18. Integrator Onboarding

18.1 Onboarding Checklist

A single onboarding flow for all tenants. Steps are included based on the tenant's configuration.

1. Platform Admin creates tenant and provisions initial Tenant Admin account (see Section 4)
2. Generate client credentials (OAuth2 client_id + client_secret)
3. Configure auth methods (if using platform auth)
4. Configure KYC provider and level (if using platform KYC)
5. Configure palm vendor (defaults to X-Telcom BioWave Pass)
6. Register devices and pair scanners (mTLS certificates issued during pairing)
7. Configure Envoy JWKS (for internal verticals)
8. Implement challenge flow and device authentication
9. Configure webhooks for event notifications (optional)

All steps are available to all tenants. Steps 4–5 are typically skipped by integrators who handle auth and KYC in their own systems, but can be enabled at any time.