Engagement model · protocol adoption, not SaaS sales

Learn → Review → Build → Pilot → Conform → Certify.

KYE Protocol is an open specification with a commercial trust layer. We do not sell first; we publish, we invite review, we ship a reference implementation, we pilot in regulated sectors, and we certify. Seven distinct engagement paths — pick the one that fits how you want to engage.

menu_book Experts code Developers business_center Buyers verified_user Auditors gavel Regulators handshake Partners apartment Enterprises
The model in one diagram

Six stages, seven audiences.

  1. 1LearnRead the protocol, the concepts, the open-banking flow.
  2. 2ReviewExperts critique the authority / on-behalf-of / scope / state / audit model.
  3. 3BuildDevelopers run the schemas, the SDKs, the conformance fixtures.
  4. 4Pilot2–4-week KYE Authority Finality Pilot in one regulated use case.
  5. 5ConformRun the conformance pack against your gateway. KYE Conformant badge.
  6. 6CertifyAudited certification. KYE Certified registry listing.
Path 1 / 7 · Experts

Review the authority & on-behalf-of model.

You are: open-banking architect, payments specialist, identity / IAM lead, OAuth/OIDC committee member, AI-governance researcher, audit / cybersecurity / regulated-finance expert, legal-tech reviewer.

You want: the protocol primitives surfaced clearly enough that you can critique the model end-to-end — and tell us where it breaks.

What we ask: not “what do you think?” — specific questions, against specific artefacts.

  • Does the chain actor → principal → capability → scope → state → decision → evidence map cleanly to your domain?
  • Is on-behalf-of modelled correctly — particularly for delegated authority, consent, payment initiation, agent operations?
  • What breaks in open banking, payments, regulated finance, healthcare, critical infrastructure?
  • What should be mandatory in the spec vs. optional in a profile overlay?
  • What would make this credible to banks, auditors, regulators, infrastructure providers in your jurisdiction?
menu_book Read the 6 primitives → payments Open-banking flow shield Threat model forum Book a 30-min review call
Path 2 / 7 · Developers

Try KYE in 10 minutes.

You are: engineer, architect, platform-team lead, agentic-runtime developer, MCP integrator.

You want: to touch the protocol — not read marketing — in one sitting.

The 10-minute path:

  1. Create an actor entityPOST /v1/entities
  2. Create a principal entity — same endpoint, different class
  3. Create a delegation binding actor to principal — POST /v1/delegations
  4. Grant a capability authority with attenuated scope — POST /v1/authority-grants
  5. Request a decisionPOST /v1/runtime/authorize
  6. Receive allow_with_constraints / require_approval / deny
  7. Inspect the Decision MapGET /v1/decisions/{id}/map
  8. Export an evidence packGET /v1/proof-bundles/{id}
code Developer quickstart → category Concepts (schema + endpoint per primitive) open_in_new GitHub: schemas + SDKs checklist Readiness self-test
Path 3 / 7 · Buyers

Map your first agent authority chain.

You are: board / CIO / CISO / risk / compliance / legal / finance lead. AI agents already touch your business; nobody has shown you the chain of authority behind their actions.

You want: to know what KYE reduces — liability, audit cost, incident-response time, regulatory ambiguity — before any procurement conversation.

What we run: the KYE Authority Mapping Workshop. 60–90 minutes. We work through one of your real agent flows live.

You walk away with: an authority map, a delegation map, a capability map, the risk areas, the evidence gaps, and a written pilot recommendation. No slides; the artefact is the deliverable.

business_center Book the workshop → trending_up Buyer ROI page lightbulb Use cases
Path 4 / 7 · Auditors

Inspect a replayable evidence pack.

You are: internal audit, GRC, 3PAO assessor, SOC 2 / ISO 27001 lead auditor, EU AI Act notified body, FedRAMP assessor.

You want: to verify a real signed artefact end-to-end with public keys alone — no read-access to the customer’s runtime.

What you get: sample evidence pack · sample Decision Map · sample control-mapping projection · sample conformance report · sample self-attestation · sample audit-trail replay. Each downloadable, each signed, each verifiable offline.

verified_user Auditor page → integration_instructions OSCAL exporter badge AI System Compliance Card download Request an evidence-pack sample
Path 5 / 7 · Regulators

Review the control mappings.

You are: supervisor / examiner at a financial-services authority, data-protection authority, AI Act notified body, NIS2 CSIRT, sector regulator.

You want: to know exactly which obligations the protocol claims to evidence — and which it does not.

What we publish: 266 control mappings across 13 frameworks (SOC 2 · ISO 27001:2022 · PCI DSS 4.0 · PSD2/PSD3 · DORA · NIS2 · EU AI Act · ISO 42001 · NIST AI RMF · GDPR · NIST CSF · FedRAMP · NIST 800-207 · HIPAA). Honest non-goals are documented in the threat-model page. We deliberately do not say “KYE makes you compliant”; we say KYE produces evidence; certifications remain the customer’s.

gavel Regulator page → fact_check Per-framework mapping shield Threat model + non-goals forum Briefing request
Path 6 / 7 · Partners

Build a KYE integration profile.

You are: IAM vendor, KYC/KYB/KYA vendor, open-banking platform, payment gateway, agent platform, MCP host, wallet provider, policy engine, SIEM/GRC tool, audit firm, consultancy.

You want: KYE to recognise your product as a first-class integration with a documented profile, a conformance fixture, and a public listing.

The integration ladder:

  • L1KYE Self-Tested — you pass the conformance fixtures locally; self-declared.
  • L2KYE Self-Attested — signed self-attestation published to the registry.
  • L3KYE Conformant — conformance report reviewed by the KYE programme; badge issued.
  • L4KYE Certified — full third-party-audited certification with public registry listing.
handshake Certification programme → extension Integrations & composition forum Propose a partnership
Path 7 / 7 · Enterprises

Run a KYE Authority Finality Pilot.

You are: a regulated enterprise — bank, insurer, asset manager, custody desk, hospital network, telecom, energy operator, federal agency — with at least one AI agent in production or imminent.

You want: a 2–4 week proof that KYE answers who acted, on whose behalf, with what authority, in what state, with what evidence for a real flow.

The pilot scope — pick one:

  • AI payment agent (open-banking / payment-initiation)
  • Open-banking consent + delegation
  • MCP tool governance
  • Internal service-account authority
  • Healthcare data-access agent
  • Critical-infrastructure operator action

Deliverables — produced live, not slides:

  • Authority model · entity graph · delegation chain · capability registry
  • Live /v1/runtime/authorize decision endpoint
  • Per-decision Decision Map
  • Audit-event stream into your SIEM
  • Signed evidence pack (replayable)
  • Conformance report against the 38-fixture pack
  • Gap report · sector-overlay recommendation

Outcome: a single-paragraph artefact you can put in front of your regulator, board, or external auditor — “Here is exactly how KYE proves who or what acted, on behalf of whom, using which capability, under what authority, in what state, and with what evidence.”

apartment Scope a pilot → lightbulb Sector use cases checklist Readiness self-test first
Working groups · open governance

Where the protocol gets shaped.

KYE Protocol is governed in the open. Six working groups meet on GitHub Discussions; minutes + decisions are public; profile RFCs are accepted via the standard contribution process. Membership is open to anyone with operational expertise in the relevant domain.

architectureKYE CoreSpec evolution: vocabulary, schemas, runtime, state model.github discussions → paymentsOpen BankingConsent, delegated payment-initiation, PSD3 / DORA mappings.github discussions → smart_toyAgent GovernanceMCP capability profiles, model cards, agent identity.github discussions → verifiedEvidence & AuditAudit chain, evidence-pack format, OSCAL projection.github discussions → extensionCapability ProfileFirst-class capability schemas, parameter-level scopes.github discussions → ruleCompliance Mapping280 controls across 13 frameworks; KYE Compliance Mapping Rail.github discussions →
RFC contribution

Propose a profile, an endpoint, a binding.

  1. RFC-1Open a discussion. File a GitHub Discussion in the relevant working group. Describe the gap, the proposed shape, the worked example.
  2. RFC-2Spec PR. Once the WG has consensus, open a PR against private/specs/ (or the public mirror) with the schema + OpenAPI op + at least one example.
  3. RFC-3Conformance fixture. Add at least one black-box fixture under private/specs/conformance/fixtures/.
  4. RFC-4Sign-off. Two WG maintainers approve. Schema gets a stable $id. Profile lands in the next minor release.
  5. v2.0Foundation track. Move governance to a neutral foundation (Linux Foundation / OpenWallet Foundation candidate) at v2.0; royalty-free patent grant; trademark policy unchanged.

Security disclosure: see SECURITY.md. Trademark policy: see legal page.

Where to go next

Adjacent reading.

category The 6 primitives → checklist Readiness self-test lightbulb Use cases shield Threat model rule Conformance & certification