Skip to main content

Enterprise Onboarding Guide

This guide is for Enterprise teams adopting WordLift as part of their semantic SEO, content, data, or AI infrastructure.

It is written for the people who need to make onboarding work in practice: SEO leads, platform engineers, data teams, AI teams, security owners, and executive sponsors. The goal is not only to log in or configure a graph. The goal is to reach a point where the customer team can safely operate a Knowledge Graph, populate it with trusted data, connect it to workflows, and expand it without creating governance or security debt.

Onboarding outcomes

A successful Enterprise onboarding gives the customer clear answers to these questions:

  • Who owns WordLift access, credential storage, and recovery?
  • Which Knowledge Graphs belong to the subscription, and which environments do they represent?
  • Which domain and dataset URI strategy will be used?
  • Which team owns each authentication path, including Dashboard access, SAML SSO, Graph Key or WordLift Key access, OAuth2 Bearer tokens, and third-party authorization?
  • Which ingestion path will be validated first?
  • What is the first production-ready milestone, and who approves it?

Phased journey

PhaseGoalCustomer output
AlignmentConfirm business use case, owners, graph topology, and environment strategy.Named owners, first use case, and topology decision.
Access validationConfirm Dashboard access, enterprise SSO requirements, key ownership, and third-party authorization owners.Access map and recovery path.
Graph populationChoose one primary ingestion path and validate it with a controlled dataset.First ingestion workflow and validation loop.
OperationsDefine governance, monitoring, change management, escalation, and expansion rules.Production-ready operating model.

Enterprise onboarding should be treated as a phased journey rather than a feature checklist. Start narrow, validate quickly, and expand incrementally.

Enterprise readiness checklist

AreaDecisionTypical ownerOutput
Business use caseWhat outcome should the first graph support?Executive sponsor, SEO lead, product ownerOne-sentence success case
Subscription ownershipWho owns the Enterprise relationship and escalation path?Account owner, procurement, sponsorNamed business owner
Access ownershipWho can access WordLift and recover access?Customer admin, identity ownerAdmin and backup admin list
Graph topologyHow many graphs are needed for production, staging, brands, countries, or business units?SEO lead, data owner, platform ownerTopology worksheet
Dataset URI strategyWill the graph use a WordLift domain or customer-controlled domain?Platform owner, DNS owner, SEO leadDomain decision and DNS owner
Ingestion pathWhich workflow is validated first?Data owner, engineering lead, SEO leadFirst ingestion path decision
Validation loopHow is graph quality checked before production use?SEO lead, data owner, application ownerAcceptance criteria

Graph topology worksheet

Use the smallest graph topology that supports the first use case. Expanding from a clean single-graph or production-staging model is easier than cleaning up fragmented graph architecture later.

QuestionWhy it mattersDecision
Which graph is production?Prevents accidental testing on live data.Record the production graph and owner.
Is there a staging or sandbox graph?Supports safer validation and experimentation.Record the non-production graph and test policy.
Are graphs mapped to brands, countries, regions, or business units?Defines naming, governance, and reporting rules.Record each mapping and accountable owner.
Which dataset URI strategy is used?Affects linked data, integrations, structured data, and long-term namespace ownership.Choose WordLift-hosted or customer-controlled domain.
Who owns DNS and domain changes?Custom domains require customer-side ownership and coordination.Record DNS owner and approval path.

For Knowledge Graph concepts and population options, see Knowledge Graph.

Access and credential ownership

Treat access as operational infrastructure, not as a personal account owned by one individual.

Access typePurposeTypical ownerWhere it is usedSecret or source handlingLifecycle or approval questionCanonical route
Dashboard accessHuman access to subscription and graph configuration.Customer admin, SEO lead, account ownerWordLift Dashboard at https://my.wordlift.ioManaged through customer-approved admin process.Who is primary admin, backup admin, and recovery contact?Contact the WordLift account team if access is missing.
SAML SSOEnterprise identity and centralized access governance.Identity owner, security ownerEnterprise login flowManaged by the customer's identity provider.Is SSO required, and who owns IdP configuration and access review?SAML Single Sign-On
Graph Key / WordLift KeyProgrammatic access to graph-backed APIs and automation.Platform, data, or engineering ownerAPI, GraphQL, SDK, MCP, automation, and selected toolsStore only in a customer-approved secret manager. Use Authorization: Key ... where product docs require Key authentication.Who can retrieve, rotate, revoke, and audit key use?GraphQL support and Monitoring API Guide
OAuth2 Bearer tokensDelegated access for product-specific APIs and workflows.Identity owner, application owner, system ownerProduct-specific APIs that require Bearer tokensUse the identity and security pattern approved by your organization.Which application owner approves the flow, scopes, token storage, and revocation path?Follow the relevant product documentation after your identity and security owners approve the pattern.
Third-party service authorizationAuthorization to external services such as Google Search Console.Service owner, analytics owner, security ownerAnalytics, search, or connector workflowsAuthorized by the external service owner through the current product or support path.Who owns the third-party account, scopes, consent, and revocation?See Analytics API for product-specific implementation details.

Security operating rules

Use these rules before any production integration:

  • Store Graph Keys, WordLift Keys, tokens, and third-party credentials in a customer-approved secret manager.
  • Do not expose keys in client-side code.
  • Do not store keys in documentation, tickets, chat threads, shared spreadsheets, or repositories.
  • Separate staging and production credentials when environments are separate.
  • Name the owner who can rotate, revoke, and audit each credential.
  • Define a periodic access review before production use.
  • Define a break-glass or admin recovery path for Dashboard and SSO access.
  • Confirm the identity provider owner, MFA expectations, and role or group mapping when SAML SSO is required.
  • Confirm third-party service authorization with the actual service owner before connecting analytics or search data.

First ingestion path

Choose one primary ingestion path for the first phase. Multiple paths can coexist later, but onboarding should prove one path first.

Customer situationBetter starting pointValidation outputCanonical route
Existing CMS or publishing workflowGraph Sync or product-supported integrationControlled content or entity sync into the graphProduct or support path
Strong internal engineering teamAPI or GraphQL-backed workflowOne query or integration that downstream systems can consumeGraphQL support
Data science or batch enrichment workflowSDK or scripted workflowRepeatable import and validation processProduct or support path
Agentic or AI-native architectureMCP or worai-assisted workflowControlled graph operation through approved toolingworai install and worai configuration
Analytics or search performance workflowProduct-specific analytics workflowAuthorized source connection and validation runAnalytics API implementation details
Monitoring or quality checksMonitoring workflowRepeatable quality signal for selected URLs or graph outputsMonitoring API Guide

Avoid starting with API, SDK, MCP, worai, analytics, and Graph Sync all at once unless there is a clear architectural reason.

Production-ready milestone

The first meaningful milestone is not only the creation of a graph. A graph can exist before it is useful.

A production-ready milestone proves that:

  • trusted data enters the graph through one approved workflow;
  • the customer validates graph quality with an agreed method;
  • at least one downstream system, report, content workflow, or AI workflow can consume the result;
  • owners are clear for access, credentials, data quality, and escalation;
  • staging and production behavior are separated where needed;
  • the next expansion step is understood and intentionally scoped.

Example milestone:

The staging graph receives product data from the source system, exposes validated entities through the dataset URI, and supports one downstream GraphQL query used by the application team.

Suggested first-week plan

TimeframeOwnerActivityOutputDone when
Day 1Account owner, customer adminConfirm Dashboard access, subscription owner, primary admin, backup admin, and escalation path.Access ownership recordAdmin and recovery path are documented.
Day 2SEO lead, platform owner, data ownerConfirm graph topology, environments, and dataset URI strategy.Topology worksheetProduction and non-production graph decisions are recorded.
Day 3Security owner, identity owner, platform ownerValidate credential ownership, SAML needs, key storage, OAuth ownership, and third-party authorization owners.Credential ownership matrixEvery access path has an owner and lifecycle question answered.
Day 4Engineering lead, data owner, SEO leadSelect the first ingestion path and smallest test dataset.First ingestion decisionOne path is selected and unnecessary parallel paths are deferred.
Day 5Business owner, data owner, application ownerDefine first validation loop and production-ready milestone.Acceptance criteriaOwners agree what production-ready means for the first use case.

Canonical resources