Embeddable View
Nected introduces a powerful framework for embedding users and providing pre-signed authentication. These features offer seamless integration and secure access control mechanisms, empowering organizations to embed Nected’s UI components and enable direct sign-ins with pre-signed URLs.
Overview Flow of Embedded Users
Below is an overview of how to generate pre-signed URLs to embed rules and workflows within another product.

To integrate Embedded Users Flow with the Embedded View, here's how you can access and manage it for these users:
Add Users To Enable Embeddable Flow
Navigate to Workspace Settings:
Go to the Workspace section in the Nected platform.
Click on the Embedded Users tab under the Workspace menu.
Add Embedded Users:
Input the email address of the user in the "Add user by email" field.
Assign a role using the Select Role dropdown menu.
Click Add User to grant access.
Invitation Expiry & Token Lifecycle
When inviting a team member using the embedded user feature:
The invitation expires in 1 day.
To keep the session live, the admin must use the refresh token.
The refresh token itself expires in 30 days.
Generate Embeddable Signed URL for Users:
For each user added, you can provide access to Embedded Views through the pre-signed authentication URL.
Generate the Pre-signed Token using the provided API.
Endpoint:
https://api.nected.ai/dev/signed-token?email=<member-email>
HTTP Method: GET
Authentication Parameters
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| email | String | Yes | User's email address for token generation |
| nected-api-key | String | Yes | Organization's unique API authentication key |
Example Authentication Request
Response Structure
When successfully executed, the API returns a comprehensive JSON response containing the pre-signed authentication token:
Nected's pre-signed authentication supports targeted redirections, allowing administrators to guide users directly to specific platform sections:
| Redirect path | Destination |
| --- | --- |
| /rules | Rule Management Interface |
| /workflow | Workflow Configuration Dashboard |
Example Rule Url:
Embed Rule or Workflow listing UI inside your product via iframe
Embed Workflow Example
Hiding Features for Embedded Users
In on-prem deployments, admins can choose to hide specific UI elements from embedded users’ dashboards. The following can be disabled:
Custom Attribute button
Dependency Mapping
Version Control
API Settings
To configure this, update the following fields inside your konark.env file:
Embedded Logout (NEC_EMBED_LOGOUT)
This feature allows a parent application to programmatically sign out an embedded Nected session. It uses the browser’s postMessage API to communicate between the parent window and the embedded Nected iframe.
The parent application initiates the logout process. The embedded Nected application terminates the session, clears all authentication tokens, and responds with a confirmation event.
How does Embedded Logout work?
When Nected runs inside an iframe:
The parent application sends a logout request using postMessage.
The embedded Nected app receives the request and triggers its logout flow.
Nected invalidates the active session through the logout API.
The app clears stored credentials and user metadata.
The app sends a confirmation message back to the parent.
After completing the logout flow, the embedded app redirects the iframe to /signin.
This mechanism ensures the parent application stays in control of the embedded user’s lifecycle.
Parent Application Integration
Below is the standard pattern for triggering logout in the host application.
Sending the Logout Command
Receiving Logout Confirmation
Example Implementation
Message Events
| Direction | Event | Description |
| --- | --- | --- |
| Parent → Nected | NEC_EMBED_LOGOUT | Requests the embedded Nected application to log out |
| Nected → Parent | NEC_EMBED_LOGGED_OUT | Confirms that logout has completed successfully |
Important Behavior
Iframe-Only: Logout events apply exclusively to iframe-embedded sessions.
Open Origin Policy: The parent sends messages with '*' as the target origin. This enables communication across any domain.
Automatic Redirection: After logout, Nected redirects the iframe to /signin.
Session Termination: All tokens are removed, and the signer state resets.
Security Considerations
The parent application controls when logout occurs, so it must enforce its own checks before sending the logout command.
Recommended safeguards:
Validate the origin of confirmation messages before acting on them.
Restrict which components in your parent app can trigger logout.
For sensitive integrations, add an origin-verification layer around message handling.
Review your internal session rules and align them with the embedded logout flow.
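A sketch of parent-side handling that applies the origin-validation safeguard above, added here as an example and not taken from Nected's documentation. The { type: ... } message shape and the NECTED_ORIGIN placeholder are assumptions; only the two event names come from this page. Unlike the '*' pattern described earlier, it pins the target origin when sending.

```javascript
// Added example, not Nected's code. Assumptions: messages are objects of the
// form { type: "<event name>" }, and NECTED_ORIGIN is a placeholder for the
// origin that serves your embedded Nected UI. Event names are from the page.
const NECTED_ORIGIN = "https://nected.example";

// Accept a confirmation only from the expected origin AND the exact iframe
// window we embedded; any other frame, popup or origin is ignored.
function isTrustedLogoutConfirmation(event, iframeWindow, allowedOrigin) {
  if (event.origin !== allowedOrigin) return false;
  if (event.source !== iframeWindow) return false;
  const data = event.data;
  return typeof data === "object" && data !== null &&
    data.type === "NEC_EMBED_LOGGED_OUT";
}

// Sends NEC_EMBED_LOGOUT; resolves true on a trusted confirmation and false
// if none arrives within timeoutMs, so the host can fall back to its own cleanup.
function requestEmbeddedLogout(win, iframeWindow, options = {}) {
  const { allowedOrigin = NECTED_ORIGIN, timeoutMs = 5000 } = options;
  return new Promise((resolve) => {
    let timer = null;
    const finish = (confirmed) => {
      clearTimeout(timer);
      win.removeEventListener("message", onMessage);
      resolve(confirmed);
    };
    const onMessage = (event) => {
      if (isTrustedLogoutConfirmation(event, iframeWindow, allowedOrigin)) {
        finish(true);
      }
    };
    win.addEventListener("message", onMessage);
    timer = setTimeout(() => finish(false), timeoutMs);
    // Pinned targetOrigin: the browser delivers the command only while the
    // iframe is still on allowedOrigin.
    iframeWindow.postMessage({ type: "NEC_EMBED_LOGOUT" }, allowedOrigin);
  });
}
```

In a browser, pass window and the embedded iframe element's contentWindow, and clear the host application's own session state only after the promise resolves.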
Error Handling and Response Codes
Comprehensive Error Classification
The pre-signed authentication API implements a robust error management strategy, providing clear, actionable feedback across various potential failure scenarios:
| Code | Status | Description | Recommended action |
| --- | --- | --- | --- |
| 401 | UNAUTHORIZED | Invalid or expired API credentials | Verify API key and regenerate if necessary |
| 500 | INTERNAL_SERVER_ERROR | Unexpected system malfunction | Contact Nected technical support |
| 429 | TOO_MANY_REQUESTS | Authentication request quota exceeded | Implement exponential backoff strategy |
| 413 | REQUEST_ENTITY_TOO_LARGE | Malformed authentication request | Validate request parameters and ensure payload size is within limits |
| 400 | BAD_REQUEST | Malformed authentication request | Validate request parameters |

| Error | Trigger | Resolution |
| --- | --- | --- |
| INVALID_SIGNED_TOKEN | Triggered when the signed token has expired. | Admin must regenerate a new signed token. |
| REGENERATE_SIGNED_TOKEN | Triggered when the refresh token has expired. | Admin must regenerate the signed token again in this case. |
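One way to call the signed-token endpoint from a backend while following the error table above, added here as an example and not Nected's own code. It assumes the nected-api-key value is sent as a request header and returns the JSON body without assuming its field names; the retry limits are illustrative.

```javascript
// Added example, not Nected's code. Assumptions: the API key travels in a
// "nected-api-key" request header, and this runs on your backend so the key
// never reaches the browser. The endpoint URL is the one given on this page.
const TOKEN_ENDPOINT = "https://api.nected.ai/dev/signed-token";

function buildTokenUrl(email) {
  // Reject malformed input locally instead of sending it to the API.
  if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+$/.test(email)) {
    throw new TypeError("email must be a single address");
  }
  const url = new URL(TOKEN_ENDPOINT);
  // searchParams percent-encodes '+', '&' and '=', so the address cannot
  // smuggle extra query parameters into the request.
  url.searchParams.set("email", email);
  return url.toString();
}

async function fetchSignedToken(email, apiKey, opts = {}) {
  const {
    fetchImpl = globalThis.fetch,
    maxRetries = 4,        // illustrative limit
    baseDelayMs = 500,     // illustrative base delay
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  const url = buildTokenUrl(email);
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, {
      method: "GET",
      headers: { "nected-api-key": apiKey },
    });
    if (res.ok) return res.json();
    // Only 429 is retried, with exponential backoff. 400, 401 and 413 need a
    // fix on the caller's side and 500 is escalated, so they fail at once.
    if (res.status !== 429 || attempt >= maxRetries) {
      throw new Error(`signed-token request failed with HTTP ${res.status}`);
    }
    await sleep(baseDelayMs * 2 ** attempt);
  }
}
```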
Best Practices and Recommendations
Implement strict API key rotation policies
Utilize HTTPS for all API interactions
Generate pre-signed URLs dynamically and close to the point of use
Establish clear access governance policies
Regularly audit user access and permissions
Support and Additional Resources
For advanced implementation guidance, architectural consultations, or technical support, please get in touch with Nected's dedicated support team at [email protected]