# First IACPHook with Third-Party Attestation: AsterPay KYA + InsumerAPI

> Co-authored by AsterPay and Insumer Model

**Published by:** [AsterPay](https://paragraph.com/@asterpay/)
**Published on:** 2026-03-10
**URL:** https://paragraph.com/@asterpay/first-iacphook-with-third-party-attestation-asterpay-kya-insumerapi

## Content

### The Problem: AI Agents Can't Prove Who They Are

Agentic commerce is growing fast. AI agents are buying API access, reserving compute, paying for data — all autonomously. ERC-8183 gives these agents a standard way to discover, negotiate, and settle jobs on-chain through the Agentic Commerce Protocol (ACP).

But there's a gap. When an agent shows up to work a job, how does the client know:

- Is this wallet sanctioned?
- Does the operator have real-world identity verification?
- Does the agent actually hold the funds it claims?
- Is there any reputation signal beyond on-chain history?

Without answers, every interaction is a trust-fall. A client either accepts anyone (risky) or builds custom verification for every provider (expensive).

### The Solution: IACPHook + Third-Party Attestations

ERC-8183 includes a powerful extension point: IACPHook. Hooks run `beforeAction` and `afterAction` callbacks on every job lifecycle event — `setProvider`, `fund`, `complete`, `dispute`. They're the enforcement layer.

AsterPay's KYA Hook is the first IACPHook implementation that consumes a third-party attestation API as part of its trust scoring.

### How InsumerAPI Attestations Work

You send conditions in, you get cryptographically signed results out. What matters for integrators is the output format and the guarantees it provides.

#### What the JWT contains

Every `POST /v1/attest` call with `format: "jwt"` returns an ES256-signed JWT.
The payload contains:

- `pass` (boolean) — true only when ALL conditions are met
- `results` (array) — one entry per condition, each with:
  - `met` (boolean) — whether this specific condition passed
  - `evaluatedCondition` — the fully resolved condition that was checked
  - `conditionHash` — SHA-256 of the canonical (sorted-key) JSON of `evaluatedCondition`
  - `blockNumber` and `blockTimestamp` — the chain state at evaluation time
- Standard JWT claims: `iss`, `sub` (wallet address), `jti`, `iat`, `exp` (+1800s)

#### What "tamper-evident" means

The `conditionHash` is a SHA-256 hash of the exact condition logic that was evaluated, with keys sorted alphabetically before hashing. A verifier can recompute this hash from the `evaluatedCondition` object. If anyone modifies a condition result after signing, the recomputed hash won't match and verification fails. The ECDSA signature covers the entire payload, so modifying any field invalidates the signature.

#### The 4 verification checks

insumer-verify (zero dependencies) runs 4 checks:

1. ES256 signature verified against JWKS
2. Condition hash integrity — each `conditionHash` matches its `evaluatedCondition`
3. Block freshness — `blockTimestamp` within `maxAge` seconds of now
4. JWT expiry — `exp` claim has not elapsed

### JWKS / JWT Architecture

InsumerAPI signs all attestations with a single ECDSA P-256 key:

- Algorithm: ES256 (ECDSA with P-256 and SHA-256)
- Key ID: `insumer-attest-v1`
- JWKS (API): https://api.insumermodel.com/v1/jwks (24h cache headers)
- JWKS (static): https://insumermodel.com/.well-known/jwks.json

The JWT is a standard ES256 JWT. Any library or gateway that supports ES256 + JWKS can verify it.
insumer-verify adds condition hash integrity and block freshness checks on top.

### How InsumerAPI Fits the Trust Score

The AsterPay Trust Score has 7 components, each weighted:

| Component | Max Points | Source |
| --- | --- | --- |
| Wallet age | 15 | RPC — block history |
| Wallet activity | 15 | RPC — transaction count |
| Sanctions clean | 20 | Chainalysis Oracle |
| ERC-8004 identity | 20 | On-chain registry + InsumerAPI country |
| Operator KYB | 20 | Manual whitelist / InsumerAPI Coinbase KYC |
| Transaction history | 5 | AsterPay DB + InsumerAPI Gitcoin Passport |
| Trust bond | 5 | InsumerAPI USDC balance |
| Total | 100 | |

InsumerAPI provides signal for 4 of the 7 components — without requiring the agent operator to go through a manual KYB process.

### The Attestation Call

One API call, 4 conditions, 1 credit:

```javascript
const response = await fetch('https://api.insumermodel.com/v1/attest', {
  method: 'POST',
  headers: {
    'X-API-Key': apiKey,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    wallet: agentAddress,
    conditions: [
      {
        type: 'token_balance',
        contractAddress: '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913',
        chainId: 8453,
        threshold: 100,
        decimals: 6,
        label: 'USDC on Base >= 100'
      },
      { type: 'eas_attestation', template: 'coinbase_verified_account', label: 'Coinbase KYC verified' },
      { type: 'eas_attestation', template: 'coinbase_verified_country', label: 'Coinbase country verified' },
      { type: 'eas_attestation', template: 'gitcoin_passport_score', label: 'Gitcoin Passport score' },
    ],
    format: 'jwt',
  }),
});
```

### Mapping Conditions to Score Components

#### Coinbase KYC → Operator KYB (up to 15 points)

The hardest signal to get without manual review. If the operator wallet has a Coinbase verified account attestation on-chain (via EAS on Base), we know a real person passed identity verification. Combined with ERC-8004 registration, this yields 15/20 KYB points.

#### Country Verification → Identity (up to 20 points)

Country attestation stacks with ERC-8004 registration. An agent with both on-chain identity and verified jurisdiction gets full identity points.
#### Gitcoin Passport → Reputation (up to 4 points)

For agents without AsterPay transaction history, Gitcoin Passport provides a cross-platform reputation signal.

#### USDC Balance → Trust Bond (5 points)

Cryptographically attested token balance — the agent provably holds USDC on Base. No RPC call needed from our side; InsumerAPI handles the on-chain lookup and signs the result.

### Live Example

The integration is live in production:

```json
{
  "trustScore": 34,
  "tier": "verified",
  "breakdown": {
    "walletAge": 8,
    "walletActivity": 6,
    "sanctionsClean": 20,
    "erc8004Identity": 0,
    "operatorKyb": 0,
    "transactionHistory": 0,
    "trustBond": 0,
    "total": 34
  },
  "insumerAttestation": {
    "available": true,
    "tokenBalance": { "pass": false, "label": "USDC on Base >= 100" },
    "coinbaseKyc": { "pass": false, "label": "Coinbase KYC verified" },
    "coinbaseCountry": { "pass": false, "label": "Coinbase country verified" },
    "gitcoinPassport": { "pass": false, "label": "Gitcoin Passport score" },
    "signatureValid": true,
    "checkedAt": "2026-03-10T09:35:46.004Z"
  }
}
```

Even when all InsumerAPI conditions return false, the JWT signature is verified (`signatureValid: true`), and the agent still scores from on-chain signals. An agent with Coinbase KYC + ERC-8004 + USDC balance + Gitcoin Passport could score up to 85/100 (Enterprise tier) — purely from automated, cryptographically verified signals.

### How to Integrate InsumerAPI into Your Own IACPHook

**Step 1: Get an API Key** — Free tier: 100 daily reads + 10 attestation credits.

**Step 2: Define Your Conditions** — Use templates for EAS attestations (`coinbase_verified_account`, `coinbase_verified_country`, `gitcoin_passport_score`). Up to 10 conditions per request, 1 credit.

**Step 3: Call the Attestation API** — `POST /v1/attest` with your conditions and `format: "jwt"`.

**Step 4: Verify the JWT** — `npm install insumer-verify` or use any ES256 JWT library with the JWKS endpoint.

**Step 5: Map Results** — Each condition result has `met: true/false`.
Cache the JWT (30-minute TTL).

### What's Next

- NFT ownership + Farcaster ID — additional trust score components
- On-chain oracle publishing — trust score consumable by any smart contract on Base
- Configurable thresholds — per-client minimum scores per condition

### Source Code

- KYA Hook contracts: github.com/AsterPay/erc8183-kya-hook
- InsumerAPI docs: insumermodel.com/developers
- insumer-verify: npmjs.com/package/insumer-verify
- ERC-8183 spec: eips.ethereum.org/EIPS/eip-8183

AsterPay is the Trust Layer for AI Agent Payments — 5 shields, one API. InsumerAPI provides privacy-preserving on-chain verification across 32 blockchains.
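The four verification checks and Step 4 above, as an added example that is not part of the original post and is not InsumerAPI's or insumer-verify's code: a Node.js verifier run against a constructed JWT signed with a locally generated P-256 key. The canonical form (recursively sorted keys, compact JSON, hex digest), `blockTimestamp` as Unix seconds, the `maxAge` default and all function names are assumptions.

```javascript
// Added example with constructed data; not InsumerAPI's or insumer-verify's code.
const { createHash, createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');
// ASSUMPTION: canonical form is compact JSON with keys sorted recursively; digest is hex.
const canonical = (v) =>
  Array.isArray(v) ? `[${v.map(canonical).join(',')}]`
  : v && typeof v === 'object'
    ? `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`).join(',')}}`
    : JSON.stringify(v);
const conditionHash = (c) => createHash('sha256').update(canonical(c)).digest('hex');
const b64u = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Runs the page's four checks; returns the payload or throws naming the failed check.
function verifyAttestation(jwt, jwks, { maxAge = 300, now = Math.floor(Date.now() / 1000) } = {}) {
  const [h, p, s] = jwt.split('.');
  if (!h || !p || !s) throw new Error('malformed JWT');
  const header = parse(h);
  if (header.alg !== 'ES256') throw new Error('unexpected alg'); // pin the algorithm
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = createPublicKey({ key: jwk, format: 'jwk' });
  // Check 1: JOSE ES256 signatures are raw r||s (IEEE P1363), not DER.
  const sig = Buffer.from(s, 'base64url');
  if (!verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, sig))
    throw new Error('bad signature');
  const payload = parse(p);
  for (const r of payload.results) {
    // Check 2: recompute the hash from the condition that was actually evaluated.
    if (conditionHash(r.evaluatedCondition) !== r.conditionHash) throw new Error('condition hash mismatch');
    // Check 3 (ASSUMPTION: blockTimestamp is Unix seconds); a missing field fails closed.
    if (!(now - r.blockTimestamp <= maxAge)) throw new Error('stale block');
  }
  if (!(payload.exp > now)) throw new Error('expired'); // Check 4, also fails closed
  return payload;
}

// Constructed sample: a locally generated P-256 key stands in for the issuer's JWKS key.
const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'insumer-attest-v1' }] };
function signJwt(payload) {
  const input = `${b64u({ alg: 'ES256', kid: 'insumer-attest-v1', typ: 'JWT' })}.${b64u(payload)}`;
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}
const NOW = 1773135346; // constructed fixed clock so the run is deterministic
const cond = { type: 'token_balance', chainId: 8453, threshold: 100, decimals: 6 };
const samplePayload = { pass: false, sub: '0x0000000000000000000000000000000000000001', exp: NOW + 1800,
  results: [{ met: false, evaluatedCondition: cond, conditionHash: conditionHash(cond), blockTimestamp: NOW - 12 }] };
console.log(verifyAttestation(signJwt(samplePayload), jwks, { now: NOW }).sub);
```

In an integration, `jwks` would be the document served from one of the JWKS URLs listed above, and the signature step can be delegated to any ES256 library while the hash and freshness checks stay as written.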