Trust signals
Tenant isolation enforced
JWT bearer auth
Token rotation enabled
Request tracing available
Authentication baseline
JWT access and refresh tokens are used for protected API sessions.
Refresh token rotation supports revoke and revoke-all controls.
Bearer token enforcement is required on protected endpoints.
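An added example (not NSDK code) of how refresh token rotation with revoke and revoke-all controls can be enforced server-side, with every check scoped to the tenant. The class and method names are hypothetical, and opaque random tokens stand in for JWTs to keep the example dependency-free; a JWT deployment would key the same records on the token's `jti` claim.

```python
import hashlib
import secrets
import time

class RefreshTokenStore:
    """Hypothetical in-memory store (illustration only, not NSDK code)."""
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._rows = {}  # sha256(token) -> record; raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, tenant_id, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[self._digest(token)] = {"tenant": tenant_id, "user": user_id,
                                           "expires": now + self.ttl, "active": True}
        return token

    def _lookup(self, token, tenant_id, now=None):
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        # Unknown, spent/revoked, expired and other-tenant tokens all fail the same way.
        if not row or not row["active"] or row["expires"] <= now:
            return None
        return row if row["tenant"] == tenant_id else None

    def rotate(self, token, tenant_id, now=None):
        """Exchange a valid token for a new one; the old one is single-use."""
        row = self._lookup(token, tenant_id, now)
        if row is None:
            return None
        row["active"] = False
        return self.issue(row["tenant"], row["user"], now)

    def revoke(self, token, tenant_id):
        row = self._lookup(token, tenant_id)
        if row is not None:
            row["active"] = False
        return row is not None  # False: token was unknown, spent or other-tenant

    def revoke_all(self, tenant_id, user_id):
        """Invalidate every active token for one user within one tenant."""
        hits = [r for r in self._rows.values()
                if r["active"] and (r["tenant"], r["user"]) == (tenant_id, user_id)]
        for r in hits:
            r["active"] = False
        return len(hits)
```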
Embedded integration security
Backend-only secrets
Connected app secrets stay in tenant backend secret stores only.
Short-lived embed tokens
Embed Tokens are short-lived and should not be persisted in browser storage.
Safe token handoff
Token handoff to embedded UI avoids URL query-string exposure.
Transport security
HTTPS is required end-to-end across tenant and NSDK boundaries.
Tenant isolation
Identity resolution and session issuance are tenant-scoped by design.
API access is bounded by authenticated user and tenant context.
Cross-tenant data access is disallowed by policy and enforcement controls.
v1.5.7 security update
v1.5.7 includes both standard web application security review and AI-specific security review work.
The release focuses on practical risk reduction: tenant isolation, safer assistant behaviour, sensitive-data handling, clearer error reporting, and privacy-aware session review tooling. High-priority findings from the reviews were addressed before release.
Operational controls
| Control | Purpose | External signal |
|---|---|---|
| Runtime error capture | Detect and triage integration issues quickly. | Stable error payloads with request_id |
| Request tracing | Correlate incidents across API and orchestration paths. | Traceable request lifecycle for support |
| Guardrail messaging | Inform users about known risk or uncertain states. | Explicit in-product safety messaging |
| Release-note governance | Track externally visible behaviour changes. | Public release notes and version policy |