KYE Protocol™: an open trust layer for the agentic economy
Cryptographic provenance for every action humans, businesses, AI agents, services, models and workflows take. One identity URN. One delegation chain. One decision vocabulary. One cascading audit bus. Open contracts that unify KYC, KYB and KYA — without locking adopters into a vendor.
Abstract
The agentic stack — AI agents, models, tools, workflows acting autonomously on behalf of humans and businesses — is reaching production at a velocity that has outrun the identity, authorization and audit infrastructure beneath it. KYC verifies humans. KYB verifies businesses. KYA (just emerging in 2026 from Visa, Skyfire, Persona, Sumsub, Trulioo) verifies agents. Each layer is siloed; each verifies once, at registration; none answers "is the answer still true 200 ms from now when the next call arrives?"
KYE Protocol™ — Know Your Entity™ — is the open contract that unifies these layers. Every entity (human, business, agent, service, model, tool, workflow) shares one URN format. Every action is bound to a delegation chain with attenuable scope. Every decision is recorded with a standardised reason code. Every revocation cascades through the trust graph in milliseconds. Every audit event hash-links to the previous one. Every decision can be exported as a signed proof bundle a regulator can verify with public keys alone. The result: provable trust at the speed of agentic commerce.
1 · Problem
Modern agentic workflows generate three classes of pain that legacy identity stacks cannot resolve.
1.1 Fragmented identity
One agent typically holds three or four identities at once: a SPIFFE SVID for workload attestation, an OAuth client_id for the API gateway, a vendor-specific KYA passport for payment rails, and a model card for inference governance. Each format is reconcilable only by hand. Auditors reconstructing an incident traverse four logging systems and stitch traces by timestamp.
1.2 Static authorization
OAuth scopes and KYC files describe state at issuance. Neither propagates a revocation. When a delegated agent is compromised, the human delegator may not learn about it until the next compliance review. Stop signals (entity stopped, credential revoked, attestation stale) need to ripple through dependent grants in real time, recursively, with cryptographic guarantees they were applied.
1.3 Unprovable history
Audit logs are usually JSON lines in a search engine. They are searchable but not provable: a malicious operator can edit the past. Regulators increasingly demand cryptographic non-repudiation — an append-only chain whose head hash is publicly committed.
2 · Prior art & gaps
| Layer | Solves | Doesn’t solve |
|---|---|---|
| OAuth 2.1 / GNAP | Human authorization, token introspection | No agent identity, no delegation chain, no cascade |
| SPIFFE / SPIRE | Workload identity (SVIDs) | No first-class delegation, no decision vocabulary |
| Anthropic MCP | Agent ↔ tool communication | No identity, no policy, no audit |
| Google A2A / ADK | Agent registration metadata | No delegation, no cascade, no proof |
| OpenID AuthZEN | Standard decision API shape | No URN, no chain, no signals |
| OpenSSF SCITT | Transparency receipts | No identity, no scope, no cascade |
| OpenID SSF / CAEP | Stop-event distribution | No delegation chain, no proof bundle |
| Visa Trusted Agent / Skyfire / Persona KYA | Agent passport (AID), spend caps (TXG) | Vendor-specific, agent-only, no unified URN, no cascade |
Each of these solves a slice. None composes into a single contract that an auditor can read end-to-end. KYE Protocol™ is that contract layer; it does not replace these, it composes them.
3 · Design principles
- Entities are first-class. Humans, businesses, agents, services, models, tools, workflows are all entities. They share one URN, one lifecycle, one record format.
- Delegation is a graph, not a flag. Every action sits inside a chain: agent on behalf of business, business on behalf of human. The chain is queryable and revocable.
- Scope must attenuate, not extend. A delegated scope can only narrow what the parent permits. Attempts to extend are rejected at the contract layer.
- Decisions are vocabulary, not free-text. A small, fixed set of decision codes (allow_with_constraints, require_approval, deny, …) makes inter-system reasoning possible.
- Stop signals cascade. Revoking an entity revokes its delegations, payment authorities and access rights — recursively, atomically, with audit events emitted at each step.
- Audit is an append-only chain. Each event hash-links to the previous one. Tampering is detectable end-to-end with one verify call.
- Mechanism designs are private. The vocabulary, URN format, schemas and OpenAPI surface are open. The specific algorithms (decision evaluation, hash-chain construction, cascade ordering, attenuation propagation) sit behind the patent track and are not disclosed in public repositories.
- Profiles, not forks. Sectoral overlays add vocabulary and conformance fixtures. Core never shifts under adopters.
4 · Conceptual model
KYE Protocol™ defines nine first-class records:
- Entity — any actor or resource. Has a status, a lifecycle state, an immutable block, classification, assurance, optional sectoral profile.
- Delegation — a record that actor may act for subject, granted by delegator, within scope, for allowed_actions.
- Scope — named bundle of constraints + obligations. Attenuable through parent_scope_id.
- AccessRight — fine-grained, resource-level grant.
- Credential — signed assertion about an entity. Issuer + holder + subject + claims + Ed25519 signature.
- Attestation — workload identity binding (SPIFFE / EAT / build provenance).
- Signal — reactive event on the bus. Stop / quarantine / revoke / cascade.
- PolicyDecision — record of an authorize call: decision, reasons, obligations, stop_conditions.
- AuditEvent — append-only entry with previous_event_hash + event_hash.
Two derived records support proof & observability:
- ProofBundle — signed export of decision + supporting audit events. Verifiable by external auditors with public keys alone.
- TransparencyReceipt — signed receipt that a statement is included in the public log at a given index.
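An added illustration, not code from the KYE Protocol repositories, of two ideas above: the principle that a delegated scope may only narrow its parent (section 3) and the Scope record's parent_scope_id / constraints fields (section 4). The Scope shape, the constraint keys (max_amount, currency) and the reason-code strings are assumptions made for this example; the decision codes are the whitepaper's, and the real attenuation-propagation mechanism is private and not shown.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative Scope record (assumed shape). Field names follow the whitepaper's Scope
# (constraints, parent_scope_id) and Delegation (allowed_actions); the constraint keys
# and reason-code strings are constructed for this example.
@dataclass
class Scope:
    scope_id: str
    allowed_actions: frozenset
    constraints: dict                    # numeric limits or sets of permitted values
    parent_scope_id: Optional[str] = None

def attenuation_violations(parent: Scope, child: Scope) -> list:
    """Return a reason code for every way `child` widens `parent`; empty if it only narrows."""
    reasons = []
    extra = child.allowed_actions - parent.allowed_actions
    if extra:
        reasons.append("scope_extends_actions:" + ",".join(sorted(extra)))
    for key, limit in parent.constraints.items():
        if key not in child.constraints:          # dropping a constraint widens the scope
            reasons.append("scope_drops_constraint:" + key)
        elif isinstance(limit, (int, float)):
            if child.constraints[key] > limit:    # numeric limits may only go down
                reasons.append("scope_raises_limit:" + key)
        elif not set(child.constraints[key]) <= set(limit):   # value sets may only shrink
            reasons.append("scope_widens_set:" + key)
    return reasons

def delegate(parent: Scope, child: Scope):
    """Decide a delegation request using the whitepaper's decision vocabulary."""
    if child.parent_scope_id != parent.scope_id:
        return "deny", ["parent_scope_mismatch"]
    reasons = attenuation_violations(parent, child)
    return ("deny", reasons) if reasons else ("allow_with_constraints", [])

def verify_chain(scopes):
    """Walk a delegation chain root -> leaf; return (failing scope_id, reasons) or None."""
    for parent, child in zip(scopes, scopes[1:]):
        decision, reasons = delegate(parent, child)
        if decision == "deny":
            return child.scope_id, reasons
    return None
```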
5 · Contract surface
The Core OpenAPI specification publishes 57 endpoints across nine resource families: Entities, Delegations, Scopes, Access Rights, Credentials, Attestations, Runtime, Signals, Audit, Proof Bundles, Transparency, Federation, Webhooks, Conformance. Every endpoint is defined with a JSON Schema 2020-12 contract; every schema has at least one validated example. The Payments profile adds a sector PDP (sPDP) with currency / amount / rail / approval gating. Conformance fixtures — 26 in v1.0 — assert deterministic behaviour under happy and edge-case paths.
Every state-changing endpoint accepts an Idempotency-Key header and returns the original response on replay; conflicting bodies under the same key return HTTP 409. Every state-changing endpoint emits an audit event whose correlation_id matches the originating request.
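The replay semantics just described (same key and body returns the original response, same key with a different body returns HTTP 409, cached for the 24 hours stated in section 8), as an added example that is not the reference Gateway's own code. The store layout, the canonical-JSON fingerprint and the injectable clock are assumptions made so the expiry can be exercised offline.

```python
import hashlib
import json
import time

IDEMPOTENCY_TTL_SECONDS = 24 * 60 * 60   # whitepaper: idempotency keys cache responses for 24 hours

class IdempotencyStore:
    """In-memory replay cache keyed by the Idempotency-Key header (assumed shape)."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so the 24-hour expiry can be exercised
        self._entries = {}        # key -> {"fingerprint", "status", "response", "stored_at"}

    @staticmethod
    def fingerprint(body) -> str:
        """Canonical JSON hash so key-ordering differences do not count as a conflict."""
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def handle(self, key: str, body, execute):
        """Run `execute(body)` once per (key, body); a replay returns the original response."""
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None and now - entry["stored_at"] > IDEMPOTENCY_TTL_SECONDS:
            del self._entries[key]          # expired: treat as a fresh request
            entry = None
        fp = self.fingerprint(body)
        if entry is not None:
            if entry["fingerprint"] != fp:  # same key, conflicting body
                return 409, {"error": "idempotency_key_conflict", "key": key}
            return entry["status"], entry["response"]
        status, response = execute(body)    # the real state change runs exactly once
        self._entries[key] = {"fingerprint": fp, "status": status,
                              "response": response, "stored_at": now}
        return status, response
```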
6 · Reference runtime
The reference deployment ships:
- A reference Gateway in Node.js (no Express, no external runtime dependency) that implements every endpoint and demonstrates conformant cascade behaviour.
- An embedded PDP library (@kye/epdp) for low-latency local decisions backed by signed bundles.
- An Express PEP middleware (@kye/pep-express) that fails closed for high-risk actions when the central PDP is unreachable.
- Three SDKs — TypeScript, Python, Go — each with idempotency-key support and webhook helpers.
- A conformance runner that executes the fixture pack against any candidate Gateway.
- A Docker image + docker-compose + Helm chart skeleton for production deployment patterns.
The reference is illustrative. It does not implement the patent-track decision algorithm; conformant production Gateways are expected to substitute that mechanism while preserving the open contract surface.
7 · Sectoral profiles
Profiles add sector-specific vocabulary and conformance fixtures to Core. v1.0 ships:
- Federation — cross-trust-domain entity import with attenuated scope and origin metadata.
- Credentials — issue / verify / present / revoke with Ed25519 detached signatures.
- Attestation — SPIFFE / EAT / build-provenance bindings; explicit revocation; stale detection.
- Signals — pub/sub bus with subscribe / ack / replay. Webhook delivery with HMAC signatures + replay window + key rotation.
- Transparency — append-only statement log + signed inclusion receipts.
- Payments — payment authorities, beneficiaries, intents; sPDP with currency / amount / rail / approval gating; PSD3-aligned obligations.
Profiles in design: Treasury, Custody, Healthcare, Payments-EU, Payments-Card, Payments-HighAssurance.
8 · Security & threat model
The reference implementation defends against:
- Replay attacks — webhook signatures include a Unix timestamp and are rejected outside a 5-minute window. Idempotency keys cache responses for 24 hours.
- Tampered audit events — each event’s canonical encoding includes its predecessor’s hash; the verify endpoint detects breaks end-to-end.
- Stale revocations — cascade machinery propagates atomically to dependent records before the response returns; downstream PDPs that subscribe to the bus invalidate caches on signal receipt.
- Forged credentials — Ed25519 signatures verified against the gateway’s published JWKS at /.well-known/jwks.json.
- Approval timeout abuse — pending approvals carry a required_by deadline; the runtime expires them and emits a deny signal.
Out of scope for the reference: HSM-backed key custody, multi-tenant gateway hardening, transport-level mTLS configuration. These are deployment concerns; production Gateways must address them.
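An added example, not the reference implementation's code, for two items above: the hash-linked audit chain (section 3's "Audit is an append-only chain" and "Tampered audit events" here) and the timestamped webhook signature with its 5-minute window ("Replay attacks"). The canonical JSON encoding, the genesis value, the "<timestamp>.<payload>" MAC input and the seen-signature set are assumptions; the whitepaper keeps its real hash-chain construction private, so this shows only the general technique.

```python
import hashlib
import hmac
import json

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()   # assumed encoding

def hash_of(body) -> str:
    return hashlib.sha256(canonical(body)).hexdigest()

class AuditChain:
    """Append-only event list: event_hash covers the body plus previous_event_hash."""
    GENESIS = "0" * 64
    def __init__(self):
        self.events = []

    def append(self, body: dict) -> str:
        prev = self.events[-1]["event_hash"] if self.events else self.GENESIS
        event = dict(body, previous_event_hash=prev)
        event["event_hash"] = hash_of(event)   # hashed before the hash field itself is added
        self.events.append(event)
        return event["event_hash"]

    def verify(self):
        """Re-walk the chain; return the index of the first broken link, else None."""
        prev = self.GENESIS
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "event_hash"}
            if ev.get("previous_event_hash") != prev or hash_of(body) != ev["event_hash"]:
                return i
            prev = ev["event_hash"]
        return None

WEBHOOK_WINDOW_SECONDS = 5 * 60   # whitepaper: signatures rejected outside a 5-minute window

def sign_webhook(secret: bytes, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<payload>" so the timestamp is covered by the MAC."""
    return hmac.new(secret, str(timestamp).encode() + b"." + payload, hashlib.sha256).hexdigest()

def verify_webhook(secret, timestamp, payload, signature, now, seen: set) -> bool:
    """Reject stale timestamps, bad MACs, and any signature already accepted in the window."""
    if abs(now - timestamp) > WEBHOOK_WINDOW_SECONDS:
        return False
    if not hmac.compare_digest(sign_webhook(secret, timestamp, payload), signature):
        return False
    if signature in seen:                 # exact replay inside the window
        return False
    seen.add(signature)
    return True
```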
9 · Governance
Vocabulary, schemas, OpenAPI specs and reference Gateway behaviours are published openly under Apache License 2.0 in github.com/KYE-Protocol. Specific mechanism designs (decision algorithms, hash-chain construction, cascade ordering, attenuation propagation) are held pre-filing as intentional placeholders in private/mechanisms/ and are not disclosed publicly, to preserve patent novelty. Conformant implementations may license the mechanism designs royalty-free for any conformant use; full terms are forthcoming with the Linux Foundation / OpenWallet Foundation track.
Trademark policy: KYE™, KYE Protocol™, and Know Your Entity™ refer to the protocol as published. Forks, modifications and unrelated projects must not use the marks to identify themselves.
10 · Roadmap
- v1.1 — Treasury, Custody, Healthcare profiles. Extended signal bus durability options.
- v1.2 — Conformance certification programme. Independent test-vector runners.
- v2.0 — Federation v2 with multi-hop attenuation and cross-jurisdiction proofs. Patent-track algorithms moved to royalty-free open standard.
References
- Visa. Trusted Agent Protocol.
- Persona. Know Your Agent (KYA).
- Sumsub. Agent Verification.
- Trulioo / PayOS. Digital Agent Passport.
- Anthropic. Model Context Protocol.
- OpenID Foundation. AuthZEN, SSF, CAEP.
- SPIFFE Project. SPIFFE Identity Specification.
- OpenSSF. SCITT Architecture.
- NIST. SP 800-207 Zero Trust Architecture.
Cite as: KYE Protocol Project. KYE Protocol™: an open trust layer for the agentic economy. Whitepaper v1.0, April 2026. https://kye-protocol.github.io/whitepaper.html