Every KYE Protocol™ surface, live on the page.
Six interactive widgets in one place. Pick your role and self-route. Simulate an agent-backed purchase and watch the runtime decide. Explore the Decision Map™ chain. Search the KYE Connector Hub™. Map the blast radius of a compromise. Replay an evidence pack. No signup, no install — change the inputs and the runtime semantics become tangible.
Self-route in five seconds.
Nine role cards, each routing to the right entry page on the site. Banks land on the agent-purchase simulator. CISOs land on the Blast Radius Map™. Auditors land on the Evidence Pack Viewer™. Builders land on the Build surface.
Embed it
Drop the widget host into any HTML page and the role-router renders.
<!-- KYE Choose-Your-Role router -->
<div data-role-router></div>
<script type="module" src="https://kye-protocol.github.io/main.js"></script>
Change the inputs. Watch KYE™ decide.
Seven inputs — agent state, customer authority, merchant, basket amount, approval threshold, card / token state, risk state. Four live outputs — runtime decision, Decision Map™, signed webhook event, evidence-pack preview. Decision logic is rule-based for clarity; production runtime mechanism stays on the patent track.
The real call
The simulator above is illustrative. In production, your app makes one POST to the KYE™ Runtime Authority API:
# Double quotes on the Authorization header so the shell expands $KYE_TOKEN;
# inside single quotes the literal string "$KYE_TOKEN" would be sent.
curl -X POST https://gateway.kye.example/v1/runtime/authorize \
  -H "Authorization: Bearer $KYE_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "actor_entity_id": "kye:entity:agent:shopping_agent_456",
    "principal_entity_id": "kye:entity:person:customer_123",
    "subject": "kye:capability:payment_action:card_purchase",
    "resource": { "merchant_id": "M-7104", "amount": 9999, "currency": "GBP" },
    "scope": { "instrument": "kye:card_token:tok_abc..." }
  }'
# → 200 OK
# {
#   "decision": "allow_with_constraints",
#   "reason": "scope_within_attenuated_authority",
#   "obligations": [ { "type": "audit.emit" }, { "type": "basket_hash_binding" } ],
#   "stop_conditions": [ "actor.stop_signal", "delegation.revoked", "scope.attenuated" ],
#   "evidence_refs": [ "kye:evidence-pack:01HX..." ],
#   "decision_map_ref": "kye:decision_map:01HX..."
# }
SDK
import { KyeClient } from '@kye-protocol/sdk';

const kye = new KyeClient({ baseUrl: process.env.KYE_GATEWAY, token: process.env.KYE_TOKEN });

const result = await kye.runtime.authorize({
  actor_entity_id: 'kye:entity:agent:shopping_agent_456',
  principal_entity_id: 'kye:entity:person:customer_123',
  subject: 'kye:capability:payment_action:card_purchase',
  resource: { merchant_id: 'M-7104', amount: 9999, currency: 'GBP' },
  scope: { instrument: 'kye:card_token:tok_abc...' },
});

if (result.decision === 'allow_with_constraints') {
  // honour result.obligations + result.stop_conditions
} else if (result.decision === 'require_approval') {
  // queue human approver, retry with same policy_decision_id
}
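One way to honour the obligations and stop conditions in that response while failing closed, as an added example that is not part of the original page or of @kye-protocol/sdk. The names `enforceDecision` and `OBLIGATION_HANDLERS`, the `ctx` fields and the `proceed` / `hold` / `deny` actions are assumptions; the response fields are the ones shown in the sample above.

```javascript
// Added example: hypothetical client-side gate, not part of @kye-protocol/sdk.
// Obligation types this client can discharge (assumed set, from the sample response).
const OBLIGATION_HANDLERS = {
  'audit.emit': (ctx) => { ctx.auditLog.push({ refs: ctx.evidenceRefs }); return true; },
  'basket_hash_binding': (ctx) => typeof ctx.basketHash === 'string' && ctx.basketHash.length > 0,
};
const deny = (reason) => ({ action: 'deny', reason });

function enforceDecision(result, ctx) {
  if (!result || typeof result.decision !== 'string') return deny('malformed_response');
  if (result.decision === 'require_approval') return { action: 'hold', reason: 'awaiting_approver' };
  // Any value other than the one known allow value is refused, including values added later.
  if (result.decision !== 'allow_with_constraints') return deny('decision:' + result.decision);

  const { obligations, stop_conditions: stops, evidence_refs: refs } = result;
  if (!Array.isArray(obligations) || !Array.isArray(stops)) return deny('missing_constraints');
  if (!Array.isArray(refs) || refs.length === 0) return deny('no_evidence_binding');

  // Pass 1: refuse before any side effect if a single obligation is not understood.
  for (const o of obligations) {
    if (!o || !Object.hasOwn(OBLIGATION_HANDLERS, o.type)) {
      return deny('unsupported_obligation:' + (o && o.type));
    }
  }
  // Pass 2: discharge each obligation; one failure blocks the action.
  const runCtx = { ...ctx, evidenceRefs: refs };
  for (const o of obligations) {
    if (!OBLIGATION_HANDLERS[o.type](runCtx)) return deny('obligation_failed:' + o.type);
  }
  // The caller must halt the agent when any of these signals arrives.
  return { action: 'proceed', stopOn: new Set(stops) };
}

// Constructed sample, copied from the response shown for the curl call.
const SAMPLE_RESPONSE = {
  decision: 'allow_with_constraints',
  reason: 'scope_within_attenuated_authority',
  obligations: [{ type: 'audit.emit' }, { type: 'basket_hash_binding' }],
  stop_conditions: ['actor.stop_signal', 'delegation.revoked', 'scope.attenuated'],
  evidence_refs: ['kye:evidence-pack:01HX...'],
  decision_map_ref: 'kye:decision_map:01HX...',
};
```
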
Every decision comes with a map.
The runtime emits a signed Decision Map™ with every /v1/runtime/authorize response. Below: a sample chain — principal → delegation → actor → capability → scope → state → policy → decision, bound to audit_ref + evidence_refs.
Render it yourself
import { renderDecisionMap } from '@kye-protocol/sdk/widgets';

renderDecisionMap(document.querySelector('#dm-host'), {
  decision: 'allow_with_constraints',
  reason: 'scope_within_attenuated_authority',
  nodes: [
    { type: 'principal', ref: 'kye:entity:person:customer_123', short: 'customer_123' },
    { type: 'delegation', ref: 'kye:delegation:tpp_to_agent_002', short: 'tpp_to_agent_002' },
    { type: 'actor', ref: 'kye:entity:agent:shopping_agent_456', short: 'shopping_agent' },
    { type: 'capability', ref: 'kye:capability:payment_action:card_purchase', short: 'card_purchase' },
    { type: 'scope', ref: 'kye:scope:eu_eea_corridor_below_500_gbp', short: '≤ £500 EU/EEA' },
    { type: 'state', ref: 'kye:state:active', short: 'active' },
    { type: 'policy', ref: 'kye:policy:agent_purchase_v1', short: 'agent_purchase_v1' },
  ],
  audit_ref: 'kye:audit:event_001',
  evidence_refs: ['kye:evidence-pack:authority_revocation_001'],
});
Search ~45 reference connectors.
Six families, fourteen connector_type categories. Each row shows the type, status, and side_effect_level from the canonical manifest dictionary — so you can pick the right connector for the right risk envelope before you install.
Connector manifest shape
{
  "schema_version": "kye.connector_manifest.v1",
  "connector_id": "kye:connector:ipg:example_gateway",
  "name": "Example IPG Connector",
  "connector_type": "internet_payment_gateway",
  "category": "payments",
  "version": "1.0.0",
  "supported_profiles": [
    "kye.core.v1", "kye.payment_authority.v1",
    "kye.agent_purchasing.v1", "kye.webhooks.v1", "kye.evidence.v1"
  ],
  "risk": {
    "risk_level": "high",
    "side_effect_level": "move_money",
    "requires_signature_verification": true,
    "requires_idempotency": true,
    "requires_audit_event": true
  },
  "events": {
    "subscribes_to": ["kye.authority.revoked", "kye.decision.requires_approval"],
    "publishes": ["kye.purchase_authority.allowed", "kye.purchase_authority.denied"]
  },
  "status": "active"
}
See what breaks before it breaks.
Pick a compromised credential, agent, capability, delegation, or principal. The Blast Radius Map™ shows the downstream agents, payment authorities, capabilities, sessions, and webhooks that fan out — plus the required revocations a runbook should execute.
The cascade event
When KYE™ emits a revocation, every subscriber receives the same signed envelope:
{
  "schema_version": "kye.webhook.v1",
  "event_id": "kye:event:01HX...",
  "event_type": "kye.authority.revoked",
  "occurred_at": "2026-05-07T21:30:00Z",
  "actor_entity_id": "kye:entity:agent:shopping_agent_456",
  "principal_entity_id": "kye:entity:person:customer_123",
  "subject_ref": "kye:authority:grant:purchase_001",
  "reason_code": "principal_revoked_authority",
  "data": {
    "previous_state": "active",
    "new_state": "revoked",
    "affected_capabilities": ["kye:capability:payment_action:card_purchase"]
  },
  "audit_ref": "kye:audit:event_001",
  "evidence_refs": ["kye:evidence-pack:authority_revocation_001"],
  "delivery": { "idempotency_key": "kye:event:01HX...", "replayable": true },
  "signature": {
    "algorithm": "ed25519",
    "key_id": "kye:key:webhook_signing_001",
    "signature": "..."
  }
}
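A subscriber-side sketch of consuming that envelope safely, as an added example that is not part of the original page or of @kye-protocol/sdk: it checks the signature before touching state, de-duplicates on `delivery.idempotency_key`, and records the revoked capabilities per actor. `createRevocationReceiver`, its return strings and the injected `verifySignature(envelope)` callback are assumptions; the page names ed25519 and a `key_id` but not the bytes that are signed, so verification is supplied by the caller.

```javascript
// Added example: hypothetical receiver, not part of @kye-protocol/sdk.
// verifySignature(envelope) -> boolean is injected by the caller (assumption).
function createRevocationReceiver(verifySignature) {
  const applied = new Set();  // idempotency keys already processed
  const revoked = new Map();  // actor_entity_id -> Set of revoked capability refs

  function receive(envelope) {
    if (!envelope || envelope.schema_version !== 'kye.webhook.v1') return 'rejected:schema';
    // Verify before touching any state: an unsigned forgery must not be able to
    // burn an idempotency key and make the genuine event look like a duplicate.
    if (typeof verifySignature !== 'function' || verifySignature(envelope) !== true) {
      return 'rejected:signature';
    }
    const key = envelope.delivery && envelope.delivery.idempotency_key;
    if (typeof key !== 'string' || key === '') return 'rejected:idempotency_key';
    if (applied.has(key)) return 'duplicate';  // replayed delivery, nothing to redo
    if (envelope.event_type !== 'kye.authority.revoked') return 'ignored';

    const data = envelope.data || {};
    const caps = data.affected_capabilities;
    if (data.new_state !== 'revoked' || !Array.isArray(caps) || !envelope.actor_entity_id) {
      return 'rejected:payload';
    }
    const set = revoked.get(envelope.actor_entity_id) || new Set();
    caps.forEach((c) => set.add(c));
    revoked.set(envelope.actor_entity_id, set);
    applied.add(key);  // mark as processed only after the revocation is recorded
    return 'applied';
  }

  const isRevoked = (actor, capability) =>
    revoked.has(actor) && revoked.get(actor).has(capability);
  return { receive, isRevoked };
}

// Constructed envelope, trimmed from the sample above; the ids and the
// signature string are stand-ins, not real values.
const SAMPLE_EVENT = {
  schema_version: 'kye.webhook.v1',
  event_type: 'kye.authority.revoked',
  actor_entity_id: 'kye:entity:agent:shopping_agent_456',
  data: { previous_state: 'active', new_state: 'revoked',
          affected_capabilities: ['kye:capability:payment_action:card_purchase'] },
  delivery: { idempotency_key: 'kye:event:constructed_001', replayable: true },
  signature: { algorithm: 'ed25519', key_id: 'kye:key:webhook_signing_001',
               signature: 'constructed-valid' },
};
```
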
Replay decisions, verify signatures, map to controls.
Pick a sample evidence pack. Verify its signature offline against the publisher's published JWKS. Replay the bound Decision Map™ against the snapshot inputs. Walk the audit chain. Project the pack onto SOC 2, ISO 27001, EU AI Act, PSD3, or DORA controls via the KYE Compliance Mapping Rail™.
Verify offline
import { verifyEvidencePack } from '@kye-protocol/sdk';

const pack = await fetch('/v1/evidence-packs/01HX...').then(r => r.json());

// Pull the publisher's JWKS once and cache it.
const jwks = await fetch('https://issuer.example/.well-known/jwks.json').then(r => r.json());

const result = await verifyEvidencePack(pack, jwks);
// result.valid            // boolean
// result.algorithm        // "ed25519"
// result.key_id           // "kye:key:evidence_signing_001"
// result.replay_decision  // re-run the bound /v1/runtime/authorize against the
//                         // snapshot inputs; returns the same decision the pack
//                         // recorded — a mismatch emits kye.decision.replay_mismatch.
if (!result.valid) throw new Error('evidence pack signature invalid');