# Security posture

> Authentication, token handling, and tenant isolation baseline for Narrative SDK.

<Warning>
  This page describes public security controls and integration expectations for external SDK consumers.
</Warning>

## Trust signals

<Badge color="green" shape="pill" icon="shield-check">
  Tenant isolation enforced
</Badge>

<Badge color="blue" shape="pill" icon="key-round">
  JWT bearer auth
</Badge>

<Badge color="green" shape="pill" icon="refresh-cw">
  Token rotation enabled
</Badge>

<Badge color="blue" shape="pill" icon="activity">
  Request tracing available
</Badge>

## Authentication baseline

<Check>
  JWT access and refresh tokens are used for protected API sessions.
</Check>

<Check>
  Refresh token rotation supports revoke and revoke-all controls.
</Check>

<Info>
  Bearer token enforcement is required on protected endpoints.
</Info>

## Embedded integration security

<Columns cols={2}>
  <Card title="Backend-only secrets" icon="https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/server.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=4a767cfdcb6585e74810e5c286495132" width="64" height="64" data-path="SVG/server.svg">
    Connected app secrets stay in tenant backend secret stores only.
  </Card>

  <Card title="Short-lived embed tokens" icon="https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/timer.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=218100a8011939edb626ef3480a13724" width="64" height="64" data-path="SVG/timer.svg">
    Embed Tokens are short-lived and should not be persisted in browser storage.
  </Card>

  <Card title="Safe token handoff" icon="https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/link-handoff.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=710c716f96a2cf04ebe7fa38257b5ea1" width="64" height="64" data-path="SVG/link-handoff.svg">
    Token handoff to embedded UI avoids URL query-string exposure.
  </Card>

  <Card title="Transport security" icon="https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/lock.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=be29c8f389110e9dd5032501c0e8f00b" width="64" height="64" data-path="SVG/lock.svg">
    HTTPS is required end-to-end across tenant and NSDK boundaries.
  </Card>
</Columns>
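The four rules in the cards above, put together as an added example that is not Narrative SDK code: the tenant backend alone holds the connected-app secret and mints the embed token; the host page keeps the token in memory, refuses to place it in the iframe URL, and hands it to the embedded frame with `postMessage` pinned to a fixed origin; the embedded side accepts the handoff only from the expected host origin and only while the token is unexpired. The endpoint path `/api/embed-token`, the message type, and the origins are assumptions.

```javascript
// Added example, not Narrative SDK code: embed-token handoff that keeps the
// connected-app secret on the backend and the token out of the URL.
// Endpoint path, message type and origins are assumptions.

const EMBED_ORIGIN = "https://embed.example.test"; // assumed embedded-UI origin
const HANDOFF_TYPE = "nsdk:embed-token";            // assumed message type

// Host page: build the iframe URL. HTTPS is mandatory and nothing that looks
// like a credential may travel in the query string.
function buildEmbedUrl(path, params = {}) {
  const url = new URL(path, EMBED_ORIGIN);
  if (url.protocol !== "https:") throw new Error("embed URL must use https");
  for (const [key, value] of Object.entries(params)) {
    if (/token|secret|key/i.test(key)) {
      throw new Error(`refusing to place "${key}" in the query string`);
    }
    url.searchParams.set(key, value);
  }
  return url.toString();
}

// Host page: ask the tenant's own backend for an embed token. The backend
// authenticates the browser session and calls NSDK with the connected-app
// secret; the secret itself never reaches the browser.
async function requestEmbedToken(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl("/api/embed-token", { method: "POST", credentials: "same-origin" });
  if (!res.ok) throw new Error(`embed token request failed: ${res.status}`);
  const { token, expiresAt } = await res.json();
  return { token, expiresAt }; // hold in memory only; never write to localStorage
}

// Host page: deliver the token to the frame. targetOrigin pins delivery to the
// embedded UI; "*" would let any document loaded in the frame read it.
function handoffToken(frame, { token, expiresAt }) {
  frame.contentWindow.postMessage({ type: HANDOFF_TYPE, token, expiresAt }, EMBED_ORIGIN);
}

// Embedded UI: accept a handoff only from the expected host origin, with the
// expected shape, and only while the token is still valid. Returns null on any
// mismatch so the caller can ignore the message.
function acceptHandoff(event, hostOrigin, now = Date.now()) {
  if (event.origin !== hostOrigin) return null;
  const msg = event.data;
  if (!msg || msg.type !== HANDOFF_TYPE || typeof msg.token !== "string") return null;
  if (typeof msg.expiresAt !== "number" || msg.expiresAt <= now) return null;
  return { token: msg.token, expiresAt: msg.expiresAt };
}
```

In a browser, `acceptHandoff` would be wired to `window.addEventListener("message", ...)` inside the embedded UI and the result kept in a variable, not in `localStorage` or a cookie, so the token disappears with the frame.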

## Tenant isolation

<Info>
  Identity resolution and session issuance are tenant-scoped by design.
</Info>

<Info>
  API access is bounded by authenticated user and tenant context.
</Info>

<Danger>
  Cross-tenant data access is disallowed by policy and enforcement controls.
</Danger>

## v1.5.7 security update

`v1.5.7` includes both standard web application security review and AI-specific security review work.

The release focuses on practical risk reduction: tenant isolation, safer assistant behaviour, sensitive-data handling, clearer error reporting, and privacy-aware session review tooling. High-priority findings from the reviews were addressed before release.

## Operational controls

| Control                 | Purpose                                                 | External signal                         |
| ----------------------- | ------------------------------------------------------- | --------------------------------------- |
| Runtime error capture   | Detect and triage integration issues quickly.           | Stable error payloads with `request_id` |
| Request tracing         | Correlate incidents across API and orchestration paths. | Traceable request lifecycle for support |
| Guardrail messaging     | Inform users about known risk or uncertain states.      | Explicit in-product safety messaging    |
| Release-note governance | Track externally visible behaviour changes.             | Public release notes and version policy |
