Consent is the only thing that lets the rest of the stack run safely.
UAP — the User Authority Protocol — sits at the foundation of the COYL stack. Without it, BIP / PAP / EAP can become manipulative or creepy. The AI must first know: what did the user authorize me to help with, and how far can I go? Every other layer reads from UAP before it fires. Every grant is bounded, revocable, kill-switch-first, and auditable. The other four layers are downstream of that answer.
MCP connected LLMs to software systems. The COYL stack connects them to the human behavioral system — and the only reason that’s not surveillance is because UAP sits underneath, defining what the user permits, refuses, and can override.
01 · The stack
UAP at the foundation. RAP as the override. Five orthogonal layers, each implementable independently.
UAP holds the user’s standing authority — what the model is permitted to do. BIP is the substrate that says what loop the user is in. PAP narrows action to behavioral interventions with safety guardrails. EAP carries action across devices, one action at a time. RAP sits at the override layer: when risk crosses the floor, it stops every other protocol and routes to a human. Each layer can be implemented independently.
Override layer · fires when risk crosses the floor
RAP v0.1 · draft
When the AI stops coaching and routes to a human. Overrides every other layer.
Action layer
EAP v0.1 · cross-device action
Per-action execution across the device fleet, with consent + reversibility envelopes.
Proposal layer
PAP v0.1 · proactive intervention
LLMs propose, coordinator arbitrates. Multi-vendor Switzerland for behavioral interrupts.
Substrate layer
BIP v0.1 · behavioral context
What loop is the user in right now. The primitive other layers read.
Foundation · what the user permits
UAP v0.1 · standing authority
The consent surface every other layer reads before firing. Bounded grants. Kill-switch first.
Bottom of stack
The user
Who issues UAP grants. Who any of this exists to serve.
02 · The specs
Read the substrate. Propose the moment. Act across the fleet. Hold standing authority.
BIP v0.1 · Apache 2.0
Behavioral Interrupt Protocol
The substrate.
BIP is the consumer-side primitive. Apps emit behavioral signals (a tab-switch, an HRV spike, an open-fridge event). Apps consume a single read API that returns the user’s current behavioral state — archetype, danger-window status, excuse pattern, risk level. No PII. Only behavioral abstractions.
Wearables don’t need to understand psychology. Calendar apps don’t need to model attention. Each emits the signal it already collects; BIP coordinates the meaning. That coordination layer is what every LLM and every device today is missing.
BIP is the substrate both PAP and EAP consume. If you only ship a consumer app, you implement BIP. If you ship an LLM or a device fleet, you read BIP and emit through PAP or EAP.
Behavioral context (read)
GET /v1/context/{user_id}
Authorization: Bearer <token>
{
  "spec_version": "0.1",
  "archetype": "9PM_NEGOTIATOR",
  "archetype_confidence": 0.83,
  "danger_window_active": true,
  "current_excuse_category": "DESERVER",
  "self_trust_score": 74,
  "risk_level": "HIGH",
  "freshness": { "ttl_seconds": 60 }
}
Signal emit (push)
POST /v1/signal
Authorization: Bearer <token>
{
  "user_id": "u_2sj8xks0a",
  "source": "apple_watch",
  "type": "hrv_spike",
  "magnitude": 0.71,
  "captured_at": "2026-05-21T21:47:03Z"
}
Outcome webhook
POST <your_webhook_url>
X-BIP-Signature: sha256=<hmac>
X-BIP-Event: INTERRUPT_RESOLVED
{
  "event": "INTERRUPT_RESOLVED",
  "user_id": "u_2sj8xks0a",
  "outcome": "STOPPED",
  "elapsed_seconds": 47,
  "pattern_update": { "self_trust_score": 1 }
}
PAP v0.1 · Apache 2.0
Proactive-Action Protocol
The behavioral intervention layer.
PAP is how LLMs propose behavioral interventions. A model reads BIP context, decides the moment is right, and submits a Proposal envelope to the COYL Coordinator. The envelope declares the proposed intervention, the rationale, the scope, the channel, and a reversibility class. The Coordinator decides whether to FIRE, DEFER, or REJECT.
PAP exists because behavioral interventions are not free actions. They cost the user’s attention. They can be wrong. They can be overcorrected. The Coordinator enforces rate limits across competing LLMs, dedups proposals targeting the same behavioral moment, checks user scope grants, and respects quiet hours. The user is never spammed by every model on the market firing at the same moment.
PAP is the protocol foundation labs implement to make their assistants behaviorally aware without re-implementing the safety layer. Claude, GPT, and Gemini each emit Proposals. COYL Cloud arbitrates which one — if any — fires.
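One way the Coordinator checks described above could fit together for a batch of competing proposals, as an added sketch that is not COYL's coordinator code. The check order, the `confidence` field, the `partner_b` to `partner_d` ids, the use of `intent` as the dedup key, and every reason string except `confidence_too_low` are assumptions.

```python
from datetime import time

DEFAULT_CONFIDENCE_THRESHOLD = 0.70  # production value given on the page

def in_quiet_hours(windows, local):
    """True if local time is inside any "HH:MM-HH:MM" window."""
    for window in windows:
        start, end = (time.fromisoformat(p) for p in window.split("-"))
        wraps = start > end  # e.g. 22:30-07:00 crosses midnight
        if (local >= start or local < end) if wraps else (start <= local < end):
            return True
    return False

def screen(proposal, grant, used, local):
    """Per-partner checks; None means the proposal may compete to fire."""
    if grant is None or grant["revoked_at"] is not None:
        return ("REJECT", "no_active_grant")
    if "propose:intervention" not in grant["scopes"]:
        return ("REJECT", "scope_not_granted")
    if proposal["confidence"] < DEFAULT_CONFIDENCE_THRESHOLD:
        return ("REJECT", "confidence_too_low")
    if used >= grant["monthly_intervention_cap"]:
        return ("REJECT", "rate_limited")
    if in_quiet_hours(grant["quiet_hours"], local):
        return ("DEFER", "quiet_hours")
    return None

def arbitrate(proposals, grants, usage, local, preference):
    """Return {proposing_llm: (decision, reason)}; one FIRE per intent."""
    rank = {llm: i for i, llm in enumerate(preference)}
    decisions, eligible = {}, {}
    for p in proposals:
        llm = p["proposing_llm"]
        verdict = screen(p, grants.get(llm), usage.get(llm, 0), local)
        if verdict is None:
            eligible.setdefault(p["intent"], []).append(llm)
        decisions[llm] = verdict or ("REJECT", "deduped")
    for llms in eligible.values():  # the user's preference order picks the winner
        first = min(llms, key=lambda llm: rank.get(llm, len(rank)))
        decisions[first] = ("FIRE", "selected")
    return decisions

# Constructed sample data. partner_b..d, "confidence" and every reason string
# except confidence_too_low are assumptions, not part of the page's spec.
OK = {"scopes": ["read:context", "propose:intervention"],
      "quiet_hours": ["22:30-07:00"], "monthly_intervention_cap": 1000,
      "revoked_at": None}
GRANTS = {"claude-opus-4": OK, "partner_b": OK, "partner_c": OK,
          "partner_d": dict(OK, revoked_at="2026-05-20T00:00:00Z")}
SCORES = {"partner_b": 0.90, "claude-opus-4": 0.83,
          "partner_c": 0.55, "partner_d": 0.95}
PROPOSALS = [{"proposing_llm": llm, "intent": "INTERRUPT_LATE_NIGHT_EATING",
              "confidence": c} for llm, c in SCORES.items()]
PREFERENCE = ["claude-opus-4", "partner_b"]
EVENING, NIGHT = time(21, 47), time(23, 0)
```

A revoked grant and a low-confidence proposal are rejected before quiet hours are consulted, so neither is queued as a deferral.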
Proposal envelope
POST /v1/pap/proposal
Authorization: Bearer <llm_partner_key>
{
  "spec_version": "0.1",
  "user_id": "u_2sj8xks0a",
  "proposing_llm": "claude-opus-4",
  "intent": "INTERRUPT_LATE_NIGHT_EATING",
  "rationale_summary": "9pm_negotiator pattern, danger window active",
  "reversibility": "REVERSIBLE",
  "channel_preference": ["push", "watch_haptic"],
  "expires_at": "2026-05-21T21:50:00Z"
}
Coordinator decision
→ 200 OK
{
  "decision": "FIRE",
  "proposal_id": "prop_7xj2k9q",
  "dispatched_channels": ["push"],
  "rate_limit_remaining": 8,
  "competing_proposals_deduped": 2,
  "audit_log_id": "log_aQ91xx"
}
Scope grants (consent)
GET /v1/pap/scope/{user_id}
{
  "grants": [
    {
      "llm_id": "claude-opus-4",
      "scopes": ["read:context", "propose:intervention"],
      "quiet_hours": ["22:30-07:00"],
      "monthly_intervention_cap": 1000,
      "revoked_at": null
    }
  ]
}
EAP v0.1 · Apache 2.0
Execution-Action Protocol
The cross-device action layer.
EAP is the superset. An LLM authors an Action Request — vibrate this Watch, surface this Lock-Screen card, dim this room’s lights, draft this message in the user’s reply queue — and the Coordinator routes it to the right device bridge with the right consent, the right scope, and the right reversibility envelope.
PAP is a subset of EAP focused on behavioral interventions. EAP covers everything else: ambient nudges, calendar actions, browser-context cards, watch glances, surfacing-on-Lock-Screen. The same Coordinator engine governs both. Same audit log. Same revocation surface.
EAP is what makes “your AI” portable across devices without each device fleet needing a direct LLM integration. The LLM speaks EAP. The bridge translates. The user has one consent surface across every model, every device.
Action request
POST /v1/eap/action
Authorization: Bearer <llm_partner_key>
{
  "spec_version": "0.1",
  "user_id": "u_2sj8xks0a",
  "action_type": "WATCH_HAPTIC_CARD",
  "payload": {
    "title": "Pause.",
    "body": "9:47pm. You’re a deserver tonight.",
    "primary_action": "ACKNOWLEDGE",
    "secondary_action": "OVERRIDE"
  },
  "reversibility": "REVERSIBLE",
  "scope": "behavioral_intervention",
  "ttl_seconds": 180
}
Device bridge dispatch
→ 200 OK
{
  "action_id": "act_9k2x7p",
  "bridge": "apple_watch_v1",
  "dispatched_at": "2026-05-21T21:47:08Z",
  "delivery_state": "DELIVERED",
  "user_response_expected_until": "2026-05-21T21:50:08Z"
}
Irreversible-action gate
POST /v1/eap/action
{
  "action_type": "SEND_MESSAGE",
  "reversibility": "IRREVERSIBLE",
  ...
}
→ 202 Accepted
{
  "decision": "AWAITING_USER_CONFIRMATION",
  "confirmation_surface": "lock_screen_card",
  "confirmation_expires_at": "2026-05-21T21:48:00Z"
}
UAP v0.1 · Apache 2.0
User-Authority Protocol
The standing-authority layer.
UAP is the fourth layer of the COYL stack — the trust contract a user issues to an LLM when they want autonomous action without per-action consent. BIP, PAP, and EAP all assume the user is present: the model proposes, the user confirms, the action fires. UAP is for the moments the user is absent. Daily routines. Tomorrow’s calendar. Recurring purchases. Scheduled deliveries. The category every foundation lab is shipping in 2026, with no defensible consent model under it.
UAP defines exactly eight primitives — GRANT, REVOKE, KILL_SWITCH, PRECHECK, EXECUTE, EXPIRE, RULE_DECLARE, AUDIT_QUERY — and a small set of hard invariants. Every grant has a bounded expiry (90 days max, 7 days default). Irreversibles always re-confirm, even under standing grant. The kill switch supersedes every grant, every rule, every in-flight action, and propagates across all surfaces in five seconds. The audit log is append-only, cryptographically signed, and owned by the user — not the LLM, not COYL.
The strategic read is this: the capability for agentic AI exists today. The trust infrastructure does not. UAP is the layer that lets foundation labs ship agentic AI safely without each inventing a brittle ad-hoc consent model — and the layer that, by virtue of being open-spec, audit-defaulted, kill-switch-first, and cross-LLM portable, cannot be reasonably forked by any single lab without losing the portability that gives it value. The protocol is the trust contract. The trust contract is the moat.
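The invariants above, applied at PRECHECK time to a grant shaped like the page's GRANT request; this is an added sketch, not COYL's implementation. The `ALLOW`/`DENY` decision names, the reason strings, the action fields (`scope`, `category`, `amount_usd`, `reversibility`) and the `killed` flag are assumptions, and rule kinds the sketch does not evaluate are denied rather than skipped.

```python
from datetime import datetime, timedelta

MAX_LIFETIME = timedelta(days=90)     # page: 90 days max
DEFAULT_LIFETIME = timedelta(days=7)  # page: 7 days default

def ts(value):
    """Parse the page's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def bounded_expiry(grant, issued_at):
    """GRANT: apply the default lifetime and refuse anything past the cap."""
    raw = grant.get("expires_at")
    expires = ts(raw) if raw else issued_at + DEFAULT_LIFETIME
    if not issued_at < expires <= issued_at + MAX_LIFETIME:
        raise ValueError("expires_at outside the bounded window")
    return expires

def precheck(grant, action, now, killed=False):
    """PRECHECK: (decision, reason). ALLOW/DENY and reasons are assumed names."""
    if killed:  # the kill switch supersedes every grant and rule
        return ("DENY", "kill_switch")
    if now >= ts(grant["expires_at"]):
        return ("DENY", "grant_expired")
    if action["scope"] not in grant["scopes"]:
        return ("DENY", "scope_not_granted")
    # Irreversibles re-confirm even under a standing grant.
    confirm = action["reversibility"] == "IRREVERSIBLE"
    for rule in grant["rules"]:
        if rule["kind"] == "spending_cap":
            if action["amount_usd"] > rule["max_per_action_usd"]:
                return ("DENY", "spending_cap_exceeded")
        elif rule["kind"] == "irreversible_floor":
            # The floor does not trust the reversibility the caller declared.
            confirm = confirm or action["category"] in rule["always_confirm"]
        else:
            # Fail closed: a rule kind this sketch does not evaluate
            # (quiet_hours included) is never skipped silently.
            return ("DENY", "unsupported_rule")
    if confirm:
        return ("AWAITING_USER_CONFIRMATION", "irreversible_floor")
    return ("ALLOW", "within_grant")

# Constructed sample data modelled on the page's GRANT request.
ISSUED = ts("2026-05-22T17:00:00Z")
GRANT = {
    "scopes": ["calendar.write", "messaging.routine", "purchase.recurring"],
    "expires_at": "2026-05-29T17:00:00Z",
    "rules": [
        {"kind": "spending_cap", "max_per_action_usd": 50},
        {"kind": "irreversible_floor",
         "always_confirm": ["money_transfer", "share_pii"]},
    ],
}
REFILL = {"scope": "purchase.recurring", "category": "recurring_order",
          "amount_usd": 30, "reversibility": "REVERSIBLE_WITHIN_WINDOW"}
TRANSFER = dict(REFILL, category="money_transfer", amount_usd=20)
```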
GRANT request
POST /api/uap/v1/grant
Authorization: Bearer coyl_uap_<partner_id>_<secret>
{
  "user_id": "u_2sj8xks0a",
  "scopes": [
    "calendar.write",
    "messaging.routine",
    "purchase.recurring"
  ],
  "expires_at": "2026-05-29T17:00:00Z",
  "rules": [
    { "kind": "spending_cap", "max_per_action_usd": 50 },
    { "kind": "quiet_hours", "from": "00:00", "to": "07:00",
      "tz": "America/Los_Angeles" },
    { "kind": "irreversible_floor",
      "always_confirm": ["money_transfer", "share_pii"] }
  ],
  "consent_artifact": {
    "version": "0.1",
    "shown_to_user_at": "2026-05-22T16:58:00Z",
    "user_response": "explicit_grant",
    "ui_surface": "settings.standing_authority"
  }
}
KILL_SWITCH request
POST /api/uap/v1/kill-switch
Authorization: <user session, not partner token>
{
  "user_id": "u_2sj8xks0a",
  "reason": "user_initiated"
}
→ 200 OK
{
  "killed": true,
  "affected_grant_count": 7,
  "propagation_deadline": "2026-05-22T17:02:19Z",
  "audit_url": "https://coyl.ai/audit/uap/kill_aD9k2x"
}
02b · Live
The coordinator. Not a diagram.
Pick a scenario. Slide a confidence. POST hits /api/v1/protocol/demo — which runs the same isAboveConfidenceThreshold function the production endpoint at /api/pap/v1/proposal uses. The decision you see is what the real coordinator returns.
No panic. Daytime. No rate limit. Decision turns on confidence.
One of the nine PAP scopes the user can grant per LLM partner.
DEFAULT_CONFIDENCE_THRESHOLD = 0.70 in production. Anything below denies with confidence_too_low.
02c · First production integration
COYL is the first PAP partner. Itself.
Every server-side render of /today emits a real PAPProposal row through the COYL Internal partner — partner id coyl_internal. The coordinator evaluates against the user’s real state (panic, quiet hours, rate limit, dedup, confidence). The row persists. The proof is the row count.
Foundation-lab Trust & Safety reviewers querying the audit table see real coordinator traffic from day one. The protocol is not aspirational. It is the production interrupt pipeline.
03 · Why four, not one
Four concerns. Four layers. One coordinator.
BIP — the substrate
Consumer-side. Read & emit.
BIP is what consumer apps and wearables implement. It carries behavioral signal in and behavioral state out. It is a substrate, not an action layer. Everything above it consumes it.
PAP — the behavior layer
LLM proposes. Coordinator arbitrates.
PAP is narrowed to behavioral interventions. The envelope demands rationale + reversibility + scope. The Coordinator enforces rate limits across competing LLMs. The user is not bombarded by every model at the same moment.
EAP — the action layer
Cross-device action with consent envelopes.
EAP carries one action at a time across watch, phone, browser, lock screen, and ambient surfaces. Per-action confirmation for irreversibles. Same audit. Same revocation. Same consent surface — while the user is present.
UAP — the standing-authority layer
User-level. Grant & revoke.
UAP is for the moments the user is absent. The user issues a bounded grant — scope-limited, time-limited, rule-governed. The model acts under it. Every execute is audit-signed. Expiry is hard. The kill switch revokes everything in five seconds. Foundation labs ship agentic AI on this layer or they ship it unsafe.
The layering
UAP holds standing authority. EAP carries one action. PAP narrows to behavior. BIP is the substrate all three consume.
The separation is what lets a wearable implement only BIP without taking on action responsibility. It is what lets a foundation lab implement PAP for behavioral assistants without committing to the full EAP surface. It is what lets a labs partner build agentic-AI features on UAP without re-inventing the consent UI, the audit log, or the kill-switch propagation guarantee. The user’s consent surface stays coherent across every model competing for the same moment and across every grant standing in the background.
04 · The reference engine
The specs are open. COYL Cloud is ours.
Anyone can implement BIP, PAP, or EAP. COYL Cloud is the proprietary reference engine — the same play Anthropic ran with MCP, OAuth ran with authorization, Stripe ran with checkout. Win on data quality and integration depth, not on closed specs.
The Coordinator engine
Rate limits. Dedup. Scope. Quiet hours.
Across every LLM proposing through PAP. Across every action firing through EAP. One arbitration loop. One audit log. One revocation surface. Foundation labs do not need to build this. They route through it.
Audit logs
Every proposal. Every decision. Every outcome.
Append-only. User-visible. Exportable. Required for the kind of consumer trust that lets people grant proactive authority to an LLM in the first place. Required for the compliance surface enterprises actually buy.
Device bridges
iOS. macOS. Watch. Browser.
A library of first-party bridges that translate EAP Action Requests into platform-native primitives. LLMs author EAP. The bridges deliver. New devices ship; the bridges expand; the LLMs don’t need to recompile.
Consent UI
One surface across every model.
The user sees every LLM that has authority, every scope granted, every quiet hour, every revocation. One mental model across Claude, GPT, Gemini, and whatever ships next. The thing every individual LLM’s app can’t build alone.
Pricing
Free up to 1K interventions / user / LLM / month.
- Free tier. 1,000 interventions per user, per LLM partner, per month. Zero cost.
- Usage. $0.001 per intervention above the free tier. Coordinator decisions, audit logs, and bridge dispatch included.
- Strategic seats. Foundation labs, large platforms, and category-defining device fleets — reach out. We size the contract to the integration depth.
05 · Get started
Two paths in. One stack underneath.
Path 01
I’m an LLM partner.
Foundation lab, model provider, or assistant platform. You want to make your model behaviorally aware and authorized to act with consent. Implement PAP + EAP, route through COYL Cloud, ship in weeks not quarters.
Get an API key →
Path 02
I’m an app developer.
Consumer app, wearable, telehealth, productivity, ADHD or GLP-1 tool. You want behavioral context without building the model layer yourself. Implement BIP, emit signals, consume context, ship the smarter product.
BIP SDK examples →
06 · The honest questions
What a corp-dev team actually asks.
Why publish the spec open-source if it’s your moat?
Because the moat is not the spec. The moat is the reference engine + the data quality + the integration library + the consent surface the user actually trusts. Anthropic open-sourced MCP. OAuth was open. Stripe Checkout integrations were open. The spec being open is what makes the category exist. The engine being ours is what makes the company exist.
What stops Anthropic from building this themselves?
Nothing stops them from implementing the spec — that’s the point. What stops them from owning the category is the cross-LLM coordination problem. The user’s consent surface has to span every model. The audit log has to be neutral. A single foundation lab cannot credibly arbitrate proposals from its competitors. The Coordinator has to be Switzerland. That’s the structural reason this layer is not first-party LLM work.
How do you handle rate limits across competing LLMs?
The Coordinator runs per-user, per-LLM, and per-moment rate limits. Per-user caps the total interventions the user receives in any window. Per-LLM enforces the partner’s grant. Per-moment dedups overlapping proposals targeting the same behavioral window — if Claude and GPT both detect the 9pm pattern, only one fires, chosen by user-set preference rules. The user can’t be spammed by every model on the market firing at once.
Can users revoke any LLM’s authority?
Yes — that’s the consent surface. The user sees every LLM that holds any scope, every grant, every quiet hour. Revocation is one tap, takes effect on the next proposal, and is persisted in the audit log. Without this surface, no user grants proactive authority. With it, they do.
How do you handle irreversible actions like “send a message” or “make a purchase”?
EAP requires every Action Request to declare a reversibility class — REVERSIBLE, REVERSIBLE_WITHIN_WINDOW, or IRREVERSIBLE. Irreversible actions never auto-fire. The Coordinator returns AWAITING_USER_CONFIRMATION and pushes a confirmation surface (lock-screen card, watch glance, app intent) with a short TTL. The LLM never directly executes irreversible action; the user does. Same envelope, hard guarantee.
What’s the latency for action firing?
Signal-to-decision is sub-200ms on the Coordinator. Decision-to-bridge-delivery depends on the device — watch haptic is sub-second, push is one to three seconds, lock-screen card is bound by the device’s next-render frame. We expose end-to-end latency in the audit log so partners can measure their own moments without instrumentation.
What about Apple? They won’t adopt this.
Apple doesn’t need to adopt the spec for the spec to work — the device bridges run inside our reference engine. We use the surfaces Apple already exposes (push, App Intents, Watch complications, Live Activities, Lock-Screen widgets). If Apple ever builds a first-party version, the spec is what their developers cite to argue for parity. The protocol is the policy lever.
What’s COYL Cloud’s pricing?
Free up to 1,000 interventions per user, per LLM partner, per month. $0.001 per intervention above that, with Coordinator, audit log, and bridge dispatch all included. Strategic seats for foundation labs and category-defining device fleets are sized to integration depth — reach out and we’ll size the contract together.
Stop being a chatbot. Become behavior-aware.
Four open specs. One reference engine. The trust infrastructure for proactive AI — read the substrate, propose the intervention, act across the fleet, hold bounded standing authority, with consent.