What is SIMOSphere AI?

SIMOSphere AI is a European AI orchestration platform that connects CRM, ERP, and documents with large language models. It is GDPR-compliant, EU-AI-Act-ready, and Made in Germany.

Is SIMOSphere AI GDPR-compliant?

Yes. All data is stored in Germany (Hetzner), PII is automatically redacted before external model calls, and per-tenant encryption keys ensure data isolation. SIMOSphere AI is compliant with GDPR Art. 5, 6, 13, 17, 25, 28, 30, 32, and 35.

Which AI models does SIMOSphere AI support?

SIMOSphere AI supports Mistral (EU-hosted), OpenAI (GPT-4o, GPT-4o-mini), Anthropic (Claude), and self-hosted models. The platform routes requests to the optimal model for each task through a single, OpenAI-compatible API.

Can SIMOSphere AI be deployed on-premise?

Yes. The Enterprise plan includes an on-premise deployment option with dedicated tenant isolation, custom SSO integration (SAML, OIDC), and a 99.9% uptime SLA.

Is there a free trial?

Yes. All plans include a 14-day free trial with no credit card required. Register at onboarding.simosphereai.com to get started.

What is the Model Context Protocol (MCP) server?

The MCP server connects SIMOSphere AI to your existing business systems. It provides four built-in tools: search_documents (SharePoint, DMS), query_database (D365, CRM), create_record, and send_notification (email, Teams, Slack). Available from the Professional plan.

Security

Authentication

The SIMOSphere AI platform supports multiple authentication methods designed for different integration scenarios — from simple API key authentication to OAuth 2.0 flows for multi-tenant applications.

API Key Authentication

API keys are the primary authentication method for server-to-server communication. Every request to the SIMOSphere AI API must include a valid API key in the Authorization header using the Bearer token scheme.

Authorization: Bearer sk_live_your_api_key_here

Key Formats

SIMOSphere AI uses prefixed keys to distinguish between environments:

Prefix	Environment	Description
`sk_live_`	Production	Full access to production models and endpoints. Usage is billed.
`sk_test_`	Sandbox	For development and testing. Rate-limited, not billed.

Key Management

API keys are managed through the dashboard at app.simosphereai.com. Each key can be individually named, scoped to specific permissions, and revoked instantly. The platform supports creating multiple keys per account, allowing you to use separate keys for different services, environments, or team members. Key rotation is recommended every 90 days for production deployments.

Permission Scopes

API keys can be restricted to specific permission scopes. This follows the principle of least privilege — grant only the permissions that a particular integration needs. Available scopes include:

chat:completions

Create chat completions. This is the most commonly used scope for applications that only need to generate text responses.

models:read

List available models and their metadata. Useful for applications that need to present model selection to users.

usage:read

Query token usage and billing statistics. Required for monitoring dashboards and cost tracking integrations.

keys:manage

Create, list, and revoke API keys programmatically. This scope should be restricted to administrative integrations only.

OAuth 2.0 Discovery

For applications that require user-delegated access, SIMOSphere AI provides an OAuth 2.0 discovery endpoint. This is particularly useful for third-party integrations, marketplace applications, and multi-tenant platforms where you need users to explicitly grant access to their SIMOSphere AI resources.

GET https://api.simosphereai.com/.well-known/oauth-authorization-server

{
  "issuer": "https://api.simosphereai.com",
  "authorization_endpoint": "https://api.simosphereai.com/oauth/authorize",
  "token_endpoint": "https://api.simosphereai.com/oauth/token",
  "scopes_supported": [
    "chat:completions",
    "models:read",
    "usage:read"
  ],
  "response_types_supported": ["code"],
  "grant_types_supported": ["authorization_code", "client_credentials"]
}

The OAuth flow uses PKCE (Proof Key for Code Exchange) by default for enhanced security. Access tokens are JWTs with a configurable expiration and can be refreshed using the standard refresh token grant.

Agent Authentication

AI agents connecting through the MCP protocol or the Agent API use a dedicated authentication flow. Each agent receives an agent_token that is scoped to the specific tools and resources the agent is permitted to access. Agent tokens are short-lived (default: 1 hour) and automatically refreshed by the MCP server runtime.

# Agent authentication via MCP is handled automatically.
# For direct API access, use the agent token:

curl https://api.simosphereai.com/v1/chat/completions \
  -H "Authorization: Bearer agent_tok_abc123..." \
  -H "X-Agent-ID: my-analysis-agent" \
  -H "Content-Type: application/json" \
  -d '{"model":"mistral-small-latest","messages":[...]}'

Agent tokens inherit the permissions of the parent API key that created them, but can be further restricted. This ensures that an agent can never exceed the permissions of its creator, maintaining a clear security boundary within multi-agent architectures.

Security Best Practices

Use Environment Variables

Never hardcode API keys in source code. Store them in environment variables or a dedicated secrets manager such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. If your codebase is open-source, ensure .env files are listed in .gitignore.

Rotate Keys Regularly

Establish a key rotation schedule of at most 90 days for production keys. The dashboard supports creating a new key before revoking the old one, allowing for zero-downtime rotation. Automate this process using the keys:manage API scope.

Apply Least Privilege

Create separate API keys for each service or integration, each with the minimum required scopes. A frontend application should never have the keys:manage scope, and a monitoring service does not need chat:completions.

Monitor Key Usage

The dashboard provides real-time usage metrics per API key. Set up webhook notifications for unusual usage patterns, such as spikes in request volume or requests from unexpected IP ranges. Enable audit logging for all key management operations.

Back to Documentation