Build authority-aware apps with KYE.
KYE Protocol™ is not just a specification — it's a build surface. Runtime Authority API, three SDKs, an MCP server, a connector framework, signed webhooks, Decision Maps™, and evidence packs. Add delegated authority, state-aware decisions, and replayable proof to AI agents, payment flows, checkout, wallets, IAM, SIEM, GRC, and enterprise workflows.
Open contracts. Paid operations.
Pick the surface that fits your stack.
POST /v1/runtime/authorize — allow / require_approval / require_step_up / quarantine / deny + reason code + obligations + evidence refs.view decision endpoint →
codeSDKsTypeScript, Python, Go. Schema types, validators, decision client, signing helpers, evidence-pack builder, taxonomy resolver, decision-map renderer, webhook verifier.view SDKs →
smart_toyKYE MCP Server™Expose KYE schemas, decisions, Decision Maps™ and evidence packs to MCP-compatible agents and developer tools — while production enforcement stays in the runtime gateway.explore MCP server →
extensionConnector Hub™Plug KYE into payment gateways, checkouts, wallets, IAM, policy engines, SIEM, GRC, agent runtimes, KYC/KYB/KYA. Open manifest schema; commercial managed connectors.view connector hub →
sendSigned Signals & Webhooks9 event families, ~70 well-known event types, canonical envelope, signed deliveries, idempotent + replayable + dead-letter-safe.view event reference →
verifiedEvidence PacksGenerate signed, replayable proof bundles. Public-key-verifiable offline. Bind decisions, audit chain, control mapping, and OSCAL projection in one artefact.inspect evidence pack →
Six high-leverage starters — and 15 more.
These are the products with the strongest pull from regulated buyers right now. Each composes from the surfaces above.
- P1KYE Checkout Guard™ — for merchants and commerce platforms. Detect agent-backed checkout flows and verify whether the agent is allowed to buy this basket from this merchant using this instrument under the customer's limits. Composes: Runtime API + Webhooks + Evidence Packs.
- P2KYE Payment Authority Gateway™ — for banks, issuers, IPGs, MPGs, PSPs, agentic-payment platforms. Verify delegated payment authority before the gateway processes the transaction. Composes: Runtime API + Payments connector + Evidence Packs.
- P3KYE MCP Server™ — for agent developers and internal AI platforms. Expose KYE authority objects, schemas, decisions, and evidence to MCP clients safely. Composes: MCP Server + Read-only tools + Gated decision tools.
- P4KYE CISO Console — for security and risk teams. View every agent, credential, capability, delegation, state, and revocation path. Composes: Authority Graph™ + Webhooks + Audit chain.
- P5KYE Evidence Viewer — for auditors and regulators. Replay decisions, verify evidence packs offline with public keys, map events to controls. Composes: Evidence Packs + OSCAL projection + Decision Maps™.
- P6KYE Partner Toolkit — for consultants, audit firms, SIs. Run authority mapping, readiness checks, conformance prep, pilot scoping. Composes: Readiness API + Conformance pack + Decision Maps™.
Other strong starters: agent purchasing apps · agent marketplace trust layers · wallet authority consoles · open-banking delegated-authority apps · enterprise service-account authority maps · GRC evidence automation · SIEM authority-signal feeds · certification portals · tool-governance gateways · capability registries · sector profiles for healthcare / custody / telco / federal.
One call, before the action executes.
The decision endpoint is the single most important surface. Your app asks; KYE answers in milliseconds.
POST /v1/runtime/authorize
{
"actor_entity_id": "kye:entity:agent:shopping_agent_456",
"principal_entity_id": "kye:entity:person:customer_123",
"subject": "kye:capability:payment_action:card_purchase",
"resource": { "merchant_id": "M-7104", "amount": 9999, "currency": "GBP" },
"scope": { "instrument": "kye:card_token:tok_abc..." },
"policy_decision_id": "kye:dec:01HX..."
}
→
{
"decision": "allow_with_constraints",
"reason": "scope_within_attenuated_authority",
"obligations": [ { "type": "audit.emit", ... }, { "type": "redaction.required", ... } ],
"stop_conditions": [ "actor.stop_signal", "delegation.revoked", "scope.attenuated" ],
"evidence_refs": [ "kye:evidence-pack:01HX..." ],
"decision_map_ref": "kye:decision_map:01HX..."
}
Eight decision codes are stable across versions: allow, allow_with_constraints, require_approval, require_step_up, require_human_review, require_recovery, quarantine, deny. Map to your own code-set via the conformance pack.
Same surface in TypeScript, Python, and Go.
- TypeScript —
npm install @kye-protocol/sdk· github.com/KYE-Protocol/sdk-typescript - Python —
pip install kye-sdk· github.com/KYE-Protocol/sdk-python - Go —
go get github.com/KYE-Protocol/sdk-go· github.com/KYE-Protocol/sdk-go
Each SDK ships: schema types · local validators · decision client · signing helpers · evidence-pack builder · taxonomy resolver · metadata classifier · graph traversal client · decision-map renderer · webhook verifier · idempotency helper · replay client.
Make KYE available to MCP-compatible agents.
Expose KYE schemas, dictionaries, authority checks, Decision Maps™, and evidence packs through a controlled MCP interface — while production enforcement stays in the KYE Runtime Gateway, never in MCP.
The boundary: MCP is a developer / agent integration surface. The Runtime Gateway is the enforcement surface. Don't conflate.
Plug KYE into the systems you already run.
A canonical connector manifest schema, 14 connector categories, and a hub for discovery. Open contracts — commercial runtime.
Open contracts. Paid operations.
| Open source · Apache 2.0 | KYE Cloud™ · commercial | |
|---|---|---|
| Schemas & dictionaries | Every entity / authority / decision / event / connector-manifest schema; reason codes; taxonomies | Sector-specific event packs and connector packs |
| SDKs | TypeScript / Python / Go — schema types, validators, signing helpers, webhook verifier, evidence-pack builder | SDK-bundled telemetry, advanced replay, hosted SDK distribution |
| MCP server | Skeleton + read-only tools + decision tools (gated) | Hosted MCP server, multi-tenant, audit-bound, SLA-backed |
| Connectors | Manifest schema, conformance tests, sample IPG / checkout / MCP connectors, local test harness | Managed Connector Hub™, enterprise connector engine, regulated-sector connector packs, BYOC / on-prem installer |
| Reference runtime | Reference Gateway: PEP middleware, embedded ePDP, conformance runner | Managed runtime gateway, decision engine, state engine, graph engine, signal bus, evidence engine |
| Operator UI | — | SaaS dashboard, Decision Map™ UI, Authority Graph™ UI, Evidence Pack Pro, replay console, blast-radius event trace |
| Conformance | 38 black-box fixtures, test vectors | Continuous conformance monitoring, certification workflow, partner registry |
Why this split? The contract has to be open or KYE Protocol™ isn't a protocol — partners and developers must be able to implement, integrate, and verify without depending on a hosted service. The runtime engine that scales decisions and signal delivery, manages multi-tenant operations, computes downstream impact, and ships connectors with SLAs is the operational moat — and it sits behind a paid layer.