Case Study: AsterPay KYA Wires
InsumerAPI into ERC-8183 Agent Trust Scoring

AsterPay is building trust infrastructure for AI agent payments. Their "Know Your Agent" (KYA) trust score engine evaluates agent wallets across 7 dimensions before allowing them to participate in ERC-8183 agentic commerce. In March 2026, AsterPay wired InsumerAPI into their KYA Hook, replacing manual KYB processes with cryptographically verifiable attestations. One API call, 4 conditions, 1 credit. If the wallet qualifies, the trust score can reach "verified" or higher without any human review.

For the broader picture of what KYA actually requires across the open multi-attestation spec (now ten signed dimensions across nine independent issuers, seven with shipped signature-layer wallet binding), see Would You Trust Your Agent? KYA Is Real.

curl -X POST https://api.insumermodel.com/v1/attest \
  -H "x-api-key: YOUR_KEY" \
  -d '{"wallet":"0x...","conditions":[...],"format":"jwt"}'

npm install insumer-verify

import { verifyAttestation } from 'insumer-verify';
const result = await verifyAttestation(jwt);
// result.valid → map to your trust score

The problem: agents cannot prove identity at scale

ERC-8183 standardizes how AI agents discover, negotiate, and settle jobs on-chain through the Agentic Commerce Protocol (ACP). The spec includes IACPHook, an extension point that runs beforeAction and afterAction callbacks on every job lifecycle event.

But when a new agent wallet shows up to provide a job, the client has limited information. Wallet age and transaction count tell you something, but not enough. Sanctions screening tells you what the wallet is not, not what it is. Manual KYB verification does not scale when agents are registering autonomously.

AsterPay needed automated, cryptographically verifiable attestation signals that could feed into a trust score without requiring human review.

The integration: 4 attestation conditions, 1 API call

AsterPay's KYA Hook calls POST /v1/attest with 4 conditions in a single request (1 credit):

POST https://api.insumermodel.com/v1/attest
{
  "wallet": "0x...",
  "conditions": [
    { "type": "token_balance",
      "contractAddress": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
      "chainId": 8453, "threshold": 100, "decimals": 6 },
    { "type": "eas_attestation",
      "template": "coinbase_verified_account" },
    { "type": "eas_attestation",
      "template": "coinbase_verified_country" },
    { "type": "eas_attestation",
      "template": "gitcoin_passport_score" }
  ],
  "format": "jwt"
}

The first condition verifies USDC holdings on Base. The next three use templates, which auto-resolve to the correct EAS schema, attester address, and chain. No raw schemaId or attester values needed. Available templates are discoverable via GET /v1/compliance/templates (public, no auth required).

The response is an ES256-signed JWT containing per-condition results with met: true/false, condition hashes for tamper detection, and the block number and timestamp at evaluation time.

How attestations map to the trust score

The AsterPay Trust Score has 7 components totaling 100 points. InsumerAPI attestations feed 4 of them:

Coinbase KYC to Operator KYB (up to 15 points). The hardest signal to automate. If the agent's operator wallet has a Coinbase verified account attestation on-chain (via EAS on Base), the system knows a real person passed identity verification. Combined with ERC-8004 registration, this yields 15/20 KYB points without any manual process.

Country verification to Identity (up to 20 points). Country attestation stacks with ERC-8004 registration. An agent with both on-chain identity and verified jurisdiction gets full identity points.

Gitcoin Passport to Reputation (up to 4 points). For agents without AsterPay transaction history, Gitcoin Passport provides a cross-platform reputation signal. Note: gitcoin_passport_score resolves on Optimism (chainId 10), not Base. If your parsing filters by chain, account for this.

USDC balance to Trust Bond (5 points). Cryptographically attested token holdings on Base. InsumerAPI handles the on-chain lookup and signs the result. The KYA Hook never makes its own RPC call for this check.

An agent with all four conditions met, plus ERC-8004 registration and clean sanctions screening, could score up to 85/100 (Enterprise tier). Purely from automated, cryptographically verifiable signals.

They trust the cryptography, not us

AsterPay installed insumer-verify (v1.3.6, zero dependencies) and verifies every attestation JWT before mapping it to trust score components:

import { verifyAttestation } from 'insumer-verify';

const result = await verifyAttestation(jwt, {
  jwksUrl: 'https://insumermodel.com/.well-known/jwks.json',
  maxAge: 300,
});

// result.valid -- true only if all 4 checks pass
// result.checks.signature.passed -- ES256 verified against JWKS
// result.checks.conditionHashes.passed -- SHA-256 integrity
// result.checks.freshness.passed -- recent block
// result.checks.expiry.passed -- JWT not expired

Four independent checks: ECDSA P-256 signature against the JWKS endpoint, condition hash integrity (SHA-256 of the evaluated condition matches the signed hash), block freshness (evaluated against a recent block), and JWT expiry. If any check fails, the attestation is not used for scoring.

The JWT is a standard ES256 token verifiable with any library or gateway that supports JWKS. insumer-verify adds the condition hash and freshness checks on top. The JWKS endpoint is at https://api.insumermodel.com/v1/jwks (24h cache headers), with a static mirror at https://insumermodel.com/.well-known/jwks.json.

Architecture

The KYA Hook fits into the ERC-8183 lifecycle as a beforeAction callback:

1. Agent requests to provide a job.
2. AsterPayKYAHook.beforeAction() fires.
3. Five checks run: Chainalysis sanctions oracle (on-chain, fail-closed), ERC-8004 agent identity (on-chain registry), InsumerAPI attestation (4 conditions, 1 call), wallet age and activity (RPC), AsterPay transaction history (off-chain DB).
4. Each check feeds its components into the trust score (0-100).
5. Score meets the client's minimum threshold: allow. Below threshold: revert.

The insumerAttestation.available field in the trust score response indicates whether InsumerAPI returned data for the wallet. AsterPay's findCondition logic handles missing conditions gracefully, returning null if a specific condition is not found in the response.

Contracts are deployed on Base Sepolia: AgentTrustScoreOracle at 0x055dda2623Cd901fd00C4FB3c2c02D2EE36B3BeE and AsterPayKYAHook at 0x7023aF3441657C8D555bdB0477bF155052197B04.

Live example

The integration is live in production. Here is a real response from the AsterPay trust score endpoint:

GET https://x402-api-production-ba87.up.railway.app/v1/agent/trust-score/0x...

{
  "trustScore": 34,
  "tier": "verified",
  "breakdown": {
    "walletAge": 8,
    "walletActivity": 6,
    "sanctionsClean": 20,
    "erc8004Identity": 0,
    "operatorKyb": 0,
    "transactionHistory": 0,
    "trustBond": 0,
    "total": 34
  },
  "insumerAttestation": {
    "available": true,
    "tokenBalance": { "pass": false, "label": "USDC on Base >= 100" },
    "coinbaseKyc": { "pass": false, "label": "Coinbase KYC verified" },
    "coinbaseCountry": { "pass": false, "label": "Coinbase country verified" },
    "gitcoinPassport": { "pass": false, "label": "Gitcoin Passport score" },
    "signatureValid": true,
    "checkedAt": "2026-03-10T09:35:46.004Z"
  }
}

Even when all InsumerAPI conditions return false, the JWT signature is verified (signatureValid: true), and the agent still scores from on-chain signals (wallet age, activity, sanctions). The attestation layer adds signal when the wallet qualifies. It never subtracts.

Cache strategy

InsumerAPI JWTs expire after 30 minutes (exp claim). AsterPay aligned their cache TTL to match: re-attest only when the JWT expires. Their maxScoreAge default is 3600 seconds (1 hour), so the JWT refreshes twice per score cache cycle.

Build your own IACPHook with attestations

If you are building an ERC-8183 hook and want to add third-party attestations:

Get an API key. Free tier includes 100 daily reads and 10 attestation credits. One call with up to 10 conditions costs 1 credit. Sign up at insumermodel.com/developers to get a free API key instantly — no credit card required.

Browse templates. GET /v1/compliance/templates returns all available EAS templates with their provider, chain, and description. Currently 5 templates across Coinbase (Base) and Gitcoin (Optimism).

Define your conditions. Mix condition types freely: token_balance, nft_ownership, eas_attestation, and farcaster_id. Up to 10 per request. Results return in input order (condition: 0, condition: 1, etc.).

Verify the JWT. Install insumer-verify from npm or use any ES256 JWT library with the JWKS endpoint at https://api.insumermodel.com/v1/jwks.

Map results to your scoring logic. Each condition result has met: true/false. Cache the full JWT (30-minute TTL) and re-attest only when it expires.

Source code and links

The KYA Hook contracts and integration code are open source at github.com/AsterPay/erc8183-kya-hook. The live trust score endpoint is at https://x402-api-production-ba87.up.railway.app/v1/agent/trust-score/{address}. The integration was built by AsterPay (Timo Petteri Leinonen, founder).

AsterPay is a Circle Alliance partner providing EUR settlement infrastructure for AI agent commerce (stablecoins to EUR via SEPA Instant, under 10 seconds, 36 EU countries). This is the first IACPHook implementation to consume a third-party attestation API.