KYE Connector Hub™ · open contracts, paid runtime

Connect KYE to the systems that already run your business.

Payment gateways, checkouts, wallets, MCP servers, agent runtimes, IAM, policy engines, SIEM, GRC, KYC/KYB/KYA providers, cloud event buses. The KYE Connector Hub™ is one canonical manifest schema, 14 connector categories, and a public registry. Open contracts; commercial managed runtime.

category 14 categories star Flagship connectors data_object Manifest schema menu_book Dictionaries api Endpoints send Events balance OSS / paid publish Publish a connector

14 categories

Six families, fourteen categories.

paymentsPayments & commerceinternet_payment_gateway · mobile_payment_gateway · payment_gateway · checkout · shopping_cart · card_token · wallet · open_banking · merchant_risk · chargeback

smart_toyAI & agent runtimemcp_server · agent_runtime · tool_gateway · capability_registry · model_registry · prompt_registry · workflow

keyIdentity & accessoauth_oidc · saml · scim · spiffe_spire · iam · pam · passkey · credential_issuer

policyPolicy & governanceopa · cerbos · aws_cedar · grc · control_mapping · certification · self_audit

manage_searchSecurity & observabilitysiem · soar · splunk · sentinel · datadog · cloudwatch · kafka · eventbridge · webhook

badgeVerificationkyc_provider · kyb_provider · kya_provider · agent_passport · credential_verification

Connector explorer

Search the Connector Hub™ reference set.

Search by name, type, or description. Filter by category. Each row shows the connector_type, current status, and side_effect_level from the canonical manifest dictionary — so you can pick the right connector for the right risk envelope before you install.

Flagship connectors

Three connectors that open the most doors.

credit_cardIPG / MPG ConnectorAdd KYE authority checks to internet and mobile payment gateways. Verify delegated agent authority, customer scope, payment-instrument state, merchant category, approval thresholds, and risk state before the gateway processes the payment. KYE authorises the agent before the gateway processes the payment.view payment connector → shopping_cartCheckout Guard™Detect agent-backed checkout flows and verify whether the agent is allowed to buy this basket, from this merchant, using this payment instrument, under this customer's limits. Per-checkout signed Decision Map™ + evidence-pack delta.explore checkout integration → smart_toyMCP Server & ConnectorExpose KYE authority checks, schemas, dictionaries, Decision Maps™, and evidence packs to MCP-compatible agents, IDEs, and developer tools — while production enforcement stays inside the KYE Runtime Gateway.explore MCP integration →

Connector manifest

One canonical schema for every connector.

Every connector ships a kye.connector_manifest.v1 document. The manifest declares what the connector does, which profiles it supports, which integration points it exposes, what it subscribes to, what it publishes, what side effects it can produce, and how it authenticates. Schema: https://schemas.kye.dev/connector-manifest.json.

{
  "schema_version": "kye.connector_manifest.v1",
  "connector_id":   "kye:connector:ipg:example_gateway",
  "name":           "Example IPG Connector",
  "display_name":   "Example Internet Payment Gateway Connector",
  "connector_type": "internet_payment_gateway",
  "category":       "payments",
  "version":        "1.0.0",
  "publisher": {
    "publisher_entity_id":  "kye:org:kye_protocol",
    "maintainer_entity_ids": ["kye:user:maintainer_001"]
  },
  "description": "Adds KYE authority pre-checks to IPG flows.",
  "supported_profiles": [
    "kye.core.v1", "kye.payment_authority.v1",
    "kye.agent_purchasing.v1", "kye.webhooks.v1", "kye.evidence.v1"
  ],
  "integration_points": [
    { "name": "pre_authorisation_check", "direction": "outbound_to_kye",
      "method": "POST", "path": "/v1/authority:decide", "required": true },
    { "name": "payment_result_webhook",  "direction": "inbound_to_kye",
      "method": "POST", "path": "/v1/events", "required": false }
  ],
  "capabilities": [
    "agent_purchase_check", "payment_authority_check",
    "basket_hash_binding", "merchant_category_scope",
    "approval_threshold", "evidence_pack_generation"
  ],
  "auth": {
    "auth_type": "api_key_or_oauth_client_credentials",
    "supports_key_rotation": true,
    "supports_mtls": true
  },
  "events": {
    "subscribes_to": [
      "kye.authority.revoked", "kye.decision.requires_approval",
      "kye.payment_authority.revoked"
    ],
    "publishes": [
      "kye.purchase_authority.allowed",
      "kye.purchase_authority.denied",
      "kye.purchase_authority.requires_approval"
    ]
  },
  "risk": {
    "risk_level":                    "high",
    "side_effect_level":             "move_money",
    "requires_signature_verification": true,
    "requires_idempotency":          true,
    "requires_audit_event":          true
  },
  "runtime": {
    "deployment_modes":   ["hosted", "byoc", "on_prem"],
    "supported_languages": ["typescript", "python", "go"]
  },
  "integrity": {
    "manifest_hash":     "...",
    "signature_required": true,
    "signature_ref":     "kye:signature:connector_manifest_001"
  },
  "status":     "active",
  "created_at": "2026-05-06T00:00:00Z",
  "updated_at": "2026-05-06T00:00:00Z"
}

Dictionaries

Stable enums, governed openly.

Five dictionaries underpin the manifest. Additions land via the RFC process; existing values never change semantics.

connector_type — the 30+ types listed in the categories grid above (internet_payment_gateway, mcp_server, iam, opa, siem, kyc_provider, etc.).
connector_category — payments · commerce · agent_runtime · identity · policy · security · observability · governance · verification · audit · compliance · developer_tools.
connector_status — draft · submitted · validating · active · deprecated · quarantined · revoked · archived.
integration_point_type — pre_authorisation_check · post_authorisation_event · decision_request · event_subscription · webhook_receiver · webhook_sender · evidence_export · audit_import · policy_sync · identity_sync · capability_sync · credential_binding · approval_callback.
side_effect_level — read_only · audit_only · decision_only · write_internal · send_external_message · execute_transaction · move_money · modify_authority · admin_action · destructive. Higher levels require stricter auth, idempotency, and audit guarantees.

Endpoints

Register, install, monitor, replay.

Connector registry endpoints (publishers):

POST /v1/connectors · GET /v1/connectors · GET /v1/connectors/{id} · PATCH
POST /v1/connectors/{id}:validate · :publish · :deprecate · :quarantine · :revoke

Connector installation endpoints (operators):

POST /v1/connector-installations · GET · GET .../{id} · PATCH · DELETE
POST /v1/connector-installations/{id}:test · :rotate-credentials

Connector event endpoints:

POST /v1/connectors/{id}/events · GET /v1/connectors/{id}/events · POST /v1/connectors/{id}:replay-events

Connector events

12 connector-lifecycle events.

Connector lifecycle events fan out via the KYE Signal Bus™. Subscribers monitor connector health, gate installations behind validation, and receive credential-rotation prompts before signatures expire.

kye.connector.registered · validated · validation_failed · published
kye.connector.deprecated · quarantined · revoked
kye.connector.installed · installation_failed · health_degraded
kye.connector.credential_rotation_required · event_replay_requested

OSS / paid split

Connector schemas open. Connector runtime commercial.

	Open source · Apache 2.0	KYE Cloud™ · commercial
Schemas	Connector manifest schema, dictionaries (type / category / status / integration-point / side-effect), event schemas	Sector-specific connector packs (regulated-industry presets)
Reference connectors	Sample IPG, sample checkout, sample MCP, sample SIEM — full source, MIT/Apache licensed	Maintained production connectors with SLAs
Test harness	Local connector test harness, conformance fixtures, signature verifier	Continuous conformance monitoring, partner certification workflow
Hub	—	Managed Connector Hub™ · partner registry · install / configure / monitor UI
Runtime	—	Enterprise connector engine · high-volume routing · per-tenant rate limits · multi-region failover
Health	—	Connector health monitoring · SLA dashboards · alerting · degraded-state automation
BYOC / on-prem	Self-hosted reference impl	BYOC / on-prem deployment automation, regulated-sector compliance packs

Why this split? The schema must be open or the ecosystem doesn't grow. Anyone can author, test, and publish a connector against the manifest without depending on a hosted service. The managed runtime, health monitoring, hub UI, and SLA-backed connectors are where the operational moat sits and is part of the patent track.

Publish a connector

Five steps from idea to public registry.

P1Author the manifest. Fill in connector_type, supported profiles, integration points, capabilities, side-effect level, auth modes.
P2Run conformance. Local test harness validates the manifest, the integration points, and the event signatures.
P3Sign & submit. POST /v1/connectors with the signed manifest. Programme runs :validate.
P4Programme review. Schema, behaviour, side-effect classification, auth, audit emission. ~5 working days.
P5Publish. :publish — connector lands in the public registry and the Connector Hub™.

handshake Partner programme → workspace_premium Certification code Reference connectors forum Talk to the programme

Adjacent reading

Where to go next.

construction Build → smart_toy MCP server send Signal Bus extension Composition with adjacent standards handshake Partner programme