Partner Workshop ยท Leave-Behind
AURA on one page
Automated Universal Recognition Architecture ยท KSIA Terminal 6
INTEGRATION BLUEPRINT โ
NOT A LIVE PILOT ยท
BIOMETRICS SIMULATED
What AURA is
A privacy-first biometric identity platform that lets a passenger move through
the airport on one verified identity โ created once at enrollment and reused at
security and boarding โ without storing raw face images.
It coordinates with the systems an airport already runs (airline, AODB, document checks, staff
SSO) without leaking personal data or losing control of it. This document
describes the integration blueprint; biometrics are simulated and
partner systems are mocked to contracts in this phase.
Why token-based integration matters
AURA hands partners a meaningless claim-ticket (a token) โ never a passenger's
real identity or biometrics. Partners coordinate about a passenger using that token; only
AURA's on-prem vault at KSIA can resolve a token back to a person.
- Authenticated โ mutual on every call
- Encrypted โ TLS in transit, always
- Token-based โ references, not raw data
- Audited โ every exchange, by token
Minimum credible pilot integration set
| Integration | Why it's in the minimum set | Owner |
| INT-1 Airline DCS | Validate the journey against a real booking | Airline |
| INT-2 Airport AODB | Correct flight & gate context at the gate | Airport |
| INT-3 Document Auth | Anchor identity to a genuine document at enrollment | Provider |
| INT-5 Staff SSO | Trustworthy staff identities to drive RBAC | Airport |
| INT-6 Matching simulated | The deterministic gate decision โ on-prem only | KSIA (internal) |
| INT-7 Notification | Mobile-first passenger guidance (recommended) | Provider |
Gov/Border (INT-4) and Analytics (INT-8) are designed but not built this phase; INT-4 only enters the pilot if KSIA / the regulator mandates it.
Trust-boundary principle
โโ UNTRUSTED (partners) โโโโโโโโโโโโโโโโโ TRUSTED (AURA / KSIA) โโโโโโโโโโ
airline / airport / doc / cloud โ integration layer (validates) โ resolve token (ON-PREM)
โ KSIA vault + matching engine (crown jewels) โ never leave site
Two hard lines that never move & are enforced in code: (1) Biometric templates never
cross an external boundary โ only the on-prem engine (INT-6) touches them. (2) Raw identity
stays on-prem โ partners get tokens. Forbidden fields are actively blocked from external
connectors (request rejected + audited): template_data, raw_image,
selfie, given_name, family_name, document_number.
Real today vs simulated
REAL Integration contracts & flows (INT-1,2,3,5,6,7) as
contract-shaped mocks ยท token issuance/resolution ยท server-enforced RBAC ยท tamper-evident audit ยท
fail-safe fallback logic.
SIMULATED Biometric capture & matching (INT-6) โ deterministic
decision, no real biometrics, same contract a real engine will use later.
NOT USED Live passenger / production data โ synthetic, non-personal
test data only. NOT BUILT INT-4 gov/border & INT-8 analytics
(designed only).
Fail-safe in one breath
- Fail safe, not open โ a failed check โ REFER to human, never auto-ALLOW
- Gates keep working โ the decision is on-prem, so a cloud/partner outage doesn't strand validated journeys
- Async never blocks โ slow partners queue & retry; the passenger isn't held up
- Humans own edge cases โ manual override, fully audited
Partner workshop questions
- Booking identifier โ airline booking token (preferred) or PNR?
- Token lifetime & scope for partners?
- AODB delivery โ events/webhooks, read API, or both? Stale-data handling?
- SSO protocol & role/group mapping (OIDC/SAML)? MFA & break-glass?
- Auth per interface โ mutual TLS and/or signed short-lived tokens?
- Retry & idempotency policy on writes (e.g. boarding push)?
- Document-image handling (INT-3) โ discard raw after check?
- Is Gov/Border (INT-4) mandated for the pilot, or deferred?
- On-prem hosting for INT-6 / vault confirmed inside KSIA?
- SLAs, support, incident escalation & fallback ownership?