Protocols
Open standards. Vendor-neutral interfaces. No bespoke wire format.
Every surface that calls KarmanFlow is shaped around a published spec. UCP for capabilities, MCP for tools, RFC 9421 for signed transport, Standard Webhooks v1 for outbound delivery, GraphQL for reads and writes, OAuth 2.1 for CLI auth. Build against the standard; KarmanFlow keeps the implementation boundary honest.
Implemented and preview
Protocol surface with status attached.
These rows link to a public standard or hosted KarmanFlow guide. Implemented means the contract exists in the split proof; preview means hosted access or release evidence is still being proven.
Universal Commerce Protocol Phase 1 (Preview)
Open commerce protocol for capability discovery, signed transport, and schema-first request/response shapes. Vendor-neutral; the namespace is reverse-domain.
What KarmanFlow does: Discovery is documented for /.well-known/ucp with date-versioned adapters. Standard catalog aliases search_catalog, lookup_catalog, and get_product return UCP envelopes, and karmanflow.ucp.models exposes cart, checkout, order, payment, fulfillment, catalog, and extension UI model coverage without making UCP the core dependency.
Model Context Protocol Streamable HTTP (Preview)
JSON-RPC tool-calling protocol for AI agents to discover and execute typed capabilities on remote systems. Streamable HTTP is the current web transport.
What KarmanFlow does: Command registry entries are documented as MCP tools for preview. Tool calls go through the same policy gate humans do; risky calls route through approval before the underlying command runs.
RFC 9421 HTTP Message Signatures RFC 9421 (IETF, 2024) (Implemented)
Standardized cryptographic signing of HTTP requests and responses for integrity, identity binding, and replay defense.
What KarmanFlow does: UCP/MCP traffic is designed to verify RFC 9421 signatures when tenant or partner policy requires it, and to verify when signature headers are present. Signing keys can come from inline JWKs, PEM public keys, or JWKS URIs.
Standard Webhooks v1 (Implemented)
Open specification for HMAC-signed webhook delivery, replay protection, and idempotency headers. Lets subscribers use any conforming library (svix-libs, the reference TS impl, or hand-rolled HMAC).
What KarmanFlow does: Every outbound delivery carries webhook-id, webhook-timestamp, and webhook-signature: v1,<base64> headers. The signed string is `${webhook-id}.${webhook-timestamp}.${payload}`, signed with HMAC-SHA256. Conformance is covered by `test/webhook-standard-webhooks-conformance.test.ts`.
GraphQL October 2021 (Preview)
Typed query + mutation language for APIs. One contract that serves every read shape; mutations are type-safe and introspectable.
What KarmanFlow does: The generated reference mirrors the schema shape the operator console reads. Mutations wrap the command envelope so every write produces a receipt. GraphiQL at /developers/explorer is wired for the configured read-only sandbox endpoint when available.
OAuth 2.1 Device Authorization Grant RFC 8628 (Preview)
Browser-flow consent for a CLI or headless device that cannot host a redirect URI. Issues short-lived bearer tokens after the user authorizes the device code in their browser.
What KarmanFlow does: The CLI auth design uses Device Authorization Grant to mint scoped tokens. Tokens are tenant + environment + scope-bound; refresh tokens are opaque so revocation is server-side.
Server-Sent Events WHATWG (Preview)
Plain HTTP one-way streaming. Lower-overhead than WebSockets when the stream only flows server-to-client, plays nice with HTTP/2, and survives proxies.
What KarmanFlow does: The operator console design subscribes to a tenant-scoped SSE stream for receipts, command status, approvals, and signal alerts. No polling. Works on the same fetch surface as the rest of the console.
JSON Schema 2020-12 (Implemented)
Schema definition language for typed data validation. Backs API contracts, event payloads, and capability shapes across tooling.
What KarmanFlow does: Every UCP capability ships a JSON Schema for its request and response. Event payloads validate against the catalog. MCP tool input + output schemas share the same public shape so agents know the contract before they call.
OpenTelemetry OTel 1.x (Implemented)
Vendor-neutral distributed tracing, metrics, and log standard. One set of SDKs feeds Jaeger, Tempo, Grafana, Datadog, Honeycomb, or any backend that speaks OTel.
What KarmanFlow does: Commands, event relay hops, and webhook delivery paths are instrumented to emit spans. Traces stitch from the originating command id through downstream consumers via the W3C traceparent header.
W3C Trace Context REC (Implemented)
Standard headers (traceparent, tracestate) for propagating distributed traces across service boundaries.
What KarmanFlow does: Commands, events, and webhook deliveries all carry traceparent. Inbound requests honor the caller's trace; outbound deliveries pass it forward so downstream consumers join the same trace.
CSV (RFC 4180) RFC 4180 (Preview)
Plain comma-separated text for tabular data. Boring, ubiquitous, the lingua franca for inventory feeds, partner exports, and legacy ERPs.
What KarmanFlow does: The file-drop pipeline shape accepts CSV uploads and converts each row into typed inventory commands. Receipts and per-row error reports come back through the same audit trail in the preview path.
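A subscriber-side check for the Standard Webhooks v1 row above, written as an added example (not KarmanFlow's code or its conformance test). It assumes the shared secret is already available as raw key bytes and uses a 300-second replay window; the sample delivery is constructed.

```python
import base64
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: replay window picked for this example


def sign(secret, msg_id, timestamp, payload):
    """Build the 'v1,<base64>' value over '<id>.<timestamp>.<payload>'."""
    signed = f"{msg_id}.{timestamp}.".encode() + payload
    digest = hmac.new(secret, signed, hashlib.sha256).digest()
    return "v1," + base64.b64encode(digest).decode()


def verify(secret, headers, payload, now=None):
    """Return True only for a fresh delivery whose signature matches."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        msg_id = h["webhook-id"]
        timestamp = int(h["webhook-timestamp"])
        candidates = h["webhook-signature"].split()  # may list several signatures
    except (KeyError, ValueError):
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = sign(secret, msg_id, timestamp, payload).encode()
    # Compare every candidate in constant time; no early exit on first match.
    matches = [hmac.compare_digest(expected, c.encode()) for c in candidates]
    return any(matches)


# Constructed sample delivery (not real KarmanFlow traffic).
SECRET = b"constructed-example-secret"
BODY = b'{"type":"inventory.adjusted","sku":"SKU-1","delta":-2}'
SENT_AT = 1700000000
HEADERS = {
    "Webhook-Id": "msg_constructed_001",
    "Webhook-Timestamp": str(SENT_AT),
    "Webhook-Signature": sign(SECRET, "msg_constructed_001", SENT_AT, BODY),
}

if __name__ == "__main__":
    print("fresh:", verify(SECRET, HEADERS, BODY, now=SENT_AT + 10))
    print("replayed:", verify(SECRET, HEADERS, BODY, now=SENT_AT + 3600))
    print("re-serialised:", verify(SECRET, HEADERS, BODY.replace(b":", b": "), now=SENT_AT + 10))
```

Verify against the raw request bytes as received: parsing and re-serialising the JSON before the check changes the signed string and the comparison fails.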
Planned
Designed, not yet exposed.
We do not advertise conformance for protocols we have not shipped. The entries below have a written design and a target phase but are not callable in hosted production today. The doc link describes the posture and the trigger that promotes them.
Agent-to-Agent (A2A) Delegation design (Planned)
Cross-organization agent task delegation: discovery + a structured task object + capability negotiation + signed callbacks.
What KarmanFlow does: Designed for partner agents to delegate to KarmanFlow agents (and back). Same RFC 9421 signing posture; capability discovery rides on the existing UCP profile. Lands when the first signed A2A partner is on the platform.
Agent Payments Protocol (AP2) design (Planned)
FIDO Alliance-backed mandate spec for agent-driven payments. Intent + cart + payment mandates with cryptographic attestation.
What KarmanFlow does: Phase 3 surface. Lands as a mandate-attestation extension on UCP once autonomous checkout is in scope. Until then we point at the spec; we do not claim conformance.
Not in the stack
What we do not speak, and why.
A short stack is a feature. We pick standards that pull weight at the surface and partner with specialist providers for the rest. Below is what is intentionally out of scope.
- SOAP / XML-RPC. Envelope verbosity and namespace ceremony add nothing on top of REST + JSON Schema + RFC 9421. Partners that need SOAP go through a connector adapter.
- gRPC (external surface). gRPC's HTTP/2 + Protobuf assumption fights the web's HTTP/1.1 REST ecosystem. We use it for some internal control-plane RPC; we don't expose it externally.
- EDI (AS2 / X12). Domain-specific to legacy B2B procurement. Partner-led: an EDI provider posts to a connector worker that maps to typed KarmanFlow commands. The core platform stays clean.
Get started
Talk to KarmanFlow in the language of your tools.
Discover capabilities through UCP, call typed tools through MCP, subscribe to events through Standard Webhooks v1. The same audit trail covers all three.