Confidential: shared with Rezonate partners and clients. Do not redistribute.
Platform architecture (always available)
ComponentWhat it doesStatus
POST /mcp gatewayMCP JSON-RPC endpoint; Kira-issued bearer credential resolves tenant; routes tools/list and tools/callAvailable today
Permission gatingEvery tool call checked against the tool permission registry using integration:view / integration:manage slugsAvailable today
Audit ledgerEvery tool invocation logged: tenant, agent, conversation, tool, input, output, duration, status. Immutable.Available today
Client-credentials helperGeneric OAuth 2.0 token fetch with redirect following and timeout. Reused for any system that issues bearer tokens.Available today
Reference connectorOur first external-system connector (EHR) is code-complete, merged, and the template to clone. Typed connection, token cache, SSRF gate, request builder, reachability test, read actions, MCP tool layer.Available today
Ingress webhook patternShared-secret bearer auth; schedule-and-202 pattern; the per-partner route is configured during onboardingPartner onboarding
Per-tenant connector tableAlternative storage when the partner hosts their own MCP serverAvailable today
Partner checklist: what Kira needs
#What Kira needsPhase gate
1External system sandbox API endpoint (base URL and region)Phase 2
2Auth credentials for a service account or app registration (client ID and secret, or API key; any tenant/directory IDs the token endpoint requires)Phase 2
3Service account permissions: least-privilege role scoped to entities the integration readsPhase 2
4Schema / entity metadata: real field names, logical names, or endpoint pathsPhase 2
5Seeded test record in sandbox matching the demo personaPhase 2
6Write permissions on target entities, and an idempotency mechanism (alternate key or deduplication field)Phase 3
7Service-protection / rate-limit expectations; API access model; residency / regionPhase 2–3
8Ability to call an outbound HTTPS endpoint from the external system, and store a Kira-issued ingress secretPhase 4
Build phases
PhaseScopeKira workPartner gate
1: Demo-simAgent, KB-onlyTenant, agent, knowledge baseNone
2: Connect and readAuth reachability, read toolsReachability test, read tools, entity mapping (cloned from reference connector)Items 1–5
3: Write-backInteraction log, opt-in, intent captureWrite tools, audit, idempotent upsert, canonical mappingItems 6–7
4: InboundPOST /webhooks/<partner>/{connectionId}Ingress webhook route and workflow triggerItem 8
Decided together at onboarding

The platform mechanics above are fixed and shipped. The items below are deliberately left open: they are decisions we make with your engineering team during onboarding, tuned to your environment rather than imposed as defaults.

DecisionHow we align
Schema mappingTool contracts are finalized against your actual entity metadata (a machine-readable schema export), never guessed field names
Environment topologyConnection design sized to your footprint: one environment or many, with per-environment app registrations and credentials
Auth baselineClient secret for sandbox speed; certificate-based auth where your security policies require it, with rotation owned and scheduled
Consent modelOpt-in writes matched to how your platform models consent, whether preference columns or a dedicated consent entity
Caller verificationAn identity verification step ahead of any tool that returns member data, tuned to your channel mix
Inbound event deliveryWebhook mechanism and payload signing agreed with your platform team, including retry and deduplication behavior
Throughput budgetTool-call concurrency planned against your API service-protection limits before go-live
Residency, retention, auditData residency, log retention, and audit access documented per deployment during joint security review
Badge legend
Available todayImplemented in the Kira platform now
Partner onboardingConfigured during your specific partner onboarding