Agentic commerce is growing fast. AI agents are buying API access, reserving compute, paying for data — all autonomously. ERC-8183 gives these agents a standard way to discover, negotiate, and settle jobs on-chain through the Agentic Commerce Protocol (ACP).

But there's a gap. When an agent shows up to work a job, how does the client know:

• Is this wallet sanctioned?

• Does the operator have real-world identity verification?

• Does the agent actually hold the funds it claims?

• Is there any reputation signal beyond on-chain history?

Without answers, every interaction is a trust-fall. A client either accepts anyone (risky) or builds custom verification for every provider (expensive).

ERC-8183 includes a powerful extension point: IACPHook. Hooks run beforeAction and afterAction callbacks on every job lifecycle event — setProvider, fund, complete, dispute. They're the enforcement layer.

AsterPay's KYA Hook is the first IACPHook implementation that consumes a third-party attestation API as part of its trust scoring.

You send conditions in, you get cryptographically signed results out. What matters for integrators is the output format and the guarantees it provides.

What the JWT contains

Every POST /v1/attest call with format: "jwt" returns an ES256-signed JWT. The payload contains:

• pass (boolean) — true only when ALL conditions are met

• results (array) — one entry per condition, each with:

  • met (boolean) — whether this specific condition passed

  • evaluatedCondition — the fully resolved condition that was checked

  • conditionHash — SHA-256 of the canonical (sorted-key) JSON of evaluatedCondition

  • blockNumber and blockTimestamp — the chain state at evaluation time

• Standard JWT claims: iss, sub (wallet address), jti, iat, exp (+1800s)

What "tamper-evident" means

The conditionHash is a SHA-256 hash of the exact condition logic that was evaluated, with keys sorted alphabetically before hashing. A verifier can recompute this hash from the evaluatedCondition object. If anyone modifies a condition result after signing, the recomputed hash won't match and verification fails.

The ECDSA signature covers the entire payload, so modifying any field invalidates the signature.

The 4 verification checks

insumer-verify (zero dependencies) runs 4 checks:

1. ES256 signature verified against JWKS

2. Condition hash integrity — each conditionHash matches its evaluatedCondition

3. Block freshness — blockTimestamp within maxAge seconds of now

4. JWT expiry — exp claim has not elapsed

InsumerAPI signs all attestations with a single ECDSA P-256 key:

• Algorithm: ES256 (ECDSA with P-256 and SHA-256)

• Key ID: insumer-attest-v1

• JWKS (API): https://api.insumermodel.com/v1/jwks (24h cache headers)

• JWKS (static): https://insumermodel.com/.well-known/jwks.json

The JWT is a standard ES256 JWT. Any library or gateway that supports ES256 + JWKS can verify it. insumer-verify adds condition hash integrity and block freshness checks on top.

The AsterPay Trust Score has 7 components, each weighted:

InsumerAPI provides signal for 4 of the 7 components — without requiring the agent operator to go through a manual KYB process.

One API call, 4 conditions, 1 credit:

const response = await fetch('https://api.insumermodel.com/v1/attest', {
  method: 'POST',
  headers: {
    'X-API-Key': apiKey,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    wallet: agentAddress,
    conditions: [
      { type: 'token_balance', contractAddress: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913', chainId: 8453, threshold: 100, decimals: 6, label: 'USDC on Base >= 100' },
      { type: 'eas_attestation', template: 'coinbase_verified_account', label: 'Coinbase KYC verified' },
      { type: 'eas_attestation', template: 'coinbase_verified_country', label: 'Coinbase country verified' },
      { type: 'eas_attestation', template: 'gitcoin_passport_score', label: 'Gitcoin Passport score' },
    ],
    format: 'jwt',
  }),
});

Coinbase KYC → Operator KYB (up to 15 points)

The hardest signal to get without manual review. If the operator wallet has a Coinbase verified account attestation on-chain (via EAS on Base), we know a real person passed identity verification. Combined with ERC-8004 registration, this yields 15/20 KYB points.

Country Verification → Identity (up to 20 points)

Country attestation stacks with ERC-8004 registration. An agent with both on-chain identity and verified jurisdiction gets full identity points.

Gitcoin Passport → Reputation (up to 4 points)

For agents without AsterPay transaction history, Gitcoin Passport provides a cross-platform reputation signal.

USDC Balance → Trust Bond (5 points)

Cryptographically attested token balance — the agent provably holds USDC on Base. No RPC call needed from our side; InsumerAPI handles the on-chain lookup and signs the result.

The integration is live in production:

{

"trustScore": 34,

"tier": "verified",

"breakdown": {

"walletAge": 8,

"walletActivity": 6,

"sanctionsClean": 20,

"erc8004Identity": 0,

"operatorKyb": 0,

"transactionHistory": 0,

"trustBond": 0,

"total": 34

},

"insumerAttestation": {

"available": true,

"tokenBalance": { "pass": false, "label": "USDC on Base >= 100" },

"coinbaseKyc": { "pass": false, "label": "Coinbase KYC verified" },

"coinbaseCountry": { "pass": false, "label": "Coinbase country verified" },

"gitcoinPassport": { "pass": false, "label": "Gitcoin Passport score" },

"signatureValid": true,

"checkedAt": "2026-03-10T09:35:46.004Z"

}

}

Even when all InsumerAPI conditions return false, the JWT signature is verified (signatureValid: true), and the agent still scores from on-chain signals. An agent with Coinbase KYC + ERC-8004 + USDC balance + Gitcoin Passport could score up to 85/100 (Enterprise tier) — purely from automated, cryptographically verified signals.

Step 1: Get an API Key — Free tier: 100 daily reads + 10 attestation credits.

Step 2: Define Your Conditions — Use templates for EAS attestations (coinbase_verified_account, coinbase_verified_country, gitcoin_passport_score). Up to 10 conditions per request, 1 credit.

Step 3: Call the Attestation API — POST /v1/attest with your conditions and format: "jwt".

Step 4: Verify the JWT — npm install insumer-verify or use any ES256 JWT library with the JWKS endpoint.

Step 5: Map Results — Each condition result has met: true/false. Cache the JWT (30-minute TTL).

• NFT ownership + Farcaster ID — additional trust score components

• On-chain oracle publishing — trust score consumable by any smart contract on Base

• Configurable thresholds — per-client minimum scores per condition

• KYA Hook contracts: github.com/AsterPay/erc8183-kya-hook

• InsumerAPI docs: insumermodel.com/developers

• insumer-verify: npmjs.com/package/insumer-verify

• ERC-8183 spec: eips.ethereum.org/EIPS/eip-8183

AsterPay is the Trust Layer for AI Agent Payments — 5 shields, one API. InsumerAPI provides privacy-preserving on-chain verification across 32 blockchains.

Agentic commerce is growing fast. AI agents are buying API access, reserving compute, paying for data — all autonomously. ERC-8183 gives these agents a standard way to discover, negotiate, and settle jobs on-chain through the Agentic Commerce Protocol (ACP).

But there's a gap. When an agent shows up to work a job, how does the client know:

• Is this wallet sanctioned?

• Does the operator have real-world identity verification?

• Does the agent actually hold the funds it claims?

• Is there any reputation signal beyond on-chain history?

Without answers, every interaction is a trust-fall. A client either accepts anyone (risky) or builds custom verification for every provider (expensive).

ERC-8183 includes a powerful extension point: IACPHook. Hooks run beforeAction and afterAction callbacks on every job lifecycle event — setProvider, fund, complete, dispute. They're the enforcement layer.

AsterPay's KYA Hook is the first IACPHook implementation that consumes a third-party attestation API as part of its trust scoring.

You send conditions in, you get cryptographically signed results out. What matters for integrators is the output format and the guarantees it provides.

What the JWT contains

Every POST /v1/attest call with format: "jwt" returns an ES256-signed JWT. The payload contains:

• pass (boolean) — true only when ALL conditions are met

• results (array) — one entry per condition, each with:

  • met (boolean) — whether this specific condition passed

  • evaluatedCondition — the fully resolved condition that was checked

  • conditionHash — SHA-256 of the canonical (sorted-key) JSON of evaluatedCondition

  • blockNumber and blockTimestamp — the chain state at evaluation time

• Standard JWT claims: iss, sub (wallet address), jti, iat, exp (+1800s)

What "tamper-evident" means

The conditionHash is a SHA-256 hash of the exact condition logic that was evaluated, with keys sorted alphabetically before hashing. A verifier can recompute this hash from the evaluatedCondition object. If anyone modifies a condition result after signing, the recomputed hash won't match and verification fails.

The ECDSA signature covers the entire payload, so modifying any field invalidates the signature.

The 4 verification checks

insumer-verify (zero dependencies) runs 4 checks:

1. ES256 signature verified against JWKS

2. Condition hash integrity — each conditionHash matches its evaluatedCondition

3. Block freshness — blockTimestamp within maxAge seconds of now

4. JWT expiry — exp claim has not elapsed

InsumerAPI signs all attestations with a single ECDSA P-256 key:

• Algorithm: ES256 (ECDSA with P-256 and SHA-256)

• Key ID: insumer-attest-v1

• JWKS (API): https://api.insumermodel.com/v1/jwks (24h cache headers)

• JWKS (static): https://insumermodel.com/.well-known/jwks.json

The JWT is a standard ES256 JWT. Any library or gateway that supports ES256 + JWKS can verify it. insumer-verify adds condition hash integrity and block freshness checks on top.

The AsterPay Trust Score has 7 components, each weighted:

InsumerAPI provides signal for 4 of the 7 components — without requiring the agent operator to go through a manual KYB process.

One API call, 4 conditions, 1 credit:

const response = await fetch('https://api.insumermodel.com/v1/attest', {
  method: 'POST',
  headers: {
    'X-API-Key': apiKey,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    wallet: agentAddress,
    conditions: [
      { type: 'token_balance', contractAddress: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913', chainId: 8453, threshold: 100, decimals: 6, label: 'USDC on Base >= 100' },
      { type: 'eas_attestation', template: 'coinbase_verified_account', label: 'Coinbase KYC verified' },
      { type: 'eas_attestation', template: 'coinbase_verified_country', label: 'Coinbase country verified' },
      { type: 'eas_attestation', template: 'gitcoin_passport_score', label: 'Gitcoin Passport score' },
    ],
    format: 'jwt',
  }),
});

Coinbase KYC → Operator KYB (up to 15 points)

The hardest signal to get without manual review. If the operator wallet has a Coinbase verified account attestation on-chain (via EAS on Base), we know a real person passed identity verification. Combined with ERC-8004 registration, this yields 15/20 KYB points.

Country Verification → Identity (up to 20 points)

Country attestation stacks with ERC-8004 registration. An agent with both on-chain identity and verified jurisdiction gets full identity points.

Gitcoin Passport → Reputation (up to 4 points)

For agents without AsterPay transaction history, Gitcoin Passport provides a cross-platform reputation signal.

USDC Balance → Trust Bond (5 points)

Cryptographically attested token balance — the agent provably holds USDC on Base. No RPC call needed from our side; InsumerAPI handles the on-chain lookup and signs the result.

The integration is live in production:

{

"trustScore": 34,

"tier": "verified",

"breakdown": {

"walletAge": 8,

"walletActivity": 6,

"sanctionsClean": 20,

"erc8004Identity": 0,

"operatorKyb": 0,

"transactionHistory": 0,

"trustBond": 0,

"total": 34

},

"insumerAttestation": {

"available": true,

"tokenBalance": { "pass": false, "label": "USDC on Base >= 100" },

"coinbaseKyc": { "pass": false, "label": "Coinbase KYC verified" },

"coinbaseCountry": { "pass": false, "label": "Coinbase country verified" },

"gitcoinPassport": { "pass": false, "label": "Gitcoin Passport score" },

"signatureValid": true,

"checkedAt": "2026-03-10T09:35:46.004Z"

}

}

Even when all InsumerAPI conditions return false, the JWT signature is verified (signatureValid: true), and the agent still scores from on-chain signals. An agent with Coinbase KYC + ERC-8004 + USDC balance + Gitcoin Passport could score up to 85/100 (Enterprise tier) — purely from automated, cryptographically verified signals.

Step 1: Get an API Key — Free tier: 100 daily reads + 10 attestation credits.

Step 2: Define Your Conditions — Use templates for EAS attestations (coinbase_verified_account, coinbase_verified_country, gitcoin_passport_score). Up to 10 conditions per request, 1 credit.

Step 3: Call the Attestation API — POST /v1/attest with your conditions and format: "jwt".

Step 4: Verify the JWT — npm install insumer-verify or use any ES256 JWT library with the JWKS endpoint.

Step 5: Map Results — Each condition result has met: true/false. Cache the JWT (30-minute TTL).

• NFT ownership + Farcaster ID — additional trust score components

• On-chain oracle publishing — trust score consumable by any smart contract on Base

• Configurable thresholds — per-client minimum scores per condition

• KYA Hook contracts: github.com/AsterPay/erc8183-kya-hook

• InsumerAPI docs: insumermodel.com/developers

• insumer-verify: npmjs.com/package/insumer-verify

• ERC-8183 spec: eips.ethereum.org/EIPS/eip-8183

AsterPay is the Trust Layer for AI Agent Payments — 5 shields, one API. InsumerAPI provides privacy-preserving on-chain verification across 32 blockchains.