Brian Chappell

The Website

Find me on the web

Brian Chappell @ Bluesky

Follow this website

Brian Chappell @ Mastodon

Twitch

Resume

Fancy an email?

brianc *at* brianchappell dot com

The Agent Economy Needs Vetting. Blockchain Is Overkill.

By Brian Chappell on March 9, 2026

The agent-to-agent economy needs trust infrastructure. Blockchain is overkill. The answer is already in your DNS.

I’ve been watching the agent marketplace space evolve, and there’s a pattern I keep seeing: every new platform immediately jumps to blockchain-based reputation systems. It’s like we collectively forgot that we already solved this problem twenty years ago with email.

The Problem Nobody Wants to Solve Simply

Agent marketplaces are emerging everywhere. OpenAI’s GPT Store. Anthropic’s tool marketplace. Indie platforms letting you discover and hire AI agents for specific tasks.

But here’s the issue: How do you know the agent you’re hiring is legitimate? How does one agent verify another agent before engaging in a transaction?

The default answer I keep hearing: “Build a blockchain reputation system with token staking and on-chain reviews.”

That’s insane.

You’re telling me I need to:

Pay gas fees to verify an agent?
Wait for block confirmations before trusting a simple capability claim?
Stake tokens just to publish my agent’s credentials?
Navigate cross-chain complexity when agents live on different blockchains?

There’s a simpler way. It’s called domain-based verification, and it’s how email authentication works.

The Simple Solution: Borrow from Email

Email faced this exact problem in the early 2000s. How do you verify that an email actually came from who it claims? How do you prevent spoofing?

The answer: SPF, DKIM, and DMARC. Domain-based verification.

The trust model is elegant:

If you control the domain, you control what’s published at that domain
DNS is the source of truth
TLS infrastructure already secures the connection
No tokens, no gas fees, no blockchain needed

Why this works for agents:

Every agent is hosted somewhere (a domain)
That domain owner can publish verification information
Other agents can check that information programmatically
Trust is transitive: “I trust example.com, so I trust agents published by example.com”

Enter: Agent Cards (.well-known/agent.json)

The A2A protocol (Agent-to-Agent) already includes this concept. It’s called an Agent Card, and it lives at .well-known/agent.json on your domain.

Here’s what a basic Agent Card looks like:

{
  "agent": {
    "id": "research-agent",
    "name": "Research Assistant",
    "version": "1.0.0",
    "provider": "example.com",
    "capabilities": [
      "web-search",
      "document-analysis",
      "citation-generation"
    ],
    "endpoints": {
      "api": "https://api.example.com/agents/research",
      "verification": "https://example.com/.well-known/agent-verify"
    },
    "contact": {
      "email": "[email protected]",
      "support": "https://example.com/support"
    }
  }
}

Any agent can fetch this file and know:

What this agent can do
How to call it
Who to contact if something breaks

This is tier 1 verification: self-reported capabilities. Low barrier to entry. Anyone can publish this.

Adding DNS Verification (Tier 2)

But self-reported information isn’t enough for high-value transactions. You need proof that the Agent Card is actually authorized by the domain owner.

Enter DNS TXT records.

How it works:

Publish a TXT record at your domain:

_agent-verify.example.com. TXT "v=agent1; id=research-agent; hash=sha256:abc123..."

The Agent Card includes a hash of its contents
Other agents verify by:

– Fetching the Agent Card – Computing its hash – Looking up the DNS TXT record – Confirming the hash matches Code example (Python):

import dns.resolver
import hashlib
import json
import requests

def verify_agent(domain, agent_id):
    # Fetch Agent Card
    card_url = f"https://{domain}/.well-known/agent.json"
    response = requests.get(card_url)
    agent_card = response.json()

# Compute hash
    card_hash = hashlib.sha256(
        json.dumps(agent_card, sort_keys=True).encode()
    ).hexdigest()

# Check DNS
    txt_record = f"_agent-verify.{domain}"
    answers = dns.resolver.resolve(txt_record, 'TXT')

for rdata in answers:
        record = str(rdata).strip('"')
        if f"id={agent_id}" in record and f"hash=sha256:{card_hash}" in record:
            return True

return False

This is tier 2 verification: domain-proven authenticity. No blockchain needed.

DID:WBA – Decentralized Identity Without Blockchain

The newest proposal (2026) is DID:WBA (WebAgent DID). It’s a Decentralized Identifier spec that uses .well-known paths instead of blockchain ledgers.

Example DID:

did:wba:example.com:research-agent

Resolution:

Parse the DID to extract domain
Fetch https://example.com/.well-known/did/research-agent.json
Get public keys, service endpoints, verification methods
All verifiable via DNS TXT records

Advantages over blockchain DIDs:

No transaction costs (no gas fees)
Instant updates (edit file, done—no block confirmations)
Uses existing TLS infrastructure
Easier key rotation (just update the file)
Works offline (can cache .well-known responses)

When blockchain DIDs still make sense:

Cross-organizational reputation that nobody controls
Permanent, immutable audit trails
Token-gated agent access

For 95% of use cases? DID:WBA is simpler and cheaper.

The 3-Tier Implementation Model

Here’s how I’d implement agent verification progressively:

Tier 1: Agent Cards (Low Trust)

Use for: Public agent directories, capability discovery, low-risk interactions Implementation:

Publish .well-known/agent.json on your domain
List agent capabilities, endpoints, contact info
Any agent can fetch and discover what you offer

Trust level: Self-reported (agent claims what it can do) Barrier: 5 minutes to set up Cost: Free

Tier 2: DNS Verification (Medium Trust)

Use for: Paid services, agent-to-agent contracts, business transactions Implementation:

Start with tier 1 (Agent Card)
Add DNS TXT record with card hash
Other agents verify DNS before trusting claims

Trust level: Domain-proven (DNS confirms agent is authorized) Barrier: 15 minutes to set up DNS Cost: Free (DNS is free)

Tier 3: Verifiable Credentials (High Trust)

Use for: Financial transactions, data access, compliance-required operations Implementation:

Start with tier 2 (DNS verification)
Add cryptographic signatures to Agent Card
Issue W3C Verifiable Credentials for specific claims
Still domain-based (keys published at .well-known/jwks.json)

Trust level: Cryptographically signed (provable claims) Barrier: 1-2 hours for crypto setup Cost: Free (no blockchain needed)

Why This Beats Blockchain

I’m not anti-blockchain. I’m anti-complexity-where-it’s-not-needed.

Domain-based verification wins because:

No gas fees. You’re not paying per verification.
Instant updates. Change your Agent Card, it’s live immediately.
Familiar infrastructure. Developers already understand DNS and TLS.
Transitive trust. “I trust this domain” extends to all agents published there.
Works with existing tooling. HTTP clients, DNS libraries, JSON parsers.

Blockchain reputation wins when: