Vocabulary · canonical reference

The words the protocol uses.

Entity types, action types, decision codes, reason codes, capability kinds, side-effect levels, data classes, signal types, redaction fields, taxonomies, graph types — the vocabulary every conformant implementation reads from. The canonical machine-readable source lives at github.com/KYE-Protocol/vocabulary; this page is the human-readable index.

Entity types

What KYE recognises as an entity.

Every URN starts with one of these classes — kye:<class>:<trust-domain>:<subclass>:<local>.

  • human — natural person; KYC-verified
  • org — legal entity / business; KYB-verified
  • agent — AI agent (LLM-backed, autonomous, supervised, etc.)
  • service — software service / workload (SPIFFE-equivalent)
  • model — foundation / fine-tuned model
  • tool — capability instance (MCP tool, function, connector, playbook, model_profile)
  • workflow — orchestrated sequence of actions
  • capability — named capability declaration
  • credential — verifiable credential / attestation / key
  • resource — wallet / dataset / document / vehicle / vessel / shipment
  • workload — attested runtime instance
  • payload — signed evidence artefact

Action types

What KYE sees an entity do.

  • read / write / execute — baseline data + capability operations
  • delegate / attenuate / revoke — authority lifecycle
  • authorize / attest / vouch — decision-producing operations
  • payment / transfer / trade — money-rail operations (Payments + Treasury profiles)
  • redact / tombstone / recover — data-lifecycle operations
  • quarantine / break_glass / cascade — incident-response operations

Sector profiles add domain-specific actions (e.g. Healthcare adds consent, disclose; Custody adds co_sign, recover_key).

Decision codes

The eight ways KYE answers an authorize call.

  • allow — unconditional permission
  • allow_with_constraints — permission subject to obligations the caller must honour (e.g. redaction, rate-limit, dual approval)
  • require_approval — dual-control / human-in-the-loop step required before the action proceeds
  • require_step_up — additional credential (re-authn, MFA, attested workload) required
  • require_human_review — explicit human review (used by EU AI Act high-risk workflows)
  • require_recovery — recovery / break-glass flow required (compromised state)
  • quarantine — entity placed in restricted state pending investigation; partial operations may continue
  • deny — refused; the audit chain records the reason code

Reason codes

Why the runtime decided what it decided.

Reason codes are namespaced. Every decision carries at least one. Examples:

  • authority.delegation_chain_invalid — the chain back to a human / business is broken
  • scope.amount_exceeds_cap — the action is within scope type but exceeds the value limit
  • state.entity_quarantined — the actor is in a quarantine state
  • state.credential_expired — the credential carrying the action’s justification has lapsed
  • obligation.redaction_required — the action proceeds with a redaction obligation attached
  • policy.deny_by_default — no matching allow rule
  • recovery.break_glass_required — the operation needs the break-glass workflow

Full canonical list: github.com/KYE-Protocol/vocabulary/reason-codes.md (~120 codes).

More vocabularies

The rest of the canonical word-list.

  • Capability kinds: skill, tool, mcp_tool, function, connector, playbook, model_profile, payment_action.
  • Side-effect levels: none, read, write, money, physical, irreversible.
  • Data classes: public, internal, confidential, pii, phi, pci, restricted.
  • Signal types: stop, pause, quarantine, cascade_revoke, step_up_required, attestation_invalidated.
  • Redaction fields: pii.redacted, phi.redacted, credential.redacted, payload.redacted.
  • Taxonomies — 16 V1 canonical taxonomies covering entity_type, capability_type, action_type, resource_type, data_class, side_effect_level, risk_state, environment, decision, reason_code, evidence_type, compliance_framework, sector, jurisdiction, plus state taxonomies.
  • Graph types — Authority Graph (entity / authority / delegation / scope / capability / state / decision / evidence nodes; typed edges between them).

All vocabularies ship as Apache 2.0 markdown + JSON Schemas in github.com/KYE-Protocol/vocabulary. New entries follow the v1.x process documented in the whitepaper §9 Governance.