Install: claude install-skill prismatic-io/prismatic-skills
# Prismatic Embedded
Reference documentation for embedding Prismatic's integration marketplace and workflow builder inside a customer-facing web application.
## Core Concepts
Embedding Prismatic means your customers never leave your app to manage integrations. The flow is:
1. **Your backend** generates a short-lived signed JWT (10 min) authenticating the customer user
2. **Your frontend** calls `prismatic.authenticate({ token })` with that JWT — **never sign JWTs on the frontend**
3. The frontend calls `prismatic.showMarketplace()`, `prismatic.showWorkflows()`, or another screen method to render an embedded iframe
Before the JWT expires, the frontend re-fetches a fresh JWT from your backend and calls `prismatic.authenticate({ token })` again. Existing iframes update automatically.
## Critical Security Rule
**JWT tokens MUST be signed on your backend using your private key.**
Never expose the private signing key to the frontend. The frontend only receives the signed JWT string from a backend API endpoint.
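As an added illustration (not Prismatic's own code), here is a Node.js backend helper that signs the 10-minute JWT using only the built-in `crypto` module, plus a local verifier showing that a tampered or expired token is rejected. The RS256 algorithm, the claim names `sub`, `organization` and `customer`, and the function names are assumptions to confirm against Prismatic's documentation.

```javascript
// Backend only: the private signing key is loaded here and never sent to the browser.
const crypto = require("node:crypto");

const TOKEN_TTL_SECONDS = 10 * 60; // 10-minute lifetime from step 1 of the flow

const b64url = (value) => Buffer.from(value).toString("base64url");

// Sign an RS256 JWT for one customer user. Claim names other than iat/exp are
// assumptions; take the identity values from your server-side session, not
// from anything the browser sends.
function signEmbeddedJwt(privateKeyPem, identity, nowMs = Date.now()) {
  const iat = Math.floor(nowMs / 1000);
  const header = { alg: "RS256", typ: "JWT" };
  const payload = {
    sub: identity.userId,
    organization: identity.organizationId,
    customer: identity.customerId,
    iat,
    exp: iat + TOKEN_TTL_SECONDS,
  };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  // RSA key + "sha256" gives RSASSA-PKCS1-v1_5 with SHA-256, i.e. RS256.
  const signature = crypto.sign("sha256", Buffer.from(signingInput), privateKeyPem);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Local check mirroring what a verifier holding only the public key does:
// pin the algorithm, verify the signature, then reject expired tokens.
function verifyEmbeddedJwt(token, publicKeyPem, nowMs = Date.now()) {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return null;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "RS256") return null;
  const valid = crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKeyPem, Buffer.from(s, "base64url"));
  if (!valid) return null;
  const claims = JSON.parse(Buffer.from(p, "base64url").toString("utf8"));
  return claims.exp > Math.floor(nowMs / 1000) ? claims : null;
}

// Constructed throwaway key pair for the demo; production uses the real signing key.
function demoKeyPair() {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}
```

Only the string returned by `signEmbeddedJwt` is sent to the frontend, which passes it to `prismatic.authenticate({ token })`.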
## Signing Keys
Before any embedding can work, your organization needs a signing key. To check or create one:
```bash
# Check existing signing keys
prism organization:signing-keys:list --extended --output json
# Generate a new signing key (Prismatic creates the key pair)
prism organization:signing-keys:generate
# OR: import your own key generated with OpenSSL
openssl genrsa -out my-private-key.pem 4096
openssl rsa -in my-private-key.pem -pubout > my-public-key.pub