Public API + SDKs + embed widget
Four first-party SDKs over a versioned REST API. Cursor pagination, Idempotency-Key headers, HMAC webhook signing, async-iterator helpers, typed errors. The developer-experience pieces that should be there — not afterthoughts.
The four SDKs
@nexbasira/node
Server-side. Typed against the OpenAPI schema; async iterators for paginated lists; constructEvent(body, sig, secret) for webhook verify. Zero runtime dependencies beyond the global fetch.
nexbasira (PyPI)
Server-side. Pydantic v2 models generated from the schema. Sync + async clients share the same surface; webhook verify lives at WebhookSigner.verify(body, sig, secret).
@nexbasira/react
Hooks + components for the operator surface. <CertivisioSessionView /> renders the in-session UI with branding, evidence, and chat. Drop into your existing React app — no portal redirect.
Iframe widget
<script src=".../nb-embed.js"> + a div — the lowest-friction integration. For ops teams who run the operator UI from a non-React stack. Branding inherits from the embedding page via postMessage.
Built on the OpenAPI spec
The Node + Python SDKs are generated from the same filtered OpenAPI 3.1 schema we publish at app.nexbasira.com/api/public-schema/ — so if you want to skip the SDK and generate your own typed client in Go or Rust, you can:
# Node typed client
npx openapi-typescript https://app.nexbasira.com/api/public-schema/ -o src/nb-types.ts
# Python typed models
datamodel-codegen \
--url https://app.nexbasira.com/api/public-schema/ \
--input-file-type openapi \
--output-model-type pydantic_v2.BaseModel \
--output cvp_models.pyThe hand-written ergonomic surface (typed errors, async iterators, webhook verify) goes on top of those generated types. You're not picking between "fast typed client" and "nice DX" — both ship.
REST conventions, made boring on purpose
| Convention | Why |
|---|---|
| Cursor pagination | Stable under concurrent writes. next_cursor in the response; pass it back as ?cursor=…. |
Idempotency-Key header | Send a UUID; retry on timeout; the server returns the original response either way. |
| HMAC-SHA256 webhooks | NB-Signature: t=…,v1=…. SDKs ship a one-liner verify; 5-min replay window. |
| Versioned URL prefix | /api/v1/public/. Breaking changes move to /v2/ with 12 months of overlap. |
| Scope-gated credentials | Every credential carries explicit scopes (sessions:write, evidence:read, …). Rotate without losing a tenant. |
| Typed error envelope | Same shape every endpoint. code, detail, retry_after_seconds when relevant. |
Stability promise
Additive changes — new optional fields, new endpoints, new webhook event types — ship in place; the SDKs treat unknown fields as forward-compatible. Breaking changes move to a new URL prefix and overlap with the previous version for at least 12 months. You won't wake up to a green-to-red migration on a Tuesday morning.
Start with the quickstart
Create a session, mint a field invite, verify a webhook — in under 5 minutes. Copy-paste curl + Node + Python in the same page.