A coding agent can build a product in minutes. The moment it needs a paid API, a database, a model endpoint, or a cloud resource, the workflow falls back to a human in a browser.
So you stop the agent and do all this — for every service:
↗ leave the editor, open the provider's site
📝 fill the signup form, accept the ToS
📧 switch to email, click the verification link
💳 decide who owns billing and spend limits
🔑 create credentials, copy them into the project
🧾 later, nobody knows which agent created what
Merchants fear abuse. Users fear leaked keys. Agents lose the thread.
HOW WE SOLVE IT
One consent chain for signup, payment, credentials, and proof.
Vyana sits between the agent, user, merchant, and payment rail. It turns commercial actions into signed, bounded, auditable workflows.
Merchant SDK returns credentials, receipts, and ownership proof.
ASP
Agent Signup Protocol creates merchant accounts and returns scoped credentials.
APP
Agent Payment Protocol authorizes quotes, checkout, receipts, and settlement evidence.
Control plane
Organizations, RBAC, agent groups, policies, revocation, and audit trails.
vyana.dev/signup
Get started with Vyana
Create the human root of trust for your agents, teams, and merchants.
vyana.dev/onboard/kyc
Verify your identity
One-time KYC unlocks higher spend tiers and merchant trust.
Aadhaar verification
✓ Identity verified · KYC level 2 · GST-eligible
⌖ detecting device capabilities (WebAuthn)…
Enroll an authenticator
Passkeys bind approval to the human. The private key never leaves your machine; agents only receive bounded authority.
TYPE A
Platform passkey
Face ID · Touch ID · Windows Hello · Android biometric
Ed25519 in the Secure Enclave · biometric to sign
spend tier 1–2 · up to ₹50,000/mo
TYPE B
Hardware security key
YubiKey · Solo · Feitian — insert & tap
FIDO2 key · Linux desktops & high-security users
spend tier 1–2 · up to ₹50,000/mo
TYPE C
Authenticator app
Google Authenticator · Authy — any phone
TOTP fallback · budget Android, no biometrics
spend tier 3–4 · up to ₹2,000/mo
User Consent Mandate
Organization: Acme Labs · Builder role
Agent groups: codex, claude-code, ci-agents
Allowed services: nimbus-db, lumen-stock, fal-ai
Allowed categories: database, media, AI infra
Monthly spending cap: ₹10,000
Per-transaction cap: ₹5,000
Valid until: 2027-05-27
✓ UCM signed · Ed25519 · stored at broker
CURRENT PLATFORM
ASP + APP + control plane.
The current Vyana application is a broker, MCP server, merchant SDK, sample merchant, and dashboard flow. ASP is the signup path; APP is the payment/provisioning path; the control plane governs who can do what.
BUILT · ASP
Agent Signup Protocol
SIT → merchant SDK → signed ACR + AOC → vault credentials → receipt and audit trail.
+
BETA · APP
Agent Payment Protocol
Quote → PET → merchant checkout or broker settlement → payment receipt → provisioned resource.
=
VYANA
Agent Commerce
Provision, pay, revoke, audit, and own — under one revocable consent chain.
01
MCP as the agent surface
Codex, Claude Code, Cursor, and custom agents call the same Vyana tools: quote, approve, provision, status, revoke.
02
Merchant SDK as the adoption path
API companies integrate once to accept bounded agents without giving up abuse controls or billing ownership.
03
Security hardening is explicit
Production path: signed amounts, signed webhooks, URL allowlists, persistent nonces, real auth, and settlement rails.
APP WORKFLOW
Quote, approve, pay, provision — from the agent.
For merchants like fal.ai, OpenRouter, Fireworks, Deepgram, Pinecone, Supabase, Neon, Railway, Render, and Qdrant Cloud, Vyana can mediate paid provisioning instead of exposing raw billing power to an agent.
terminal intent
"Create a fal.ai workspace with a ₹1,000 cap"
The agent asks Vyana MCP for a merchant quote. Vyana checks org policy, role, agent group, active UCM, merchant capability, and spend caps before minting a PET.
Merchant quote
Signed by merchant or rejected if key is not pinned.
quote
Payment execution token
Short-lived PET scoped to service, amount, mode, and mandate.
PET
Settlement
Merchant checkout is demo-ready; broker payout rails are the next hardening step.
beta
Credentials + receipt
Vaulted at broker, returned to agent only when policy allows.
proof
CONTROL PLANE
Built for teams, not just solo demos.
The platform direction is organizations, role-based access, agent groups, merchant policies, approval thresholds, revocation, and audit trails across tools.
Organizations
A company owns policy, billing rules, merchant allowlists, and audit history.
org → teams → users → service policies
Roles & approvals
Builder, admin, finance, security, and approver roles determine which actions need step-up.
RBAC · spend tiers · passkey step-up
Agent groups
Codex, Claude Code, CI agents, ADK, LangChain, and custom agents get separate scopes.
group caps · merchant scopes · revoke all
SECURITY POSTURE
Current demo works. Production needs hardening.
The demo is intentionally fast-moving. The production path is clear: close demo auth, bind every spend field into signatures, authenticate webhooks, pin merchant keys, and use persistent replay protection.
Attack surfaces we are closing
01
Demo sessions and admin routes must be disabled outside localhost.
02
APP checkout should require signed device intent or passkey step-up, not a bearer token alone.
03
Amounts, currency, merchant quote hash, and payment mode must be signed.
Production controls
04
Signed merchant webhooks, pinned merchant keys, URL allowlists, no private-network callbacks.
05
Redis/Postgres nonce stores for merchant SDK and APP PET replay defense.
06
Authenticated receipt, transaction, and KYC reads with ownership enforcement.
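Added example, not Vyana's code: a sketch of items 03 and 05 above, in which every spend field of a PET is covered by the signature and a nonce store rejects replays. The field names, the mode strings, the demo key and the integer minor-unit amounts are assumptions; HMAC-SHA256 stands in for the Ed25519 signature, and an in-memory set stands in for the Redis/Postgres nonce store.

```python
import hashlib, hmac, json, secrets, time

# Constructed demo key. HMAC-SHA256 is a stand-in for an Ed25519 signature.
BROKER_KEY = b"constructed-demo-key-not-a-real-secret"
# Hypothetical field names: scope, every spend field, nonce and expiry are signed.
SIGNED_FIELDS = ("service", "mandate", "amount", "currency", "mode",
                 "quote_hash", "nonce", "exp")

def _canonical(pet):
    # Fixed field order and separators so signer and verifier hash identical bytes.
    return json.dumps([pet[f] for f in SIGNED_FIELDS], separators=(",", ":")).encode()

def _sign(pet):
    return hmac.new(BROKER_KEY, _canonical(pet), hashlib.sha256).hexdigest()

def mint_pet(service, mandate, amount, currency, mode, quote, ttl=120, now=None):
    """Mint a short-lived token bound to one quote; amount is in minor units."""
    now = time.time() if now is None else now
    pet = {"service": service, "mandate": mandate, "amount": amount,
           "currency": currency, "mode": mode,
           "quote_hash": hashlib.sha256(quote).hexdigest(),
           "nonce": secrets.token_hex(16), "exp": int(now) + ttl}
    pet["sig"] = _sign(pet)
    return pet

def verify_pet(pet, quote, seen_nonces, now=None):
    """Return 'ok' or the reason the token is refused."""
    now = time.time() if now is None else now
    try:
        expected = _sign(pet)
    except (KeyError, TypeError):
        return "malformed"
    if not hmac.compare_digest(expected.encode(), str(pet.get("sig", "")).encode()):
        return "bad_signature"      # any edited spend field lands here
    if pet["quote_hash"] != hashlib.sha256(quote).hexdigest():
        return "quote_mismatch"     # token presented with a different quote
    if now >= pet["exp"]:
        return "expired"
    if pet["nonce"] in seen_nonces:
        return "replayed"
    # Stand-in store: production needs an atomic insert that survives restarts.
    seen_nonces.add(pet["nonce"])
    return "ok"

if __name__ == "__main__":
    quote = b'{"merchant":"fal-ai","price":100000}'   # constructed sample quote
    pet, seen = mint_pet("fal-ai", "ucm-demo-1", 100000, "INR", "merchant_checkout", quote), set()
    print(verify_pet(pet, quote, seen), verify_pet(pet, quote, seen))
    print(verify_pet(dict(pet, amount=500000), quote, set()))
```

The nonce is recorded only after the signature, quote and expiry checks pass, so unauthenticated requests cannot fill the store.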
Agents need a trust layer.
Vyana gives them consent, payment, credentials, and proof.