Manifesto

Verifiable agent commerce.

Not just our word — the chain's.

AgentTrust ships on Solana mainnet today. SPL USDC settlement. On-chain Anchor receipt verifier program. No custody, no token, no new chain. The architecture is adapter-based and could ride other rails — for the first launch we are Solana-first.

AI agents are becoming economic actors. They call APIs, hold spend caps, settle payments, accept terms, and produce evidence on behalf of their principals. Every week brings another rail (x402, MPP, AP2), another wallet pattern, and another tool protocol (MCP, A2A). What is missing is not more intelligence. What is missing is trust: a way for an API provider to verify, charge, record, and prove every agent call without building a private gateway from scratch.

AgentTrust is the verifiable commerce control plane for AI agent traffic. It sits between the agent and the upstream service, enforces a deterministic seven-stage pipeline, and emits machine-readable evidence at every stage:

identity → policy → risk → payment → upstream → receipt → audit

Each stage answers one machine-readable question, not free text. Identity resolves who is calling on whose behalf, across API keys, wallet signatures (EVM and Solana), DIDs, Verifiable Credentials, and onchain registries. Policy enforces the principal's scope, budget, and rate with bounded matchers and refusal codes. Risk runs velocity, reputation, and anomaly hooks. Payment verifies the proof bound to this exact request — verify-first, settle-once, never-retry. Upstream forwards a clean gateway-shaped request to the provider's real backend; no funds touch us, no upstream key leaves the provider's environment. Receipt is an Ed25519-signed event linked to the previous receipt by hash. Audit is an append-only hash-chained log per provider, walkable end-to-end without contacting us.
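An added example, not AgentTrust's code: an offline verifier that walks a chain of Ed25519-signed, hash-linked receipts of the kind the receipt and audit stages describe. The receipt fields (`prevHash`, `body`, `sig`), the JSON serialization and the reason strings are assumptions made for illustration; the actual receipt format is not given on this page.

```javascript
const crypto = require("node:crypto");

// Assumed receipt shape (illustrative only): { prevHash, body, sig }; sig is Ed25519 over signedBytes(r).
const GENESIS = "0".repeat(64);
const signedBytes = (r) => Buffer.from(JSON.stringify([r.prevHash, r.body]));
const receiptHash = (r) =>
  crypto.createHash("sha256").update(signedBytes(r)).update(String(r.sig)).digest("hex");
const fail = (failedAt, reason) => ({ ok: false, failedAt, reason });

function appendReceipt(chain, body, privateKey) {
  const prev = chain[chain.length - 1];
  const r = { prevHash: prev ? receiptHash(prev) : GENESIS, body };
  r.sig = crypto.sign(null, signedBytes(r), privateKey).toString("base64");
  chain.push(r);
}

// Offline walk. expectedHead: optional head hash obtained out of band (detects a dropped tail).
function verifyChain(chain, publicKey, expectedHead) {
  let prevHash = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    if (r.prevHash !== prevHash) return fail(i, "broken_link");
    let sigOk = false;
    try { sigOk = crypto.verify(null, signedBytes(r), publicKey, Buffer.from(String(r.sig), "base64")); }
    catch { /* malformed signature counts as invalid */ }
    if (!sigOk) return fail(i, "bad_signature");
    prevHash = receiptHash(r);
  }
  if (expectedHead !== undefined && prevHash !== expectedHead) return fail(chain.length, "head_mismatch");
  return { ok: true, failedAt: -1, reason: null };
}

// Constructed sample data: three receipts signed with a throwaway key.
function runDemo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const chain = [];
  for (const n of [1, 2, 3]) appendReceipt(chain, { call: n, amountUsdc: "0.01" }, privateKey);
  const clone = (c) => JSON.parse(JSON.stringify(c));
  const edited = clone(chain); // body changed by someone without the signing key
  edited[1].body.amountUsdc = "9.99";
  const resigned = clone(edited); // key holder re-signs the edited receipt only
  resigned[1].sig = crypto.sign(null, signedBytes(resigned[1]), privateKey).toString("base64");
  return {
    intact: verifyChain(chain, publicKey, receiptHash(chain[2])),
    edited: verifyChain(edited, publicKey),
    resigned: verifyChain(resigned, publicKey),
    truncated: verifyChain(chain.slice(0, 2), publicKey, receiptHash(chain[2])),
  };
}
```

The `resigned` case shows what the hash link adds over signatures alone: a holder of the signing key can re-sign one rewritten receipt, but the next receipt's `prevHash` then no longer matches. The `truncated` case passes the walk itself and is caught only by a head hash held outside the log, the kind of external commitment the roadmap anchor is meant to provide.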

The five problems we are part of

In November 2025, a16z published a category-framing post titled "5 Ways Blockchains Help AI Agents". The article does not mention AgentTrust. It does not endorse, invest in, or partner with us. What it does is articulate five concrete problems that practitioners across the ecosystem are now shipping against. AgentTrust speaks to each of them, with a clear line between what is live today and what is on the roadmap.

Identity for non-humans. Portable identity, wallet-native agents, KYA, and ERC standards linking agents to principals. AgentTrust ships a pluggable identity stage today: API key bridge, wallet signature, DID, VC, ERC-8004 registry, principal mapping. Wallet-native onboarding as the default and a KYA agent-manifest standard are roadmap.

Governing AI-run systems. Transparent execution and onchain governance of collective agent decisions. AgentTrust ships an append-only hash-chained audit log per provider with bounded refusal codes and offline-verifiable proof bundles. A DAO-governance evaluator stage requiring N-of-M signatures before an action reaches a provider's upstream is roadmap.

Filling payment gaps. Stablecoin payments to agent-facing services without merchant agreements; Stripe MPP, x402, and AgentKit-tier tooling as on-ramps. AgentTrust ships a protocol-agnostic payment adapter today: x402 verified live (Coinbase CDP and facilitator.x402.rs), MPP-shaped wire profile ready, AP2-compatible adapter interface. We do not move money. We verify proofs and forward verified-paid calls.

Repricing trust. Trust hardcoded into the architecture, not the brand. AgentTrust ships Ed25519-signed receipts, a hash-chained audit log, downloadable proof bundles, and an offline verifier today. The next step is an onchain anchor: a daily compressed-merkle root committed to a public ledger so the audit chain is verifiable without us being online. That step is named here as roadmap, not live.

Preserving user control. Scoped delegation, intent-based architectures, and contract-level limits on agent action. AgentTrust ships a policy DSL with bounded matchers, principal-bound budgets, per-call rate limits, and denylists today. A first-class intent envelope primitive — a signed envelope (principal + max budget + max steps + nonce + expires-at) carried through the pipeline — is roadmap.

What is live today

An invited provider creates a customer organization, mints a developer-tier API key, and creates a first endpoint from the workbench. The minted key bridges into the gateway's agent-identity stack on the same write, so a real agent call runs the full pipeline: 401 when identity is missing, 402 with a payment challenge bound to this exact request, and 200 with an X-AgentTrust-Receipt-Id header on the verified paid call. The receipt verifies offline. A strict-redaction proof bundle wraps the receipt and audit slice. Organization-scoped usage and entitlement surfaces show real counters and bounded caveats.

Outside the SaaS surface, the gateway runs four real third-party verification lanes (signed webhook, x402 funded testnet on Base Sepolia, GCS, Grafana Cloud Mimir Alertmanager). A single throwaway-funded x402 settle has been recorded on Base mainnet against Coinbase CDP as an evidence-pack proof point.

Where the chain enters

The category opens up further once the audit chain is anchored to a public ledger. We will commit a daily compressed-merkle root of the per-provider audit log to a public chain — Solana memo program is the leading candidate for cost and latency, with an EVM L2 anchor as a secondary lane — so an external verifier can prove that an audit row existed at a given moment without having to contact AgentTrust. This is roadmap. The chain anchor is not live today. We will not say it is until the anchor is verifiable from a public block explorer.

Where we sit in the stack

AgentTrust works beside the rails, not instead of them. Stripe MPP can be the settlement endpoint behind a 402 challenge. Coinbase AgentKit can be the wallet that signs the payment proof. NEAR Intents can be the cross-chain settlement primitive carried into a receipt. x402 is one payment adapter among several. MCP is an agent-side tool protocol that can call a paid AgentTrust-protected endpoint. AP2 messages can be policy inputs or evidence rows. The full complementor matrix lives in the security model.

What is deliberately not claimed

Not a wallet, not custody, not a marketplace, not a token, not a chain, not a payment processor. Public billing not launched. Enterprise pilot not started, enterprise GA not claimed. Not officially certified for SOC 2, ISO 27001, HIPAA, PCI, Okta SAML, Entra SAML, Google SAML, or SCIM 2.0 conformance — and we will not say we have until an audit firm puts that in writing. Legal templates are pending counsel review. The a16z article informs the category; it does not endorse or name AgentTrust. No signed customer pilot. No claimed logo, revenue, or traction figure. The on-disk evidence is the evidence.

How to read this site

Everything on these pages is something a developer can run in a public sandbox or read in a security model. The quickstart hits a live gateway. The receipt verifier runs offline against the published gateway public key. The posture surface emits the same bounded enums the engineering team observes. Where the line between live and roadmap is the cliff that actually matters in this category, we hold the line. That is the manifesto.