@declarion/embed 0.2.1 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +10 -4
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -28,7 +28,8 @@ npm install @declarion/embed
28
28
 
29
29
  ## How embedding works
30
30
 
31
- 1. The host backend mints a short-lived, scoped token for a user with
31
+ 1. The host backend mints a short-lived, scoped token for a target tenant and
32
+ user with
32
33
  `createEmbedSession` (`@declarion/embed/server`), which calls the
33
34
  `auth.create_embed_session` action with a server-held `dk:` API key.
34
35
  2. The host frontend embeds a screen with `createDeclarionEmbed` or
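Review bot: In the reworded step 1, the sentence now says the token is minted for "a target tenant and user" but does not name the inputs that select them; mentioning `tenantCode` and `userEmail` here would tie the step to the server example further down in the README. The rewrap also leaves `user with` stranded as a two-word line, so reflow the sentence instead of inserting a break.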
@@ -37,7 +38,10 @@ npm install @declarion/embed
37
38
  3. The SDK runs a `postMessage` handshake: the iframe asks for a token, the
38
39
  SDK delivers it, and refreshes it whenever the iframe reports expiry.
39
40
 
40
- The `dk:` API key never leaves the host backend.
41
+ The `dk:` API key never leaves the host backend. For multi-tenant hosts, use a
42
+ least-privilege `dk:_global` key whose service-account owner holds only
43
+ `action:auth.create_embed_session`; tenant-scoped keys can mint only in their
44
+ own tenant.
41
45
 
42
46
  ## Quickstart: browser core
43
47
 
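Review bot: The paragraph added after "never leaves the host backend" recommends a `dk:_global` key and contrasts it with tenant-scoped keys that "can mint only in their own tenant", but it does not spell out what that contrast implies for the host: with the global key, the tenant a session is minted for depends on the value the host backend passes in. Add a sentence saying the target tenant and user must be taken from the host's own authenticated session and not from parameters supplied by the browser. The guidance also addresses only multi-tenant hosts; say which key type a single-tenant host should use.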
@@ -82,8 +86,10 @@ import { createEmbedSession } from "@declarion/embed/server";
82
86
  // In a host backend route. The dk: API key is read from server config.
83
87
  const session = await createEmbedSession({
84
88
  declarionOrigin: "https://app.example.com",
85
- apiKey: process.env.DECLARION_API_KEY!, // dk:... - server-side only
86
- tenantCode: "acme",
89
+ // Prefer a least-privilege dk:_global key whose owner holds only
90
+ // action:auth.create_embed_session. Keep it server-side only.
91
+ apiKey: process.env.DECLARION_EMBED_API_KEY!,
92
+ tenantCode: "acme", // target tenant
87
93
  userEmail: "person@example.com",
88
94
  screenCode: "cases_list",
89
95
  });
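Review bot: The example switches the environment variable from `DECLARION_API_KEY` to `DECLARION_EMBED_API_KEY` with no note about the rename, and the `!` non-null assertion means a host that still sets only the old name passes `undefined` as `apiKey` without a type error. Either mention the rename next to the snippet or show an explicit check that the variable is set before calling `createEmbedSession`. The literal `tenantCode: "acme"` would also benefit from a comment that the value comes from the host's authenticated session, since the new comment recommends a `dk:_global` key.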
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@declarion/embed",
3
- "version": "0.2.1",
3
+ "version": "0.2.3",
4
4
  "private": false,
5
5
  "license": "MIT",
6
6
  "description": "Host integration SDK for embedding Declarion screens as white-label iframes.",