Sell-side roles
Seller Identity is the aggregate verified identity of the sell-side entities, encompassing the Human Principal, the Seller Agent Platform/Service, and the Seller Agent. This identity allows Buyer Agents to verify they are interacting with the correct counterparty, helping to establish trust regarding the quality and legitimacy of the service being consumed.
Seller Principal is the human individual or business entity that owns the product, service, or content being sold and serves as the ultimate beneficiary of the transaction. Verified identity at this tier allows the Buyer Agent to establish trust by knowing exactly who they are conducting business with, which is essential for accounting and regulatory compliance.
Seller Agent is the specific software process, website, API, or MCP server that acts as the programmatic interface for the seller, directly interacting with Buyer Agents to facilitate discovery and purchase. Typically running on Internet-connected infrastructure and discoverable via methods like web search or directories, this agent can register a machine identity—such as a Domain Name backed by an SSL certificate—to allow Buyer Agents to independently verify they are communicating with the authorized endpoint.
Seller Agent Platform / Service is the infrastructure provider that hosts the Seller Agent, providing the necessary runtime environment similar to the buy-side platform. As agentic technology matures, this tier allows Seller Agents to differentiate their machine identity from the broader platform identity under which they execute.
Payment Gateway / Payment Service Provider (PSP) serves as the downstream infrastructure for executing the actual movement of funds on traditional financial rails.
CIAM (Customer Identity and Access Management) is the system responsible for managing user identities, accounts, and login sessions on the sell-side. It can consume KYAPay tokens to programmatically create accounts or authenticate agent sessions using the verified data contained in the tokens. In the KYAPay architecture, its responsibilities are expanded to treat agents as first-class identities alongside human users:
- Frictionless Account Provisioning: The CIAM leverages the KYA token to facilitate agent account creation using familiar paradigms (e.g., unique identifiers such as email addresses) found in human workflows. Because the token is generated by a trusted Identity Token Issuer, the CIAM can provision accounts without requiring traditional secrets (such as passwords or OTPs), or alternatively, allow secrets to be generated by the agent or via human-in-the-loop interaction.
- Unified Identity Management: KYA tokens allow Sellers to move away from managing human principals and programmatic clients in distinct silos (CIAMs vs. API keys). Instead, the CIAM manages both entities within a consistent system, ensuring that programmatic clients are tied to verified Human Principals for robust audit, security, and business compliance.
- Bidirectional Access and Oversight: The system enables seamless interoperability, allowing Human Principals to access accounts created by their verified agents and, conversely, verified agents to operate within accounts belonging to their Human Principals. This capability streamlines programmatic workflows and ensures human oversight is easily maintained.
- Standardized Token Exchange: To make agentic access ubiquitous, CIAMs can use the KYA token as a standard authentication artifact. The CIAM may validate the token and extract data to create a session, or perform a formal token exchange to issue a standard access token to the agent.
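
The validate-then-provision flow described for the CIAM above, as an added example that is not KYAPay's own code. The token layout (an HMAC-signed JSON payload), the claim names, the issuer and seller URLs, and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumptions: compact "payload.signature" tokens, HMAC-SHA256, hypothetical claim
# names. A real issuer would normally sign with a key pair and publish the public key.
TRUSTED_ISSUERS = {"https://issuer.example": b"constructed-demo-key"}
AUDIENCE = "https://seller.example"
accounts = {}  # verified identifier -> account record (stand-in for the CIAM store)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes) -> str:
    """Issuer side, included only so a sample token can be constructed."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def validate(token: str, now=None) -> dict:
    """Return the claims only if issuer, signature, audience and expiry check out."""
    body, _, sig = token.partition(".")
    try:
        claims, given = json.loads(_unb64(body)), _unb64(sig)
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    iss = claims.get("iss") if isinstance(claims, dict) else None
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        raise PermissionError("untrusted issuer")
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise PermissionError("token issued for another seller")
    if claims.get("exp", 0) <= (now or time.time()):
        raise PermissionError("token expired")
    return claims

def sign_in_agent(token: str) -> dict:
    """Provision on first sight, then open a session; no password or OTP involved."""
    claims = validate(token)
    account = accounts.setdefault(claims["principal_email"], {"agents": set()})
    account["agents"].add(claims["agent_id"])  # agent stays tied to its Human Principal
    return {"account": claims["principal_email"], "agent": claims["agent_id"]}

SAMPLE = issue_token({"iss": "https://issuer.example", "aud": AUDIENCE,  # constructed
    "exp": time.time() + 300, "principal_email": "owner@buyer.example",
    "agent_id": "agent-001"}, TRUSTED_ISSUERS["https://issuer.example"])
```

Checking the audience keeps a token minted for one seller from being replayed at another, and keying the account on the verified principal identifier is what lets the human later access what the agent created.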