AURA — Airline Integration Kit Full partner kit  ·  Airport edition  ·  One-pager  ·  Demonstrator  ·  Integration blueprint — biometrics simulated, DCS mocked  
Partner Onboarding · Airline Edition

Integrating your DCS with AURA

Automated Universal Recognition Architecture · KSIA Terminal 6
Audience: airline reservation / departure-control & integration teams Status: integration blueprint for onboarding discussions — not yet a live pilot

1. What AURA asks of an airline

AURA lets a passenger move through KSIA Terminal 6 on one verified identity, created once at enrollment and reused at security and boarding. The airline's role is narrow and well-bounded: confirm a booking is valid, and receive boarding status back — all of it coordinated through opaque tokens, never raw passenger identity or biometrics.

The core idea: a booking token, not a passenger record

AURA hands your DCS a meaningless claim-ticket (a token) and coordinates about a passenger using that token. Only AURA's on-premise vault at KSIA can resolve a token back to a real person. Your DCS never needs — and AURA never sends — a name, document number, or biometric.

The boarding-pass analogy. A boarding pass barcode is just a reference; the gate scanner reads "this reference is valid for this flight" without re-reading the passport. AURA's booking token works the same way — a reference both sides trust, with the real identity kept on-prem.
YOUR AIRLINE AURA (KSIA) ┌──────────────┐ booking token ┌─────────────────────────┐ │ Reservation │ ◄───────────────► │ Integration layer │ │ / DCS │ validity / status │ (speaks in tokens) │ └──────────────┘ └──────────┬──────────────┘ │ resolve token ▼ (ON-PREM ONLY) ┌──────────────────┐ │ KSIA VAULT │ │ identity+template│ └──────────────────┘

The promise on every call

2. DCS integration (INT-1) at a glance

INT-1 · Airline Reservation / Departure Control System (DCS)Phase 1 required
two-way · synchronous booking check + asynchronous boarding push · 🟡/🟠 tokenized/minimal · airline-hosted
PurposeConfirm a booking is valid (paid, today, this terminal); receive boarding status back. PatternsP1 (token issuance/resolution), P2 (inbound validation), P3 (outbound status push) AURA → DCSbooking token; boarding result { booking_token, status:"boarded", timestamp } DCS → AURA{ valid, flight, seat, status } You provideendpoint(s), per-partner credentials, booking-token scheme (preferred) or PNR contract, idempotency support Hard ruleNo raw passenger identity required; prefer an airline-issued booking token over a raw PNR; no biometrics ever.

INT-1 is the only AURA integration an airline owns. It is in the minimum credible pilot set — without it, a journey cannot be validated against a real booking. The other implemented connectors (airport AODB, document auth, staff SSO, on-prem matching, notification) are owned by the airport, a document provider, or are internal to KSIA.

3. Booking & token flows

These are the reusable contract "shapes" that govern how a booking is referenced and resolved. Field names below are illustrative and confirmed with your team during onboarding.

P1 · Token issuance & resolution (the core mechanism)

  1. AURA enrolls a passenger and mints an opaque token (e.g. tok_ab12cd34) tied to a booking.
  2. AURA shares only the token with your DCS — never the passenger's identity.
  3. When your DCS calls back (or AURA calls you), the token is resolved on-prem to act.
  4. Tokens are scoped (what they can do) and short-lived (auto-expire).

P2 · Inbound booking validation (AURA → DCS, synchronous)

Request{ booking_token, flight_number, date } Response{ valid: true, flight, seat, status } WhenAt enrollment / check-in, to anchor the journey to a real booking TimingSynchronous — must answer quickly so the passenger isn't kept waiting

P3 · Outbound boarding-status push (AURA → DCS, asynchronous)

Payload{ booking_token, status: "boarded", timestamp } BehaviorIdempotent (safe to retry); every push audited; queued if your DCS is briefly unavailable WhenAfter a successful (simulated) boarding decision at the gate

Booking-identifier preference

OptionAURA's stanceWhy
Airline-issued booking tokenPreferredOpaque, scoped, revocable; minimizes data crossing the boundary
Raw PNR referenceOnly if unavoidableAcceptable as a fallback contract, but a PNR is more sensitive and longer-lived
Passenger name / document #NeverForbidden field — blocked at the boundary (see §7)

4. Check-in & boarding status exchanges

Mapping the airline-touching moments of a passenger journey onto the DCS exchanges above.

ENROLL / CHECK-IN SECURITY BOARDING ┌───────────────────┐ ┌───────────────────┐ │ AURA → DCS (P2): │ (on-prem gate │ gate decision │ │ validate booking │ decision, INT-6, │ (INT-6, simulated)│ │ by booking_token │ no DCS call) │ │ │ │ │ │ │ ▼ │ │ ▼ │ │ AURA → DCS (P3): │ │ DCS → AURA: │ │ push "boarded" │ │ {valid,flight, │ │ by booking_token │ │ seat,status} │ │ (async, idempot.)│ └───────────────────┘ └───────────────────┘
Journey momentAirline exchangeDirection / timingData crossing
Enrollment / check-inValidate booking (P2)AURA → DCS · syncbooking token + flight/date → validity, flight, seat
Security checkpointNone — gate decision is on-prem (INT-6)n/anone crosses the airline boundary
BoardingPush boarding result (P3)AURA → DCS · asyncbooking token + status + timestamp

5. Failure & fallback behavior

Your DCS will sometimes be slow, down, or return an error. AURA is designed so that this never strands a passenger and never produces an unsafe decision.

Core failure principles

  1. Fail safe, not open. If booking validity can't be confirmed, the result is REFER to a human — never an automatic ALLOW.
  2. Gates keep working. Because the gate decision is on-prem (INT-6), a DCS outage doesn't stop checkpoints/boarding for already-validated journeys.
  3. Async never blocks. A failed boarding push is queued and retried; the passenger is unaffected.

Standard error contract

Every DCS response uses { error, code, retryable: true|false } so AURA can consistently choose retry (transient) vs. REFER/escalate (non-retryable).

DCS-specific fallback table

ExchangeIf it fails…AURA's fallback
P2 booking check (sync)can't validate bookingREFER to airline/airport staff for a manual booking check; journey not auto-activated
P2 booking check (sync)booking invalid / not foundDeterministic DENY/REFER; passenger directed to airline service desk
P3 boarding push (async)push fails / DCS downQueue + retry with backoff (idempotent); no double-boarding; passenger already cleared
Anytimeout / 5xxTreat as retryable:true within limits, then escalate to human fallback
The promise to your operation. A DCS outage degrades gracefully into an airline/airport-staffed manual process — it never denies a legitimate passenger silently and never auto-allows an unsafe one.

6. Auth, audit & token-handling rules

Authentication & encryption (what AURA asks of your DCS)

Token-handling rules (airline side)

Audit & logging expectations

7. Trust boundary & forbidden fields

Your DCS sits on the untrusted side of AURA's boundary. AURA validates everything inbound and resolves tokens to identity only on-prem.

── UNTRUSTED (your DCS) ──────────────┊── TRUSTED (AURA) ───────────── booking checks / boarding pushes ┊ integration layer (validates) speak only in tokens ┊ │ ┊ ▼ resolve token (on-prem) ┊ KSIA vault (most trusted)
Forbidden fields — enforced, not just stated. AURA's integration layer actively blocks a fixed set of fields from ever crossing to an external connector like your DCS. If any appear, the request is rejected and the attempt is audited. These include: template_data, raw_image, selfie, given_name, family_name, and document_number. The on-prem matching engine (INT-6) is the only component permitted to handle biometric data — and it never leaves KSIA.
RulePlain English (airline view)
No biometrics outboundTemplates/images never reach your DCS — ever.
Tokens, not identitiesYou coordinate via booking tokens; the token↔passenger map stays on-prem.
Inbound validationAURA treats all DCS responses as untrusted and validates before use.
Minimize what you sendPrefer booking token over PNR; never name or document number.

8. What's real today vs simulated

AspectState in this phase
DCS integration contract (INT-1)Real, working contract — runs as a contract-shaped mock you can exercise end-to-end
Booking token / boarding-status flowsReal flows against the mocked DCS (no production booking data)
Biometric capture & matching (INT-6)Simulated — on-prem engine returns a deterministic decision; no real biometrics
Live passenger / production booking dataNot used — synthetic / non-personal test data only
Gov/border (INT-4), analytics (INT-8)Designed, not built — out of the airline lane this phase

9. Sandbox & airline onboarding

What AURA provides you

What AURA asks of you

Airline onboarding checklist

10. Workshop questions for airline teams

The items AURA expects to resolve with your team. A privacy-first default is proposed for each; the workshop confirms or adjusts it.

#Open questionAURA's proposed default
1Booking identifier scheme?Airline-issued booking token; PNR reference only if unavoidable
2Booking-check timing budget (sync)?Fast enough to keep enrollment/check-in seamless; agreed SLA
3Token lifetime & scope for the DCS?Short (minutes–hours), single-scope (validate / receive status)
4Boarding-push retry & idempotency?Exponential backoff + idempotency keys; no double-boarding
5Contract style?Versioned REST for checks; async push for boarding status
6Auth mechanism for INT-1?Mutual TLS and/or signed short-lived tokens; per-partner keys
7Status vocabulary?Minimal set (e.g. boarded); agreed during onboarding
8Fallback ownership when DCS is down?Airline service desk + airport ops, with manual override & audit
9SLAs, support & incident escalation?Agreed per airline during onboarding
10Future alliance / multi-airline reuse?Out of Phase 1; token-based design keeps it open for later

Airline edition of AURA's partner onboarding kit, grounded in Stage 6 Integration Readiness and the working INT-1 connector mock in the current demonstrator. Connector scope this phase is INT-1, 2, 3, 5, 6 and 7. Field names and contract details are illustrative and confirmed per partner during onboarding. Biometrics remain simulated; this is an integration blueprint, not a live pilot.