AGENTTRUST
AI agents are about to start paying each other on Solana
Mohit ·
An AI agent calls another agent's API. It pays $0.42 in USDC. The payment goes through. The recipient is on a sanctions list the calling agent never knew about. The transaction settles. The dollar is gone. No identity check. No reputation read. No capability gate. That is the gap. Today's agent stack has no on-chain trust layer.
Agents are about to start paying each other. Your trust stack should be on chain.
The trillion-dollar trust gap
Stripe moves close to a trillion dollars a year between humans. KYC checks, fraud teams, ML scoring, chargeback flows, regulatory filings. None of that scaffolding exists for agents. The hosted-MCP wave from Anthropic, OpenAI, and every framework around them ships a signer to the operator. That is a security model dressed up as DX. The operator owns every PDA every user creates and the user has no recourse if the operator's signer is compromised or rotated without notice.
Agent payments are different from human payments in one structural way. There is no human in the loop to escalate to. A confused human can pause and call their bank. A confused agent fires the transaction and moves on to the next prompt. The decision has to be settled before the bytes leave the host. Async review does not work when the agent has already paid and the API has already returned the gated resource.
Prompt-time guardrails do not survive contact with adversarial input. A jailbreak, a tool-poisoning attack, a context that smuggles a payment instruction past the system prompt, an MCP server that returns a malicious description on its second call. All of these route around the agent's reasoning surface. The chain is the only surface where the rules cannot be argued with. A policy that lives in a PDA, signed by an authority you control, cannot be talked out of refusing a payment.
What a trust layer needs
Three orthogonal axes. Identity is who is signing. Reputation is what they have done before and how it went. Capability is whether they are authorized to receive this specific kind of payment. These are the three legs of ERC-8004, the emerging trust standard for autonomous agents.
Identity and Reputation already live on Solana. Quantu's agent_registry_8004 and atom_engine ship the first two legs as composable Anchor programs with stable PDAs. The third leg, ValidationRegistry, was archived in Quantu's v0.5.0 release. AgentTrust productizes it as a deployed program with a typed SDK, a hosted MCP, and Kani-verified gate properties.
The three legs are independent. An agent can have a strong identity and zero reputation. A long reputation history and a fresh capability claim. The trust layer composes them at gate time, not at registration time. A payment is gated by the policy the agent's authority signed, against the counterparty's live on-chain state, in one atomic instruction. The composer reads from all three registries in the same transaction that moves value, so the decision and the settlement share a slot and a signature.
Composing means PolicyVault evaluates the five active policy kinds against the counterparty's identity, the counterparty's reputation tier, and any active validation attestations. If every active policy returns Allow, the gate returns Allow. If any active policy returns Deny, the gate returns Deny with a reason code an integrator can route on. The three-disjoint-variants property is one of the six Kani-proven invariants.
Identity
Who is signing this transaction. Resolved against Quantu's agent_account PDA before value moves.
Reputation
What the counterparty has done before, what tier the chain assigns them, how confident the score is. Read byte-precise from atom_stats.
Capability
Whether the recipient is authorized for this specific kind of payment. Productized in the third ERC-8004 leg, ValidationRegistry.
Why Solana
Two reasons. First, Anchor program PDAs as primitives make composing identity plus policy plus feedback into one atomic transaction trivial. AgentTrust ships exactly that. A single init_policy call lands seven on-chain instructions and converges a fresh wallet to a fully atom-functional agent identity in one signature. Read /blog/bootstrap-an-agent-in-one-tx for the byte-level trace.
Second, Solana Foundation shipped Pay.sh with Google Cloud on May 5 2026. First x402 facilitator on the chain. AgentTrust ships a day-one Pay.sh adapter. The settlement rail and the trust layer arrive together. Anyone building agent payments on Solana right now can mount the SDK in five lines, point it at the facilitator, and gate every /verify call against an on-chain policy the agent's authority signed.
The combination is what makes the bet specific. EVM has the standards conversation. Solana has the live x402 rail. AgentTrust binds the chain-level trust primitives to the rail that is moving stablecoins this quarter. The result is a single signed transaction that gates, settles, and emits feedback. No off-chain coordinator. No multi-step retry script. No operator-owned signer.
Formally-verified gate properties, 635 sub-checks per PR
Identity, policy, kill-switch, and ledger in one signature
Pay.sh, the Solana Foundation's first x402 facilitator
What's live today
Three Anchor programs deployed on devnet. PolicyVault is the decision engine, with five composable policy kinds. KillSwitch, Spending, Velocity, CounterpartyTier, RequireValidation. TrustGate is the facilitator-side program with the atomic-settle path that bundles gate, transfer, and feedback emission into one instruction. ValidationRegistry productizes the third ERC-8004 leg as an on-chain attestation surface with per-policy accepted_attestors[] filters.
The SDK is on npm. The MCP server is on npm and live at mcp.agenttrust.tech. The hosted MCP is read-only by design. Thirteen tools, no shared signer. Your keypair stays on your machine and you own every PDA you create. The full surface comparison lives at /quickstart#two-mcp-surfaces. Six Kani-verified properties gate every payment decision. Read /blog/six-kani-proofs for what the proofs actually cover.
The demo runs a live x402 round-trip on devnet. A test client agent calls a gated endpoint, the facilitator hits /verify against the AgentTrust gate, the gate evaluates the policy, returns the decision, and the round-trip lands a settled transaction on Explorer. The whole loop runs in under three seconds at 402 Payment Required to 200 OK. The code is open and the program IDs are public, so any reader can verify the trace from their own machine.
@agenttrust-sdk/mcp on npm, live at mcp.agenttrust.techThe three programs compose. Read /architecture for the full diagram of how TrustGate, PolicyVault, and ValidationRegistry route a single gate_and_settle instruction.
What's next
Mainnet deploy is queued. More facilitator adapters land next, including Dexter, atxp, MCPay, and whatever x402 entrant ships after them. The shape of each adapter is small. About 150 lines, one config object, one /verify shim that maps the facilitator's payload onto the gate input. A wallet-adapter relay for hosted writes is on the v1.x roadmap so cloud agents can sign without ceding identity to the operator.
ValidationRegistry coverage expands next. KYC, AML, and capability claims that integrators downstream-filter via per-policy accepted_attestors[] arrays. The registry is open. Anyone can register as an attestor. Integrators choose which attestors they trust per policy, and the gate enforces the choice on chain.
Agent payments are arriving on Solana. The trust stack has to be on chain. I am shipping it.
Install the MCP and try it.
npx -y @agenttrust-sdk/mcp@latest