Concepts

How Fidacy Works

The model is small and composable. Principals own agents; agents act under mandates; every action is assessed against a policy, scored, signed, and recorded. Each piece is documented below.

The object model

ObjectWhat it is
principalThe accountable party, an organization or person an agent represents.
agentAn autonomous actor with a verifiable identity (a registered key, a W3C DID, or a SPIFFE JWT-SVID) and a status (active / suspended / revoked).
agent_keyA public key the agent signs with, indexed by its RFC 7638 thumbprint.
mandateThe user's signed intent, what the agent is allowed to do, captured at the moment of authorization.
assessmentA first-class verdict on one mandate: decision, score, signals, signed payload, audit pointer.
policyA versioned ruleset (amount, currency, geo, velocity) you control and backtest.

AP2 & the risk_data container

AP2 (Agent Payments Protocol) standardizes how an agent carries a user's payment intent. It defines a risk_data field on the Payment Mandate, an open container for a risk decision, but takes no position on who fills it. Fidacy fills it.

When you assess a Payment Mandate, the response's mandate comes back with risk_data populated by a signed Fidacy block, decision, score, and the JWS credential, ready to forward down the rail.

"risk_data": {
  "fidacy": {
    "decision": "approve",
    "score": 12,
    "vc_jws": "eyJhbGciOiJFZERTQSJ9…",   // the signed Risk Payload
    "signing_key_id": "key_…",
    "payload": { "issuer": "did:web:fidacy.com#key_…", "subject": "agt_…", … }
  }
}

KYA, Know Your Agent

Before anything is scored, the calling agent is identified. Fidacy matches the key that signed the request to a registered agent_key by its RFC 7638 JWK thumbprint, a single indexed equality lookup, O(1) regardless of how many keys exist.

  • ·A key presented out-of-band and registered to an agent is trusted.
  • ·A key merely embedded in the request (cnf.jwk) that isn't registered is self-asserted: it proves possession, not identity, and earns no trust boost and no Fidacy assertion.
  • ·No identifiable agent at all → anonymous: the request can never be approved.

Risk scoring

The score is deterministic, the same inputs always produce the same decision, and every assessment can be replayed from its stored record to the identical outcome. The heuristic blends policy outcome, agent status and trust tier, amount, and velocity into a 0-100 score and a banded decision.

The reasoning layer (optional)

For ambiguous cases (the review band), an optional LLM reasoner can refine the verdict. Critically, it runs after the verdict commits, off the hot path, it never adds latency to the response or holds a database connection, and the same guardrails apply: it can never turn an anonymous or hard-violating case into approve. When it changes a decision, it re-signs the payload and emits an assessment.refined webhook. The provider is pluggable (any OpenAI-compatible model or Anthropic).

Trust score

Each identified agent carries a continuous trust score and tier that move with behaviour, hard violations and velocity anomalies pull it down, clean history lets it recover. Tier changes are written to the audit trail and can trigger an agent.trust_changed webhook. Trust feeds back into scoring, so a well-behaved agent is assessed differently from a risky one.

Policies & the rules engine

Policies are versioned and org-owned. Rules cover amount ceilings, allowed currencies, geography, and velocity windows. You activate one policy at a time; older versions are retained.

Backtest before you activate. Run a candidate ruleset against your own historical mandates and see exactly what it would have decided, so you never break your own flow by shipping a rule blind.

Audit & verification

Every decision is appended to a per-organization, hash-chained, append-only log: each entry's hash covers the previous hash and all canonical fields, so any tampering, reordering, or deletion breaks the chain. Batches are sealed with Merkle anchors, and the head of the chain is committed to Bitcoin, so the record is tamper-evident and re-verifies offline, the non-repudiable evidence trail the EU AI Act expects.

Because hashing runs in a single-writer drain off the hot path, the audit guarantee costs the verdict nothing, see Scaling.