Confidential — shared with KeyReply partners and clients under NDA. Do not redistribute.
Platform spine (always available)
ComponentWhat it does
POST /mcp gatewayMCP JSON-RPC endpoint; WorkOS bearer resolves tenant; routes tools/list and tools/call
Permission gatingEvery tool call checked against the tool permission registry using integration:view / integration:manage slugs
Audit ledgerEvery tool invocation logged: tenant, agent, conversation, tool, input, output, duration, status. Immutable.
Client-credentials helperGeneric OAuth 2.0 token fetch with redirect following and timeout. Reused for any system that issues bearer tokens.
Reference connectorA production EHR connector ships today as the template to clone. Typed connection, token cache, SSRF gate, request builder, reachability test, read actions, MCP tool layer.
Ingress webhook patternShared-secret bearer auth; schedule-and-202 pattern; per-partner route is Partner onboarding
Per-tenant connector tableAlternative storage when the partner hosts their own MCP server
Partner checklist — what Kira needs

Nothing in Phase 2+ starts without items 1–5. Full detail in Integration Guide §6.

#What Kira needsPhase gate
1External system sandbox API endpoint (base URL + region)Phase 2
2Auth credentials for a service account or app registration (client ID + secret or API key; any tenant/directory IDs the token endpoint requires)Phase 2
3Service account permissions — least-privilege role scoped to entities the integration readsPhase 2
4Schema / entity metadata — real field names, logical names, or endpoint pathsPhase 2
5Seeded test record in sandbox matching the demo personaPhase 2
6Write permissions on target entities + idempotency mechanism (alternate key or deduplication field)Phase 3
7Service-protection / rate-limit expectations; API access model; residency / regionPhase 2–3
8Ability to call an outbound HTTPS endpoint from the external system + store a Kira-issued ingress secretPhase 4
Build phases
PhaseScopeKira workPartner gate
1 — Demo-simAgent, KB-onlyTenant, agent, knowledge baseNone
2 — Connect + readAuth reachability, read toolsReachability test + read tools + entity mapping (cloned from reference connector)Items 1–5
3 — Write-backInteraction log, opt-in, intent captureWrite tools + audit + idempotent upsert + canonical mappingItems 6–7
4 — InboundPOST /webhooks/<partner>/{connectionId}Ingress webhook route + workflow triggerItem 8
Badge legend
Available todayImplemented in the Kira platform now
Partner onboardingConfigured during your specific partner onboarding
Confirm with partnerRequires partner sandbox access or confirmation