Concepts
SymbioticIQ is designed to be embedded as a reliable workflow execution layer. Host products keep their own user experience, customer data, and domain authorization, while SymbioticIQ owns runtime configuration, agent execution, tool orchestration, audit, and usage attribution.
Core Objects
- Partner organization: the machine-to-machine administration boundary for a partner integration. Partner credentials can inspect linked Billing Accounts, linked Workspaces, OIDC issuer setup, and subject-based workspace membership.
- Billing Account: the payment and spend-limit holder. Workspaces must be linked to an active Billing Account before production usage. Spend is reported in minor currency units and can be filtered by workspace and usage type.
- Workspace: the runtime, policy, identity, memory, MCP, and cost attribution container for one customer, tenant, or operating context. Workspace creation requires billingAccountId.
- Agent: the configured assistant used by chat or workflow execution.
- MCP server: a workspace-scoped tool integration that exposes external capabilities to agents through configured endpoint, auth binding, protocol, session scope, and operation class.
- Policy: a workspace/agent rule set that restricts external access, tool usage, and execution behavior.
- Secret: a workspace-scoped credential value addressed by a stable secretRef and revisioned for rotation.
Responsibility Boundary
Host product owns:
- End-user authentication before presenting embedded UI.
- Customer or tenant records, payments, content, and operational resources.
- Domain authorization inside its own APIs and MCP servers.
- The embedded chat UI and customer-facing workflow.
SymbioticIQ owns:
- Workspace, agent, policy, MCP, memory, and runtime configuration.
- OIDC workspace membership checks for SymbioticIQ API calls.
- Chat streaming, tool orchestration, audit, and usage attribution.
- Billing Account spend visibility and quota enforcement signals.
Readiness Model
A headless workspace is production-ready only when these boundaries line up:
- The Billing Account is active and still has money spend limit remaining.
- The Workspace is linked to that Billing Account and is not quota locked.
- The Workspace trusts the intended OIDC issuer when browser clients call SymbioticIQ directly.
- The intended OIDC subjects are active workspace members.
- Required secrets, MCP servers, agents, and policies are configured.
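The checklist above can be run as a fail-closed preflight gate on the host side before the embedded UI is enabled for a tenant. The following is an added example, not SymbioticIQ code: the snapshot classes, their field names, and the sample values are assumptions made for illustration and do not reflect the SymbioticIQ API.

```python
from dataclasses import dataclass

# Hypothetical snapshot shapes; field names are assumptions, not SymbioticIQ API fields.
@dataclass
class BillingAccount:
    id: str
    active: bool
    remaining_minor_units: int  # spend is reported in minor currency units

@dataclass
class Workspace:
    id: str
    billing_account_id: str
    quota_locked: bool
    trusted_issuers: set
    active_member_subjects: set
    configured: dict  # keys: secrets, mcp_servers, agents, policies

def readiness_gaps(ba, ws, *, issuer, subjects, browser_direct=True):
    """Return every unmet readiness condition; an empty list means ready."""
    gaps = []
    if not ba.active:
        gaps.append("billing account inactive")
    if ba.remaining_minor_units <= 0:
        gaps.append("no spend limit remaining")
    if ws.billing_account_id != ba.id:
        gaps.append("workspace not linked to this billing account")
    if ws.quota_locked:
        gaps.append("workspace quota locked")
    # Issuer trust only matters when browser clients call SymbioticIQ directly.
    if browser_direct and issuer not in ws.trusted_issuers:
        gaps.append("OIDC issuer not trusted by workspace")
    missing = sorted(set(subjects) - ws.active_member_subjects)
    if missing:
        gaps.append("subjects not active members: " + ", ".join(missing))
    # A missing key counts as not configured, so the gate fails closed.
    for kind in ("secrets", "mcp_servers", "agents", "policies"):
        if not ws.configured.get(kind, False):
            gaps.append(kind + " not configured")
    return gaps

# Constructed sample state for illustration.
BA = BillingAccount("ba_demo", True, 12500)
WS = Workspace("ws_demo", "ba_demo", False, {"https://idp.example.test"},
               {"user-1"}, {"secrets": True, "mcp_servers": True, "agents": True})

if __name__ == "__main__":
    print(readiness_gaps(BA, WS, issuer="https://idp.example.test", subjects=["user-1"]))
```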
Stored Identifiers
For each embedded customer or tenant, store:
- billing_account_id: commercial and spend-limit boundary.
- workspace_id: SymbioticIQ runtime boundary.
- agent_id: assistant configuration used by the embedded UI.
- Host-product customer or tenant reference for reconciliation.
The host-product tenant ID is not a replacement for workspace isolation. The workspace remains the SymbioticIQ runtime boundary.