Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.narrativebanking.com/llms.txt

Use this file to discover all available pages before exploring further.

Use this page to choose the right authentication pattern before implementation. For embedded runtime setup, use SDK integration and Tenant embedding guide. For request-level API handling, use Authentication guide.

Authentication patterns at a glance

https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/link-handoff.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=710c716f96a2cf04ebe7fa38257b5ea1

Embedded auth

Use this when Narrative SDK runs inside your application shell and your backend mints a short-lived Embed Token for the current tenant user.
https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/frontend-shell.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=13c676d362a2a3a7a60bfa0fae245ad6

Azure OIDC auth

Use this when a user signs in through the configured Azure AD OIDC flow and the platform establishes a session after the identity provider callback completes.
https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/server.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=4a767cfdcb6585e74810e5c286495132

API auth

Use this when your application calls protected Narrative SDK APIs after a user session has already been established through embedded or Azure OIDC auth.

Pattern selection guide

PatternWhen to use itWho issues the first credentialPrimary reference
Embedded authYou embed SDK UI into a tenant-owned page or iframe.Tenant backendSDK integration
Azure OIDC authUser signs in through the configured Azure AD OIDC flow.Azure AD OIDC + Narrative SDK platformAuthentication guide
API authYour app makes protected API requests after sign-in.Narrative-issued internal access token obtained through embedded exchange or Azure OIDC sign-inAuthentication guide

Shared security expectations

Keep long-lived secrets server-side only, use HTTPS end-to-end, and fail closed whenever token validation or refresh cannot be completed safely.
https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/lock.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=be29c8f389110e9dd5032501c0e8f00b

Server-side trust boundary

Never expose Connected App secrets, refresh secrets, or signing keys in browser code.
https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/timer.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=218100a8011939edb626ef3480a13724

Short-lived access

Treat access credentials as short-lived and refresh them through an authenticated backend or platform-managed flow.
https://mintcdn.com/narrative-b13c445c/qi6sqKB_OLTe8ty2/SVG/server.svg?fit=max&auto=format&n=qi6sqKB_OLTe8ty2&q=85&s=4a767cfdcb6585e74810e5c286495132

Tenant scope verification

Confirm tenant and user scope during bootstrap, refresh, and high-risk transitions.

Pattern details

Embedded auth is the standard choice when Narrative SDK is rendered inside a tenant application. The tenant backend validates the existing tenant user session, mints a short-lived Embed Token, and passes that token to the embedded runtime during boot. Narrative SDK verifies the token and establishes a tenant-scoped runtime session.
Azure OIDC auth applies when a user signs in through the configured Azure AD OIDC flow instead of receiving an Embed Token from a tenant shell. The platform redirects the user to Azure AD, receives the callback with identity claims, and then establishes the Narrative SDK session. This is the current non-embedded sign-in path supported by the platform.
API auth applies after a valid user session already exists, whether established through embedded token exchange or Azure OIDC sign-in. Protected Narrative SDK APIs require a Narrative-issued internal access token, not a raw identity-provider token. The backend also validates tenant and user binding before allowing access.

Token lifecycle

The same lifecycle concepts apply across embedded, Azure OIDC, and API auth, even though the first credential is issued differently in each mode.

1. Acquisition

ModeAcquisition summary
Embedded authTenant backend mints a short-lived Embed Token for the current tenant user after validating the local user session.
Azure OIDC authUser completes sign-in through the configured Azure AD OIDC flow; the platform receives the identity callback and establishes the initial session.
API authClient or backend receives a Narrative-issued internal access token after a successful embedded token exchange or Azure OIDC sign-in.

2. Active use

  • Use the acquired credential only for the session and scope it was issued for.
  • Keep access tokens in a controlled runtime store. The current web client uses persisted state management for access and refresh tokens; if your integration does the same, ensure the store is not exposed to untrusted code.
  • Re-check user and tenant scope before calling sensitive capabilities.

3. Refresh

  • Refresh should happen only after the caller detects a genuine expiry or explicit authentication failure.
  • Attempt a bounded refresh once, then retry the protected call once.
  • If refresh fails, clear local auth state and require the user to sign in again.

4. Expiry

  • Embed Tokens are bootstrap credentials and should remain short-lived.
  • Access tokens should also remain short-lived and be replaced through the approved refresh path.
  • Do not continue retrying expired tokens after the platform signals that the credential is no longer valid.

5. Error handling

Current API handling should follow a single-refresh policy rather than relying on fine-grained 401 classifications from the backend.
ConditionExpected handling
Any protected request returns 401 UnauthorizedAttempt one controlled refresh, then retry once.
Retry still returns 401 UnauthorizedFail closed, clear session state, and return the user to sign-in.
Invalid signature, malformed token, or tenant/context mismatchTreat as authentication failure and re-establish the correct session instead of assuming the server will expose a stable subcategory.

Embedded auth contract

Narrative embedded auth uses a token-exchange pattern:

Embed Token requirements

FieldRequirementNotes
JWT standardRFC 7519Use a normal JWT envelope.
AlgorithmHS256Must match connected app secret configuration.
audnsdk-embedRequired exactly as shown.
exp5-15 minute lifetime recommendedKeep the embed token short-lived.
issConnected app client idIdentifies issuing tenant backend.
subTenant user identifierStable user identifier in tenant scope.
jtiUnique token idSupports uniqueness and replay controls.
nsdk.user.name / nsdk.user.emailRecommendedProvides user identity context for the embedded session. Omitting these fields may limit personalisation features.