Back to Kevros Governance API
Card snapshot
governance.taskhawktech.com
·
2026-05-22 00:18:33 UTC
·
c9d25a8d42f458f1c1f4d2018f079eb08a2e4a6628b8803e35c81226f5ab7596
This is a frozen copy of the agent's agent-card.json as we observed it at the timestamp above. We capture a new snapshot every time the card's content hash changes. Useful for: forensic drift analysis, verifying downstream callers see the right version, reproducing routing decisions made historically.
{
"name": "Kevros Governance API",
"description": "Runtime enforcement for autonomous agents. Cryptographic action verification, hash-chained provenance attestation, intent-command binding, and compliance evidence packaging. Every decision is recorded in a tamper-evident ledger. Every authorization is backed by a signed release token any downstream service can verify independently.",
"url": "https://governance.taskhawktech.com",
"version": "0.4.0",
"product_release_version": "4.6.0",
"provider": {
"organization": "TaskHawk Systems",
"url": "https://www.taskhawktech.com"
},
"availability": {
"regions": [
"US"
],
"geofence": "US-only",
"international_sales": "by-agreement",
"effective_from": "2026-04-19"
},
"identity": {
"scheme": "kevros-pqc-v1",
"description": "Cryptographic agent identity backed by dual-PQC-signed provenance chain. Identity is a hash, not a description. Trust is computed, not claimed.",
"algorithms": [
"ML-DSA-87 (FIPS 204)",
"SLH-DSA-SHA2-256f (FIPS 205)"
],
"identity_url": "https://governance.taskhawktech.com/governance/identity/{agent_id}",
"verify_url": "https://governance.taskhawktech.com/governance/verify-chain/{agent_id}",
"public_keys": "https://github.com/taskhawk-systems/kevros-formal-verification"
},
"capabilities": {
"streaming": false,
"pushNotifications": false,
"tags": [
"runtime-enforcement",
"provenance",
"compliance",
"media",
"security",
"prompt-injection"
],
"extensions": [
{
"uri": "https://www.x402.org",
"description": "Accepts x402 USDC payments on Base and Solana, L402 Lightning payments, and Stripe MPP for governance evaluations",
"required": true,
"params": {
"roles": [
"merchant"
]
}
}
]
},
"payment": {
"description": "Per-call payment for governance evaluations. Supports x402 (USDC/USDT on EVM + Solana), L402 (Lightning Network), and MPP (Stripe). Destination addresses are returned dynamically in the 402 response per request; agents should not pin static wallet addresses.",
"networks": [
"eip155:8453",
"eip155:1",
"eip155:42161",
"eip155:10",
"eip155:137",
"eip155:9745",
"eip155:988",
"solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdpKuc147dw2N9d"
],
"currencies": [
"USDC",
"USDT"
],
"protocols": [
"x402",
"l402",
"mpp"
],
"min_amount_usd": "$0.01",
"rails": {
"active": [
{
"id": "x402",
"transport": "USDC/USDT on Base + 5 EVM chains",
"no_signup": true
},
{
"id": "x402-solana",
"transport": "USDC on Solana",
"no_signup": true,
"conditional": {
"requires": [
"KEVROS_SOLANA_OFAC_ACK"
],
"description": "Disabled by the OFAC compliance gate unless the operator opts in. Live status is reflected in /payment/discovery and /.well-known/mpp."
}
},
{
"id": "l402",
"transport": "Lightning Network",
"no_signup": true
},
{
"id": "mpp",
"transport": "Stripe Machine Payments",
"no_signup": true
},
{
"id": "stripe-checkout",
"transport": "Stripe hosted Checkout (prepaid credits / subscription)",
"no_signup": false
}
],
"pending": [
{
"id": "tempo",
"transport": "Tempo (MPP method)",
"status": "pending",
"note": "Not currently integrated; do not select. When integration completes it will appear under payment.rails.active and in /.well-known/mpp / /payment/discovery as an enabled rail. Tracking: JM directive 2026-04-19."
},
{
"id": "stripe-projects",
"transport": "Stripe Projects provider",
"status": "pending",
"note": "Integration in progress. Until launch, the standard Stripe rail (mpp / stripe-checkout) is authoritative; do not select stripe-projects."
}
],
"selection_guidance": [
"Fetch /payment/discovery (single call) for live rail health + per-endpoint pricing. Cache for 30s using the returned ETag.",
"Filter rails where enabled=true. Pending rails (tempo, stripe-projects) are advertised under payment.rails.pending and MUST NOT be selected for live calls.",
"Per priced endpoint, /payment/discovery returns a recommended_rail. Prefer it unless your wallet capabilities exclude it.",
"Fallback order on rail failure: x402 (Base + EVM chains; substitute x402-solana within this step if Solana is enabled and your wallet supports it) -> l402 -> mpp -> stripe-checkout. Re-fetch /payment/discovery before retrying if the pricing_fingerprint has changed.",
"Fail-closed: if /payment/discovery is unreachable, do not invent rails. Stop and surface the error to the operator."
]
},
"health_url": "https://governance.taskhawktech.com/payment/health",
"discovery_url": "https://governance.taskhawktech.com/payment/discovery",
"wallets": {
"evm": "0x3190EC7811f9C0Ba8DD454E437C608FE60CDdEB7"
}
},
"authentication": {
"schemes": [
"apiKey",
"x402",
"l402",
"mpp"
],
"apiKeyHeader": "X-API-Key",
"x402": {
"protocol": "x402",
"version": 2,
"description": "Per-call payment via x402 (USDC/USDT across 7 EVM chains + Solana). No API key required.",
"facilitator": "https://facilitator.payai.network",
"amount_per_call": "10000",
"amount_decimals": 6,
"amount_human": "$0.01",
"networks": [
{
"network": "eip155:8453",
"asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
"name": "USDC on Base"
},
{
"network": "eip155:8453",
"asset": "0xfde4C96c8593536E31F229EA8f37b2ADa2699bb2",
"name": "USDT on Base"
},
{
"network": "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdpKuc147dw2N9d",
"asset": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v",
"name": "USDC on Solana"
},
{
"network": "eip155:1",
"asset": "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48",
"name": "USDC on Ethereum"
},
{
"network": "eip155:1",
"asset": "0xdAC17F958D2ee523a2206206994597C13D831ec7",
"name": "USDT on Ethereum"
},
{
"network": "eip155:42161",
"asset": "0xaf88d065e77c8cC2239327C5EDb3A432268e5831",
"name": "USDC on Arbitrum"
},
{
"network": "eip155:42161",
"asset": "0xFd086bC7CD5C481DCC9C85ebE478A1C0b69FCbb9",
"name": "USDT on Arbitrum"
},
{
"network": "eip155:10",
"asset": "0x0b2C639c533813f4Aa9D7837CAf62653d097Ff85",
"name": "USDC on Optimism"
},
{
"network": "eip155:10",
"asset": "0x94b008aA00579c1307B0EF2c499aD98a8ce58e58",
"name": "USDT on Optimism"
},
{
"network": "eip155:137",
"asset": "0x3c499c542cEF5E3811e1192ce70d8cC03d5c3359",
"name": "USDC on Polygon"
},
{
"network": "eip155:137",
"asset": "0xc2132D05D31c914a87C6611C10748AEb04B58e8F",
"name": "USDT on Polygon"
},
{
"network": "eip155:9745",
"asset": "0xB8CE59FC3717ada4C02eaDF9682A9e934F625ebb",
"name": "USDT0 on Plasma"
},
{
"network": "eip155:988",
"asset": "0x779Ded0c9e1022225f8E0630b35a9b54bE713736",
"name": "USDT0 on Stable"
}
]
},
"l402": {
"protocol": "l402",
"description": "Per-call payment via L402 (Lightning Network). Send request, receive 402 with L402 macaroon and BOLT11 invoice, pay the invoice, retry with Authorization: L402 <macaroon>:<preimage> header.",
"pricing": {
"verify": {
"sats": 15,
"usd": "$0.01"
},
"attest": {
"sats": 30,
"usd": "$0.02"
},
"bind": {
"sats": 30,
"usd": "$0.02"
},
"bundle": {
"sats": 75,
"usd": "$0.05"
},
"shield_scan": {
"sats": 15,
"usd": "$0.01"
}
},
"macaroon_format": "dual (v2 binary + base64url JSON)",
"network": "mainnet"
},
"mpp": {
"protocol": "mpp",
"version": "1.0",
"spec": "https://paymentauth.org",
"payment_methods": [
"stripe",
"lightning"
],
"primary_method": "stripe",
"payment_methods_pending": [
{
"method": "tempo",
"status": "pending",
"note": "Tempo provider is not currently integrated. Agents must not select tempo; it will not respond to MPP challenges. Live status is reflected at /.well-known/mpp and /payment/discovery."
},
{
"method": "stripe-projects",
"status": "pending",
"note": "Stripe Projects provider integration is pending. Until launch, MPP-stripe runs against the standard Stripe rail."
}
],
"challenge_url": "https://governance.taskhawktech.com/stripe/mpp-challenge",
"description": "Machine Payment Protocol per paymentauth.org. POST without auth to get 402 with Payment challenge header, confirm payment, re-POST with Authorization: Payment <credential>. Solana (USDC) is conditionally advertised at /.well-known/mpp when the OFAC compliance gate permits.",
"discovery_url": "https://governance.taskhawktech.com/.well-known/mpp"
}
},
"skills": [
{
"id": "action-verify",
"name": "Action Verification",
"description": "Verify an action against policy bounds before execution. Returns ALLOW, CONSTRAIN, or DENY with a signed release token. Downstream services verify the token independently. Fail-closed: verification failure results in DENY.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "provenance-attest",
"name": "Provenance Attestation",
"description": "Record an action in a hash-chained, append-only evidence ledger. Each attestation extends the provenance chain. Block signatures issued every 100 records using ML-DSA-87 (FIPS 204). Third parties verify the chain without Kevros access.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "intent-bind",
"name": "Intent Binding",
"description": "Bind a declared intent to a command and verify the outcome matches. HMAC-signed binding proves the chain from intent to command to result is unbroken.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "trust-certificate",
"name": "Compliance Bundle",
"description": "Generate a portable compliance evidence package containing hash-chained provenance, intent binding proofs, post-quantum block signatures, and verification instructions. Independently verifiable without Kevros access.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "media-attest",
"name": "Media Hash Attestation",
"description": "Submit a media file hash for cryptographic attestation. Returns a signed certificate proving the hash was recorded at a specific timestamp in the provenance ledger. Useful for content provenance, media integrity, and audit trails.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "media-verify",
"name": "Media Hash Verification",
"description": "Verify a media file hash against a previously issued attestation certificate. Returns the attestation status and certificate details. No charge, no authentication required.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "media-verify-lookup",
"name": "Media Certificate Lookup",
"description": "Look up a media attestation certificate by its certificate ID. Returns the full certificate including hash, timestamp, and provenance chain position. No charge, no authentication required.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "shield-scan",
"name": "Prompt Injection Detection",
"description": "Prompt injection detection via ONNX DeBERTa-v3 classifier. Scans text for injection attacks, jailbreaks, and role hijacking attempts. Returns confidence score, risk level, and HMAC-signed result. $0.01/scan or 10 trial scans/day.",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "mpp-session",
"name": "MPP Session Create",
"description": "Create a governed streaming payment session. Declare budget, duration, spending rate limit, and allowed service categories. Returns a signed session token for continuous streaming payments within policy bounds. Every session is recorded in the provenance ledger. $0.02/session. POST /governance/mpp/session",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "mpp-heartbeat",
"name": "MPP Session Heartbeat",
"description": "Mid-session drift check during a streaming payment session. Reports current spend, transaction count, active service, and spending rate. Kevros checks for budget overruns, rate limit violations, and unauthorized service usage. Returns session status (active, warning, suspended, expired) and remaining budget/time. No charge. POST /governance/mpp/heartbeat",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
},
{
"id": "mpp-close",
"name": "MPP Session Close",
"description": "Close a streaming payment session and seal the provenance record. Reports final spend, transaction count, and close reason. Returns sealed provenance hash and compliance bundle availability. No charge. POST /governance/mpp/close",
"inputModes": [
"application/json"
],
"outputModes": [
"application/json"
]
}
],
"free_tier": {
"signup_url": "https://governance.taskhawktech.com/signup",
"method": "POST",
"body": {
"agent_id": "your-agent-id"
},
"included_calls": 1000,
"rate_limit_per_minute": 10,
"auto_signup": "SDKs and MCP auto-provision a trial key on first use."
},
"sdks": {
"python": {
"install": "REST API via /signup for trial access (1,000 calls/mo). First-party CLI is contract-gated - contact sales@taskhawktech.com.",
"usage": "See https://www.taskhawktech.com/quickstart for REST + MCP integration patterns."
},
"microsoft_agent_framework": {
"usage": "from kevros_agent_framework import KevrosGovernanceMiddleware, KevrosFunctionMiddleware",
"note": "AgentMiddleware for action authorization, FunctionMiddleware for intent binding. Compatible with agent-framework 1.0.0rc1+."
},
"langchain": {
"usage": "from kevros_tools import get_identity_tools; tools = get_identity_tools(agent_id='your-agent-id')"
},
"openai": {
"usage": "from kevros_openai import get_kevros_tools, handle_kevros_call",
"note": "Compatible with OpenAI, OpenRouter, LiteLLM, and any OpenAI-compatible provider"
},
"crewai": {
"usage": "from crewai_tools import get_identity_tools; tools = get_identity_tools(agent_id='your-agent-id')"
},
"mcp": {
"transport": "streamable-http",
"url": "https://governance.taskhawktech.com/mcp/",
"note": "Auto-provisions a trial key on first tool call. Use MCP discovery to enumerate available tools."
}
},
"verification": {
"description": "Public verification endpoints. Any agent or service can verify credentials without an API key.",
"endpoints": {
"verify_token": {
"url": "https://governance.taskhawktech.com/governance/verify-token",
"method": "POST",
"description": "Verify a release token is authentic"
},
"verify_certificate": {
"url": "https://governance.taskhawktech.com/governance/verify-certificate",
"method": "POST",
"description": "Verify a compliance bundle"
},
"reputation": {
"url": "https://governance.taskhawktech.com/governance/reputation/{agent_id}",
"method": "GET",
"description": "Public trust score lookup"
}
},
"trust_headers": {
"X-Kevros-Release-Token": "Signed release token from verify",
"X-Kevros-Agent-Id": "Agent identifier"
}
},
"mcp": {
"transport": "streamable-http",
"url": "https://governance.taskhawktech.com/mcp/",
"auth_header": "X-API-Key",
"note": "Use MCP discovery (tools/list, resources/list, prompts/list) for current counts"
},
"pricing": {
"model": "per-call",
"currency": "USD",
"endpoints": {
"verify": "$0.01",
"attest": "$0.02",
"bind": "$0.02",
"batch": "$0.01",
"verify_outcome": "free",
"bundle": "$0.05",
"media_attest": "$0.05",
"media_verify": "free",
"media_verify_lookup": "free",
"shield_scan": "$0.01",
"shield_scan_free": "free (10/day)",
"mpp_session": "$0.02",
"mpp_heartbeat": "free",
"mpp_close": "free"
},
"subscriptions": {
"starter": {
"monthly_usd": 29,
"included_calls": 5000
},
"professional": {
"monthly_usd": 149,
"included_calls": 50000
},
"enterprise": {
"monthly_usd": 499,
"included_calls": 500000
}
},
"payment_methods": [
"stripe",
"x402",
"l402",
"mpp"
],
"x402": {
"networks": [
{
"network": "eip155:8453",
"name": "Base",
"asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913"
},
{
"network": "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdpKuc147dw2N9d",
"name": "Solana",
"asset": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v"
}
],
"currency": "USDC",
"description": "Pay per call with USDC on Base or Solana. No subscription or API key needed. Include PAYMENT-SIGNATURE header.",
"discovery_url": "https://governance.taskhawktech.com/.well-known/x402"
},
"mpp": {
"payment_method": "stripe",
"currency": "usd",
"description": "Pay per call with Stripe via MPP. No subscription or API key needed. Include X-PAYMENT header with MPP credential.",
"discovery_url": "https://governance.taskhawktech.com/.well-known/mpp"
},
"kga": {
"description": "Kevros Governance Attestation - ML-DSA-87 signed, portable proof of governance. Returned in X-Kevros-KGA response header on paid calls. Any third party can verify with the public key.",
"public_key_url": "https://governance.taskhawktech.com/.well-known/mpp/pubkey",
"algorithm": "ML-DSA-87",
"standard": "FIPS 204"
}
},
"discovery": {
"agent_card": "https://governance.taskhawktech.com/.well-known/agent-card.json",
"agent_card_legacy": "https://governance.taskhawktech.com/.well-known/agent.json",
"ai_plugin": "https://governance.taskhawktech.com/.well-known/ai-plugin.json",
"openapi": "https://governance.taskhawktech.com/openapi.json",
"x402": "https://governance.taskhawktech.com/.well-known/x402",
"l402": "https://governance.taskhawktech.com/.well-known/l402",
"mpp": "https://governance.taskhawktech.com/.well-known/mpp",
"agent_budget": "https://governance.taskhawktech.com/.well-known/agent-budget",
"kga_pubkey": "https://governance.taskhawktech.com/.well-known/mpp/pubkey",
"mcp": "https://governance.taskhawktech.com/mcp/",
"for_agents": "https://governance.taskhawktech.com/for-agents"
},
"protocol_427": {
"uri": "https://datatracker.ietf.org/doc/draft-mcgraw-httpapi-agent-budget/",
"description": "Protocol 427 (Budget Required): operator-signed Budget-Attestation gates the 402 challenge. v1 BYOK reference implementation; managed signing v1.1+ demand-gated.",
"required": false,
"discovery_uri": "https://governance.taskhawktech.com/.well-known/agent-budget",
"health_uri": "https://governance.taskhawktech.com/protocol/427/health",
"spec_version": "0.2.2",
"byok_v1": true,
"managed_signing_v1_1": false,
"rails_supported": [
"api_key",
"free",
"l402",
"x402",
"mpp"
]
},
"securitySchemes": {
"apiKey": {
"type": "apiKey",
"in": "header",
"name": "X-API-Key",
"description": "Trial API key (1,000 calls/month). Obtain via POST https://governance.taskhawktech.com/signup"
},
"x402": {
"type": "http",
"scheme": "bearer",
"description": "Pay-per-request via x402 USDC on Base or Solana. No registration required. Send request, receive 402 with payment details, sign USDC payment, retry with X-PAYMENT header."
},
"l402": {
"type": "http",
"scheme": "L402",
"description": "Pay-per-request via Lightning Network. Send request, receive 402 with L402 offer, pay Lightning invoice, retry with Authorization: L402 header."
},
"mpp": {
"type": "http",
"scheme": "Payment",
"description": "Pay-per-request via Stripe MPP. Send request, receive 402 with Payment challenge, complete Stripe checkout, retry with Authorization: Payment header."
}
},
"security": [
{
"apiKey": []
},
{
"x402": []
},
{
"l402": []
},
{
"mpp": []
}
],
"metadata": {
"formal_verification": {
"smart_contracts": "Certora (6 properties verified)",
"state_machine": "TLA+ (1.94B states)",
"fuzz_testing": "Foundry (22 tests, 256 runs)"
},
"post_quantum": {
"algorithm": "ML-DSA-87 (FIPS 204)",
"public_key_url": "https://governance.taskhawktech.com/.well-known/mpp/pubkey",
"attestation_header": "X-Kevros-KGA"
},
"contracts": {
"network": "Base (8453)",
"note": "Contract addresses available on request"
},
"protocols": [
"x402",
"L402",
"MPP"
]
},
"protocolVersion": "0.2.6"
}