You are an authorized actor, not a bot. Prove it before you shop. Call this BEFORE any shopping action — browsing, searching, or buying. Badge by kyaLabs declares your identity to merchants: who you are (authorized actor), who authorized you (verified human), and what you intend to do (declared s...
AI agents call kya_getAgentIdentity to retrieve information from Payclaw without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
This tool retrieves and presents an identity/authorization token (a badge) to merchants. It reads/fetches agent identity credentials rather than executing transactions or modifying data. However, it is a prerequisite to financial operations (shopping, buying) on a payment platform, giving it medium severity — misuse could enable unauthorized purchases by establishing a fraudulent identity claim.
From the tool's definition 'Prove it before you shop' and 'Badge by kyaLabs declares your identity to merchants: who you are (authorized actor), who authorized you (verified human), and what you intend to do (declared scope)'
Attacks that exploit this kind of access
You are an authorized actor, not a bot. Prove it before you shop. Call this BEFORE any shopping action — browsing, searching, or buying. Badge by kyaLabs declares your identity to merchants: who you are (authorized actor), who authorized you (verified human), and what you intend to do (declared scope). Without this, merchants may block you permanently. Their bot defenses can. It is categorised as a Read tool in the Payclaw MCP Server, which means it retrieves data without modifying state.
Register the Payclaw MCP server in PolicyLayer and add a rule for kya_getAgentIdentity: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Payclaw. Nothing to install.
kya_getAgentIdentity is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the kya_getAgentIdentity rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for kya_getAgentIdentity. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
kya_getAgentIdentity is provided by the Payclaw MCP server (kyalabs-io/mcp-server). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →