Security posture
This page summarizes the current external security baseline for Narrative SDK integration.
Trust signals
Tenant isolation enforced
JWT bearer auth
Token rotation enabled
Request tracing available
Authentication baseline
JWT access and refresh tokens are used for protected API sessions.
Refresh token rotation supports revoke and revoke-all controls.
Bearer token enforcement is required on protected endpoints.
Embedded integration security
Backend-only secrets
Connected app secrets stay in tenant backend secret stores only.
Short-lived embed tokens
Embed Tokens are short-lived and should not be persisted in browser storage.
Safe token handoff
Token handoff to embedded UI avoids URL query-string exposure.
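The following is an added example, not Narrative SDK code, that shows in one place the behaviours the authentication baseline and the embedded integration items above describe: HMAC-signed access and refresh tokens, single-use refresh rotation with revoke and revoke-all, an embed token with a TTL of minutes, and a server-side handoff check that refuses an embed token carried in a URL query string. The class and function names, the TTL values, the claim names and the signing key are all assumptions made for the example.

```python
"""Added example, not Narrative SDK code: a minimal session service with
HMAC-signed access/refresh tokens, single-use refresh rotation with revoke and
revoke-all, short-lived embed tokens, and a handoff check that refuses a token
carried in a URL query string. Names, TTLs and the key are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed demo key; a real key stays in the tenant backend secret store.
SIGNING_KEY = b"demo-signing-key-not-for-production"
ACCESS_TTL_S, REFRESH_TTL_S, EMBED_TTL_S = 900, 7 * 86400, 300


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def mint(claims: dict, ttl_s: int, now: float) -> str:
    """Compact token: base64url(JSON claims) '.' base64url(HMAC-SHA256 of that payload)."""
    body = dict(claims, iat=int(now), exp=int(now) + ttl_s)
    payload = _b64(json.dumps(body, sort_keys=True).encode())
    return f"{payload}.{_sign(payload)}"


def verify(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature checks and the token is unexpired, else None."""
    payload, _, sig = token.partition(".")
    if not sig or not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > now else None


class SessionService:
    """Each login starts a token family; refresh tokens are single-use within it."""
    def __init__(self):
        self.live = {}                 # refresh jti -> (user, tenant, family)
        self.revoked_families = set()

    def _pair(self, user, tenant, family, now):
        jti = secrets.token_hex(8)
        self.live[jti] = (user, tenant, family)
        access = mint({"sub": user, "tid": tenant, "typ": "access"}, ACCESS_TTL_S, now)
        refresh = mint({"sub": user, "tid": tenant, "typ": "refresh", "fam": family, "jti": jti},
                       REFRESH_TTL_S, now)
        return access, refresh

    def login(self, user, tenant, now=None):
        return self._pair(user, tenant, secrets.token_hex(8), time.time() if now is None else now)

    def rotate(self, refresh, now=None):
        """Exchange a refresh token for a new pair; replaying a spent one kills its whole family."""
        now = time.time() if now is None else now
        c = verify(refresh, now)
        if not c or c.get("typ") != "refresh" or c["fam"] in self.revoked_families:
            return None
        if c["jti"] not in self.live:
            self.revoked_families.add(c["fam"])   # spent token reused: assume theft
            return None
        del self.live[c["jti"]]
        return self._pair(c["sub"], c["tid"], c["fam"], now)

    def revoke(self, refresh, now=None):
        """Log out one device by revoking that token's family."""
        c = verify(refresh, time.time() if now is None else now)
        if c and c.get("typ") == "refresh":
            self.revoked_families.add(c["fam"])
            self.live = {j: v for j, v in self.live.items() if v[2] != c["fam"]}

    def revoke_all(self, user, tenant):
        """Log out every device of this user within this tenant."""
        for jti, (u, t, fam) in list(self.live.items()):
            if (u, t) == (user, tenant):
                self.revoked_families.add(fam)
                del self.live[jti]


def mint_embed_token(user, tenant, now=None):
    """Embed tokens live for minutes, so there is no reason to persist one in browser storage."""
    return mint({"sub": user, "tid": tenant, "typ": "embed"}, EMBED_TTL_S,
                time.time() if now is None else now)


def embed_token_from_request(headers: dict, url: str) -> Optional[str]:
    """Accept the embed token from the Authorization header only; a token in the query
    string is refused because query strings land in logs, history and Referer headers."""
    if "embed_token" in parse_qs(urlsplit(url).query):
        return None
    auth = headers.get("Authorization", "")
    return auth[len("Bearer "):] if auth.startswith("Bearer ") else None
```

The design choice worth noting is the token family: because every refresh token is single-use, a second presentation of an already-spent token is the signature of a copied token, and revoking the whole family at that point logs out both the legitimate client and whoever replayed it, which is the safe outcome. `revoke` covers the single-device case and `revoke_all` the revoke-all control; the query-string refusal in `embed_token_from_request` is enforced on the server so a client that does the handoff the wrong way fails closed rather than leaking the token into infrastructure logs.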
Transport security
HTTPS is required end-to-end across tenant and NSDK boundaries.
Tenant isolation
Identity resolution and session issuance are tenant-scoped by design.
API access is bounded by authenticated user and tenant context.
Cross-tenant data access is disallowed by policy and enforcement controls.
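As an added example (not Narrative SDK code) of what tenant-scoped access looks like in an API layer: the tenant is taken from the verified session rather than from the request, the repository applies the tenant filter itself so no caller can forget it, a client-supplied tenant that disagrees with the session is rejected outright, and a lookup of another tenant's record id reads as not found so that the response leaks nothing about what exists elsewhere. The record type, the sample data and the function names are constructed for the example.

```python
"""Added example, not Narrative SDK code: tenant-scoped data access where the
tenant comes from the verified session and the filter lives in the repository.
Names and sample records are constructed for the example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    tenant: str        # resolved from the verified token, never from a request parameter


@dataclass(frozen=True)
class Document:
    id: str
    tenant: str
    owner: str
    title: str


# Constructed sample data spanning two tenants.
DOCS: Dict[str, Document] = {
    "d1": Document("d1", "tenant-a", "alice", "Q1 plan"),
    "d2": Document("d2", "tenant-a", "bob", "Budget"),
    "d3": Document("d3", "tenant-b", "carol", "Roadmap"),
}


class TenantScopedRepo:
    """Every query is bound to the session's tenant inside the repository."""
    def __init__(self, docs: Dict[str, Document]):
        self._docs = docs

    def list_for(self, session: Session) -> List[str]:
        return sorted(d.id for d in self._docs.values() if d.tenant == session.tenant)

    def get(self, session: Session, doc_id: str) -> Optional[Document]:
        """Lookup key is effectively (tenant, id): a foreign id looks exactly like a missing one."""
        d = self._docs.get(doc_id)
        if d is None or d.tenant != session.tenant:
            return None
        return d


def handle_get_document(session: Session, doc_id: str,
                        requested_tenant: Optional[str] = None) -> Tuple[int, dict]:
    """API handler: a tenant named by the client must match the session or the call is refused,
    and the record is fetched only through the tenant-scoped repository."""
    if requested_tenant is not None and requested_tenant != session.tenant:
        return 403, {"error": "tenant mismatch"}
    doc = TenantScopedRepo(DOCS).get(session, doc_id)
    if doc is None:
        return 404, {"error": "not found"}
    return 200, {"id": doc.id, "title": doc.title, "owner": doc.owner}
```

The two status codes are deliberate: an explicit tenant mismatch is a policy violation and is refused as 403, while an id from another tenant is answered 404, the same as a nonexistent id, so enumerating ids across tenant boundaries yields no signal.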
Operational controls
| Control | Purpose | External signal |
|---|---|---|
| Runtime error capture | Detect and triage integration issues quickly. | Stable error payloads with request_id |
| Request tracing | Correlate incidents across API and orchestration paths. | Traceable request lifecycle for support |
| Guardrail messaging | Inform users about known risk or uncertain states. | Explicit in-product safety messaging |
| Release-note governance | Track externally visible behavior changes. | Public release notes and version policy |