Skip to main content
KŌJŌ Stack logo
KŌJŌ Stack
For Developers & Integrators

Developer Documentation

How to deploy, configure, and build against the KŌJŌ Stack edge runtime-from first boot to custom protocol modules and AI agent integration.

Quickstart

From zero to a running edge runtime

KŌJŌ Stack deploys as a single edge runtime process-ingestion, pipelines, and egress in one supervised binary, no separate services to orchestrate. Every deployment starts on a secure-by-default profile: authentication required and least-privilege access enforced from first boot.

Container Deployment

Run the edge runtime as a container image for edge nodes, staging environments, and CI-driven test rigs.

Native Installer

A host installer provisions the runtime as a system service on bare-metal or VM targets-suited to industrial hardware with no container runtime.

Secure by Default

Every install seeds an admin account and enforces authentication out of the box. Production deployments run the hardened security profile.

Same runtime, every environment: the container image and the host installer both run the identical edge runtime binary-what you validate in a container on your laptop is what ships to the plant floor.

API Overview

Every capability is API-accessible

120+ REST endpoints, an OpenAPI 3.0 specification, and an interactive Swagger UI ship with every deployment. Sources, pipelines, destinations, modules, workloads, secrets, and certificates are all configurable and observable through the same API surface the UI uses-built for automation, CI/CD, and infrastructure-as-code workflows.

120+ REST Endpoints

Full control-plane coverage-configuration, lifecycle management, and telemetry-available on your own deployment.

OpenAPI 3.0 Spec

A machine-readable spec generated from your running instance-import it into any API client or codegen toolchain.

Interactive Swagger UI

Browse and exercise the live API directly from your deployment-no separate hosted docs portal required.

Available on your deployment: the API reference, spec, and Swagger UI are served by your own edge runtime instance-not a public hosted site. Request access to walk through the API against a live or trial deployment.

Authentication & Access

JWT bearer tokens, default-deny by role

Programmatic API access uses JWT bearer tokens, and every route is governed by a three-role permission model. Access is default-deny-it must be explicitly granted by role, not assumed.

Admin

Full read/write access-configuration, secrets, certificates, user management, and system lifecycle.

Operator

Operational read/write-manage pipelines, modules, and workloads without access to secrets or user administration.

Viewer

Read-only visibility into configuration, telemetry, and system health-no mutation rights anywhere in the API.

SDK & Modules

Build your own protocol modules

Protocol drivers run as external, isolated processes talking to the core runtime over a typed interface. The module SDK lets you extend the data plane to any system without modifying core code-and without a module crash ever taking down the runtime.

Typed Module Interfaces

Implement the ingress or egress module interface-read/subscribe for sources, write/flush for destinations-and the runtime handles the rest.

Process Isolation

Every module runs as a separate process with its own resource limits and connection pooling-fault isolation by construction, not convention.

Hot Reload

Update or restart a module in place without disrupting other pipelines or the core runtime.

MCP Tools

Machine interfaces built for AI agents

An MCP-style tool surface exposes live and historical data, system state, and diagnostics to AI agents through policy-scoped, auditable interfaces-not unrestricted API access. Agents observe and act only within the scope they are explicitly granted.

Read-Only by Default

Agents query telemetry, UNS context, and system health without write access unless a scope explicitly grants it.

Policy-Scoped Access

Namespace- and capability-level policies define exactly what each agent can observe, query, or request.

Auditable by Design

Every agent interaction is logged against the same audit trail as human operators-no separate, opaque agent access path.

Configuration

Sources, pipelines, destinations

Every deployment is defined by the same three primitives: sources acquire data, pipelines transform and route it, destinations deliver it. Credentials in any config are never inline-they are @secret references, resolved at runtime and never written to disk or logs in plaintext.

Sources, Pipelines, Destinations

A consistent configuration model across every protocol adapter and destination-defined once, addressable through the same API and UI.

Secret References at Runtime

Reference credentials and certificates by name in configuration; the runtime resolves the actual value only when a module needs it.

See the API on a live deployment

The full API reference, OpenAPI spec, and Swagger UI ship with your KŌJŌ Stack deployment. Talk to us to request access and walk through it against a real or trial instance.