AURA β€” Partner Onboarding Kit Airline edition  Β·  Airport edition  Β·  One-pager  Β·  Brief  Β·  Deck  Β·  Demonstrator  Β·  Integration blueprint β€” biometrics simulated, partners mocked  
Partner Onboarding Kit

Integrating with AURA

Automated Universal Recognition Architecture Β· KSIA Terminal 6
Audience: airline, airport & implementation partner technical teams Status: integration blueprint for onboarding discussions β€” not yet a live pilot
Focused editions & one-pager. Tailored cuts of this kit are available for specific audiences: an airline / DCS edition, an airport / AODB edition, and a printable one-page workshop summary.

1. Overview β€” how AURA integrates

AURA lets a passenger move through the airport using one verified identity, created once and reused at security and boarding. To do that, AURA must coordinate with the systems an airport already depends on β€” but without leaking personal data or losing control of it.

The core idea: tokens, not identities

AURA hands partner systems a meaningless claim-ticket (a token) β€” never a passenger's real identity or biometric data. Partners coordinate about a passenger using that token; only AURA's on-premise vault at KSIA can resolve a token back to a real person.

The concierge analogy. A hotel concierge arranges a taxi, a restaurant and tickets using a booking code β€” never the guest's passport. Each vendor knows "code 4471", none of them see the real identity. AURA's integration layer is that concierge.
AIRLINE DCS AIRPORT AODB DOC-AUTH STAFF SSO \ | | / \ β–Ό β–Ό / β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ AURA INTEGRATION LAYER (the concierge) β”‚ β”‚ speaks in TOKENS, never raw identity β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ resolve token β†’ identity β–Ό (ON-PREM ONLY) β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ KSIA VAULT β”‚ identities, templates, β”‚ (crown jewels) β”‚ consent, audit, keys β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

The promise every integration keeps

Every connection β€” without exception β€” is:

Two hard lines that never move

  1. Biometric templates never cross an external boundary. The only system that touches them is the on-premise matching engine at KSIA.
  2. Raw identity stays on-prem. Partners receive tokens; only the KSIA vault resolves a token to a person.

2. Integration landscape β€” partner-facing systems & connectors

AURA defines eight integration points (connectors). Six are implemented as working, contract-shaped mocks in the current demonstrator (INT-1, 2, 3, 5, 6, 7); INT-4 and INT-8 are designed and scheduled. Sensitivity refers to the data crossing that boundary.

🟒 non-personal / operational  Β·  🟑 tokenized references  Β·  🟠 minimal personal data (regulated)  Β·  πŸ”΄ biometric (never crosses by default)

IDSystemPurposeDirectionSensitivityPlacementPhase
INT-1Airline Reservation / DCSConfirm booking validity; report boarding statustwo-way🟑 / 🟠partner / cloudP1 required
INT-2Airport Operational DB (AODB)Flight schedules, gates, delays, terminal statusinbound🟒partner / cloudP1 required
INT-3Document AuthenticationConfirm passport/ID is genuine at enrollmentinbound🟠 transientpartner / cloudP1 required
INT-4Government / Border / WatchlistMandated identity & security checkstwo-way🟠regulatedLater / if mandated
INT-5Staff Identity / SSOAuthenticate AURA staff to drive RBACinbound🟑partner / cloudP1 required
INT-6Matching Engine (simulated)Compare live capture to stored templateinternalπŸ”΄on-premP1 (simulated)
INT-7Notification ServicePassenger status/guidance messagesoutbound🟑partner / cloudP1 recommended
INT-8Analytics / Reporting SinkAggregated, non-personal operational reportingoutbound🟒cloudP1 optional

3. Minimum credible pilot integration set

To run a realistic Terminal 6 pilot, AURA needs the smallest set that can anchor identity to a real document, validate the journey against a real booking, give gates correct flight context, authenticate staff, and make a (simulated) gate decision:

IntegrationWhy it's in the minimum set
INT-1 Airline DCSWithout it, a journey cannot be validated against a real booking
INT-2 Airport AODBGates need accurate flight & gate context
INT-3 Document AuthIdentity must be anchored to a genuine document at enrollment
INT-5 Staff SSORBAC needs trustworthy staff identities
INT-6 Matching engine (simulated)The deterministic gate decision (on-prem; real engine integrated later)
INT-7 Notification recommendedSupports the mobile-first passenger experience
Gov/Border (INT-4) is included only if KSIA or the regulator mandates it for the pilot. Otherwise it moves to early Phase 2, keeping the pilot surface smaller and safer.

4. Token-based interface principles

These reusable contract "shapes" let every partner connect the same safe way. Shapes below are illustrative β€” exact field names are confirmed per partner during onboarding.

P1 Β· Token issuance & resolution (the core mechanism)

  1. AURA enrolls a passenger and mints an opaque token (e.g. tok_ab12cd34).
  2. AURA shares only the token with partners.
  3. When a partner calls back, AURA resolves the token on-prem to act.
  4. Tokens are scoped (what they can do) and short-lived (auto-expire).

P2 Β· Inbound validation (e.g. DCS booking check)

Request{ booking_token, flight_number, date } Response{ valid: true, flight, seat, status }

P3 Β· Outbound status push (e.g. boarding result β†’ DCS)

Payload{ booking_token, status: "boarded", timestamp } BehaviorIdempotent (safe to retry); every push audited

P4 Β· Verification result (gate ↔ matching engine, on-prem only)

Request{ identity_ref, live_capture (simulated), stage } Response{ decision: ALLOW | DENY | REFER, confidence (sim), reason } RuleNever returns a template or image. On-prem only.

P5 Β· Webhook / event subscription (e.g. AODB flight updates)

AURA subscribes to flight/gate change events. Each event is non-personal (🟒), validated, and applied to gate context.

Cross-cutting contract rules (every pattern)

RuleWhy
Versioned contracts (e.g. /v1/...)Partners can upgrade without breaking AURA
Idempotency keys on writesSafe retries; no double-boarding
Explicit scopes on every tokenLeast privilege at the API level
Standard error shape { error, code, retryable }Predictable failure handling
No personal data in URLs or logsURLs/logs leak; tokens go in the body

Synchronous vs asynchronous

SYNC (must be instant, mostly on-prem) ASYNC (background, retryable) β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ gate verify (INT-6) β”‚ β”‚ boarding push β†’ DCS (INT-1) β”‚ β”‚ booking check (INT-1) β”‚ ───────► β”‚ AODB events (INT-2) β”‚ β”‚ doc auth (INT-3) β”‚ queue + β”‚ notifications (INT-7) β”‚ β”‚ staff login (INT-5) β”‚ retry β”‚ analytics (INT-8) β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

5. Partner-by-partner requirements

For each integration: what it's for, what AURA sends out and receives in, the contract pattern that applies, and the firm rule on raw identity / biometrics.

Data-exchange matrix (at a glance)

IntegrationAURA sends OUTAURA receives INRaw identity crosses?Biometric crosses?
INT-1 Airline DCSbooking token, boarding resultbooking validity, flight/seat❌ token/minimal❌ never
INT-2 AODB(nothing personal)flight schedules, gates, status❌❌
INT-3 Doc Authdocument data for the check only"genuine/valid" + provider ref🟠 transient, then discarded❌
INT-4 Gov/Borderminimal mandated identity + tokeneligibility / screening result🟠 minimal, regulated, audited❌ never
INT-5 Staff SSOstaff login challengestaff identity + role❌ (staff, not passenger)❌
INT-6 Matching (on-prem)live capture + template refmatch resultstays on-premstays on-prem
INT-7 Notificationtoken + messagedelivery status❌❌
INT-8 Analyticsaggregated metrics(nothing)❌❌
INT-1 Β· Airline Reservation / Departure Control System (DCS)Phase 1 required
two-way · synchronous check + asynchronous push · 🟑/🟠 tokenized/minimal · partner-hosted
PurposeConfirm a booking is valid (paid, today, this terminal); report boarding status back. PatternsP2 (inbound validation), P3 (outbound status push) AURA β†’ partnerbooking token; boarding result { booking_token, status:"boarded", timestamp } Partner β†’ AURA{ valid, flight, seat, status } Partner providesendpoint(s), credentials, booking-token scheme (preferred) or PNR contract, idempotency support Hard ruleNo raw identity required; prefer an airline-issued booking token over a raw PNR.
INT-2 Β· Airport Operational Database (AODB)Phase 1 required
inbound (read) · asynchronous events · 🟒 non-personal · airport-hosted
PurposeFlight numbers, times, gates, delays, terminal status so gates show correct context. PatternsP5 (webhook/event subscription) and/or read API Partner β†’ AURAflight/gate events & schedule reads β€” non-personal only Partner providesevent feed or polling API, schema, change-notification mechanism Hard ruleLowest-risk integration β€” must contain no passenger personal data.
INT-3 Β· Document Authentication ProviderPhase 1 required
inbound (called at enroll) · synchronous · 🟠 transient · provider-hosted
PurposeConfirm a passport/ID is genuine and valid before AURA trusts it. PatternsP2 (inbound validation, transient) AURA β†’ providerdocument data for the check only Provider β†’ AURA{ genuine: true, valid: true, provider_ref } β€” AURA keeps result + reference Provider providesverification API, result/reference contract, SLA Hard ruleRaw document image is discarded after the check; only result + reference are retained.
INT-4 Β· Government / Border / Watchlist SystemsLater / if mandated
two-way · heavily audited · 🟠 minimal regulated · regulated environment
PurposeMandated identity & security checks (border eligibility, watchlist screening) where law requires. PatternsP2 with elevated auditing & human adjudication AURA β†’ authorityminimal mandated identity + token Authority β†’ AURAeligibility / screening result Hard ruleWatchlist hits are human-adjudicated β€” AI never auto-acts on them. In scope only if mandated for the pilot.
INT-5 Β· Staff Identity / SSOPhase 1 required
inbound · synchronous · 🟑 staff identity (no passenger data) · airport/IdP-hosted
PurposeAuthenticate AURA staff (which officer is logging in?) to drive RBAC. PatternsFederated sign-on (e.g. OIDC/SAML), role assignment Partner β†’ AURAstaff identity + role assignment Partner providesIdP metadata, role/group mapping, MFA expectations Hard ruleThis is staff identity, not passenger identity. No passenger data flows here.
INT-6 Β· Matching Engine (on-prem, simulated this phase)Phase 1 (simulated)
internal Β· synchronous Β· πŸ”΄ biometric Β· on-prem only β€” not a partner integration
PurposeCompare a live capture to a stored template β€” the actual gate decision. PatternsP4 (verification result; on-prem) ContractRequest { identity_ref, live_capture, stage } β†’ { decision, confidence, reason } Hard ruleTemplates & results never leave KSIA. A real engine slots into this same contract later with no re-architecture. Listed here for completeness; partners do not integrate to it.
INT-7 Β· Notification Service (passenger messaging)Phase 1 recommended
outbound · asynchronous · 🟑 tokenized · provider-hosted
PurposeMobile-first guidance ("you're enrolled", "head to gate B12"). PatternsP3-style outbound (best-effort) AURA β†’ providera token + a message (contact handled by the provider, minimized) Hard ruleAvoid putting personal data in message bodies.
INT-8 Β· Analytics / Reporting SinkPhase 1 optional
outbound · batched · 🟒 aggregated non-personal · cloud
PurposeAggregated operational reporting & dashboards. AURA β†’ sinkaggregated, non-personal metrics only Hard ruleCloud-friendly precisely because it is non-personal.

6. Security requirements β€” auth, encryption, audit, trust boundaries

Every door is a potential break-in point, so each one gets the same strong locks. These rules apply to all integrations.

Authentication & encryption (what we ask of partners)

Audit & logging expectations

Trust-boundary rules

RulePlain English
No biometrics outboundTemplates/images never cross an external boundary (hard line).
Tokens, not identitiesPartners coordinate via tokens; the token↔identity map stays on-prem.
Inbound validationTreat all inbound data as untrusted; validate before use.
Separation of channelsNon-personal (AODB, analytics) travels on different paths from regulated (gov/border).
Rate limiting & throttlingPartners are throttled; abusive/anomalous patterns are blocked.
Governed new sharingSending personal data to a new partner requires an internal approval gate before go-live.
Enforced, not just stated. AURA's integration layer actively blocks a fixed set of forbidden fields (such as raw names, document numbers, and biometric templates) from ever leaving on an external connector β€” the request is rejected and the attempt is audited. The on-prem matching engine is the only component permitted to handle biometric data.
── UNTRUSTED (partners) β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Šβ”€β”€ TRUSTED (AURA) ───────────── airline / airport / gov / providers β”Š integration layer (validates) β”Š β”‚ β”Š β–Ό resolve token (on-prem) β”Š KSIA vault (most trusted)

7. Error-handling & fallback expectations

Partners will sometimes be slow, down, or wrong. AURA must never strand a passenger and never make an unsafe decision because a partner failed.

Core failure principles

  1. Fail safe, not open. If a security-relevant check can't complete, the result is REFER to a human β€” never an automatic ALLOW.
  2. Gates keep working. Because the gate decision is on-prem (INT-6), a cloud or partner outage doesn't stop checkpoints/boarding for already-validated journeys.
  3. Human fallback owns the edge cases. Airport operations + airline/customer service handle fallbacks, with manual override and full audit.

Standard error contract

Every interface returns { error, code, retryable: true|false } so AURA can consistently decide retry (transient) vs. REFER/escalate (non-retryable).

Per-integration fallback behavior

IntegrationIf it fails…Fallback
INT-1 DCS (sync check)can't validate bookingREFER to staff for manual booking check; journey not auto-activated
INT-1 DCS (async push)boarding push failsqueue + retry (idempotent); passenger unaffected
INT-2 AODBflight data stale/unavailableuse last-known + flag "stale"; staff verify gate/flight manually
INT-3 Doc Authprovider down at enrollpause enrollment or route to kiosk-assisted manual document check
INT-4 Gov/Bordercheck unavailablefail safe β†’ REFER; never auto-clear a mandated check
INT-5 Staff SSOSSO downbreak-glass staff access (dual-control, alarmed, audited)
INT-6 Matching (on-prem)low confidence / poor capturedeterministic REFER; human officer + manual document fallback
INT-7 Notificationdelivery failsbest-effort retry; non-blocking; passenger can use kiosk/staff
INT-8 Analyticssink unavailablebuffer locally; backfill later; never blocks operations
The promise. A partner outage degrades gracefully into a human-assisted process β€” it never denies a legitimate passenger silently, and never auto-allows an unsafe one.

8. Phase 1 vs later integration scope

Build the minimum credible set first; add the rest as the platform matures.

IntegrationPhase 1 requiredPhase 1 optionalLater
INT-1 Airline DCSβœ…
INT-2 AODBβœ…
INT-3 Document Authβœ…
INT-5 Staff SSOβœ…
INT-6 Matching (simulated)βœ…
INT-7 Notificationβœ… (recommended)
INT-8 Analyticsβœ…
INT-4 Gov/Border(if mandated)βœ…βœ… deeper
Alliance / cross-airport reuseβœ…

Later phases

9. Test / sandbox expectations

Integration is validated against contracts before any production data is exchanged. The current AURA demonstrator already runs working, contract-shaped mocks of INT-1, INT-2, INT-3, INT-5, INT-6 and INT-7, so flows can be exercised end-to-end safely.

What AURA provides to partners

What AURA asks of partners

10. Onboarding checklist

A practical sequence for a partner to begin integration. Items a partner must confirm are marked.

A Β· Scope & contacts

B Β· Interface & contracts

C Β· Security

D Β· Test & sandbox

E Β· Go-live readiness

11. Open questions for partner workshops

These are the items we expect to resolve with each partner. AURA proposes a privacy-first default for each; the workshop confirms or adjusts it.

#Open questionAURA's proposed default
1Booking identifier scheme?Airline-issued booking token; PNR reference only if unavoidable
2Is Gov/Border (INT-4) in the pilot?Exclude unless KSIA/regulator mandates it
3Token lifetime & scope for partners?Short (minutes–hours), single-scope
4Contract style?Versioned REST + webhooks for events
5Retry & idempotency policy?Exponential backoff + idempotency keys on writes
6Document-image handling (INT-3)?Discard raw image after check; keep result + reference
7Analytics placement (INT-8)?Cloud, aggregated non-personal only
8Auth mechanism for your interface?Mutual TLS and/or signed short-lived tokens; per-partner keys
9SSO protocol & role mapping (INT-5)?OIDC/SAML federation with explicit role/group mapping + MFA
10SLAs, support & incident escalation?Agreed per partner during onboarding

This kit is grounded in AURA's Stage 6 Integration Readiness design and the working connector mocks in the current demonstrator. Field names and contract details are illustrative and are confirmed per partner during onboarding. Biometrics remain simulated and AI remains limited to two read-only features in this phase; neither is affected by any integration described here.