Integrations · what KYE™ composes with
KYE™ doesn’t replace your stack — it binds authority across it.
KYE™ composes with the identity, policy, agent runtime, payment rail, KYC / KYB / KYA, SIEM, GRC, and audit stack you already run. Each row carries a conformance status: shipping, reference pattern, or roadmap.
OAuth 2.0 · OIDC · SAML · SPIFFE · mTLS · passkeys.
| Integration | Connector type | Status | Notes |
|---|---|---|---|
| OAuth 2.0 + PKCE | oauth_oidc | Shipping | Token introspection feeds the actor + on-behalf-of binding. |
| OpenID Connect | oauth_oidc | Shipping | ID-token claims map into the principal entity. |
| SAML 2.0 | saml | Reference pattern | Federated identity assertion translated into KYE™ delegations. |
| SCIM 2.0 | scim | Reference pattern | Workforce provisioning into the entity registry. |
| SPIFFE / SPIRE | spiffe_spire | Shipping | SPIFFE ID becomes the workload entity URN; SVID feeds attestation. |
| mTLS | mtls | Shipping | Front-the-Gateway pattern: the reverse proxy verifies the client certificate and passes X-Client-Cert-Subject. |
| Passkeys / WebAuthn | passkey | Reference pattern | Passkey assertion as the “principal authenticated” factor in step-up flows. |
| Verifiable Credentials (W3C) | credential_issuer | Shipping | Native: kye-credentials-v1 profile. |
OPA · Cerbos · AWS Cedar.
| Integration | Connector type | Status | Notes |
|---|---|---|---|
| Open Policy Agent (OPA / Rego) | opa | Shipping | Reference policy bundles: Core (kye_authz.rego) + Payments (payments_spdp.rego). |
| Cerbos | cerbos | Shipping | Derived-roles + resource-policy bundles for the Core profile + sector overlays. |
| AWS Cedar | aws_cedar | Reference pattern | Cedar policy bundle for the Core profile. |
| AuthZEN (OpenID) | authzen | Reference pattern | KYE™ Decision API maps onto the AuthZEN authorization-API shape. |
MCP · agent frameworks · tool gateways.
| Integration | Connector type | Status | Notes |
|---|---|---|---|
| Model Context Protocol (MCP) | mcp_server | Roadmap (v1.1) | KYE MCP Server™ design specification published; reference implementation ships v1.1. |
| Agent runtime (LangChain / LlamaIndex / DSPy / custom) | agent_runtime | Reference pattern | SDK-level integration: the agent loop calls POST /v1/runtime/authorize before any external action. |
| Tool gateway (function-calling) | tool_gateway | Reference pattern | Each tool invocation becomes a capability invocation with a Decision Map™. |
IPG / MPG / card-token / wallet / open-banking initiation.
| Integration | Connector type | Status | Notes |
|---|---|---|---|
| Internet payment gateway (IPG) | internet_payment_gateway | Reference pattern | Pre-authorisation hook; KYE™ authorises the agent before the gateway processes the payment. |
| Mobile payment gateway (MPG) | mobile_payment_gateway | Reference pattern | Same shape as IPG; mobile-flow attestation. |
| Card token / vault | card_token | Shipping | Schema rejects raw PAN; token-only references; PCI null CDE. |
| Wallet | wallet | Shipping | Wallet-bound spend control; per-instrument scope intersection. |
| Open-banking payment initiation | open_banking | Reference pattern | PSD2 / PSD3 SCA binding; consent-to-authority mapping. |
| OpenBankProject (OBP) | open_banking | Roadmap | Sandbox connector pattern documented; managed connector planned. |
Verification providers feed the entity record; KYE™ binds authority.
Identity-verification vendors are upstream of the KYE™ entity record. KYE™ does not duplicate KYC; it consumes the verification result + the verifier’s evidence URI and binds the result into the entity’s authority surface.
| Integration shape | Connector type | Status | Notes |
|---|---|---|---|
| KYC provider (per-individual identity) | kyc_provider | Reference pattern | Persona / Sumsub / Onfido / Trulioo — result becomes a signed credential bound to the person entity. |
| KYB provider (business identity) | kyb_provider | Reference pattern | Middesk / Mesh / Companies House feed bound to the business entity record. |
| KYA provider (agent identity / passport) | kya_provider | Reference pattern | Agent passport schema; Skyfire / Coinbase x402-style agent identity feeds. |
| Agent passport | agent_passport | Shipping | Native: kye-attestation-v1 profile. |
Signed events stream into your security stack.
| Integration | Connector type | Status | Notes |
|---|---|---|---|
| Splunk HTTP Event Collector | splunk | Shipping | Reference exporter under plugins. |
| Microsoft Sentinel | sentinel | Shipping | Sentinel exporter plugin. |
| Datadog | datadog | Reference pattern | Logs API + custom-metric integration. |
| AWS CloudWatch | cloudwatch | Reference pattern | Log group + EventBridge fan-out. |
| Kafka / EventBridge / SNS | kafka | Reference pattern | Event bus fan-out for signed signals. |
Control mappings feed your governance system of record.
| Integration shape | Connector type | Status | Notes |
|---|---|---|---|
| GRC platform (AuditBoard / Vanta / Drata / OneTrust) | grc | Reference pattern | KYE™ evidence packs feed the platform’s evidence repository; control-mapping JSON exports. |
| Control-mapping export | control_mapping | Shipping | 266 control mappings across 13 horizontal frameworks (SOC 2, ISO 27001, PCI DSS, PSD2/3, DORA, NIS2, EU AI Act, ISO 42001, NIST AI RMF, NIST 800-207, NIST CSF, GDPR, FedRAMP) plus sector overlays. |
| Self-audit attestation | self_audit | Shipping | Native: kye-self-audit-attestation-v1 profile. |
Standards the auditor already accepts.
| Standard | Status | Notes |
|---|---|---|
| OSCAL (NIST SP 800-53A) — component definition / SSP / assessment results / POA&M | Shipping | Reference exporter under plugins; see oscal.html. |
| SCITT receipts (Supply-Chain Integrity, Transparency & Trust) | Reference pattern | Transparency receipt envelope aligns with SCITT; native via kye-transparency-v1. |
| RFC 8949 COSE_Sign1 | Shipping | Webhook signing profile; binary CBOR receipts. |