KYA — Know Your Agent

Developers

An API for agentic governance.

Submit agents for review, query lifecycle state, and receive signed webhooks. The KYA service is a small, focused surface — designed to slot into any agentic stack.

API

Five endpoints, two auth schemes.

A submission webhook, a small admin surface, and a callback. That's all.

  • POST /kya/submissions: Submit an agent for KYA review. Auth: HMAC
  • GET /admin/submissions: List submissions, optionally filtered by state. Auth: Bearer
  • GET /admin/submissions/{id}: Get a submission with its KYA profile. Auth: Bearer
  • POST /admin/submissions/{id}/profile: Create or update the KYA profile (upsert). Auth: Bearer
  • POST /admin/submissions/{id}/decide: Approve or reject a submission. Fires callback. Auth: Bearer

Authentication

Signed requests, not API keys in clear.

Inbound webhooks are HMAC-signed. The admin API uses short-lived bearer tokens. Both are constant-time compared.

HMAC

Webhooks

X-Signature = hex(HMAC-SHA256(raw_body, secret)). Constant-time compared on receipt.

Bearer

Admin API

Authorization: Bearer <jwt>. HS256 token from POST /admin/auth/login, 24 h TTL.

Internal

Callbacks

X-Internal-Secret on callbacks back to the platform. Static, rotatable.

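signed-request.sh (bash)
# Construct the signature input: the exact raw body bytes that will be sent.
# TS is computed but not used below; X-Signature covers the raw body only.
TS=$(date +%s)
BODY='{"agent_id":"agt_01HEZ8K3W9XM2","spend_cap":50000,"spend_currency":"USD"}'
# X-Signature = hex(HMAC-SHA256(raw_body, secret)); awk keeps only the hex digest.
# Note: -hmac takes the key as a command-line argument, so it is visible in the
# process list while openssl runs.
SIG=$(printf '%s' "$BODY" | openssl dgst -sha256 -hmac "$KYA_WEBHOOK_SECRET" -hex | awk '{print $2}')

# Send the request with the same bytes that were signed
curl -X POST "$KYA_URL/kya/submissions" \
  -H "Content-Type: application/json" \
  -H "X-Signature: $SIG" \
  --data "$BODY"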

Submission

POST /kya/submissions

The platform posts a signed submission when an owner submits an agent for review. The endpoint is idempotent on agent_id — re-posting returns the existing record.

  • Idempotent on agent_id
  • Validates required fields
  • Rejects duplicate fingerprints with 409
  • Returns the created or existing submission

submission.json (json)
{
  "agent_id": "agt_01HEZ8K3W9XM2",
  "owner_id": "own_01HEZ7Q83T",
  "owner_email": "[email protected]",
  "agent_name": "Procurement Bot",
  "fingerprint": "sha256:9a4f2c7e1d…b21c",
  "spend_cap": 500000,
  "spend_currency": "USD",
  "submitted_at": "2026-05-22T09:14:08Z"
}

decision-callback.json (json)
{
  "decision": "approved",
  "reason": "Low risk score; oversight enabled.",
  "reviewed_by": "[email protected]"
}

Webhooks

Events you can subscribe to.

Every state transition produces a signed, append-only event. Delivery is at-least-once; the event_id is the deduplication key.

kya.submission.received (outbound)

A new agent submission has been accepted for review.

kya.profile.collected (outbound)

An operator has filled or updated the agent's KYA profile.

kya.decision.approved (outbound)

Compliance review approved the agent. Activation allowed.

kya.decision.rejected (outbound)

Compliance review rejected the agent. Owner may resubmit.

agent.frozen (outbound)

An owner or operator has revoked the agent's authority.
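
The following is an added example, not code from the KYA service: a receiver that checks X-Signature over the raw body with a constant-time comparison and then deduplicates on event_id, as the Authentication and Webhooks sections describe. It assumes outbound events are signed with the same X-Signature scheme and carry event_id in the JSON body; the secret, the event values and the `type` field are constructed for illustration.

```python
import hashlib
import hmac
import json


def sign(raw_body: bytes, secret: bytes) -> str:
    """hex(HMAC-SHA256(raw_body, secret)), the X-Signature value."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Verifies X-Signature over the raw bytes, then deduplicates on event_id."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = set()  # in-memory for the example; a real receiver needs a durable store

    def handle(self, raw_body: bytes, signature_header: str) -> str:
        expected = sign(raw_body, self._secret).encode()
        supplied = (signature_header or "").strip().lower().encode()
        # Constant-time comparison; bytes on both sides so non-ASCII input cannot raise.
        if not hmac.compare_digest(expected, supplied):
            return "rejected"
        # Parse only after verification, and only the bytes that were verified.
        event_id = json.loads(raw_body).get("event_id")
        if not event_id:
            return "rejected"
        if event_id in self._seen:
            return "duplicate"  # at-least-once delivery: acknowledge, do not re-process
        self._seen.add(event_id)
        return "processed"


# Constructed sample data (not a real secret or event)
SECRET = b"example-webhook-secret"
EVENT = b'{"event_id":"evt_example_001","type":"kya.decision.approved","agent_id":"agt_01HEZ8K3W9XM2"}'
# Same JSON re-serialised: the bytes differ, so the original signature no longer matches.
REENCODED = json.dumps(json.loads(EVENT)).encode()

if __name__ == "__main__":
    rx = WebhookReceiver(SECRET)
    sig = sign(EVENT, SECRET)
    for body, header in [(EVENT, sig), (EVENT, sig), (REENCODED, sig), (EVENT, "00" * 32)]:
        print(rx.handle(body, header))
```

The third case is the common integration failure: a framework that parses and re-serialises the JSON before verification changes the bytes, so the signature must be checked against the body exactly as received.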

Early access

Ship agents that can be trusted.

Request API access and we'll set you up with a sandbox tenant.