KYE Connector Hub · one manifest, six families

Plug KYE into the systems you already run.

One canonical manifest schema. Six families. A public registry. Apache 2.0. You ship a signed connector and your buyers wire it in.

category Six families star Flagship data_object Manifest menu_book Dictionaries api Endpoints send Events check_circle What ships publish Publish
Six families

Six connector families.

Six families cover the gateways, runtimes, identity stacks, policy engines, security pipes, and verification vendors you already deploy. Pick a family. Ship a manifest. Bind to KYE™.

paymentsPayments & commerceinternet_payment_gateway · mobile_payment_gateway · payment_gateway · checkout · shopping_cart · card_token · wallet · open_banking · merchant_risk · chargeback
smart_toyAI & agent runtimemcp_server · agent_runtime · tool_gateway · capability_registry · model_registry · prompt_registry · workflow
keyIdentity & accessoauth_oidc · saml · scim · spiffe_spire · iam · pam · passkey · credential_issuer
policyPolicy & governanceopa · cerbos · aws_cedar · grc · control_mapping · certification · self_audit
manage_searchSecurity & observabilitysiem · soar · splunk · sentinel · datadog · cloudwatch · kafka · eventbridge · webhook
badgeVerificationkyc_provider · kyb_provider · kya_provider · agent_passport · credential_verification
Connector explorer

Search the Connector Hub reference set.

Search by name, type, or description. Filter by family. Each row shows the type, the current status, and the side-effect level — so you pick the right connector for the right risk envelope.

Flagship connectors

Three flagships. Three top pain points.

Payments, checkout, and agent tooling are where buyers feel the gap first. These three connectors solve the most common KYE™ wiring jobs and ship as Apache 2.0 reference builds.

credit_cardIPG / MPG connectorAdd KYE authority checks to internet and mobile payment gateways. KYE™ authorises the agent before the gateway charges the card.view payment connector → shopping_cartCheckout GuardDetect agent-backed checkouts. Verify the agent is allowed to buy this basket, from this merchant, for this customer. Signed Decision Map per checkout.explore checkout → smart_toyMCP server & connectorExpose KYE authority checks, schemas, and Evidence Packs to MCP-compatible agents and IDEs. Enforcement stays inside the KYE Gateway.explore MCP →
Connector manifest

One canonical schema. Every connector.

Every connector ships a kye.connector_manifest.v1 document. The manifest declares what it does, which profiles it supports, what it subscribes to, what it publishes, and how it authenticates.

{
  "schema_version": "kye.connector_manifest.v1",
  "connector_id":   "kye:connector:ipg:example_gateway",
  "name":           "Example IPG Connector",
  "display_name":   "Example Internet Payment Gateway Connector",
  "connector_type": "internet_payment_gateway",
  "category":       "payments",
  "version":        "1.0.0",
  "publisher": {
    "publisher_entity_id":  "kye:org:kye_protocol",
    "maintainer_entity_ids": ["kye:user:maintainer_001"]
  },
  "description": "Adds KYE authority pre-checks to IPG flows.",
  "supported_profiles": [
    "kye.core.v1", "kye.payment_authority.v1",
    "kye.agent_purchasing.v1", "kye.webhooks.v1", "kye.evidence.v1"
  ],
  "integration_points": [
    { "name": "pre_authorisation_check", "direction": "outbound_to_kye",
      "method": "POST", "path": "/v1/authority:decide", "required": true },
    { "name": "payment_result_webhook",  "direction": "inbound_to_kye",
      "method": "POST", "path": "/v1/events", "required": false }
  ],
  "capabilities": [
    "agent_purchase_check", "payment_authority_check",
    "basket_hash_binding", "merchant_category_scope",
    "approval_threshold", "evidence_pack_generation"
  ],
  "auth": {
    "auth_type": "api_key_or_oauth_client_credentials",
    "supports_key_rotation": true,
    "supports_mtls": true
  },
  "events": {
    "subscribes_to": [
      "kye.authority.revoked", "kye.decision.requires_approval",
      "kye.payment_authority.revoked"
    ],
    "publishes": [
      "kye.purchase_authority.allowed",
      "kye.purchase_authority.denied",
      "kye.purchase_authority.requires_approval"
    ]
  },
  "risk": {
    "risk_level":                    "high",
    "side_effect_level":             "move_money",
    "requires_signature_verification": true,
    "requires_idempotency":          true,
    "requires_audit_event":          true
  },
  "runtime": {
    "deployment_modes":   ["hosted", "byoc", "on_prem"],
    "supported_languages": ["typescript", "python", "go"]
  },
  "integrity": {
    "manifest_hash":     "...",
    "signature_required": true,
    "signature_ref":     "kye:signature:connector_manifest_001"
  },
  "status":     "active",
  "created_at": "2026-05-06T00:00:00Z",
  "updated_at": "2026-05-06T00:00:00Z"
}
Dictionaries

Stable enums. Governed openly.

Five dictionaries underpin the manifest. New values land via the public RFC process. Existing values never change meaning, so your audit trail stays valid under DORA Art. 6.

  • connector_type — the 30+ types listed in the family cards above.
  • connector_category — payments · commerce · agent_runtime · identity · policy · security · observability · governance · verification · audit · compliance · developer_tools.
  • connector_status — draft · submitted · validating · active · deprecated · quarantined · revoked · archived.
  • integration_point_type — pre_authorisation_check · decision_request · event_subscription · webhook_receiver · webhook_sender · evidence_export · audit_import · policy_sync · identity_sync · approval_callback.
  • side_effect_level — read_only · audit_only · decision_only · write_internal · send_external_message · execute_transaction · move_money · modify_authority · admin_action · destructive.
Endpoints

Register, install, monitor, replay.

Three endpoint families cover the lifecycle. Publishers register and version connectors. Operators install and rotate credentials. Subscribers replay events when an audit firm asks.

Publisher endpoints:

  • POST /v1/connectors · GET /v1/connectors · GET /v1/connectors/{id} · PATCH
  • POST /v1/connectors/{id}:validate · :publish · :deprecate · :quarantine · :revoke

Operator endpoints:

  • POST /v1/connector-installations · GET · GET .../{id} · PATCH · DELETE
  • POST /v1/connector-installations/{id}:test · :rotate-credentials

Event endpoints:

  • POST /v1/connectors/{id}/events · GET /v1/connectors/{id}/events · POST /v1/connectors/{id}:replay-events
Connector events

Twelve lifecycle events.

Lifecycle events fan out on the KYE Signal Bus over signed webhooks. You monitor health, gate installs behind validation, and rotate keys before signatures expire. (The signature suite is part of the patent track and not disclosed here; SDK helpers ship the verification path.)

  • kye.connector.registered · validated · validation_failed · published
  • kye.connector.deprecated · quarantined · revoked
  • kye.connector.installed · installation_failed · health_degraded
  • kye.connector.credential_rotation_required · event_replay_requested
What ships today

Open contracts. Apache 2.0.

The schema must be open or the ecosystem will not grow. You can author, test, and publish a connector against the manifest without paying for a hosted service.

SurfaceWhat you get
SchemasConnector manifest schema, five dictionaries, event schemas
Reference connectorsSample IPG, sample checkout, sample MCP, sample SIEM — full source, Apache 2.0
Test harnessLocal connector test harness, conformance fixtures, signature verifier
Self-hosted runtimeKYE Reference Gateway: PEP middleware, embedded ePDP, conformance runner
Publish a connector

Five steps. Idea to registry.

From draft to public registry in roughly five working days. Each step is signed and audited under ISO 42001 plus the KYE Conformance Pack.

  1. P1Author the manifest. Fill in type, supported profiles, integration points, capabilities, side-effect level, and auth modes.
  2. P2Run conformance. The local test harness validates the manifest, the integration points, and the event signatures.
  3. P3Sign & submit. POST /v1/connectors with the signed manifest. The programme runs :validate.
  4. P4Programme review. Schema, behaviour, side-effect class, auth, and audit emission. About five working days.
  5. P5Publish. :publish — your connector lands in the public registry and the Connector Hub.
handshake Partner programme → workspace_premium Certification code Reference connectors forum Talk to the programme
Adjacent reading

Where to go next.

If you want to build first, head to Build. If you want to integrate with adjacent standards, head to Integrations. If you want to partner, head to Partners.

construction Build → smart_toy MCP server extension Adjacent standards

Ready to see your AI agents flagged?

Start in shadow mode. We’ll deliver your first Evidence Pack in 4–8 weeks.

rocket_launch Apply for pilot → science Try the sandbox →