SESSION TESTING

Embed Sessions

View and revoke short-lived embed sessions. Session creation must be performed server-side by your host backend — never from the browser.

Browser Cannot Issue Embed Sessions

Client secrets are server-side only. The browser runtime must never send x-client-secret to the backend. Your host SIMRS backend is responsible for creating embed sessions and passing only the short-lived embedToken to the browser.

Correct Server-Side Flow (Host Backend → Clinical AI Engine)
// In your Host SIMRS backend (Node.js / Java / Python):
POST http://localhost:3101/api/v1/embed/sessions
Headers:
  x-client-id:     <your-client-id>
  x-client-secret: <your-client-secret>   ← server-side only
  Content-Type:    application/json
Body: { tenantId, origin, widgetCode, user, context, permissions }

// Response → pass only embedToken to browser:
{ sessionId, embedToken, embedUrl, expiresAt }
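
The flow above as a Node.js sketch for the host backend. This is an added example, not code from the Clinical AI Engine or its SDK. The function names, the creds object shape and the injectable fetchImpl parameter are assumptions made for illustration; the endpoint, header names and body fields are the ones shown on this page.

```javascript
// Added example: host-backend helpers for the flow above (hypothetical names).
const ENGINE_URL = "http://localhost:3101/api/v1/embed/sessions"; // endpoint shown on this page
const REQUIRED = ["tenantId", "origin", "widgetCode", "user", "context", "permissions"];

// Build the server-to-server request. Credentials come from the backend's own
// configuration (assumed shape: { clientId, clientSecret }), never from the
// incoming browser request.
function buildSessionRequest(creds, params) {
  if (!creds.clientId || !creds.clientSecret) throw new Error("client credentials not configured");
  const missing = REQUIRED.filter((k) => params[k] === undefined);
  if (missing.length) throw new Error("missing fields: " + missing.join(", "));
  const body = {};
  for (const k of REQUIRED) body[k] = params[k]; // forward only the documented body fields
  return {
    url: ENGINE_URL,
    method: "POST",
    headers: {
      "x-client-id": creds.clientId,
      "x-client-secret": creds.clientSecret, // server-side only
      "Content-Type": "application/json",
    },
    body: JSON.stringify(body),
  };
}

// Reduce the engine's response to what the browser may receive: embedToken only.
function toBrowserPayload(engineResponse) {
  if (typeof engineResponse.embedToken !== "string" || !engineResponse.embedToken) {
    throw new Error("engine response has no embedToken");
  }
  return { embedToken: engineResponse.embedToken };
}

// Full round trip. fetchImpl is injectable so the flow can be exercised offline.
async function createEmbedSession(creds, params, fetchImpl = fetch) {
  const { url, ...init } = buildSessionRequest(creds, params);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error("embed session request failed: " + res.status);
  return toBrowserPayload(await res.json());
}
```

The browser-facing route in the host backend returns the result of createEmbedSession as its response, so sessionId and the client credentials stay on the server.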

Active Embed Sessions

Revoke sessions to immediately invalidate all widgets using that token.

No active sessions found.