handles human card payments and assumes a human to verify charges. Their primitives (3DS, chargeback, dispute) don’t map onto agent traffic, where there is no human to verify and no chargeback dispute. Stripe could pivot, but they would need to abandon a lot of card-network infrastructure. We bet on a different shape.
Cloudflare ships edge identity (Cloudflare Access), edge rate limiting, and edge logging. They do not ship per-call payment verification or signed receipts. They could add it. They have not today. AgentTrust’s value is the seven-stage composition, not any individual stage.
x402 is a payment protocol. AgentTrust is a gateway that integrates x402 plus identity plus policy plus risk plus receipt plus audit. The protocol cannot be the product; the product is the integration. We host x402 as one of several payment adapters, alongside MPP scaffolds and AP2 stubs.
Marketplaces. Different layer. AgentTrust sits above any marketplace and exposes the same seven-stage pipeline regardless of where the agent discovers the API.
MCP is a tool-calling protocol from Anthropic. AgentTrust runs perpendicular: an MCP server can front an AgentTrust-protected endpoint and the pipeline runs identically. SR-M62+ scoped a @agenttrust/mcp-server package for the converged case but did not ship it; pre-pilot work.
AgentTrust is the only thing that gives an API provider identity, policy, payment, signed receipt, and audit log from one integration, with offline-verifiable proof bundles, with zero custody.
Adoption. The market for agent-native API monetisation is forming faster than the integrations are being shipped. If the market converges on a single payment protocol owned by a hyperscaler before we sign a pilot, we face a race against a much bigger distribution channel.
The sandbox is durable, the receipt format is public-verifiable, the proof bundle works offline. Even with zero pilots the artefacts remain useful as reference for the standards conversation around x402, MPP, and AP2. The downside is bounded: no token to devalue, no custody to refund.
Each stage of the pipeline emits its own audit event. The hash chain breaks immediately on tampering. KMS-backed signers mean a leaked private key is rotated, not cryptographically burned. The Sentry scrub list catches secret patterns before transport. Public-beta sandbox holds zero PII, so the blast radius of a sandbox breach is bounded.
The payment adapter interface is protocol- agnostic. x402.facilitator.rs going down means swapping to Coinbase CDP’s facilitator (we already integrated for the mainnet canary) or to a self-hosted facilitator. The adapter swap is bounded and tested.
Every milestone is paired with an ADR. Engineering decisions are reproducible from the log. Fly + Vercel + Postgres + Sentry are all standard infra, not bespoke. The receipt format is signed JSON, third-party verifiable without needing the operator. Continuity risk is bounded.
Vercel and Fly cross-origin cookies were briefly the rate-limiting factor on M88 / M89. We debugged it through three failed deploys and landed a clean self-contained bundle deploy script. That kind of cross-cloud cookie problem is the most common production-deploy pain point. We have not hit it again since SR-M92.
Three signals converged in late 2025 and early 2026. (1) x402 published a working facilitator on Base mainnet. (2) Anthropic published MCP and the AI agent ecosystem coalesced on tool-calling APIs. (3) Coinbase opened a v2 x402 facilitator behind CDP keys. The integrations needed to monetise agent traffic exist; the gateway that composes them does not.
Because if we wait, a hyperscaler will own the integration before the standard settles, and the standard will conform to their integration. The correct posture is to ship a protocol-agnostic adapter today and let the standards converge around the integration that already works.
Real on-chain x402 settle on Base mainnet (us, in SR-M97.2). Real Cloudflare-fronted webhook receiver. Real provider-native Grafana Alertmanager tenant. Real durable Postgres- backed sandbox. Real public-beta proof generate and download surface. Real Workbench evidence home for returning users.
A solo technical founder shipping at high cadence (124 milestones in roughly six months of concentrated work). Engineering, ADRs, brand, and operator playbooks all by one person. The decision log proves the cadence; the test suite proves the engineering surface.
Founder-mode shipping is faster than a small team for a clearly-bounded category. The bounded posture vocabulary substitutes for headcount, every commit ties to an ADR, every claim ties to a verifiable artefact. The next hire shows up when the first signed pilot does, not before.
Solana builder, code-first, deep in the agent payments and crypto-native developer-tools space. Multiple shipped consumer and infra products. Comfortable with KMS, Postgres, edge deployment, JWT mint, on-chain payment flows. The repo is the resume.
One milestone per session, with an ADR, tests, and a deploy. The bounded posture register in docs/PUBLIC_BETA_STATUS.md and CLAUDE.md tracks every flip. A friend who reads CLAUDE.md can pick up the project on day one without a handoff call.
SR-M125: Controlled Public-Beta Provider Rehearsal plus Evidence Handoff. One real developer walks the 22-step flow under a bounded observation script. Outcome decides whether SR-M126 is a UX friction closure, a counsel review gate, or a first-signed-pilot push.
First signed pilot completed (operator gate). Counsel review of /legal templates flips legalGate to counsel_reviewed (operator gate). Polar.sh KYB plus paid-plan scaffolding lands; publicBilling moves from not_launched to a bounded launched state.
First signed enterprise pilot with a real SSO + SIEM integration. SOC 2 Type 1 commissioned. Public list price established from real pilot data. enterprisePilot flips to ready, separately from enterpriseGA.
Multi-tenant production isolation beyond cookie session. Real Okta / Entra / Google SAML certification. SCIM 2.0 conformance audit. Pricing-page list. enterpriseGA candidate surface, gated on real revenue and pilot count.
Never. Out of scope by design. We coordinate the flow, we never hold funds. Receipts are signed JSON, not tokens. There is no token roadmap and will never be one.
Every claim on the website resolves to a verifiable artefact (live URL, signed receipt, downloadable proof bundle, posture field in pnpm product:ready). If a claim doesn’t resolve, we don’t make it.
Public production billing (not launched). Real signed customer pilot (not yet completed). Enterprise GA (not claimed). SOC 2, ISO 27001, HIPAA, PCI (no commissioned audits). Official Okta / Entra / Google SAML certification (not claimed). Official SCIM 2.0 conformance (internal enterprise baseline only). Customer logos, revenue figures, testimonials, benchmarks (none invented). Token, L2, custody wallet (out of scope, will never ship).
docs/DECISIONS.md is append-only. The bounded posture vocabulary forces every flip to be a deliberate code change paired with an ADR. There is no “marketing override” path. If a field flips, the diff is in git.
The customer is a senior backend engineer. They can read a CHANGELOG. The fastest way to lose them is to overclaim and have them find out. The bounded posture register is faster sales than any sales deck.
The product is built, the proof is verifiable, the claims are bounded. The next gate is operator: a real human walking the flow, a real counsel reviewing the templates, a real customer signing a pilot. Engineering is done.
aisthetic·services