Enable the Skyfire integration in the Fastly Compute or F5 Distributed Cloud Bot Defense console; configure the KYAPay public key endpoint so the edge can fetch the JWKS for JWT verification
Write an edge function (Fastly Compute@Edge or F5 iRule/WAF policy) that extracts the KYAPay token from incoming requests and validates signature, expiry, and audience claim against the Skyfire JWKS
Define a routing policy: requests with a valid KYA token of sufficient trust level are forwarded to origin; requests with missing, expired, or low-trust tokens receive a 402 response with a Skyfire payment/identity challenge URL
Pass verified KYA identity claims as synthetic headers (X-KYA-Agent-DID, X-KYA-Trust-Level) to your origin so backend services can make access control decisions without repeating the JWT validation
Monitor the edge access logs for KYAPay validation failure rates; use spike alerts to detect bot campaigns that are probing with forged or replayed tokens
Known gotchas
Fastly Compute@Edge and F5 have different JWKS caching behaviors; if the edge caches Skyfire's public keys for too long and Skyfire rotates keys, valid agent tokens will be incorrectly rejected until the cache refreshes — set the JWKS cache TTL to match Skyfire's published key rotation interval
The edge validation adds latency to every request; for high-QPS AI agent workloads, use a local key cache at the edge with a background refresh rather than fetching the JWKS on every request
A valid KYAPay token proves identity but not authorization to access specific resources; enforce resource-level access control at the origin even after edge identity verification passes
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp