<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 3.4.9) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-skyfire-oauth-kyapay-token-00" category="std" consensus="true" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.34.0 -->
  <front>
    <title>KYAPay Token</title>
    <seriesInfo name="Internet-Draft" value="draft-skyfire-oauth-kyapay-token-00"/>
    <author initials="A." surname="Agarwal" fullname="Ankit Agarwal">
      <organization>Skyfire Systems Inc.</organization>
      <address>
        <email>ankit_agarwal@yahoo.com</email>
        <uri>https://skyfire.xyz</uri>
      </address>
    </author>
    <author initials="M." surname="Jones" fullname="Michael B. Jones">
      <organization>Self-Issued Consulting</organization>
      <address>
        <email>michael_b_jones@hotmail.com</email>
        <uri>https://self-issued.info/</uri>
      </address>
    </author>
    <date year="2026" month="July" day="05"/>
    <keyword>agent</keyword>
    <keyword>identity</keyword>
    <keyword>agentic</keyword>
    <keyword>payment</keyword>
    <keyword>commerce</keyword>
    <abstract>
      <?line 73?>

<t>This document defines a token format for agent identity and payment tokens in
JSON Web Token (JWT) format. Authorization servers and resource servers from
different vendors can leverage this token format to consume identity and payment
tokens in an interoperable manner.</t>
    </abstract>
    <note removeInRFC="true">
      <name>About This Document</name>
      <t>
        The latest revision of this draft can be found at <eref target="https://skyfire-xyz.github.io/draft-skyfire-oauth-kyapay-token/draft-skyfire-oauth-kyapay-token.html"/>.
        Status information for this document may be found at <eref target="https://datatracker.ietf.org/doc/draft-skyfire-oauth-kyapay-token/"/>.
      </t>
      <t>Source for this draft and an issue tracker can be found at
        <eref target="https://github.com/skyfire-xyz/draft-skyfire-oauth-kyapay-token"/>.</t>
    </note>
  </front>
  <middle>
    <?line 80?>

<section anchor="introduction">
      <name>Introduction</name>
      <t>As software agents evolve from pre-orchestrated workflow automations to truly
autonomous or semi-autonomous assistants, they require the ability to identify
themselves -- and more importantly, identify their human principals -- to external
systems. Agents acting on behalf of users to discover services, create accounts,
or execute actions currently face significant operational barriers.</t>
      <t>The KYAPay token addresses these challenges by providing a standard envelope to
carry verified identity and payment information. By utilizing "kya" (Agent
Identity) and "pay" (Payment) tokens, agents can identify their human principals
to services, sites, bot managers, customer identity and access management (CIAM)
systems, and fraud detectors. This enables agents to bypass common blocking
mechanisms and access services that were previously restricted to manual human
interaction.</t>
      <t>KYAPay does not aim to define agentic identity in its entirety. Rather, it specifies
a standard and extensible JSON Web Token (JWT) <xref target="RFC7519"/> that can be used to securely share human
principal and agent identity information with websites and APIs. KYAPay tokens
provide a strong signal of human presence behind agentic requests that are
otherwise indistinguishable from programmatic and potentially malicious bot requests.</t>
      <t>Note that, in the future,
the payment token functionality could be split into a separate specification,
if desired by a working group adopting the specification.
It is retained here at present for ease of reviewing.</t>
      <section anchor="use-cases-for-the-kyapay-token">
        <name>Use Cases for the KYAPay Token</name>
        <t>Enabling agents to access websites and APIs on behalf of
the human principals they represent is a design goal of KYAPay tokens.
Today’s internet is designed primarily for humans, meaning that automated systems
are often classified as malicious and blocked by web security infrastructure.
However, the rise of AI agents has introduced a new paradigm where
programmatic clients legitimately access websites and APIs
on behalf of human principals.
Because these agents can be hard to distinguish from traditional bots,
they are often inadvertently blocked,
creating a need for the web security ecosystem to distinguish between
legitimate agentic traffic and truly malicious activity.
KYAPay tokens are designed to address this challenge by enabling agents to convey
verified identity and payment credentials.
These tokens can provide web security systems and merchants with
a strong signal that the requests are authorized by a human,
allowing them to safely permit legitimate programmatic transactions
while aggressively blocking undesired traffic.</t>
        <t>Enabling agents to create accounts and/or log in to accounts
on behalf of their human principals is a related design goal.
To achieve this, systems can utilize a token exchange workflow <xref target="RFC8693"/>.
In this process, a Security Token Service (STS), Identity Provider (IdP),
or OAuth Authorization Server verifies incoming KYA tokens
and extracts claims associated with the human principal, such as email addresses.
The authorization server then performs a token exchange,
swapping the KYA token for a standard OAuth Access Token,
which the agent subsequently uses to interact with the target service.
Crucially, this architecture allows the service to know
that the agent is acting on behalf of the user,
making it possible to differentiate between
direct, human-present sessions and human-initiated, agentic sessions
for authorization, auditing, and security purposes.</t>
        <t>Enabling agents to have ubiquity of access across the Internet just like their
human principals is a related design goal.
Automation typically scales as it achieves higher reliability and lower
cost-to-entry. Unlike the structured logic required by cron jobs or
low-code / no-code platforms, agentic automation leverages LLMs to execute
tasks via natural language, effectively removing the software-skill barrier.
As model reasoning improves and infrastructure scales, these agents become
increasingly dependable and affordable for the human principal.
To maximize utility, agents require ubiquitous Internet access, a feat made
possible by KYAPay Token Issuers. By providing a client-side verification
framework analogous to the server-side role of Certificate Authorities (CAs),
KYAPay builds a standardized network of acceptance across the web security
ecosystem. This allows for the seamless attestation of both the agent’s and
the human principal’s identity, ensuring secure, cross-domain task execution
without the friction of fragmented authentication silos.</t>
        <t>Enabling the ecosystem of web security vendors to engage in finer-grained and
deliberate bad-actor mitigation is a related design goal.
KYA tokens provide a layered, verified, and extensible identity stack
specifically engineered for autonomous agents. This framework
allows the web security ecosystem to distinguish among individual agent
instances, the platforms they run on, and the human principals behind them.
By establishing this level of granular visibility, security systems can
transition from broad defensive measures to specific mitigation; rather than
being forced to block an entire platform, administrators can now isolate
and neutralize a single malicious human user or a malfunctioning software
instance without disrupting legitimate traffic.</t>
        <t>Note that the protocols using these tokens to achieve these goals
are not defined by this specification.
The interoperable use of them for these purposes will require further specification.</t>
        <t>Early production deployments of KYAPay tokens are described at https://kyapay.org.</t>
      </section>
    </section>
    <section anchor="conventions-and-definitions">
      <name>Conventions and Definitions</name>
      <t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
"<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.</t>
      <?line -18?>

<t>The claims <tt>iss</tt>, <tt>iat</tt>, <tt>exp</tt>, <tt>aud</tt>, and <tt>jti</tt> are defined by <xref target="RFC7519"/>.
The header parameters <tt>alg</tt>, <tt>kid</tt>, and <tt>typ</tt> are defined by <xref target="RFC7515"/>.</t>
      <t>The <tt>alg</tt> value <tt>ES256</tt> is a digital signature algorithm defined in
<xref section="3.4" sectionFormat="of" target="RFC7518"/>.</t>
      <section anchor="roles">
        <name>Roles</name>
        <dl>
          <dt>Agent:</dt>
          <dd>
            <t>An application, service, or specific software process, executing on behalf
of a Principal.</t>
          </dd>
          <dt>Agent Identity:</dt>
          <dd>
            <t>A unique identifier and a set of claims describing an agent. Grouped into the
<tt>aid</tt> claim for convenience. Because an agent can be public or confidential
(as described in <xref section="2.1" sectionFormat="of" target="RFC6749"/>), the level of assurance for these
claims varies dramatically. Agents also vary in terms of longevity -- they can
have stable long-running identities (such as those of a server-side confidential
client), or they can be transient and ephemeral, and correspond to individual
API calls or compute workloads.</t>
          </dd>
          <dt>Agent Platform:</dt>
          <dd>
            <t>The service provider and runtime environment hosting the Agent, such as a
cloud compute provider or AI operator service. Assertions about the agent
platform are grouped into the <tt>apd</tt> claim, and are primarily used to identify
the Principal entity operating the platform, allowing consumers of the token to
apply reputation-based logic or offer platform-specific services.</t>
          </dd>
          <dt>Principal:</dt>
          <dd>
            <t>A legal entity (human or organization) on whose behalf / in whose authority
an agent or service is operating.</t>
          </dd>
        </dl>
        <section anchor="initiator-roles">
          <name>Initiator Roles</name>
          <dl>
            <dt>Initiator Agent:</dt>
            <dd>
              <t>An Agent performing tasks on behalf of an Initiator Principal, that has its own
Agent Identity, grouped into the <tt>aid</tt> claim.</t>
            </dd>
            <dt>Initiator Agent Platform:</dt>
            <dd>
              <t>The Agent Platform hosting the Initiator Agent. Some use cases require the Platform
to have its own verified identity assertions, grouped into the <tt>apd</tt> claim.</t>
            </dd>
            <dt>Initiator Principal:</dt>
            <dd>
              <t>A legal entity (human or organization) behind the purchase / consumption of a
product or service.
In buyer/seller transactions, the Initiator is the buyer.
The Principal typically interacts with the target via an
Initiator Agent. Many targets are required to be able to determine the Initiator
Identity in order to comply with KYC/AML regulations, accounting standards,
and to maintain a direct customer relationships. The initiator principal's
identity is grouped into the <tt>hid</tt> claim.</t>
            </dd>
            <dt>Initiator Identity:</dt>
            <dd>
              <t>The aggregate verified identity assertions of the initiator entities, typically
encompassing the Initiator Principal, the Initiator Agent Platform, and the Initiator Agent
itself. This composite identity is conveyed via the KYA token, allowing the
target to verify the entire chain of responsibility behind a request.
The initiator identity utilizes the <tt>hid</tt>, <tt>apd</tt>, and <tt>aid</tt> claims.</t>
            </dd>
          </dl>
        </section>
        <section anchor="target-roles">
          <name>Target Roles</name>
          <dl>
            <dt>Target Agent:</dt>
            <dd>
              <t>An Agent performing tasks on behalf of a Target Principal, directly interacting
with Initiator Agents to facilitate discovery and purchase. Typically runs on
Internet-connected infrastructure, and discoverable via service directories.
Target agent identity claims are also grouped into the <tt>aid</tt> claim
if KYA tokens are generated for the targets.</t>
            </dd>
            <dt>Target Agent Platform:</dt>
            <dd>
              <t>The Agent Platform that hosts Target Agents. Some use cases require the Platform
to have its own verified identity assertions, grouped into the <tt>apd</tt> claim.</t>
            </dd>
            <dt>Target Principal:</dt>
            <dd>
              <t>A human principal (individual or organization) that that owns the product,
service, API, website, or content being consumed or sold, and serves as the
ultimate beneficiary of a transaction.
In buyer/seller transactions, the Target is the seller.
The target principal's identity is grouped into the <tt>hid</tt> claim.</t>
            </dd>
            <dt>Target Identity:</dt>
            <dd>
              <t>The aggregate verified identity assertions of the target entities, typically
encompassing the Target Principal, the Target Agent Platform, as well as the
Target Agent Identity.
These various aspects of Target Identity allow Initiators and Initiator Agents to
perform reputation-based logic, to verify that they are interacting with
the authorized (and expected) counter-party, and to fulfill KYC/AML regulation
requirements.
The target identity utilizes the <tt>hid</tt>, <tt>apd</tt>, and <tt>aid</tt> claims.</t>
            </dd>
          </dl>
        </section>
        <section anchor="ecosystem-infrastructure-roles">
          <name>Ecosystem Infrastructure Roles</name>
          <dl>
            <dt>Identity Token Issuer:</dt>
            <dd>
              <t>A trusted neutral entity that conducts Know Your Customer (KYC) and Know Your
Business (KYB) (for organizations) verifications. It is responsible for issuing
cryptographically signed <tt>kya</tt> tokens that attest to the identity of the
Principal, Agent, and Agent Platform, for both Initiators and Targets.</t>
            </dd>
            <dt>Payment Token Issuer:</dt>
            <dd>
              <t>A trusted entity responsible for facilitating the exchange of payments and
credentials between the Initiator and Target. It issues signed <tt>pay</tt> tokens that
enable settlement via various schemes (Cards, Banks, Cryptocurrency), without
exposing raw credentials or secrets.</t>
            </dd>
          </dl>
        </section>
      </section>
    </section>
    <section anchor="kyapay-token-schemas">
      <name>KYAPay Token Schemas</name>
      <section anchor="common-claims">
        <name>Common Token Claims</name>
        <t>The following are claims in common, used within the KYA (Know Your Agent),
PAY (Payment), and KYA-PAY (combined Know Your Agent and Payment) Tokens.</t>
        <dl>
          <dt><tt>iss</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - URL of the token's issuer. Used for discovering JWK Sets for token
signature verification, via the <tt>/.well-known/jwks.json</tt> suffix mechanism.</t>
          </dd>
          <dt><tt>sub</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - Subject Identifier. Must be pairwise unique within
a given issuer.</t>
          </dd>
          <dt><tt>aud</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - Audience (used for audience binding and replay attack mitigation),
uniquely identifying the target agent.
A single string value.</t>
          </dd>
          <dt><tt>iat</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - as defined in <xref section="4.1.6" sectionFormat="of" target="RFC7519"/>.  Identifies the time
at which the JWT was issued.  This claim must have a value in the past and can
be used to determine the age of the JWT.</t>
          </dd>
          <dt><tt>jti</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - Unique ID of this JWT as defined in <xref section="4.1.7" sectionFormat="of" target="RFC7519"/>.</t>
          </dd>
          <dt><tt>exp</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - as defined in <xref section="4.1.4" sectionFormat="of" target="RFC7519"/>.  Identifies the expiration
time on or after which the JWT <bcp14>MUST NOT</bcp14> be accepted for processing.</t>
          </dd>
          <dt><tt>tdm</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - Target domain, associated with the audience claim, the token is intended for.</t>
          </dd>
          <dt><tt>ori</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - URL of the token's originator.</t>
          </dd>
          <dt><tt>env</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - Issuer environment (such as "production" or "sandbox").  Additional values
may be defined and used.</t>
          </dd>
          <dt><tt>tsi</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - Target Service ID that this token was created for.</t>
          </dd>
          <dt><tt>itg</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - Initiator tag - an opaque reference ID internal to the initiator.</t>
          </dd>
        </dl>
        <t>Additional claims <bcp14>MAY</bcp14> be defined and used in these tokens.
The recipient <bcp14>MUST</bcp14> ignore any unrecognized claims.</t>
      </section>
      <section anchor="kya-token">
        <name>KYA Token</name>
        <t>The following identity related claims are used within KYA and KYA-PAY tokens:</t>
        <dl>
          <dt><tt>hid</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> (Required for human identity use cases) - A map of human identity
claims (individual or organization).</t>
          </dd>
          <dt><tt>apd</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - Agent Platform identity claims.</t>
          </dd>
          <dt><tt>aid</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - Agent identity claims.</t>
          </dd>
          <dt><tt>scope</tt></dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - String with space-separated scope values, per <xref target="RFC8693"/></t>
          </dd>
        </dl>
        <t>The following informative example displays a decoded KYA type token.</t>
        <figure anchor="example-decoded-kya-token">
          <name>A KYA type token</name>
          <artwork align="left"><![CDATA[
{
  "kid": "YjFdJgFNWj9AkUmtoXILwoeb37PsBuGWVK6_QvFLwJw", // JWK Key ID
  "alg": "ES256",
  "typ": "kya+jwt"
}.{
  "iss": "https://example.com/issuer", // Issuer URL
  "iat": 1742245254,
  "exp": 1773867654,
  "jti": "b9821893-7699-4d24-af06-803a6a16476b",
  "sub": "bb713104-c14e-460f-9b7c-f8140fa9bea4", // Initiator Agent Account ID
  "aud": "7434230d-0861-46f2-9c2c-a6ee33d07f17", // Target Agent Account ID

  "env": "production",
  "tsi": "bc3ff89f-069b-4383-82a9-8cfe53c55fc3", // Target Service ID
  "itg": "4f6cbd39-215c-4516-bf33-cab22862ee60", // Initiator Tag (Internal Reference ID)

  "hid": {
    "email": "initiator@initiator.com"
  },
  "apd": {
    "id": "d3306fc0-602b-47e6-9fe2-3d55d028fbd2"
    "name": "Acme Shopping Agents", // Agent platform name
    "email": "platform@acme.com", // Email address for the agent platform
    "phone_number": "+12345677890", // Phone number for the agent platform
    "organization_name": "Acme Shopping Inc.", // Legal name of the agent platform
    "verifier": "https://www.verifier.com/", // URL of the Identity verifier
    "verified": true, // Outcome of the verifier's KYA verification
    "verification_id": "a23c1fe4-a4b7-442d-8bca-3c8fad5ec3a6" // Verifier's verification ID
  },
  "aid": {
    "name": "Acme Agent Extraordinaire",
    "creation_ip": "54.86.50.139", // IP Address where token was created
    "source_ips": ["54.86.50.139-54.86.50.141", "1.1.1.0/24",
      "2001:db8:abcd:0012::/64", "acme.com"]
      // IP addresses from which the initiator agent will make requests to the target
  }
}
]]></artwork>
        </figure>
        <section anchor="hid-human-identity-sub-claims">
          <name><tt>hid</tt> - Human Identity Sub-Claims</name>
          <t>The Human Identity (<tt>hid</tt>) claim contains sub-claims identifying the human
principal (individual or organization) as follows.</t>
          <dl>
            <dt><tt>email</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14> - Email address associated with the human individual or organization</t>
            </dd>
            <dt><tt>given_name</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Given name(s) or first name(s) of the human principal if they
are an individual.</t>
            </dd>
            <dt><tt>middle_name</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Middle name(s) of the human principal if they are an individual.</t>
            </dd>
            <dt><tt>family_name</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Surname(s) or last name(s) of the human principal if they are an
individual.</t>
            </dd>
            <dt><tt>phone_number</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Phone number associated with the human individual or organization.</t>
            </dd>
            <dt><tt>organization_name</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Name of the organization.</t>
            </dd>
            <dt><tt>verifier</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - URL of the Identity Verifier</t>
            </dd>
            <dt><tt>verified</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Boolean Verification status.  True if verified, otherwise false.</t>
            </dd>
            <dt><tt>verification_id</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Verification identifier. Identifier for the verification performed,
such as a GUID.</t>
            </dd>
          </dl>
          <t>Additional sub-claims <bcp14>MAY</bcp14> be defined and used.
The recipient <bcp14>MUST</bcp14> ignore any unrecognized sub-claims.</t>
        </section>
        <section anchor="agent-platform-identity-apd-sub-claims">
          <name>Agent Platform Identity <tt>apd</tt> Sub-Claims</name>
          <t>The <tt>apd</tt> claim is optional. If present, it contains the following sub-claims.</t>
          <dl>
            <dt><tt>id</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14> - Agent Platform identifier.</t>
            </dd>
            <dt><tt>name</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14> - Agent Platform name.</t>
            </dd>
            <dt><tt>email</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Email associated with agent platform.</t>
            </dd>
            <dt><tt>phone_number</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Phone number associated with agent platform.</t>
            </dd>
            <dt><tt>organization_name</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Legal name associated with agent platform.</t>
            </dd>
            <dt><tt>verifier</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - URL of the Identity Verifier</t>
            </dd>
            <dt><tt>verified</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Boolean Verification status.  True if verified, otherwise false.</t>
            </dd>
            <dt><tt>verification_id</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Verification identifier. Identifier for the verification performed, such as a GUID.</t>
            </dd>
          </dl>
          <t>Additional sub-claims <bcp14>MAY</bcp14> be defined and used.
The recipient <bcp14>MUST</bcp14> ignore any unrecognized sub-claims.</t>
        </section>
        <section anchor="agent-identity-aid-sub-claims">
          <name>Agent Identity <tt>aid</tt> Sub-Claims</name>
          <t>The <tt>aid</tt> claim is optional. If present, it contains the following sub-claims.</t>
          <dl>
            <dt><tt>name</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14> - Agent name. The name should reflect the business purpose of the agent.</t>
            </dd>
            <dt><tt>creation_ip</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14> - The public IP address of the system / agent that requested the token.
Its value is a string containing the public IPv4 or IPv6 address from where the
token request originated. It <bcp14>MUST</bcp14> be captured directly from the token request.</t>
            </dd>
            <dt><tt>source_ips</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Valid public IP address, or range of public IP addresses, from where
the system / agent's requests to merchants / services will originate. Array of
comma-separated IPv4 addresses or ranges, IPv6 addresses or ranges, or domain
names resolvable to an IP address via DNS. IPv4 and IPv6 addresses can be a
single IPv4 or IPv6 address or a range of IPv4 or IPv6 addresses in CIDR notation
or start-and-end IP pairs.</t>
            </dd>
          </dl>
          <t>Additional sub-claims <bcp14>MAY</bcp14> be defined and used.
The recipient <bcp14>MUST</bcp14> ignore any unrecognized sub-claims.</t>
        </section>
      </section>
      <section anchor="pay-token">
        <name>PAY Token</name>
        <t>The following payment related claims are used within PAY and KYA-PAY type tokens:</t>
        <dl>
          <dt><tt>tpr</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - JSON string representing target service price in currency units.</t>
          </dd>
          <dt><tt>tps</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - Target pricing scheme, which represents a way for the target list
how it charges for its service or content. One of <tt>pay_per_use</tt>,
<tt>subscription</tt>, <tt>pay_per_mb</tt>, or <tt>custom</tt>.  Additional values may be defined
and used.</t>
          </dd>
          <dt><tt>amt</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - JSON string representing token amount in currency units.</t>
          </dd>
          <dt><tt>cur</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - Currency unit, represented as an ISO 4217 three letter code, such as "EUR".</t>
          </dd>
          <dt><tt>val</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - JSON string representing token amount in settlement network's units.</t>
          </dd>
          <dt><tt>mnr</tt>:</dt>
          <dd>
            <t><bcp14>OPTIONAL</bcp14> - JSON number representing maximum number of requests when <tt>tps</tt> is <tt>pay_per_use</tt>.</t>
          </dd>
          <dt><tt>stp</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - Settlement type (one of <tt>coin</tt> or <tt>card</tt>).  Additional values may be defined and used.</t>
          </dd>
          <dt><tt>sti</tt>:</dt>
          <dd>
            <t><bcp14>REQUIRED</bcp14> - Meta information for payment settlement, depending on settlement.
type.</t>
          </dd>
        </dl>
        <section anchor="settlement-information-sti-sub-claims">
          <name>Settlement Information <tt>sti</tt> Sub-Claims</name>
          <t>The <tt>sti</tt> claim is optional. If present, it <bcp14>MAY</bcp14> contain the following sub-claims,
all of which are <bcp14>OPTIONAL</bcp14>.</t>
          <dl>
            <dt><tt>type</tt>:</dt>
            <dd>
              <t><bcp14>REQUIRED</bcp14> - "type" is dependent on the "stp" value; for "coin" - "usdc";
for "card" - "visa_vic" or "mastercard_scof".  Additional values may be defined and used.</t>
            </dd>
            <dt><tt>payment_token</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - String containing Virtual Payment Card Number in ISO/IEC 7812 format. 12-19 characters.</t>
            </dd>
            <dt><tt>token_expiration_month</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - String containing two-digit Expiration Month Number.</t>
            </dd>
            <dt><tt>token_expiration_year</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - String containing four-digit Expiration Year.</t>
            </dd>
            <dt><tt>token_security_code</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - String containing 3 or 4 digit CVV code.</t>
            </dd>
            <dt><tt>verifier</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - URL of the Payment Verifier</t>
            </dd>
            <dt><tt>verified</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Boolean Verification status.  True if verified, otherwise false.</t>
            </dd>
            <dt><tt>verification_id</tt>:</dt>
            <dd>
              <t><bcp14>OPTIONAL</bcp14> - Verification identifier. Identifier for the verification performed, such as a GUID.</t>
            </dd>
          </dl>
          <t>Additional sub-claims <bcp14>MAY</bcp14> be defined and used.
The recipient <bcp14>MUST</bcp14> ignore any unrecognized sub-claims.</t>
        </section>
        <section anchor="pay">
          <name>PAY Token Example</name>
          <t>The following informative example displays a decoded PAY type token.</t>
          <figure anchor="example-decoded-pay-token">
            <name>A PAY type token</name>
            <artwork align="left"><![CDATA[
{
  "kid": "FgT4q8c5IqbBCCjcho5JdeGQvuK1keMDFc9IwCm8J7Y", // JWK Key ID
  "alg": "ES256",
  "typ": "pay+jwt"
}.{
  "iss": "https://example.net/pay_token_issuer", // Issuer URL
  "iat": 1742245254,
  "exp": 1773867654,
  "jti": "b9821893-7699-4d24-af06-803a6a16476b",
  "sub": "8b810549-7443-494f-b4ad-5bc65871e32b", // Initiator Agent Account ID
  "aud": "37888095-2721-48d9-a2df-bfe4075f223a", // Target Agent Account ID

  "env": "sandbox",
  "tsi": "274efc47-024e-466f-b278-152d2ee73955", // Target Service ID
  "itg": "16c135ce-a99a-453d-a7b5-4958fd91de5f", // Initiator Tag (Internal Reference ID)

  "tpr": "0.01",
  "tps": "pay_per_use",
  "amt": "15",
  "cur": "USD",
  "val": "15000000",
  "mnr": 1600,
  "stp": "card",
  "sti": {
    "type": "visa_vic",
    "paymentToken": "1234567890123456",
    "tokenExpirationMonth": "03",
    "tokenExpirationYear": "2030",
    "tokenSecurityCode": "123",
    "verifier": "https://verifier.example.info", // URL of payment method verifier
    "verified": true, // Outcome of the verifier's payment method verification
    "verification_id": "3a6e1b76-8f78-4c24-b1bd-dc78a8cc3711" // Identifier for the verification performed, such as a GUID.
  }
}

]]></artwork>
          </figure>
        </section>
      </section>
      <section anchor="kya-pay-token">
        <name>KYA-PAY Token</name>
        <t>The following informative example displays a decoded KYA-PAY type token.</t>
        <figure anchor="example-decoded-kya-pay-token">
          <name>A KYA-PAY type token</name>
          <artwork align="left"><![CDATA[
{
  "kid": "YjFdJgFNWj9AkUmtoXILwoeb37PsBuGWVK6_QvFLwJw", // JWK Key ID
  "alg": "ES256",
  "typ": "kya-pay+jwt"
}.{
  "iss": "kya-pay.example.org", // Issuer URL
  "iat": 1742245254,
  "exp": 1773867654,
  "jti": "b9821893-7699-4d24-af06-803a6a16476b",
  "sub": "f24a431d-108c-46e6-9357-b428c528210e", // Initiator Agent Account ID
  "aud": "5e00177d-ff7f-424b-8c83-2756e15efbed", // Target Agent Account ID

  "env": "production",
  "tsi": "3e6d33a1-438e-482e-bba5-6aa69544727d", // Target Service ID
  "itg": "c52e0ef2-e27d-4e95-862e-475a904ae7b2", // Initiator Tag (Internal Reference ID)

  "hid": {
    "email": "maryjane@initiator.example.com",
    "given_name": "Mary",
    "middle_name": "Jane",
    "family_name": "Doe",
    "phone_number": "+1-425-555-1212",
    "verified": false
  },
  "apd": {
    "id": "4b087db2-b6e5-48b8-8737-1aa8ddf4c4fe", // Agent platform ID
    "name": "Acme Shopping Agents", // Agent platform name
    "email": "platform@acme.com", // Email address for the agent platform
    "phone_number": "+12345677890", // Phone number for the agent platform
    "organization_name": "Acme Shopping Inc.", // Legal name of the agent platform
    "verifier": "https://www.verifier.com/", // URL of the Identity verifier
    "verified": true, // Outcome of the verifier's KYA verification
    "verification_id": "a23c1fe4-a4b7-442d-8bca-3c8fad5ec3a6" // Verifier's verification ID
  },
  "aid": {
    "name": "Agentic Excellence Я Us",
    "creation_ip": "128.2.42.95", // IP Address where token was created
    "source_ips": ["54.86.50.139-54.86.50.141", "1.1.1.0/24",
      "2001:db8:abcd:0012::/64", "agentic-excellence.example.com"]
      // IP addresses from which the initiator agent will make requests to the target
  },

  "tpr": "0.01",
  "tps": "pay_per_use",
  "amt": "15",
  "cur": "USD",
  "val": "15000000",
  "mnr": 1600,
  "stp": "card",
  "sti": {
    "type": "visa_vic",
    "paymentToken": "1234567890123456",
    "tokenExpirationMonth": "03",
    "tokenExpirationYear": "2030",
    "tokenSecurityCode": "123"
  }
}

]]></artwork>
        </figure>
      </section>
    </section>
    <section anchor="token-validation">
      <name>Token Validation</name>
      <section anchor="validating-kya-and-pay-tokens">
        <name>Validating KYA and PAY Tokens</name>
        <section anchor="jwt-header-validation">
          <name>JWT Header Validation</name>
          <ol spacing="normal" type="1"><li>
              <t><tt>alg</tt> - JWTs <bcp14>MUST</bcp14> be signed using allowed JWA algorithms (currently, <tt>ES256</tt>).</t>
            </li>
            <li>
              <t><tt>kid</tt> - The <tt>kid</tt> claim <bcp14>MUST</bcp14> be present, and set to a valid Key ID discoverable
via the issuer's (payload <tt>iss</tt> claim) JWK Set.</t>
            </li>
            <li>
              <t><tt>typ</tt> - The <tt>typ</tt> header parameter value <bcp14>MUST</bcp14> be one of: <tt>kya+jwt</tt>, <tt>pay+jwt</tt>, or <tt>kya-pay+jwt</tt>.</t>
            </li>
          </ol>
        </section>
        <section anchor="jwt-payload-validation">
          <name>JWT Payload Validation</name>
          <ol spacing="normal" type="1"><li>
              <t><strong>Verify JWT Signature</strong> - Valid JWTs <bcp14>MUST</bcp14> be signed with a valid key belonging
  To the token's issuer (<tt>iss</tt> claim)</t>
            </li>
            <li>
              <t><strong>Validate <tt>iss</tt> Claim</strong> - Ensure that the token is signed by the expected
  valid issuer.</t>
            </li>
            <li>
              <t><strong>Validate the <tt>exp</tt> Claim</strong> - The verifier <bcp14>MUST</bcp14> validate that the token has
  not expired, within the verifier's clock drift tolerance.</t>
            </li>
            <li>
              <t><strong>Validate the <tt>iat</tt> Claim</strong> - The verifier <bcp14>MUST</bcp14> validate that the token was
  issued in the past, within the verifier's clock drift tolerance.</t>
            </li>
            <li>
              <t><strong>Validate the <tt>jti</tt> Claim</strong> - Ensure that the <tt>jti</tt> claim is present, and is
  a UUID.</t>
            </li>
            <li>
              <t><strong>Validate the <tt>aud</tt> Claim</strong> - Ensure that the <tt>aud</tt> identifies the recipient as the intended audience.</t>
            </li>
            <li>
              <t><strong>Validate the <tt>env</tt> Claim</strong> - Ensure that the Environment claim is set to
  an expected and use case appropriate value (such as <tt>production</tt> or <tt>sandbox</tt>)</t>
            </li>
          </ol>
        </section>
      </section>
      <section anchor="validating-pay-tokens">
        <name>Validating PAY Tokens</name>
        <t>For tokens of type <tt>pay+jwt</tt> or <tt>kya-pay+jwt</tt>, perform the steps described in
the Validating KYA and PAY Tokens section.</t>
        <t>In addition, perform the following steps.</t>
        <ol spacing="normal" type="1"><li>
            <t>The <tt>val</tt> claim is greater than 0.</t>
          </li>
          <li>
            <t>The <tt>amt</tt> claim is greater than 0.</t>
          </li>
          <li>
            <t>The <tt>cur</tt> claim is set to a currency the target supports (such as <tt>USD</tt>)</t>
          </li>
          <li>
            <t>The <tt>tps</tt> claim, if present, matches the pricing scheme that you configured in
  the target's service</t>
          </li>
          <li>
            <t>The <tt>tpr</tt> claim, if present, matches the price that you configured in the
  target's service</t>
          </li>
        </ol>
      </section>
    </section>
    <section anchor="security-considerations">
      <name>Security Considerations</name>
      <t>When validating the JWTs described in this specification, implementers <bcp14>SHOULD</bcp14>
follow the best practices and guidelines described in <xref target="RFC8725"/>.</t>
    </section>
    <section anchor="privacy-considerations">
      <name>Privacy Considerations</name>
      <t>KYAPay tokens are designed to convey the information that
an agent is acting on behalf of a principal - a person or organization.
To do this, they will necessarily contain information about that principal
that can be verified and utilized by participants in the system.
Participants should therefore only share these tokens with other legitimate
participants and not make their contents public or disclose them to
unknown or untrustworthy parties.</t>
      <t>Consent of the principal represented to participate in the interactions is vital.
If I authorize an agent to shop for a widget at given price,
it's legitimate for the agent to carry enough information about me
to the merchant to be able to do this for me.
Whereas, if an agent claims to be shopping for me but does not have my authorization
to do so, my privacy and possibly also my financial integrity are being violated.</t>
      <t>The principle of minimal disclosure should be employed.
Only the infomation needed to facilitate the intended interactions
should be placed in the tokens and conveyed to participants.</t>
    </section>
    <section anchor="iana-considerations">
      <name>IANA Considerations</name>
      <section anchor="json-web-token-claims-registration">
        <name>JSON Web Token Claims Registration</name>
        <t>This specification registers the following Claims in
the IANA "JSON Web Token Claims" registry <xref target="IANA.JWT.Claims"/>
established by <xref target="RFC7519"/>.</t>
        <section anchor="tdm-claim">
          <name>"tdm" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: tdm</t>
            </li>
            <li>
              <t>Claim Description: Target domain the token is intended for</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#common-claims) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="tsi-claim">
          <name>"tsi" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: tsi</t>
            </li>
            <li>
              <t>Claim Description: Target Service ID that this token was created for</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#common-claims) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="ori-claim">
          <name>"ori" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: ori</t>
            </li>
            <li>
              <t>Claim Description: URL of the token's originator</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#common-claims) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="env-claim">
          <name>"env" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: env</t>
            </li>
            <li>
              <t>Claim Description: Issuer environment (such as "production" or "sandbox")</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#common-claims) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="itg-claim">
          <name>"itg" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: itg</t>
            </li>
            <li>
              <t>Claim Description: Initiator tag, an opaque reference ID internal to the initiator</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#common-claims) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="hid-claim">
          <name>"hid" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: hid</t>
            </li>
            <li>
              <t>Claim Description: JSON structure containing human identity claims</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#kya-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="apd-claim">
          <name>"apd" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: apd</t>
            </li>
            <li>
              <t>Claim Description: JSON structure containing agent platform identity claims</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#kya-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="aid-claim">
          <name>"aid" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: aid</t>
            </li>
            <li>
              <t>Claim Description: JSON structure containing agent identity claims</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#kya-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="tpr-claim">
          <name>"tpr" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: tpr</t>
            </li>
            <li>
              <t>Claim Description: JSON string representing target service price in currency units</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="tps-claim">
          <name>"tps" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: tps</t>
            </li>
            <li>
              <t>Claim Description: Target pricing scheme, which represents a way for the target list how it charges for its service or content</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="amt-claim">
          <name>"amt" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: amt</t>
            </li>
            <li>
              <t>Claim Description: JSON string representing token amount in currency units</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="cur-claim">
          <name>"cur" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: cur</t>
            </li>
            <li>
              <t>Claim Description: Currency unit, represented as an ISO 4217 three letter code, such as "EUR"</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="val-claim">
          <name>"val" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: val</t>
            </li>
            <li>
              <t>Claim Description: JSON string representing token amount in settlement network's units</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="mnr-claim">
          <name>"mnr" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: mnr</t>
            </li>
            <li>
              <t>Claim Description: JSON number representing maximum number of requests</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="stp-claim">
          <name>"stp" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: stp</t>
            </li>
            <li>
              <t>Claim Description: Settlement type</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
        <section anchor="sti-claim">
          <name>"sti" Claim</name>
          <ul spacing="normal">
            <li>
              <t>Claim Name: sti</t>
            </li>
            <li>
              <t>Claim Description: Meta information for payment settlement, depending on settlement</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Reference: (#pay-token) of this specification</t>
            </li>
          </ul>
        </section>
      </section>
      <section anchor="media-types-registration">
        <name>Media Types Registration</name>
        <t>This section registers the following media types <xref target="RFC2046"/>
in the IANA "Media Types" registry <xref target="IANA.MediaTypes"/>
in the manner described in <xref target="RFC6838"/>.</t>
        <section anchor="kya-jwt-media-type">
          <name>application/kya+jwt</name>
          <ul spacing="normal">
            <li>
              <t>Type name: <tt>application</tt></t>
            </li>
            <li>
              <t>Subtype name: <tt>kya+jwt</tt></t>
            </li>
            <li>
              <t>Required parameters: n/a</t>
            </li>
            <li>
              <t>Optional parameters: n/a</t>
            </li>
            <li>
              <t>Encoding considerations: Uses JWS Compact Serialization as defined in <xref target="RFC7515"/></t>
            </li>
            <li>
              <t>Security considerations: See Security Considerations in in <xref target="RFC7519"/></t>
            </li>
            <li>
              <t>Interoperability considerations: n/a</t>
            </li>
            <li>
              <t>Published specification: (#kya-token) of this specification</t>
            </li>
            <li>
              <t>Applications that use this media type: Applications using Know Your Agent tokens</t>
            </li>
            <li>
              <t>Additional information:
              </t>
              <ul spacing="normal">
                <li>
                  <t>Magic number(s): n/a</t>
                </li>
                <li>
                  <t>File extension(s): n/a</t>
                </li>
                <li>
                  <t>Macintosh file type code(s): n/a</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Person &amp; email address to contact for further information: TBD</t>
            </li>
            <li>
              <t>Intended usage: COMMON</t>
            </li>
            <li>
              <t>Restrictions on usage: none</t>
            </li>
            <li>
              <t>Author: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
          </ul>
        </section>
        <section anchor="pay-jwt-media-type">
          <name>application/pay+jwt</name>
          <ul spacing="normal">
            <li>
              <t>Type name: <tt>application</tt></t>
            </li>
            <li>
              <t>Subtype name: <tt>pay+jwt</tt></t>
            </li>
            <li>
              <t>Required parameters: n/a</t>
            </li>
            <li>
              <t>Optional parameters: n/a</t>
            </li>
            <li>
              <t>Encoding considerations: Uses JWS Compact Serialization as defined in <xref target="RFC7515"/></t>
            </li>
            <li>
              <t>Security considerations: See Security Considerations in in <xref target="RFC7519"/></t>
            </li>
            <li>
              <t>Interoperability considerations: n/a</t>
            </li>
            <li>
              <t>Published specification: (#pay-token) of this specification</t>
            </li>
            <li>
              <t>Applications that use this media type: Applications using Pay tokens</t>
            </li>
            <li>
              <t>Additional information:
              </t>
              <ul spacing="normal">
                <li>
                  <t>Magic number(s): n/a</t>
                </li>
                <li>
                  <t>File extension(s): n/a</t>
                </li>
                <li>
                  <t>Macintosh file type code(s): n/a</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Person &amp; email address to contact for further information: TBD</t>
            </li>
            <li>
              <t>Intended usage: COMMON</t>
            </li>
            <li>
              <t>Restrictions on usage: none</t>
            </li>
            <li>
              <t>Author: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
          </ul>
        </section>
        <section anchor="kya-pay-jwt-media-type">
          <name>application/kya-pay+jwt</name>
          <ul spacing="normal">
            <li>
              <t>Type name: <tt>application</tt></t>
            </li>
            <li>
              <t>Subtype name: <tt>kya-pay+jwt</tt></t>
            </li>
            <li>
              <t>Required parameters: n/a</t>
            </li>
            <li>
              <t>Optional parameters: n/a</t>
            </li>
            <li>
              <t>Encoding considerations: Uses JWS Compact Serialization as defined in <xref target="RFC7515"/></t>
            </li>
            <li>
              <t>Security considerations: See Security Considerations in in <xref target="RFC7519"/></t>
            </li>
            <li>
              <t>Interoperability considerations: n/a</t>
            </li>
            <li>
              <t>Published specification: (#kya-pay-token) of this specification</t>
            </li>
            <li>
              <t>Applications that use this media type: Applications using KYA-Pay tokens</t>
            </li>
            <li>
              <t>Additional information:
              </t>
              <ul spacing="normal">
                <li>
                  <t>Magic number(s): n/a</t>
                </li>
                <li>
                  <t>File extension(s): n/a</t>
                </li>
                <li>
                  <t>Macintosh file type code(s): n/a</t>
                </li>
              </ul>
            </li>
            <li>
              <t>Person &amp; email address to contact for further information: TBD</t>
            </li>
            <li>
              <t>Intended usage: COMMON</t>
            </li>
            <li>
              <t>Restrictions on usage: none</t>
            </li>
            <li>
              <t>Author: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
            <li>
              <t>Change Controller: Michael B. Jones - michael_b_jones@hotmail.com</t>
            </li>
          </ul>
        </section>
      </section>
    </section>
  </middle>
  <back>
    <references anchor="sec-combined-references">
      <name>References</name>
      <references anchor="sec-normative-references">
        <name>Normative References</name>
        <reference anchor="RFC7515">
          <front>
            <title>JSON Web Signature (JWS)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and an IANA registry defined by that specification. Related encryption capabilities are described in the separate JSON Web Encryption (JWE) specification.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7515"/>
          <seriesInfo name="DOI" value="10.17487/RFC7515"/>
        </reference>
        <reference anchor="RFC7518">
          <front>
            <title>JSON Web Algorithms (JWA)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>This specification registers cryptographic algorithms and identifiers to be used with the JSON Web Signature (JWS), JSON Web Encryption (JWE), and JSON Web Key (JWK) specifications. It defines several IANA registries for these identifiers.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7518"/>
          <seriesInfo name="DOI" value="10.17487/RFC7518"/>
        </reference>
        <reference anchor="RFC7519">
          <front>
            <title>JSON Web Token (JWT)</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="N. Sakimura" initials="N." surname="Sakimura"/>
            <date month="May" year="2015"/>
            <abstract>
              <t>JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="7519"/>
          <seriesInfo name="DOI" value="10.17487/RFC7519"/>
        </reference>
        <reference anchor="RFC6749">
          <front>
            <title>The OAuth 2.0 Authorization Framework</title>
            <author fullname="D. Hardt" initials="D." role="editor" surname="Hardt"/>
            <date month="October" year="2012"/>
            <abstract>
              <t>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="6749"/>
          <seriesInfo name="DOI" value="10.17487/RFC6749"/>
        </reference>
        <reference anchor="RFC8693">
          <front>
            <title>OAuth 2.0 Token Exchange</title>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <author fullname="A. Nadalin" initials="A." surname="Nadalin"/>
            <author fullname="B. Campbell" initials="B." role="editor" surname="Campbell"/>
            <author fullname="J. Bradley" initials="J." surname="Bradley"/>
            <author fullname="C. Mortimore" initials="C." surname="Mortimore"/>
            <date month="January" year="2020"/>
            <abstract>
              <t>This specification defines a protocol for an HTTP- and JSON-based Security Token Service (STS) by defining how to request and obtain security tokens from OAuth 2.0 authorization servers, including security tokens employing impersonation and delegation.</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="8693"/>
          <seriesInfo name="DOI" value="10.17487/RFC8693"/>
        </reference>
        <reference anchor="RFC2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
            <abstract>
              <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>
        <reference anchor="RFC8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
            <abstract>
              <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>
      <references anchor="sec-informative-references">
        <name>Informative References</name>
        <reference anchor="RFC2046">
          <front>
            <title>Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="N. Borenstein" initials="N." surname="Borenstein"/>
            <date month="November" year="1996"/>
            <abstract>
              <t>This second document defines the general structure of the MIME media typing system and defines an initial set of media types. [STANDARDS-TRACK]</t>
            </abstract>
          </front>
          <seriesInfo name="RFC" value="2046"/>
          <seriesInfo name="DOI" value="10.17487/RFC2046"/>
        </reference>
        <reference anchor="RFC6838">
          <front>
            <title>Media Type Specifications and Registration Procedures</title>
            <author fullname="N. Freed" initials="N." surname="Freed"/>
            <author fullname="J. Klensin" initials="J." surname="Klensin"/>
            <author fullname="T. Hansen" initials="T." surname="Hansen"/>
            <date month="January" year="2013"/>
            <abstract>
              <t>This document defines procedures for the specification and registration of media types for use in HTTP, MIME, and other Internet protocols. This memo documents an Internet Best Current Practice.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="13"/>
          <seriesInfo name="RFC" value="6838"/>
          <seriesInfo name="DOI" value="10.17487/RFC6838"/>
        </reference>
        <reference anchor="RFC8725">
          <front>
            <title>JSON Web Token Best Current Practices</title>
            <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
            <author fullname="D. Hardt" initials="D." surname="Hardt"/>
            <author fullname="M. Jones" initials="M." surname="Jones"/>
            <date month="February" year="2020"/>
            <abstract>
              <t>JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.</t>
            </abstract>
          </front>
          <seriesInfo name="BCP" value="225"/>
          <seriesInfo name="RFC" value="8725"/>
          <seriesInfo name="DOI" value="10.17487/RFC8725"/>
        </reference>
        <reference anchor="IANA.JWT.Claims" target="https://www.iana.org/assignments/jwt">
          <front>
            <title>JSON Web Token Claims</title>
            <author initials="" surname="IANA" fullname="IANA">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
        <reference anchor="IANA.MediaTypes" target="https://www.iana.org/assignments/media-types">
          <front>
            <title>Media Types</title>
            <author initials="" surname="IANA" fullname="IANA">
              <organization/>
            </author>
            <date>n.d.</date>
          </front>
        </reference>
      </references>
    </references>
    <?line 939?>

<section numbered="false" anchor="document-history">
      <name>Document History</name>
      <t>[[ to be removed by the RFC Editor before publication as an RFC ]]</t>
      <t>-00</t>
      <t>Renamed draft-skyfire-kyapayprofile to draft-skyfire-oauth-kyapay-token.</t>
      <t>draft-skyfire-kyapayprofile-02</t>
      <ul spacing="normal">
        <li>
          <t>Changed terms buyer and seller to initiator and target to generalize applicability.
These claim names were changed: "sdm" to "tdm", "ssi" to "tsi", "btg" to "itg",
"spr" to "tpr", and "sps" to "tps".</t>
        </li>
        <li>
          <t>Updated Settlement Information sti Sub-Claims.</t>
        </li>
        <li>
          <t>Changed specification type from Informative to Proposed Standard.</t>
        </li>
      </ul>
      <t>draft-skyfire-kyapayprofile-01</t>
      <ul spacing="normal">
        <li>
          <t>Removed "srl" (Seller Resource Locator) claim.</t>
        </li>
      </ul>
      <t>draft-skyfire-kyapayprofile-00</t>
      <ul spacing="normal">
        <li>
          <t>Initial Internet Draft.</t>
        </li>
      </ul>
    </section>
    <section anchor="contributors" numbered="false" toc="include" removeInRFC="false">
      <name>Contributors</name>
      <contact initials="A." surname="Stitt" fullname="Andrew Stitt">
        <organization/>
        <address>
      </address>
      </contact>
      <contact initials="D." surname="Zagidulin" fullname="Dmitri Zagidulin">
        <organization/>
        <address>
      </address>
      </contact>
    </section>
  </back>
  <!-- ##markdown-source:
H4sIAAAAAAAAA+19a3LbSJrgf5wil47YlmoIik+RUk/PlCzLVXJZttuSy1vb
0WElgQQJiwTYeIhmV7hjrrH/9gZ7hz3BnmFPst8jM5EAKckuV407Yqs7oizi
kZnf+5kJ3/e9Ii4W6li0fvjp5JXciKv0RiUt75GcTjN1C9dbXiALNUuzzbHI
i9DzwjRI5BJeCTMZFX5+s4niTPmpLIu5f7ORK7nxCxzF73a9vJwu4zyP06TY
rOCd87Orp0I8EnKRpzB4nIRqpeA/SdFqi5YK4yLNYrnAH+cnj+GfNIO/Xl89
hSUl5XKqsmMvhPUce0Ga5CrJy/xYFFmpPFjrwIOBMyWPxcnrsxP4sU6zm1mW
lqtjcfXyyUvvRm3gUnjsCV/IGUyKf8Q4e1xs7MU4wD8BjKV+IkiXS5UFMIdK
SphaiFlczMspAGCg/7D5+8FD+AAQ4E1eztvv8Afj5C2sMk5m4ju8hZeXMl7g
I9+qD3K5WqgOLACvyyyYH4t5Uazy44MD5+YBDCfEAvCSF7Ao84SzuA6vuBOn
Dy7zwQc682K5aHke3kiBHj7MzRxxktzEhTiZyWwtF3A1zWYyif8uC6D/sbjk
EcXlJi/UMhfnSdCBhxSDK/Hdd5Lf/XYj52lKcAtRZnEFtV5WB2CiieMEGOCi
I56licrtQi7iYC7VQjyubjTWohaRf57npQrFKXBSuSiABNVqljzAu+m79/j+
t/O0wBs7V4RDxTRUJ06i9MBD3iyyeFoWTfSEmVqLS+C2wrn8ZBnD0+K/y1kc
los48YDWuVJ2Ak06pHMgp+nBTSaXYbpO/CwKDtbxTXxwuUkK+aH/iCmS+878
ueclabYEsG+Jc18/PR2PeqPqz0n155H+83A8NH9ODo8Gx56HcNUH6XeHh+bx
ycAMMhn3aejzkxcnnWdvrzqnCxkvc7wE7Kv5Bf/2Nez4IF0oZDZTRYXV9Xrd
iWUiO0C3AwkaZJagOOYH79cFv8B669nlyxfirZqy4hI8n1nBBSgUeQVC9quu
YImj+ii7ubsSmkzQbJ7X6XQ8z/dBo0zzIpNB4XlX8zgXoDxLHEWEKoqBsYQU
JFOC8Yv/sBKyagkEIzTKiJ/Ngem9Btx7gOx9PUhHnBCcmtmBl7JbleU0UKby
tARVZi9GGXB0GEeRynAC0HAhMI0IZCIWCp6AxYgCV15bZpEK1L8Ays51enad
cBX+W6gsXcFY04UC5ZYkKtPYWcZhuFDI8OfAsWlYBrhizzvJRZ5GxRq0OaMj
F+o2XdwqWq9YoV4CZagQtwWIMCr6aJGukcLpksDGFaNlWGxQUaVJukzLHM1J
rpax71xC0uaFhDnaAKnaAI7+VqKegh9AvniBwMFYDGi08eD6EoT+FqiHBAaw
lyk8Hi9XaYbjLDZt+zAOEmdiXgLYsOw4CeIV2D58EYZUHwAzCajKnFUiUI6B
BYZBiwDEm6q5XEQijUSZI73grTDOgxRIQzSMAwXrDsDqFbDaIEhLBMQDONUH
FZR0kdERlBmSeLERkUQGAH6OoxgIXQgiDj4lF2IqsyyGmTrIsUpot4CpL0NQ
YHkOgANYuRKgIxcLlczgwnQD4KW3cYjrlgIRGsosFCq5VQsYH0YARyLLNsBi
GcwLRNvJ4VbTpElHPN6IsgAC/B0HbYENaok9wpB3rt/dp5db8DbcesVj7Gsx
aRvWQWZ+gCDAsQ4687jAf6ZpgewKo2SI4zIH3gK019YNKAeM6McIgr3T85OL
fUPSNj0VZbIMQeYLFaBO7ghSBipBicjNMmEJ080K2JEcDqT9Ig3QM/CWCjCd
xPkyd+c06wWQQCTXIMAoGLcxMPUCuRiEIw5QOmBgWF8JxCWwPRJIZgugsqZw
mMJICUAMCpS4jBSU8YgqoEGmYxRH+JWpYtMRryWgNAOWL0S+UgHSNvccDsAV
I6MneYzyv1Nx/fyztkAfPzI0SLKpQp6n5efAypkCqPI5qgQGw1KPkVLXmg4f
iTUYUMDPlMhKD5+8OgciuLyde8y+ipg3S4HhUEJgcBA9wy3A8wmIDshkbGYE
1KC+AGRrOsD6vBQxso5BQuA5UC5AwzKGpSP8WoGlM7DiuL6A2T8tcDAQpw3Q
ahEHSEViQDM6UOoFPESTtJEKqJ6isgC8tFEl1W0E3EkClmjEBqiFRYgIzVfw
GzVyinCqlUT9aegWELraXhwB9XMgb4hiLUm7ogSS7wpKIF2RdsJJa292vHMY
O4clFxJ4JxRz5EnACWOOrZuSgBbAKXKqWsM4ANijR+INXD2VqFrwoaLSPMQm
nneGskK6xQqLFoMtwtbUJqFmS/1qPW/WFaMdRpBniZilTPMac3S8qzSUm//7
H/8jZ3OWKHqL3wFIYeylzGJUrqnWLiD6SwVSS5hCxmDTBA9r1eAhK4OVA2oF
C7RCpBVl7jAAgkRagEkBoLIoaA7PJLAq2EzggY73fbpGg01GTGQxY/nk3CBs
LmnpZGRxGpGAK4r0D+PZUqyRVF6NLYNFTC8uFDigMa4coLsL517NVDXx3fEe
q0CCMGu74ehl4Mk5agm2a0ZSWEoKXJwxSymaNaJbhbY4kSGAXLBZ04hqe2QN
2Q4lCmA1HFVDnwpSpkNz6qkq1gpYroLbSjosKIq0xJJr4ZIKxO0WBu54Nc6h
1Vo2Qa5lG8pOlTWgSF21zeLgZN2qjXe/yQRwQ1YeyKeEYD13QFRgtVYDXnMg
Oy8Q2s7R/SE96TXVH/EusZRRc+SUaQ/TqAiieNsDaNK11g2E2FxGyDbgX0CQ
47BSXQMCXpNc+yneeh4vEOUzRBMEHIayOGyZGMWkSdHZqRka7hCCeQA8sEhn
pDhTe6fOtnf4aqQdwPqQ7DpaApUCjDSPQeyInG2LV0Q8ey7KevjqA6IZSG2d
VbJ6GGF9/AiqM2GWAMSgiIHfAEGqJhebyku292Lv8upyvy2MCyReMYUzsXce
vton3+8lRgCNMOCSPH7jfqEyADcD8Qb8amygttXoHOSolOIl+cdpELObjYZ0
h0IFwMtgjqqLwufKTyR+tMzihiM4TIJ8gWY630JS28vXcrUyZsYukQOkyrnQ
gLJWIjS1kYECXib7BHk5zZF3SUmU5L2mwvhAFUwc/xmvquOdgmYlg9xmwmD2
JUYHrkT+R0bP2QRqssCgN0m69qzAaI9ktzePD6BH3/aWklgbxGOV5uwjkUbS
IRli3uqkEHg/APNP+PeN+coVZdhYnPlWnMT0Zti2yss85REKXZLAMyUq2mTG
3qpVE6sygzUhGXdJ2VwC35fTGKIleBZg0sZBBlmaM27Oja18D86zWMQ3ioXM
+wwhO7EhHebLwNVAHymHf9D85Ig3LYNg4+IZ2DEcJjaBG8IDpFKZB/q+8IvU
h+Vn4La+ScxyhDWi+OhMe3TG/QFgEvE+nWLs6MFIfpCCNj0AV5n/WsGSiYcr
TFdBqI2hc/H8+UXOMR+FZV4h85tc3MZgoyTMDZp2AYxfwrNtoYD2aE4U+fFL
EG/jbumg2M9v4oWN1ToYLy9hMQt4WuYp+RwQjoJe0Ca67ito7LXr1ngKFnGp
IDhA7ZnDEDA5Z2fJbyUfOwJI+aexqQ1Ckk5cyg/xElUfqcBiYwMxE1lrpkGz
aTmEmQfVXgTKG8YIwR8xAgF0cN1BQZk7jKMe18NO9ln8HA0eKzr2TD0Af6lQ
8QIcEoiMU2N+YG4yIfxOli7IbToFp4JfVkaLFqgz905PctCwei3TMl6EuaOO
yB4CMDSRFogV3AuUKxSuJfasG6JjQq1YDHpzJZcLEqoCk7vMVDAyuEOOiiO/
FJawy9lln1XbCmCtJIeJ0bxTSIWpA1iXHwLDomkEptQcilhD3ZiWrM0iDCb1
7IDNGboe6EeWqMgLjWdwGhZpTV3gq5WrBe/W/BCTbkK5SGaYa4JFYNyZ+eAd
UAyBYAFnx1NFocpUhr7EIFqAQxHPeNa7lUdl20QV3y3kBlQrqEbjV7WbQar1
swDlwY1noxxUPbBQWBgOILQmtZkk4nJNSMtxnmMrPs0DlUv0vzB0hAVj2M61
ijjJiZdYcCvFo6OZEkiTMCQ7Yx4dtaJnBv44TA+jAY3yOZMpzklZUewDuE/K
hQRnIQZ8aBnech7ByfHIcyMfnV32aZZKJEGEmATzABEQ8BubXINFh3J/FBll
D9DLTLypwqUATAG7yuT2YQaRkw0WYgAyBM8lpuyfyVaC6QU+SJEHyI1JVAm3
tQdG6kw53jpjBw2wIIcC7piImYRD61mLc2FEAeiUlRz/Ot5s5Y3aGJ1plKVF
GqSA/TLX0lB554XrPeJ1ZFmOCjEPwwkYskFEnUaojY5VPbNacshHrrfWH3DF
2HCAYLGwGjgqM8J7Y1DvTGYLUqk6FYsWYJFSnJFvRcUmtgkykM4QA32TO+dy
EWbOMbrHCsst0tD4KE8QtJjdfQLkBhgYK3O5aF28ubzC8h/+K168pL9fn/35
zfnrsyf49+X3J8+f2z88/cTl9y/fPH9S/VW9efry4uLsxRN+Ga6K2iWvdXHy
U4ulpvXy1dX5yxcnz1ucXnHT9QgpcqTGOXhepPxyrwIf3nl8+up//8/eEBz7
/4Ilkh7ls/jHpDcewg+Is7WMpgkgmn+i/Hrg7SqQOEyZA50CuYoL4IY2ujj5
PF0nlEwBbH7zF8TMX4/Fv06DVW/4b/oCAly7aHBWu0g4276y9TIjccelHdNY
bNauNzBdX+/JT7XfBu/OxX/99wVmH/3e5N//zWMe0eHIdZzn1234Rxb4j/qw
wn/Agb1mvF6/L+JrzZlWgJz8IkvOXEmMmDD/sQRSgg65losZjnQT25HA3bxz
pBGOREPRi+JWLkr4++yyPzq81gmleIY05EBaRw0z9CTmSztinHg//3ypWNYG
nSHKmK7L0QSPHonX4JOAmFDe+9jDKqIAXlmYbJ2JP6hUblWsrZ7YcFJbdTcO
waooOCkQQFrvjaexsSXNB1E3uGvGKIK9zNgZhJkLHEATRksCOWIJm6wO17QJ
Tva2YMprCRjml0hNUY4jiTGzCv6czhOZEUyOaFWCqQoEPx7FOt8Bo+3JXNRk
sEJnv9PT6MSC5seP+2w3rZWDwBb8blTuVlvCgBqaW5mhwxcCf2CKAi1/VZ1Z
5Ck+QMlwYJ4lqcYFGG2FGSAq7qBJRgMpOEwiW6voGR8sNXvojGTyK038DEaG
tbis+aUNoNnN3SeSm5kQS2yNSV+hP7MCSwC2YcHsHKQZGOJVmoQc/xrvAsY7
eXUuEMScEbxcYd0IfZcFWPPccsUrbX+RK66cyHdlEhBUYSxhlUuFhZ8YQifS
ngCUzRjTUFXCQBI4aRnaee1osJaTc12bSm21C6iQ5+iekzGZGvdUt3NYH4Hk
dtbgPuC9leE9RgqLiMndmnKDLfUJesvKh9Beoa6XaYgct8Skv3RxNMtNqM/J
iyKFEVF4KflcsjvvT2VuI0+AM8XA3w7qVyKtyz1ADrsglk9wRKq17bFrgwM5
HQ/7KPVrYi6dgzhA5uUrOhkA0YgVuwrfqMssvKSRsFhL2QV4SCun6oKrpphr
dI6HsEUxby0PAjNWL7+qEkrkQlHOGh2PNQpSXTW1d1HXapbO1pq2uLd+tcaj
jVc74hIiY/KvAipRuBViMwDyis6J6CXvqnRa1t25/NXO5f8SalfOPjqAwRyL
LgeaLVcmjEPZ066eQ3DsyTkHEpUQJGFzywLdcydB226gKObQhp7Hd69qElOl
bEzGLd9KuWEShFTlFt4vZLLRT7G3aTMz7IxJky1DG75Ej6G2NhzSqVuCg4mw
pKRq0PvCdfzw0+nBycVzGHkGIY+GUOeHKRTQsX3eRtlNdDUVgMF4GY08ZuSq
4jBFoTjIPF5RKIgeo4HKRmN/wM6RqlaZ72CG+W5edi0z5VYxTz7DGOQ+bjNq
qFqKMT3tikLY/YQ5YSxBb0tCTTa3RMSKQRWANp5AgAvsldLxMU6UYhGphgcu
eAAQyBO1zK+jXdmP0MwD+CLIN5xq4EgRGD5OuMqIFs8EsbZya4oZhl8rvNjF
6PR9XlGjzRKqncNK1+RaK17xgrRK1L8+Wx+aYRx8M485IsStasS+DSxTVBnJ
AMFFpjC9IrpipFVBB9uUtFiCvcYlkPRxKg7bxxJFnQP1vCFDboYk2UMyGUPB
y0zRbyK8MhyNurwpKpA3DG7UfUocWSZyyhNs01WiuOnH5Mi0fujUcf6QvmcD
k2JBy30t/yrKvklz1vSNFI7Yc1JCWxpf5xzgP7Ca3GQfULej4rJBArh6bVO+
bWt/GuungpMv2nEJyR6ki9AUBLJbzraz6GG35JLrEgkEMkGMvjAxr2MoPs2O
aMhjU0vBx4xUagl3tObn6Ew98pcpTL2ET9SW26LrXN3Sk1hGh1DfYrX2nFm2
xgVwI0Yk3K8GHiFnYxogsoasVAInW3ZoCLT7rIXu8EPbNbXKySwuvDsqiOvF
7CI79eA9zqWuSIPsCzKkEMdAqE2VALagUbmIMB+1bX1hQC1xlHRq8MIXqOcz
m249r1dDjA9rhnZLDCyI8GheKJtTNM4XdypBQFUiPX7ADORPaZmJU+MM7AF4
3KFmbwI4jzEXiDl9uP14X+xFDVnO92u1C9BIpq1G2zJdfsGeY7YEQbZZFVhP
X81NfYz7Da5vNvLa5hupC4XqCKb2YdHJ7A5DObyrIzVq8WjwLk5PJYgGr11Z
Vax78e5Bpp65CZU1XrZ6YOrmsEbd8sDFDuF2PpgSacP1qBalsQjryC12YLga
dkimya7lqigW3M+HJs7IXh5gSI11IPIIxWOZ3MA/p4R/brAMNhCX62wxjvcB
vRwAJZPr2nrJ4YYLhK1H9fLWJU4jc0r/nHIvoNveLH5+xB2CPjP4R05ERalx
kFBQtaEFN4ifbXN0iyvTzWNoWPcqriUa77e9Vyc/Va2UTH540qfLMNSU8laN
1+gp2355pXumPMrVIdVNMlL44s3r57WgGJU6cUcHe8DYqhsXA2F59vYHcYnu
P5l7agYTTkrNlZS29RqvDzqoW30syCcH79c3eed9nibXIi+jKP4gbEMlLjIv
p81FXpbT9+jWn9uUF8QiWMLGVJSMubdPp8UYoxgciFl8i11JDA6MjFnJxsgn
ZUipLrFXGmiluTRF+07pM2zUXi2AH0BcZXDjVEz20ZrzzOgQ6kSFkZXC8blQ
c56Yygf2gsIzlKUkwsiiuTJKpJmspJNGG3Z6ncMqL4kpVFEhhhUwZnwQA4Wo
mi+evb0Sa6mpG3aEdvsp77dEXJL7JHXmVPMkWFNmJs6dOS2g9RBPzkytA+dB
iDDt22Q1JtD5E34UZsc13QfnuA4nDIv55c9A1PABRMFwcWbsHOXJUoreZQTQ
NZBn0voU6FIlWTOMzulyPua6CJe0QpNFhxVqv4CLuu2dHTyW6XQyrEpSxdzi
mIQ8G04Blr05xQ4xhqdmcYJqlxCX3DbfYStQywzaxGerqjm1aNNXDlwwTT+0
9gGJJ6HtAyRuweh5iQX4KjWPPIOsQhjJt5arMWJaqIAltFtjdzYgq3LfmAU7
LmZbIFjLUsgZ8gJQbyWRyzJF/To8OPeIYvojrcfdmEutgNE6+gJU6w5QtEzY
giFXLiDGileU4yX+AEWImw8wT1ImcC+dJeSFWdcHbQhqejYgPz8Cj4C3cW1Z
DesMmEq6E6u5tgNHc60Cr+4YEIZuWE1Y9l6bfI1ti3VcOBNi7aNeBIKuqt7R
alOeWcV9wQ/p2lXYJFYj4mvEoPRSc8HmpR3Pgklaqev6DJesVkmq8pUMlG96
qiFowuc1v7bR33b7/bZwX22wEnpjH1pBtAHcm4y9RiHHwpuV5ghY1T/+8Q/v
Z0BS6yYOW8ei9dP7p+Gz2dMXb98fndy8WRbpfzt/vk7VdDB+lT8uv3v74w+H
7/58+/T5+tm61RYHB2RefwDf/vwJjiIXMxyFqlgttDQtmA2vANf8y/t10fI+
dmg6UOotZ6ehuxeRzR+PriUelAW9JAt4qTce9vvDUX80pAlAI9LF8WByOD7U
F0GZ4/DTo0m/Nzka+OPDoyN/GPaHvoy6h/6kO5CHsnc4HB9OeZlgw+mF6bg3
6HWHftAbKn942I38o+k48KNJb9iN5NFUyaFeWSN/dcIZP4OHkrA5Hg6G/UE3
9LuTwx4MF/X9o6Af+PJQqcEg7I6j3piHq8VuzlgEYXKLgzkKjjGbM4zBIIom
R5HfPTya+sPBZOBP+vLInwSRGg2C0SgKBrU5Kh1GOC2IYsPoMJiGgyO/3xsF
/nDUO/Sn0WDgB3La708O+0oddpuAX4EG2zs3muq1o7/2ad1zYqmfaY9bixo7
W7RlV7//baXUgOwteOwjwQWCWL3GXBkOBt3DKOj6h90+wDhWh/5RpPr+IByN
wm5/Ek3DfotfwE15+MpJALbxcp5yDyhHrgyAzqIZqcYXGks0976VMAgtjl48
c3tTbfZI1objkVbzNFHveL8xDvgvvf5gODocjydHGouv8AnBT9w7lKun3u0G
DvfB8qjPKbWPTxnbumtInbfIXAHEzYrmOkkhD+hYaRvemsdqgyGZcBs1vfWy
LLAV0LxpXgATj/qn1lfnjMFX3jHFZX8Q9CIF8jqcjv3hsB/6k2kg/UEwiWQ4
UgEIcAvn+rEa3B2GuVszlMuHNRQyK5xhw3KagesMnrki4YIHeRMALogU2GjY
mRx2Rt1Ob3CkBeEV+hXEC7T7YdsP4IF4wyQMgxrvL7WB/OrHsIf9Jb0O/r97
0B/qZcD7/W63dxxOJ8dyGoTH8KN/fHxwiGqoZfnzr/phXla1zY56qiqvsEpT
M19QS89S3jjN+drh4EAAUeh9ZCNxLB5pLe1ra+JbV0DIBfgRf2otVFS0eD/r
n1onDWvT+sh5FM6y+eJ7MtSWrSBk8vXuW7Jtjdt79Nq+9v8x6QiuaY692b6J
VBuxTHOT173ZT5lrY0qmmjRB07DXxf/urva7p4GRKcIjOW46G99R7Id39sCh
wURGnEEsYy9Eu7ryML9N3T+CM+Lu7AgI74/dOd8F3frE8XePHsllvNjsHP2y
zBxQFvKTIdEz0c58dy5XpTYnqynTX0IYjlEairY5ywtHrTZfNirunijHcrLR
WNVrW47n4zRdKFjxj65Gw+7dMsc4OMN4N3K6T6v9gpFc5KpakdWpzRlqI8dO
lqLKWFizVNOrOu+L26RE1YQhvntz/qQemziSeUd88lnxSDWcTsc2nHOLXi6M
NLWJUy7hhgReJcAbmd2FtAPVKpai5l7XZr++y+lvRAqEUHjcMtPdL+AjdcXj
0EorngZf1y37F4nI9lAPCoPjaTw82v+P0vFPIBuOSMQ7RSL+9UTibh4n1qYS
DHFLPqetxJmKFpgg5c4PXc/QrcY13xUHd1yx5hxXc9vbVzk+ZgBdrjnQLEkZ
G+3oqLBKPVGhschNIpE3ZGS6momg20YtM9HtEC0I/HtYhQPsaSku9FJ9Fx0j
PZ3NbWEi81yTc4rpixXvG7Ilet64apNpts/Au678yC12Bfcr3EYDlWczW/po
3sasQrVqXYero+wPec0xrHZ6HlSHB5APacHriJMsk1gPwsxLulxKJ6NBiKuc
U7M6WIeLyvodzOZTGlIfd0NlrHRxazp30EesCI/5+ycvLjt6qiRsjqwbHSXV
ACizvZOa1NNvUbfrEdoAKU7Pn7zGZnsTzGBRBlznwoepfUXTU74//8+Uf4FJ
NZOus6cubaWMzPbfB7J1OFgtW2cdekrZFasttU4nNGgJsnvkuV3F3SGJvl9A
iXtT+MK6BJWzYNQtJr+yxfyA1A9V0to6uLHToPCu5abR2yEWcY7BzBz3eBTY
3ZPN9EkB2H5hFlR1M3TEy4RIjyW+d6DV3wFKrtHlwWoPdguTtsSasXlgOb0m
br3mVq7rXWnnRtJZN4SZtLNcbtVU7kYlh11LyhPtRCFcaY526j7UrgbkUwNQ
ki5fimG/NwbUZQo7nQusKmCwV9mz1tmb1y2yoXIrRPrk5TrlUb3dDVSNXfoy
2c1T2n2pjUx7BculuUctW1pj4eYIQayESr1GSdKnxZY1uayWRWy+l2ouCNI4
uWbqygzC0E8gbo20+XZx6UIVsnbKCFVmtExW+GnrPZS68b66gVYLF6lNvrP0
c2dQmnnb9NPVh00/KidtA++0/rRpnzbmkSSi+jB0I0mGJTZBx6SwavH5F/r0
PoQNZ2gBVVqM0D8SRlqI+ha+VOZh0PojQM2XgQ50+TbO5TsQX676LCHSBCsF
N9/lQRq1PpdQmgDviGG3gtotr+DHOCswnjTdCljWFy+YFWOSp4Pzs1MxnvT6
9nCtXt/vHZEOkkHBByVd03TvquLeuyXMMX94fhAdn7aJiDP7rrjAd/Uqdg6+
UXJLwLbHjsDf2B78J3i3GtTs6XuHOuLhIQdIoyFvbBGnP/5IquUTIwSD4t8D
hF8hQKg8hDNdLCJP4ZeWlep+wY6y0tPZ1fBvk2B0/rfp49PT98E8HT0L1Xd/
vi1/6N2oiydPg6Pz9ely8mz802eVlWDNn1JWAhtzgOqfmfZrFpgm00mvOxoe
+ePhcOAPj4aRPx3K0B9Ng8PRZNxTg/70MwpMg/FkMukejfz+uN/zh5PwyJf9
EMaM1LA7HkX9/kB+coHJVMzd6lJ/PFRRMBz73T4VxA5h7P544vdG/bCv1Hhw
NBo9XF3qHQa9wShQvjw6kv5wNAh9OZ6OAP7RJAqPeqEaRZ9bXQLHE4fudro9
vWJKsLccM8/Xwa2iNYz4Jygs/Pnm8gn/BpvAt7v0P74IHgjS/LDbZeIVxG1k
c/SFuCopkDU7diyRriBoW8In4uIUXASaHHX5L/MccWWlYkl9E2iDO55AHUzE
6Q66tUfMgS+nIJV6RnN/V9HHFnyMnKC41wo/xh9ZqmKehl9U+tk51ANVIBAi
1ZuOQZ4i4LlhAOI17U1DPwzGEzkJgsG416Mq0BeoXS5x3FnjsPHTHTWOuurj
GoeNldyeibsDsU+v3fsPKtrfsH7v36Fs9S3LRGk2+zq6NeoP5XDQC/1edxKA
rsIq8WA0BgXbB9PTh9G66jN060h1u7Cy0I+iceQP+8OpPwkmA1C1I+DKkYqm
wPpfWLwfqMNwMJA9rNuDep30lT+dypF/KOXh0Wg4HPfH4cPqFYBTXRX1fQWP
+0MF9gBL9v5wPJJH3aFU42n/1yneL2W2eS8T5dTundYNo2uqIhe+cwHvmDtO
PQpvPYOhzC2nmIS3nqT2znY1Hagx8kejkd/r9/oNDYfLJjfuvoaC4bQ7GYfT
vj89VGCGwCr7k/Fg7PeknIRhNAyGkdrZLUB4/73N4Pc2g09tM9BHOp19CHBr
CkrY//lf4k1+R5dBrz/p9DvDfudo9M/TZMAg+MqCUJP537D1oP27o/cZjt5D
nkzNCbm7Y8Pf4dFoR4bqDLqTAbwc81MfAUgt/MbpyTnOxDbk7/moDPflXkef
euHjE7kth+h9FXzWDW1Ggl/P3p5UB1/kYs+eQ902x2Xsd7x+h0/e0CUh/psT
XGZwm9jiHWm0h4W6x+NQe0C1rYmIbbMdgCNGkP09QCCeacCniPAE+2aLQccb
dPShH3oV9HfzqBBdZzLL4hTjMW21QfdK55T1n5hydHyv606F11d6KQ3EfvPN
j7zvCp+5NPscvvnG1ol2YZwLtxoZeJjOVOFRE7w76CrdsdtC7LkoQPzDxLwS
pbFDGUea+AwPDXOONbKN4nr66cY0t9OmL5iTV2J2Qgxqo9MGDeyrd2a4cgwA
A3dbPV6bdS7pMw9pwb30GBI4e1ocIxLQ6VEh/EZWWSg66qPjDbfXgpshftFa
1rQW3uDg7mD4zCWNtpdEh9jcTQC+bxPANdGIcU1SvKHo6HB7aNyUct/QdD+u
b1uo8lS8W7HaIWD2EXS88Q4iJ7f3TXXmbASwsLBkU2nFMpTJmlG7OB6gkaWr
jA7GZFm0uwiuKz+d0/06J3K939R4rqZ7anYWceUZdacV4S0Jbtutk1RvLdSq
fgANncF3r2rFfV+68eicztSPefOSO66TqccZOqQaSCdh2abC1oycCD4/TXRJ
j3JvwLK456mBfgprTE3M4ymKps7kVODycoWfN3COqrkGywx4HeqxqE6jN5PE
ThkCAmP8UIPekOwW/5gRNmnJx9vMqJBOheJq3j/Y6h5KiZ4o+6SJ7hrf1Peb
43uPqgN38ZMweAaN1GeUvcVS1G1FVL1Fp3H00PYxbW08hpPLOngYDJ+h5TFx
uXcCmwtWtKE20Gd1zsoYzzvEj4M0DjbSH1jhg6Fwp+atDLbXev/x03zAgpbh
qs5Eux/t6S93nFkrnXY/H38BTOnW4SN0BGiYCj4RmXoCyVlMFG5a4oN2TFHK
XYI5y0c6O74992MAdr82aQPe/0u2B7cWx/g81o+11tWHanqv3Hu6eQXLBSrC
TDsdwsbfFHB32rA9pbKCc8qfV5uHzhikD0SYQ21N8Tl3TqtCj2SR8sHneM6j
Vya0JxHvlQlthV2DWM01EHS6zyl92aowcVGFc7fgC6S0yyns9jnnyw50pO4t
HkDW8c4jcV5t0a4O18JDGSE81Icqr+OQNg8Weh8jCVHbi1FInLMO62EoshR9
1kMlaTmb76AoxM06MjD9J83DW5hXaGBso3uL5JE5SXd1DhhXU/jN3MS0/IqY
4sGM5vsVtK1wuakfcezxPHnaxlsrLTr85QU6Y3bDx1HAzShOwCzH2NIK2JyR
PkAG4QMSbmM6YjLUh79p4vCpsXgm5RLe00Snk3bn5ssLaokHKeKLL5HpjABq
VOE59UxV5/COmqF1SetVw0LMHlTOhxF6Ou5Ln6TickqidxvjR4+2FAf6pbu+
piReA/HprE3yUa+2tBzu3o9z0nB123Vq9iCTUaRJWzunaOkhMjxgr/HxqI8f
PXtU6Y7T/MifbhXhssVjed43/Ac1/B4LuGOvPFG29eO4vkny7v2P+DLvPz/F
r2qleEDF9gfGhH/vJ8O+qTJ0x2Kvvnt73+5OrSHVAJbHdwGWx/cC9ul7Hb8y
iCCkd4AId3aDeO/u068MDmaMd4MDd3aD88s2xn5lODF5vRtOuHMHnO7u2fZn
b579ygBjSn03wHBnN8CmoUqfNOK0UjT2wvL8vwWAdpPP/cBhkn03cHDnc4Gr
p5P/maC8k4Ty80m482SrrwgcJlrvMBWr7H7gfmGr528BrE1xPgRsfiew+b12
8Zd3oH56/+lXRAxm0e9g8WXxuVxwb5fqVwQSawO7gYQ7u4H89ZpnvyLcWAPZ
DTfc+ULi3t3T+xUBxvrOboDhzj0Af16r8VcEkPpldwIId3YD2Ohy/qqLv8tz
hzu7F/+lbdNfB1qMjZ3v++6MiPUpQHfFwvTVYCJYzgEsfkEZYlsde3Jw7Myx
HRJXXzOuXuOv6e5IFOJHmW147JwXf6DLVLqrCf7yq+8Zf0Qy4gz628jXzovX
cOuynBbOXVPxInzqc16qE/WPRXIg4dZL3Z2+49ZZAurVHDtZpSKO8SQwPKzp
Ek8/W+FXuiCYjfFjHjqx1DiByR7Jj2s0OdzmmJeg1O9I8NJHTRM3rwADnVcf
14gXuwZkGF6VJjNR45lP8tu+EScVgvUBffyVRHi0Ypjj+mNcXm2ewKa/4PaN
2y/vyBl+9NoXFxIPGWcFuJfvMwx44yl+c09/ACdNarcuZIAnbOJHGfEhYgC0
ivYhwAEngv9r/fNvOt1cIP3oZD/9zRF3VeLq8RONa0q4lDl41WCsX15cvHxB
fMVfsSXA08TcT0CkEVT+nvfni/+Xq5AtudL1Ib1l64vkypSafper3XL1oL7+
Erlyvgj8uyx9JVly6q1O9+2X2ir/d7l62F79prJF7Um/y9d/unz5vi+m+CE7
75F4Yj5p9T04l2m2wV4zRrIK/9SizlvsGfvLX3Stjb4/WfX4AMeJMyAaHgDM
NVQudlpGh0gan/nrX2HabtfzXiuUwBC/pBMVfn6ziUDufP5A2CpLmU5p43aK
xTv9kG965e8Zwe/2PYuqUH+Th04e191ifPp46rYx4kHU9hMCfKo8fy2O+ZaF
qDp+m9skeAv7WvE3BnAy3HiDxScYhKpQbfiNNRv6DX/A7ylmyvE3psy5LRFT
dfTEKjNfH8sxo8XX8lYHoHmzCqlCc8fWUAixnI2hHQf8enGOhIC6Oc+djQow
0SvQFinuFL/Un7h4CMc9j7ic+aGVZ4uW2Ltk1ALvUwereJ4GiN59ewz7vSN2
PRIopMmi+hToE3yl4/0/4aMstJ6KAAA=

-->

</rfc>
