This article provides a comprehensive overview of the KEBS Integration Layer — the middleware that connects KEBS with external systems. It covers the integration architecture, connector types, inbound and outbound data pipelines, the integration monitor, error handling, and OAuth 2.0 token lifecycle management.
Integration Architecture Overview
Understand the multi-layered architecture that ensures reliable, validated, and auditable data flows between external applications and KEBS.
The KEBS Integration Architecture is a middleware-based design that sits between external application servers and the KEBS platform. It handles authentication, payload validation, data transformation, error management, and audit logging — ensuring that data entering or leaving KEBS is always clean, consistent, and traceable.
Architecture Layers
Data flows through five distinct layers as it moves between systems:
Inbound Integration Pipeline
Ensure that every piece of data entering KEBS is validated, transformed, and stored correctly — with full error traceability at every step.
When an external system sends data to KEBS, the payload passes through a structured pipeline before being stored. This ensures data quality and consistency across all modules.
Step 1 — Payload Validation
Before any processing begins, the middleware performs two checks on the incoming request:
- Payload Size Validation — ensures the request does not exceed the allowed size limits.
- Payload Schema Validation — verifies the structure and format of the payload against the expected API schema. Malformed payloads are rejected immediately.
Step 2 — Data Processing Pipeline
Once the payload passes validation, the data moves through five sequential processing stages:
Validation
Verification
Transformation
Mapping
Storage
Step 3 — Staging & Consumption
After processing, data is written to the KEBS Staging Layer. The target application module (e.g., Employee Directory, Finance) then consumes data from the staging layer and makes it available to users. Staging data is cleared periodically based on the data lifecycle policy.
Supported Inbound Modules
| Module | Use Case | API Pattern |
|---|---|---|
| HR / Employee Directory | Employee Hire, Update, Exit | Real-time per-record API calls |
| Finance | Invoice sync, payment updates | Batch or real-time |
| Projects | Project creation, milestone updates | Real-time per-event |
| Timesheet | Time entry sync from external tools | Batch (daily/weekly) |
| CRM | Account & opportunity sync | Real-time or scheduled |
| Attendance | Clock-in/clock-out data from biometric or access systems | Batch (daily) |
Connectors & Outbound Sync
Connect KEBS to your existing tech stack — HRMS, ERP, accounting tools, and identity providers — with pre-built connectors or custom API integrations.
KEBS connectors are the bridge between the middleware layer and external systems. Each connector handles authentication, field mapping, error handling, and data transformation for a specific integration target.
Connector Types
HR / HRMS Connector INBOUND
Employee hire, update, and exit data from external HRMS platforms into KEBS Employee Directory.Finance Connector BOTH
Invoices, payments, and revenue data between KEBS Finance and external accounting systems.Project Connector BOTH
Project creation, milestones, and status updates between KEBS Projects and external PM tools.Timesheet Connector INBOUND
Time entries from external time-tracking tools synced into KEBS Timesheet module.Attendance Connector INBOUND
Biometric or access-system clock-in/out data synced into KEBS Attendance.SSO / Identity Connector INBOUND
Single sign-on via Azure AD, Okta, or other identity providers using email as the unique identifier.Outbound Sync
Outbound integrations push data from KEBS to external systems. Outbound sync is event-driven — triggered by specific actions within KEBS modules:
- Invoice finalization — when an invoice is approved in KEBS Finance, it can be pushed to an external accounting system.
- Project status changes — milestone completions or status updates in KEBS Projects can trigger notifications or updates in external PM tools.
- Timesheet approvals — approved time entries can be exported to external payroll or billing platforms.
- Employee data changes — certain KEBS-originated changes (e.g., project assignment, skill updates, calendar changes) can be synced outbound.
Integration Monitor & Outbound Pipeline
Get real-time visibility into every data flow — see what succeeded, what failed, and why — so you can resolve issues before they impact business operations.
The Integration Monitor provides a centralized view of all integration activity across every connector and module. It is accessible from the KEBS Reports module and captures both inbound and outbound data flows.
What the Monitor Tracks
| Metric | Description |
|---|---|
| API Call Logs | Every inbound and outbound API request with timestamp, payload summary, response code, and processing duration. |
| Error Traces | Detailed error records including error type, payload details, probable cause (if known), and suggested recovery steps. |
| Notification History | Log of all automated email notifications sent to stakeholders on errors, completions, or threshold alerts. |
| Staging Layer Status | Current state of data in the staging layer — pending consumption, processed, or cleared by lifecycle policy. |
| Connector Health | Status of each active connector — connected, degraded, or disconnected — with last successful sync timestamp. |
| Audit Logs | Full integration audit trail for compliance and troubleshooting, available as downloadable reports. |
Outbound Pipeline Stages
When KEBS pushes data to an external system, the outbound pipeline follows these stages:
Trigger
Assembly
Mapping
Dispatch
Logging
Error Handling & Recovery
Minimize downtime and data loss with automated error classification, stakeholder notifications, and a self-learning error repository that speeds up future resolutions.
All errors encountered during integration — inbound or outbound — are logged in KEBS and an error trace is created. Notifications are automatically dispatched to the relevant teams.
Error Classification & Resolution Flow
- 1The system checks whether the error is a payload validation error (malformed structure, missing required fields, size limit exceeded).
- 2If it is a payload error, the payload details are attached to the error trace and stakeholders are notified with the specific validation failure.
- 3If it is not a payload error, the system searches the Error Repository for the error code to find known resolutions.
- 4If a match is found, the probable cause and suggested recovery steps are added to the error trace, and stakeholders are notified with actionable guidance.
- 5If the error is unknown (not in the repository), a new support ticket is automatically created in KEBS for investigation.
- 6After investigation and resolution, RCA (Root Cause Analysis) and CAPA (Corrective and Preventive Action) are recorded in the Error Repository — so future occurrences resolve faster.
Common Error Scenarios
| Error Type | Cause | Resolution |
|---|---|---|
| Duplicate Record | Employee Hire API called for an existing employee | Use the Update API for existing records |
| Missing Dependency | Update or Exit API called before Hire API | Ensure the employee was created via the Hire API first |
| Invalid Master Data | Configuration or dropdown value not present in KEBS | Raise a support ticket to add the master data in KEBS |
| Schema Mismatch | Payload structure doesn’t match the expected API schema | Verify field names, types, and required fields against the API spec |
| Auth Failure | Expired or invalid OAuth token | Refresh the token using the token lifecycle flow (see below) |
| Race Condition | Parallel API calls for the same employee with different data | Group updates and send sequentially; KEBS does not support parallel hits |
OAuth 2.0 Token Lifecycle Management
Ensure uninterrupted, secure API communication between KEBS and external systems with automated token management — no manual credential rotation needed.
KEBS uses the OAuth 2.0 protocol for all API integrations — both inbound and outbound. This ensures that every API call is authenticated, authorized, and encrypted without exposing long-lived credentials.
Token Lifecycle Flow
Authorization: Bearer header. The middleware validates the token before processing.Token Best Practices
- Never hardcode tokens in source code or configuration files. Use secure vaults or environment variables.
- Implement automatic refresh — your integration client should detect 401 responses and automatically request a new token using the refresh token.
- Monitor token failures — repeated auth failures appear in the Integration Monitor and may indicate a revoked client, expired refresh token, or security incident.
- Rotate Client Secrets periodically — raise a support ticket in KEBS to rotate credentials. Plan a 48-hour window for the changeover.
- Use separate clients per integration — each external system should have its own Client ID/Secret pair for auditability and independent revocation.
SSO & User Authentication
For end-user access (as opposed to system-to-system API calls), KEBS uses Single Sign-On (SSO) in production environments. SSO leverages the employee’s email address as the unique identifier and integrates with identity providers such as Azure AD.
Master Data & Change Management
Avoid integration failures caused by mismatched configuration by following the proper change management process for master data and API field updates.
Master data (dropdown values, entity names, departments, regions, etc.) and API field configurations must be kept in sync between KEBS and the external system. Since these are maintained manually in both systems, a structured change management process is essential.
Change Management Rules
| Scenario | Process |
|---|---|
| New master data value | Raise a support ticket in KEBS. The value will be added and synced within 48 hours of ticket creation. |
| Change to existing master data | Raise a support ticket in KEBS. Updated values will reflect within 48 hours. |
| API field config change | Raise a support ticket in KEBS at least 48 hours before the change takes effect in the external system. |
| Unknown value in payload | If a dropdown or config value not present in KEBS is sent, the API returns an error response for that record. |
