@nexbasira/node
Server-side TypeScript SDK. Covers every public-API resource with typed request + response shapes, cursor-pagination helpers, and a webhook-signature verifier that runs in constant time.
Install
npm install @nexbasira/nodeRequires Node 18+. ESM + CommonJS both supported.
Initialise
import { NexBasira } from "@nexbasira/node";
const nb = new NexBasira({
apiKey: process.env.NB_PUBLIC_KEY!, // nb_pub_*
apiSecret: process.env.NB_SECRET_KEY!, // nb_sec_*
// baseURL: "https://app.nexbasira.com/api/v1/public", // default
// timeout: 30_000, // default
});Resources
Every public-API resource has a typed client on the cvp instance:
nb.sessions // create / list / retrieve / end / invite
nb.evidence // list / retrieve / signed download URL
nb.whiteboards // list per session
nb.webhooks // register / rotate-secret / test-fire / constructEvent
nb.branding // read-only
nb.org // read-onlyCommon patterns
Create + invite
const session = await nb.sessions.create({
notes: "Vehicle damage claim CL-2026-0042",
scheduled_for: "2026-05-23T10:00:00Z",
locale: "fr",
});
const invite = await nb.sessions.invite(session.id, {
recipient_email: "alex@policyholder.com",
send_email: true,
});
console.log(invite.url); // shown ONCEAsync-iterator pagination
Listing endpoints return an async iterator that pages
transparently. No more "remember to pass cursor from
the previous response":
for await (const session of nb.sessions.list({ limit: 50 })) {
console.log(session.id, session.status);
}
// Or a single page if you want pagination control:
const page = await nb.sessions.listPage({ limit: 25 });
// page.data, page.has_more, page.next_cursorIdempotent POST
Pass an idempotencyKey to make a write retry-safe:
const session = await nb.sessions.create(
{ notes: "..." },
{ idempotencyKey: crypto.randomUUID() },
);The backend caches the response by (key, credential) for 24 hours. A retried POST with the same key returns the original response without re-creating the resource.
Verifying a webhook
import express from "express";
import { NexBasira, InvalidSignatureError } from "@nexbasira/node";
const app = express();
const nb = new NexBasira({ apiKey: "...", apiSecret: "..." });
// IMPORTANT: use express.raw() — constructEvent needs the untouched
// bytes the signature was computed over.
app.post("/nb-webhook", express.raw({ type: "application/json" }), (req, res) => {
try {
const event = nb.webhooks.constructEvent(
req.body,
req.header("NB-Signature")!,
process.env.NB_WEBHOOK_SECRET!,
);
// event.type is type-narrowed; event.data is the resource shape
switch (event.type) {
case "session.completed":
return onCompleted(event.data, res);
case "audit.anchored":
return onAnchored(event.data, res);
}
res.status(204).end();
} catch (err) {
if (err instanceof InvalidSignatureError) {
return res.status(401).send("bad signature");
}
throw err;
}
});Typed errors
The SDK throws a small hierarchy of typed errors so you can handle each class deliberately:
| Class | When |
|---|---|
AuthenticationError | 401 — bad credentials or missing key |
PermissionError | 403 — credential lacks the scope |
NotFoundError | 404 — resource doesn't exist or isn't in your org |
RateLimitError | 429 — hit the throttle. Has retryAfterMs |
InvalidSignatureError | From constructEvent() only — bad / missing / expired signature |
NexBasiraError | Base class — catch this for "any SDK error" |
try {
await nb.sessions.create({ ... });
} catch (err) {
if (err instanceof RateLimitError) {
await sleep(err.retryAfterMs);
return retry();
}
if (err instanceof NexBasiraError) {
log.warn({ status: err.status, code: err.code }, "cvp error");
}
throw err;
}OpenAPI types
The SDK ships with openapi-typescript-generated
request + response types under @nexbasira/node/types.
Import them directly if you want strongly-typed handlers
upstream of the SDK call:
import type { Session, Evidence, WebhookEvent } from "@nexbasira/node/types";
function onSessionCompleted(session: Session) {
// ...
}