Integration basics
Do I need to install an npm package?
Do I need to install an npm package?
Not for the standard hosted integration path described in these docs. Load the SDK through
nsdk-loader.js, render a host container, and provide a short-lived Embed Token from your backend.Which frameworks are supported?
Which frameworks are supported?
The hosted SDK approach works with any frontend stack that can load a script, render a DOM container, and fetch a backend token route. React, Vue, Angular, and server-rendered applications can all support this pattern.
Can I embed multiple widgets on one page?
Can I embed multiple widgets on one page?
The standard documented integration path uses a single container and single mount target. If you need multiple widgets on one page, confirm the supported pattern and runtime constraints with Narrative before implementation.
What browsers are supported?
What browsers are supported?
Use a modern evergreen browser with standard support for secure iframes, HTTPS, and current JavaScript features. If you support older enterprise browsers, validate your exact host environment before launch.
Authentication
How long should the Embed Token live?
How long should the Embed Token live?
Keep it short-lived. Current guidance is typically 5–15 minutes, with
iat and exp expressed in Unix seconds.Should I store the Embed Token in the browser?
Should I store the Embed Token in the browser?
No. Treat it as a short-lived bootstrap credential. Do not store it in local storage or other long-lived browser persistence.
What happens when the Embed Token expires?
What happens when the Embed Token expires?
It can no longer be used to start a new embedded session. If the user needs to boot the SDK again, fetch a fresh token from your backend.
What makes a token valid?
What makes a token valid?
It must be an HS256 JWT with
aud = nsdk-embed and the required claims: iss, sub, aud, iat, exp, and jti. Include nsdk.user.name and nsdk.user.email so the session has the expected user context.When should the frontend fetch the Embed Token?
When should the frontend fetch the Embed Token?
Fetch it only after the tenant application has already established its own authenticated user session and shortly before mount or boot time.
Embedding runtime
Should I use declarative or imperative boot?
Should I use declarative or imperative boot?
Use declarative boot when you have a stable host page and container. Use imperative boot when your application needs explicit control over mount timing, route transitions, or cleanup.
How does the SDK handle SPA route changes?
How does the SDK handle SPA route changes?
Your application should treat route changes as part of the host lifecycle. If the mount container is removed or recreated, re-run the boot flow and clean up prior runtime state when needed.
Do I need to call NSDK('destroy') on unmount?
Do I need to call NSDK('destroy') on unmount?
Yes when you use imperative mode and your SPA unmounts or replaces the widget container. This helps prevent stale runtime state between navigations.
Can I delay boot until the page is fully ready?
Can I delay boot until the page is fully ready?
Yes. That is a common reason to choose imperative mode. Make sure the container exists, the user session is ready, and the Embed Token is fresh before calling
NSDK('boot', ...).Security
Can I sign tokens in the frontend?
Can I sign tokens in the frontend?
No. Keep the Connected App secret and all token-signing logic on your backend only.
What CSP headers do I need?
What CSP headers do I need?
At minimum, your host application must allow the SDK origin for the hosted loader script and embedded frame. Review
script-src, frame-src, and any related network policies used by your environment.Is the Embed Token visible to end users?
Is the Embed Token visible to end users?
It may be observable in the browser during normal page operation, which is why it must be short-lived, minimally scoped, and never contain secrets.
Can I include extra metadata in the token?
Can I include extra metadata in the token?
Yes, but keep it small and non-sensitive. Use optional metadata only for values the embedded experience actually needs at runtime.
API & data
How do I know if my integration is working?
How do I know if my integration is working?
Start with the basic path: the loader script loads, the token route returns a fresh token, the widget renders, and protected downstream requests succeed after boot.
What does a 401 after successful embed mean?
What does a 401 after successful embed mean?
It usually means bootstrap succeeded but the downstream request is still missing the expected user, tenant, or product-surface access state. Check the exact API or experience you are trying to reach next.
How often does data refresh?
How often does data refresh?
Data freshness depends on the upstream data source, synchronization timing, and the provisioned experience. If expected data is missing, verify environment, tenant-user mapping, and sync completion before assuming an auth problem.
Can I test with mock tenant users first?
Can I test with mock tenant users first?
Yes. That is often the fastest way to validate token minting, host-page boot logic, and environment wiring before moving to broader tenant-user coverage.
Getting help
If you are debugging a concrete failure, use Troubleshooting. If you still need help after self-service checks, use Support.