LIVE · AUDIT-CHAINED · EU-RESIDENT
SYSTEM · 99.99% UPTIME
v 1.0 ↗ MADE IN EU
Documentation

Branding API

NexBasira Branding API — white-label the SPA, invite emails, and PDF reports with your logo, colours, and product name.

Branding API

Customise the customer-facing surfaces — SPA chrome, invite emails, PDF report headers + footers — with your logo, accent colours, and product name. The Branding object is per-org and applies to every session minted under that org.

The Branding object

{
  "logo_url": "https://cdn.acme.com/logo.png",
  "wordmark_url": "",
  "favicon_url": "https://cdn.acme.com/favicon.ico",
  "primary_color": "#0F3D91",
  "accent_color": "#FFB400",
  "product_name_override": "Acme FieldView",
  "support_email": "support@acme.com",
  "support_url": "https://help.acme.com",
  "email_from_name": "Acme Claims",
  "pdf_footer_text": "Acme Insurance — claim report",
  "updated_at": "2026-05-10T14:00:00Z"
}
FieldTypeNotes
logo_urlURLSquare or landscape; rendered at 40px tall in the SPA header, 64px in the PDF header.
wordmark_urlURLOptional. Used alongside logo_url on wider chrome.
favicon_urlURL32×32 PNG / ICO. Served from your CDN; not mirrored.
primary_colorhex (#rrggbb)Main accent — used for buttons, links, and the PDF cover band.
accent_colorhex (#rrggbb)Secondary accent — used for highlights, badges, sparkline strokes.
product_name_overridestring ≤ 120Replaces "NexBasira" in user-visible strings (page title, email subject lines).
support_emailemailShown on error pages + in invite-email footers. Empty = platform default.
support_urlURLSame — links from the SPA help menu.
email_from_namestring ≤ 120From-name on outbound transactional mail (still routed via our authenticated domain to preserve DMARC alignment).
pdf_footer_textstring ≤ 255One-line footer on every page of the PDF audit report.

Empty string on any field = platform default. The Branding row is auto-created on first GET, so you never see a 404 here.

Read branding

GET /api/v1/public/branding — scope branding:read

curl https://app.nexbasira.com/api/v1/public/branding \
  -H "Authorization: Bearer nb_sec_..."

Update branding

PATCH /api/v1/public/branding — scope branding:write

Partial update — provide only the fields you want to change. Send "" on any field to revert it to the platform default. Hex colours are validated against #rrggbb; an invalid value returns 400. 

curl -X PATCH https://app.nexbasira.com/api/v1/public/branding \
  -H "Authorization: Bearer nb_sec_..." \
  -H "Content-Type: application/json" \
  -d '{
    "primary_color": "#0F3D91",
    "logo_url": "https://cdn.acme.com/logo-2026.png"
  }'

Returns the freshly-updated Branding object. The change is immediate on the next page load — there's no CDN cache to bust for the SPA. For invite emails + PDFs, the new branding applies to anything generated after the PATCH lands.

Common errors

StatusCodeWhen
400validation_errorInvalid hex colour, malformed URL, or string over the max length.
403permission_deniedCredential lacks the scope (branding:read for GET, branding:write for PATCH).

Notes

  • No image upload. The platform doesn't host your assets — provide HTTPS URLs to images you already serve from your CDN. This keeps cache invalidation in your control.
  • Same-origin enforcement. Logo + favicon URLs must serve Access-Control-Allow-Origin: * (or your SPA origin) so the browser can render them inside the iframe-embed widget.
  • Audited. Every PATCH lands an org.branding_updated audit event with the field-level diff, so a tampered logo is traceable to a credential + timestamp.