Core Concepts
Understanding these fundamental concepts will help you effectively integrate with AS2aaS and build robust AS2 messaging solutions.
Table of Contents
AS2 Protocol Overview
What is AS2?
AS2 (Applicability Statement 2) is a specification for the secure and reliable transport of business data over the internet. It's widely used in industries like healthcare, retail, and manufacturing for exchanging EDI documents and other business-critical information.
Key AS2 Features
| Feature | Purpose | Implementation |
|---|
| Message Encryption | Protect sensitive business data | Uses partner's public key to encrypt payloads |
| Digital Signatures | Ensure message authenticity and integrity | Uses sender's private key to sign messages |
| Message Compression | Reduce transmission time and bandwidth | ZLIB compression before encryption |
| Delivery Confirmation | Verify successful message delivery | MDN (Message Disposition Notification) responses |
| Non-repudiation | Legal proof of message exchange | Cryptographic signatures and audit trails |
AS2 Message Flow
Account-Based Architecture
Hierarchical Structure
AS2aaS uses an account-based architecture that provides operational efficiency and centralized management:
Account (Billing Entity)
├── Master Partners (Shared Resources)
│ ├── McKesson Corporation
│ ├── Cardinal Health
│ └── AmerisourceBergen
├── Master Certificates (Shared Security)
│ ├── Account Identity Certificate
│ └── Master Partner Certificates
├── Tenants (Operational Units)
│ ├── East Coast Division
│ │ ├── Inherited Master Partners
│ │ ├── Tenant-Specific Partners
│ │ └── Configuration Overrides
│ ├── West Coast Division
│ └── Manufacturing Division
└── Users (Access Control)
├── Account Owners
├── Tenant Administrators
└── Tenant Members
Key Benefits
| Benefit | Description | Impact |
|---|
| Operational Efficiency | Single partner configuration shared across tenants | 80% reduction in partner management overhead |
| Cost Savings | Shared certificates and consolidated billing | Significant cost reduction for multi-tenant organizations |
| Centralized Control | Account-level policies and governance | Consistent security and compliance across all tenants |
| Scalability | Easy addition of new tenants with instant partner access | Rapid expansion capabilities |
Account vs Tenant Operations
| Operation | Account Level | Tenant Level |
|---|
| Billing | Consolidated invoicing | Usage attribution |
| Partners | Master partner creation | Partner inheritance and overrides |
| Certificates | Shared certificate management | Tenant-specific certificates |
| API Keys | Account-wide access | Tenant-scoped access |
| Users | Account user management | Tenant role assignments |
Trading Partners
Partner Types
AS2aaS supports two types of trading partners that work together in the account-based architecture:
Master Partners (Account-Level)
Shared trading partners managed at the account level:
- Scope: Available to all tenants in the account
- Management: Created via
/v1/accounts/{account}/partners - Use Case: Common industry partners (McKesson, Cardinal Health, etc.)
- Benefits: Single configuration, shared certificates, reduced operational overhead
Tenant Partners
Tenant-specific trading partners:
- Scope: Limited to individual tenant
- Management: Created via
/v1/partners - Use Case: Tenant-specific suppliers, regional partners, testing partners
- Benefits: Tenant isolation, specialized configurations
Partner Resolution and Inheritance
When tenants access partners, they receive both types:
graph TD
A[Tenant Request] --> B{Partner Resolution}
B --> C[Tenant-Specific Partners]
B --> D[Inherited Master Partners]
C --> E[Combined Partner List]
D --> E
E --> F[Partner with Override Capability]
Partner Configuration Elements
| Element | Description | Master Partners | Tenant Partners |
|---|
| Name | Human-readable identifier | "McKesson Corporation" | "Regional Supplier" |
| AS2 ID | Unique AS2 protocol identifier | "MCKESSON" | "REGIONAL-001" |
| Endpoint URL | Partner's AS2 receiving endpoint | Shared across tenants | Tenant-specific |
| Security Settings | Encryption, signing, compression | Centrally managed | Tenant controlled |
| Algorithms | Cryptographic preferences | Account standard | Tenant customizable |
| MDN Mode | Delivery confirmation method | Consistent policy | Tenant preference |
| Certificates | X.509 certificates | Shared certificates | Tenant certificates |
Configuration Override Capability
Tenants can override master partner settings when needed:
| Override Type | Use Case | Example |
|---|
| Endpoint URL | Tenant-specific endpoint | Different EDI gateway |
| Security Settings | Custom security requirements | Different encryption level |
| MDN Mode | Operational preferences | Sync vs async MDN |
| Custom Headers | Integration requirements | Tenant-specific routing |
Partner Relationship Types
| Relationship | Master Partner Usage | Tenant Partner Usage |
|---|
| Major Suppliers | McKesson, Cardinal Health as master partners | Regional suppliers as tenant partners |
| Industry Standards | Standard EDI partners shared across tenants | Custom integration partners per tenant |
| Corporate Partners | Parent company relationships | Division-specific relationships |
Messages and Payloads
Message Structure
AS2 messages consist of multiple layers:
Message Components
| Component | Purpose | Contents |
|---|
| Business Payload | The actual business document | EDI transaction, XML document, JSON data |
| AS2 Headers | Protocol-level metadata | AS2-From, AS2-To, Message-ID |
| Security Envelope | Cryptographic protection | Encryption and signature wrappers |
| Transport Headers | HTTP-level information | Content-Type, Content-Length |
Content Types
| Category | MIME Types | Use Cases |
|---|
| EDI Documents | application/edi-x12, application/edifact | Purchase orders, invoices, shipping notices |
| XML Documents | application/xml | Custom business documents, SOAP messages |
| Structured Data | application/json | Modern API-style data exchange |
| Text Files | text/plain, text/csv | Simple data files, reports |
| Binary Files | application/pdf, application/zip | Documents, compressed archives |
Message Lifecycle
| Status | Description | Duration | Next Steps |
|---|
queued | Message accepted for processing | Seconds | System prepares message |
processing | Message being prepared and secured | Seconds to minutes | Transmission to partner |
sent | Successfully transmitted to partner | Immediate | Await delivery confirmation |
delivered | Delivery confirmed via MDN | Minutes to hours | Process complete |
failed | Transmission or processing failed | Immediate | Review error and retry |
X.509 Certificates
Certificate Architecture
AS2aaS implements a hierarchical certificate management system aligned with the account-based architecture:
Master Certificates (Account-Level)
- Scope: Shared across all tenants in the account
- Management: Via
/v1/accounts/{account}/certificates - Benefits: Single certificate renewal, consistent security policies
- Use Case: Account identity certificates, master partner certificates
Tenant Certificates
- Scope: Limited to specific tenant
- Management: Via
/v1/certificates - Benefits: Tenant-specific security requirements
- Use Case: Tenant identity certificates, tenant-specific partner certificates
Certificate Types and Scoping
| Type | Account-Level | Tenant-Level | Purpose |
|---|
| Identity Certificate | Master identity for all tenants | Tenant-specific identity | Organization's signing/decryption certificate |
| Partner Certificate | Master partner certificates | Tenant partner certificates | Trading partner's public certificates |
Certificate Resolution Priority
When processing AS2 messages, certificates are resolved in this order:
- Tenant-specific certificate (highest priority)
- Account master certificate (inherited)
- System default certificate (fallback)
Certificate Usage by Scope
| Operation | Master Certificate Usage | Tenant Certificate Usage |
|---|
| Sign outbound messages | Account identity shared by all tenants | Tenant-specific signing identity |
| Decrypt inbound messages | Account identity for all tenants | Tenant-specific decryption |
| Encrypt outbound messages | Master partner certificates | Tenant partner certificates |
| Verify inbound signatures | Master partner certificates | Tenant partner certificates |
Certificate Inheritance Benefits
| Benefit | Description | Impact |
|---|
| Cost Efficiency | Single certificate purchase for multiple tenants | 70-80% cost reduction |
| Operational Simplicity | One renewal process instead of per-tenant | Reduced administrative overhead |
| Consistency | Uniform security policies across tenants | Better compliance management |
| Scalability | New tenants instantly inherit certificates | Rapid tenant onboarding |
Certificate Lifecycle
Message Disposition Notifications (MDN)
MDN Purpose
MDNs provide cryptographic proof that a message was successfully received and processed by the intended recipient. They serve both technical and legal purposes in business communications.
MDN Modes
| Mode | Timing | Use Case | Implementation |
|---|
| Synchronous | Immediate response | Real-time confirmation needed | MDN returned in HTTP response |
| Asynchronous | Delayed response | Standard business messaging | MDN sent as separate message |
| None | No confirmation | Fire-and-forget messaging | No delivery confirmation |
MDN Content
| Field | Description | Example |
|---|
| Disposition | Processing result | "automatic-action/MDN-sent-automatically; processed" |
| Received Content MIC | Message integrity check | Cryptographic hash of received content |
| Reporting UA | Receiving system identifier | "Partner AS2 System/2.1" |
| Original Message ID | Reference to original message | Links MDN to original message |
API Keys and Authentication
Authentication Model
AS2aaS uses API key-based authentication with Bearer token format. API keys can be scoped to either account-level or tenant-level access, supporting the account-based architecture.
Key Types and Scoping
| Key Type | Scope | Access Level | Use Case |
|---|
| Account Keys | Account-wide | All tenants within account | Enterprise management, multi-tenant operations |
| Tenant Keys | Single tenant | Specific tenant only | Application integrations, tenant-specific workflows |
Account-Scoped Keys (pk_live_..., pk_test_...)
- Access: All tenants within the account
- Master Partners: Can manage account-level master partners
- Billing: Account-level usage tracking
- Use Case: Administrative operations, cross-tenant management
Tenant-Scoped Keys (tk_live_..., tk_test_...)
- Access: Single tenant only
- Master Partners: Can view inherited master partners (read-only)
- Billing: Tenant-level usage attribution
- Use Case: Application integrations, tenant-isolated operations
Key Environments
| Environment | Key Prefix | Behavior | Billing |
|---|
| Test | pk_test_, tk_test_ | Messages simulated, no real transmission | No charges |
| Live | pk_live_, tk_live_ | Real AS2 messages sent to partners | Billable usage |
Permission Scopes
Account-Level Scopes
| Scope | Access Level | Operations |
|---|
* | Full account access | All operations across all tenants |
accounts:read | Account information | View account details and settings |
accounts:write | Account management | Modify account settings |
tenants:read | Tenant information | View tenant details |
tenants:write | Tenant management | Create and modify tenants |
users:read | User information | View account users |
users:write | User management | Manage account users |
Tenant-Level Scopes
| Scope | Access Level | Operations |
|---|
* | Full tenant access | All operations within tenant |
messages:read | Read-only messages | View message status and history |
messages:write | Message operations | Send messages, modify message data |
partners:read | Read-only partners | View partner configurations |
partners:write | Partner management | Create and modify tenant partners |
certificates:read | Read-only certificates | View certificate information |
certificates:write | Certificate management | Upload and manage certificates |
Webhooks and Events
Event-Driven Architecture
AS2aaS uses webhooks to provide real-time notifications about message status changes, partner events, and system events. This eliminates the need for constant API polling.
Event Categories
| Category | Events | Purpose |
|---|
| Message Events | message.queued, message.sent, message.delivered, message.failed, message.received | Track message lifecycle |
| Partner Events | partner.created, partner.updated, partner.deleted | Monitor partner changes |
| Certificate Events | certificate.uploaded, certificate.expiring, certificate.expired | Certificate lifecycle management |
| Account Events | account.created, account.updated | Account-level changes |
| Tenant Events | tenant.created, tenant.updated | Tenant management |
| Billing Events | billing.usage_threshold, billing.limit_exceeded | Usage monitoring |
Webhook Security
| Security Feature | Implementation | Purpose |
|---|
| HMAC Signatures | SHA-256 with secret key | Verify webhook authenticity |
| HTTPS Only | TLS encryption required | Secure transmission |
| Retry Logic | Exponential backoff | Reliable delivery |
| Timeout Handling | 30-second limit | Prevent hanging requests |
Multi-tenant Architecture
Account-Tenant Relationship
AS2aaS implements a hierarchical multi-tenant architecture where tenants exist within accounts:
Account (acme-corp)
├── Tenant: East Coast Division (tnt_east)
├── Tenant: West Coast Division (tnt_west)
├── Tenant: Manufacturing Division (tnt_mfg)
└── Tenant: European Operations (tnt_eu)
Tenant Concept
A tenant represents an operational unit or business division within an account. Tenants provide operational isolation while benefiting from shared account-level resources.
Resource Sharing and Isolation
| Resource | Account-Level | Tenant-Level | Sharing Model |
|---|
| Messages | Usage aggregation | Complete isolation | No sharing |
| Partners | Master partners (shared) | Tenant partners (isolated) | Inheritance with overrides |
| Certificates | Master certificates (shared) | Tenant certificates (isolated) | Inheritance with overrides |
| API Keys | Account-scoped | Tenant-scoped | Hierarchical access |
| Webhooks | Account events | Tenant events | Scoped notifications |
| Billing | Consolidated invoicing | Usage attribution | Account-level billing |
Tenant Benefits from Account Architecture
| Benefit | Description | Impact |
|---|
| Instant Partner Access | New tenants inherit all master partners | Immediate operational capability |
| Shared Certificate Costs | Master certificates used by all tenants | Reduced certificate expenses |
| Consistent Security | Account-level security policies | Uniform compliance |
| Simplified Onboarding | Pre-configured master resources | Rapid tenant deployment |
Tenant Context and Switching
Using Account-Scoped Keys
GET /v1/partners HTTP/1.1
Authorization: Bearer pk_live_account_key
X-Tenant-ID: tnt_000002
Using Tenant-Scoped Keys
GET /v1/partners HTTP/1.1
Authorization: Bearer tk_live_tenant_key
# Automatically scoped to tenant
Tenant Management Operations
| Operation | Endpoint | Scope | Purpose |
|---|
| List Tenants | GET /v1/tenants | Account | View all account tenants |
| Create Tenant | POST /v1/tenants | Account | Add new operational unit |
| Switch Context | POST /v1/tenants/{id}/switch | Account | Change active tenant |
| Inherit Master Partner | POST /v1/tenants/{id}/partners/inherit | Account | Add master partner to tenant |
Data Flow Concepts
Outbound Message Flow
Inbound Message Flow
Security Concepts
Defense in Depth
AS2aaS implements multiple security layers:
| Layer | Protection | Implementation |
|---|
| Transport Security | Encryption in transit | TLS 1.3 for all communications |
| Application Security | Authentication and authorization | API key-based access control |
| Message Security | AS2 protocol security | Encryption, signing, compression |
| Data Security | Encryption at rest | AES-256 for stored data |
| Network Security | Infrastructure protection | DDoS protection, firewall rules |
Certificate Management
| Aspect | Consideration | Best Practice |
|---|
| Key Size | Cryptographic strength | 2048-bit minimum, 4096-bit recommended |
| Algorithm Selection | Security vs compatibility | SHA256withRSA for signing, AES256-CBC for encryption |
| Certificate Rotation | Regular renewal | Annual rotation recommended |
| Key Storage | Secure key management | Hardware security modules for high-security environments |
Integration Patterns
Common Integration Approaches
| Pattern | Description | Use Case |
|---|
| Direct Integration | API calls from your application | Real-time message sending |
| Batch Processing | Scheduled bulk operations | High-volume daily processing |
| Event-Driven | Webhook-triggered processing | Responsive message handling |
| Middleware Integration | Through integration platforms | Enterprise system integration |
Error Handling Strategies
| Strategy | Implementation | Benefit |
|---|
| Retry Logic | Exponential backoff for transient failures | Improved reliability |
| Circuit Breaker | Stop requests after repeated failures | System protection |
| Dead Letter Queue | Store failed messages for review | No message loss |
| Monitoring | Track error rates and patterns | Proactive issue resolution |
| Factor | Impact | Optimization |
|---|
| Message Size | Linear processing time | Enable compression for large messages |
| Encryption | Moderate overhead | Choose efficient algorithms |
| Partner Response Time | Affects delivery confirmation | Monitor partner performance |
| Network Latency | Geographic distance | Consider regional deployment |
| Aspect | Consideration | Best Practice |
|---|
| Request Rate | Plan-based limits | Implement request queuing |
| Pagination | Large result sets | Use appropriate page sizes |
| Filtering | Reduce data transfer | Apply specific filters |
| Caching | Reduce API calls | Cache stable data locally |
Compliance and Auditing
Audit Trail
AS2aaS maintains comprehensive audit logs for compliance requirements:
| Event Type | Information Logged | Retention Period |
|---|
| Message Events | Transmission details, status changes | 7 years |
| Authentication | API access, user actions | 7 years |
| Configuration Changes | Partner and certificate modifications | 7 years |
| System Events | Platform operations, maintenance | 7 years |
Compliance Features
| Requirement | AS2aaS Implementation |
|---|
| SOC 2 Type II | Independently audited security controls |
| GDPR Compliance | Data protection and privacy controls |
| HIPAA Ready | Healthcare data protection (Enterprise plans) |
| AS2 RFC 4130 | Full protocol compliance |
Business Use Cases
Healthcare and Pharmaceuticals
| Use Case | AS2 Implementation |
|---|
| DSCSA Compliance | Track and trace document exchange |
| Prescription Processing | Secure pharmacy communications |
| Clinical Data Exchange | Patient information sharing |
| Supply Chain Visibility | Pharmaceutical distribution tracking |
Retail and Supply Chain
| Use Case | AS2 Implementation |
|---|
| EDI Transactions | Purchase orders, invoices, ASNs |
| Inventory Management | Stock level synchronization |
| Drop-ship Operations | Multi-party fulfillment coordination |
| Vendor Onboarding | Automated partner setup |
Manufacturing
| Use Case | AS2 Implementation |
|---|
| Production Scheduling | Manufacturing order coordination |
| Quality Certifications | Certificate of analysis exchange |
| Supplier Integration | Supply chain coordination |
| Compliance Reporting | Regulatory document submission |
Error Handling Concepts
Error Categories
| Category | Scope | Examples |
|---|
| Authentication Errors | API access | Invalid API key, expired token |
| Validation Errors | Request format | Missing required fields, invalid data |
| Transmission Errors | AS2 protocol | Partner unreachable, certificate issues |
| Business Logic Errors | Application logic | Partner limits exceeded, invalid configurations |
Recovery Strategies
| Error Type | Recovery Approach | Implementation |
|---|
| Transient Failures | Automatic retry with backoff | Built into AS2aaS platform |
| Configuration Issues | Manual intervention required | Update partner or certificate configuration |
| Partner Problems | Coordination required | Contact partner to resolve endpoint issues |
| Capacity Limits | Plan upgrade or optimization | Monitor usage and upgrade as needed |
Monitoring and Observability
Key Metrics
| Metric | Purpose | Monitoring Method |
|---|
| Message Success Rate | Overall system health | Dashboard analytics |
| Delivery Time | Performance monitoring | Message status tracking |
| Partner Availability | Relationship health | Connection testing |
| Certificate Expiry | Security maintenance | Automated alerts |
| Usage Patterns | Capacity planning | Billing and usage reports |
Alerting Strategy
| Alert Type | Trigger | Response |
|---|
| Message Failures | High failure rate for specific partner | Investigate partner connectivity |
| Certificate Expiry | 30 days before expiration | Initiate renewal process |
| Usage Thresholds | Approaching plan limits | Consider plan upgrade |
| System Issues | Platform-wide problems | Check status page, contact support |
Development Best Practices
Environment Management
| Environment | Purpose | Configuration |
|---|
| Development | Initial integration work | Test API keys, sandbox partners |
| Testing | Integration testing | Test API keys, real partner configurations |
| Production | Live business operations | Live API keys, production certificates |
Testing Strategy
| Test Type | Scope | Tools |
|---|
| Unit Tests | Individual API calls | SDK test suites |
| Integration Tests | End-to-end message flow | AS2aaS testing tools |
| Partner Tests | Real partner connectivity | Connection testing features |
| Load Tests | High-volume scenarios | Batch processing simulation |
Code Organization
| Component | Responsibility | Implementation |
|---|
| AS2 Client | API communication | Centralized AS2aaS SDK usage |
| Message Handler | Business logic | Process incoming and outgoing messages |
| Webhook Processor | Event handling | Process real-time notifications |
| Error Handler | Exception management | Centralized error processing and recovery |
Next Steps
After understanding these core concepts, proceed to:
- Quick Start Guide - Hands-on tutorial
- Authentication - API key setup
- Messages API - Detailed API reference
- Partners API - Partner management
- Webhooks - Event notifications