KYE
Sandbox
$ demo · runs in your browser

What you get

A signed envelope your buyer can verify without calling us. No portal log-in. No vendor cooperation.

Example envelope

A representative shape. Your auditor verifies the signature over the canonical bytes.

loading...

CLI

Two commands. One to seal a period. One to verify what someone gave you.

$ kye report generate \
    --kind soc2_type2 \
    --framework soc_2

# → signed kye.report.v1 envelope returned in stdout

$ kye report verify --id kye:report:soc2_type2:acme:2026Q2
{"ok": true, "verified": true}

How you verify offline

Four steps. No KYE service contact required.

  1. Receive the envelope. Receive the signer's public key from the JWKS (JSON Web Key Set) at the publisher's well-known URL.
  2. Recompute the canonical bytes with JCS (JSON Canonicalization Scheme, RFC 8785).
  3. Run Ed25519.verify(pubkey, canonical_bytes, signature_b64).
  4. If the verify call returns true, you trust the report. If false, you reject it.

The derivation construction is proprietary and is not disclosed in this repository.