Integrating with AURA
1. Overview β how AURA integrates
AURA lets a passenger move through the airport using one verified identity, created once and reused at security and boarding. To do that, AURA must coordinate with the systems an airport already depends on β but without leaking personal data or losing control of it.
The core idea: tokens, not identities
AURA hands partner systems a meaningless claim-ticket (a token) β never a passenger's real identity or biometric data. Partners coordinate about a passenger using that token; only AURA's on-premise vault at KSIA can resolve a token back to a real person.
The promise every integration keeps
Every connection β without exception β is:
- Authenticated β mutual; AURA knows which system is calling and the partner knows it's really AURA.
- Encrypted β protected in transit, always.
- Token-based β exchange tokens/references, not raw personal data, wherever possible.
- Audited β every exchange writes a tamper-evident audit record (referenced by token).
Two hard lines that never move
- Biometric templates never cross an external boundary. The only system that touches them is the on-premise matching engine at KSIA.
- Raw identity stays on-prem. Partners receive tokens; only the KSIA vault resolves a token to a person.
2. Integration landscape β partner-facing systems & connectors
AURA defines eight integration points (connectors). Six are implemented as working, contract-shaped mocks in the current demonstrator (INT-1, 2, 3, 5, 6, 7); INT-4 and INT-8 are designed and scheduled. Sensitivity refers to the data crossing that boundary.
π’ non-personal / operational Β· π‘ tokenized references Β· π minimal personal data (regulated) Β· π΄ biometric (never crosses by default)
| ID | System | Purpose | Direction | Sensitivity | Placement | Phase |
|---|---|---|---|---|---|---|
| INT-1 | Airline Reservation / DCS | Confirm booking validity; report boarding status | two-way | π‘ / π | partner / cloud | P1 required |
| INT-2 | Airport Operational DB (AODB) | Flight schedules, gates, delays, terminal status | inbound | π’ | partner / cloud | P1 required |
| INT-3 | Document Authentication | Confirm passport/ID is genuine at enrollment | inbound | π transient | partner / cloud | P1 required |
| INT-4 | Government / Border / Watchlist | Mandated identity & security checks | two-way | π | regulated | Later / if mandated |
| INT-5 | Staff Identity / SSO | Authenticate AURA staff to drive RBAC | inbound | π‘ | partner / cloud | P1 required |
| INT-6 | Matching Engine (simulated) | Compare live capture to stored template | internal | π΄ | on-prem | P1 (simulated) |
| INT-7 | Notification Service | Passenger status/guidance messages | outbound | π‘ | partner / cloud | P1 recommended |
| INT-8 | Analytics / Reporting Sink | Aggregated, non-personal operational reporting | outbound | π’ | cloud | P1 optional |
3. Minimum credible pilot integration set
To run a realistic Terminal 6 pilot, AURA needs the smallest set that can anchor identity to a real document, validate the journey against a real booking, give gates correct flight context, authenticate staff, and make a (simulated) gate decision:
| Integration | Why it's in the minimum set |
|---|---|
| INT-1 Airline DCS | Without it, a journey cannot be validated against a real booking |
| INT-2 Airport AODB | Gates need accurate flight & gate context |
| INT-3 Document Auth | Identity must be anchored to a genuine document at enrollment |
| INT-5 Staff SSO | RBAC needs trustworthy staff identities |
| INT-6 Matching engine (simulated) | The deterministic gate decision (on-prem; real engine integrated later) |
| INT-7 Notification recommended | Supports the mobile-first passenger experience |
4. Token-based interface principles
These reusable contract "shapes" let every partner connect the same safe way. Shapes below are illustrative β exact field names are confirmed per partner during onboarding.
P1 Β· Token issuance & resolution (the core mechanism)
- AURA enrolls a passenger and mints an opaque token (e.g.
tok_ab12cd34). - AURA shares only the token with partners.
- When a partner calls back, AURA resolves the token on-prem to act.
- Tokens are scoped (what they can do) and short-lived (auto-expire).
P2 Β· Inbound validation (e.g. DCS booking check)
{ booking_token, flight_number, date }
Response{ valid: true, flight, seat, status }
P3 Β· Outbound status push (e.g. boarding result β DCS)
{ booking_token, status: "boarded", timestamp }
BehaviorIdempotent (safe to retry); every push audited
P4 Β· Verification result (gate β matching engine, on-prem only)
{ identity_ref, live_capture (simulated), stage }
Response{ decision: ALLOW | DENY | REFER, confidence (sim), reason }
RuleNever returns a template or image. On-prem only.
P5 Β· Webhook / event subscription (e.g. AODB flight updates)
AURA subscribes to flight/gate change events. Each event is non-personal (π’), validated, and applied to gate context.
Cross-cutting contract rules (every pattern)
| Rule | Why |
|---|---|
Versioned contracts (e.g. /v1/...) | Partners can upgrade without breaking AURA |
| Idempotency keys on writes | Safe retries; no double-boarding |
| Explicit scopes on every token | Least privilege at the API level |
Standard error shape { error, code, retryable } | Predictable failure handling |
| No personal data in URLs or logs | URLs/logs leak; tokens go in the body |
Synchronous vs asynchronous
5. Partner-by-partner requirements
For each integration: what it's for, what AURA sends out and receives in, the contract pattern that applies, and the firm rule on raw identity / biometrics.
Data-exchange matrix (at a glance)
| Integration | AURA sends OUT | AURA receives IN | Raw identity crosses? | Biometric crosses? |
|---|---|---|---|---|
| INT-1 Airline DCS | booking token, boarding result | booking validity, flight/seat | β token/minimal | β never |
| INT-2 AODB | (nothing personal) | flight schedules, gates, status | β | β |
| INT-3 Doc Auth | document data for the check only | "genuine/valid" + provider ref | π transient, then discarded | β |
| INT-4 Gov/Border | minimal mandated identity + token | eligibility / screening result | π minimal, regulated, audited | β never |
| INT-5 Staff SSO | staff login challenge | staff identity + role | β (staff, not passenger) | β |
| INT-6 Matching (on-prem) | live capture + template ref | match result | stays on-prem | stays on-prem |
| INT-7 Notification | token + message | delivery status | β | β |
| INT-8 Analytics | aggregated metrics | (nothing) | β | β |
{ booking_token, status:"boarded", timestamp }
Partner β AURA{ valid, flight, seat, status }
Partner providesendpoint(s), credentials, booking-token scheme (preferred) or PNR contract, idempotency support
Hard ruleNo raw identity required; prefer an airline-issued booking token over a raw PNR.
{ genuine: true, valid: true, provider_ref } β AURA keeps result + reference
Provider providesverification API, result/reference contract, SLA
Hard ruleRaw document image is discarded after the check; only result + reference are retained.
{ identity_ref, live_capture, stage } β { decision, confidence, reason }
Hard ruleTemplates & results never leave KSIA. A real engine slots into this same contract later with no re-architecture. Listed here for completeness; partners do not integrate to it.
6. Security requirements β auth, encryption, audit, trust boundaries
Every door is a potential break-in point, so each one gets the same strong locks. These rules apply to all integrations.
Authentication & encryption (what we ask of partners)
- Mutual authentication β partner identity and AURA identity are both verified on every connection (e.g. mutual TLS and/or signed tokens).
- Encryption in transit, always β modern TLS; no plaintext, no exceptions.
- Per-partner credentials β every partner has its own keys; any one can be revoked without affecting others.
- Least-privilege scopes β a partner's credentials can do only their integration's job.
- Short-lived tokens β tokens expire quickly; a leaked token soon becomes useless.
- Key rotation β credentials and keys are rotatable on a defined schedule and on demand.
Audit & logging expectations
- Every exchange is audited β AURA writes a tamper-evident audit entry for each call, referenced by token, never by raw identity.
- No personal data in logs or URLs β identifiers travel as tokens in the request body; logs hold tokens and outcomes only.
- Correlation IDs β each request carries a correlation/idempotency id so both sides can trace a transaction without sharing personal data.
- Anomaly alerting β unusual call patterns (volume, timing, scope) raise alerts; partners may be rate-limited.
Trust-boundary rules
| Rule | Plain English |
|---|---|
| No biometrics outbound | Templates/images never cross an external boundary (hard line). |
| Tokens, not identities | Partners coordinate via tokens; the tokenβidentity map stays on-prem. |
| Inbound validation | Treat all inbound data as untrusted; validate before use. |
| Separation of channels | Non-personal (AODB, analytics) travels on different paths from regulated (gov/border). |
| Rate limiting & throttling | Partners are throttled; abusive/anomalous patterns are blocked. |
| Governed new sharing | Sending personal data to a new partner requires an internal approval gate before go-live. |
7. Error-handling & fallback expectations
Partners will sometimes be slow, down, or wrong. AURA must never strand a passenger and never make an unsafe decision because a partner failed.
Core failure principles
- Fail safe, not open. If a security-relevant check can't complete, the result is REFER to a human β never an automatic ALLOW.
- Gates keep working. Because the gate decision is on-prem (INT-6), a cloud or partner outage doesn't stop checkpoints/boarding for already-validated journeys.
- Human fallback owns the edge cases. Airport operations + airline/customer service handle fallbacks, with manual override and full audit.
Standard error contract
Every interface returns { error, code, retryable: true|false } so AURA can
consistently decide retry (transient) vs. REFER/escalate (non-retryable).
Per-integration fallback behavior
| Integration | If it fails⦠| Fallback |
|---|---|---|
| INT-1 DCS (sync check) | can't validate booking | REFER to staff for manual booking check; journey not auto-activated |
| INT-1 DCS (async push) | boarding push fails | queue + retry (idempotent); passenger unaffected |
| INT-2 AODB | flight data stale/unavailable | use last-known + flag "stale"; staff verify gate/flight manually |
| INT-3 Doc Auth | provider down at enroll | pause enrollment or route to kiosk-assisted manual document check |
| INT-4 Gov/Border | check unavailable | fail safe β REFER; never auto-clear a mandated check |
| INT-5 Staff SSO | SSO down | break-glass staff access (dual-control, alarmed, audited) |
| INT-6 Matching (on-prem) | low confidence / poor capture | deterministic REFER; human officer + manual document fallback |
| INT-7 Notification | delivery fails | best-effort retry; non-blocking; passenger can use kiosk/staff |
| INT-8 Analytics | sink unavailable | buffer locally; backfill later; never blocks operations |
8. Phase 1 vs later integration scope
Build the minimum credible set first; add the rest as the platform matures.
| Integration | Phase 1 required | Phase 1 optional | Later |
|---|---|---|---|
| INT-1 Airline DCS | β | ||
| INT-2 AODB | β | ||
| INT-3 Document Auth | β | ||
| INT-5 Staff SSO | β | ||
| INT-6 Matching (simulated) | β | ||
| INT-7 Notification | β (recommended) | ||
| INT-8 Analytics | β | ||
| INT-4 Gov/Border | (if mandated) | β | β deeper |
| Alliance / cross-airport reuse | β |
Later phases
- Deeper border/government interoperability
- Airline-alliance / multi-airline integration
- Cross-airport identity reuse (with consent + governance)
- Richer partner ecosystem (lounges, bag-drop, retail) β all token-based
9. Test / sandbox expectations
Integration is validated against contracts before any production data is exchanged. The current AURA demonstrator already runs working, contract-shaped mocks of INT-1, INT-2, INT-3, INT-5, INT-6 and INT-7, so flows can be exercised end-to-end safely.
What AURA provides to partners
- Versioned contract definitions for each relevant interface (request/response shapes, error contract).
- A sandbox environment where partner endpoints are mocked to those contracts.
- Observable request/response traces and audit entries for every simulated call.
- Test scenarios including success, partner-down (fallback), and forbidden-field (trust-boundary) cases.
What AURA asks of partners
- A non-production / sandbox endpoint and test credentials per integration.
- Representative non-personal / synthetic test data (no real passenger data in test).
- Confirmation of contract field names, scopes, token scheme, and error semantics.
- Agreement on idempotency keys, retry/backoff behavior, and rate limits.
- A technical point of contact for joint testing and issue triage.
10. Onboarding checklist
A practical sequence for a partner to begin integration. Items a partner must confirm are marked.
A Β· Scope & contacts
- Confirm which integration(s) you own (INT-1 / INT-2 / INT-3 / INT-5 / INT-7).
- Confirm Phase 1 participation and whether INT-4 (gov/border) is mandated for the pilot.
- Name technical, security, and business points of contact.
B Β· Interface & contracts
- Agree the versioned contract (fields, scopes, error shape) for each interface.
- Confirm the token scheme (preferred) or reference contract (e.g. booking token vs PNR).
- Agree sync vs async behavior, idempotency keys, retry/backoff, and rate limits.
C Β· Security
- Exchange and validate mutual-authentication material; confirm encryption standards.
- Provision per-partner credentials and least-privilege scopes; agree key-rotation policy.
- Confirm no personal data in URLs/logs; agree correlation-ID convention.
D Β· Test & sandbox
- Provide sandbox endpoint + test credentials; supply synthetic test data.
- Run contract tests, then connectivity/auth tests, then fallback & error scenarios.
- Validate audit/trace visibility on both sides.
E Β· Go-live readiness
- Confirm SLAs, support/escalation paths, and incident handling.
- Confirm fallback ownership for the relevant flow (ops / customer service).
- Complete privacy/regulatory sign-off for any regulated data (with KSIA/authorities).
11. Open questions for partner workshops
These are the items we expect to resolve with each partner. AURA proposes a privacy-first default for each; the workshop confirms or adjusts it.
| # | Open question | AURA's proposed default |
|---|---|---|
| 1 | Booking identifier scheme? | Airline-issued booking token; PNR reference only if unavoidable |
| 2 | Is Gov/Border (INT-4) in the pilot? | Exclude unless KSIA/regulator mandates it |
| 3 | Token lifetime & scope for partners? | Short (minutesβhours), single-scope |
| 4 | Contract style? | Versioned REST + webhooks for events |
| 5 | Retry & idempotency policy? | Exponential backoff + idempotency keys on writes |
| 6 | Document-image handling (INT-3)? | Discard raw image after check; keep result + reference |
| 7 | Analytics placement (INT-8)? | Cloud, aggregated non-personal only |
| 8 | Auth mechanism for your interface? | Mutual TLS and/or signed short-lived tokens; per-partner keys |
| 9 | SSO protocol & role mapping (INT-5)? | OIDC/SAML federation with explicit role/group mapping + MFA |
| 10 | SLAs, support & incident escalation? | Agreed per partner during onboarding |
This kit is grounded in AURA's Stage 6 Integration Readiness design and the working connector mocks in the current demonstrator. Field names and contract details are illustrative and are confirmed per partner during onboarding. Biometrics remain simulated and AI remains limited to two read-only features in this phase; neither is affected by any integration described here.