Prerequisites

Before you can embed the editor or talk to the backend, you need two tokens from nuIT. They serve different purposes and have very different secrecy requirements — so it matters which one you use where.

Token	Used for	Lives in the browser?
Secret token	The embedded editor (front end)	Yes — visible to end users
Access token	The Exchange API (back end)	No — must be kept private

Secret token (front end)

The secret token authenticates your company in the embedded editor. You pass it to the <nu-evolution-editor> component through its token attribute, and the component forwards it to the EVO editor running inside the iframe.

<nu-evolution-editor token="your-secret-token"></nu-evolution-editor>

Because it travels to the browser — it appears both in your page markup and in the editor's iframe URL — the secret token is not confidential. Treat it as a public, client-side credential. Two things keep it safe to expose:

• It only unlocks the embedded editor; it grants no access to your backend data.
• It is constrained to specific domains — it only works on the origins nuIT has whitelisted for your account, so a copied token cannot be reused on another site.

See Getting Started for the full set of editor attributes.

Access token (back end)

The access token authenticates calls to the Exchange API — reading, updating and deleting profiles, and creating orders. You send it as the nuit-exchange-token request header.

nuit-exchange-token: your-access-token

Unlike the secret token, the access token grants direct access to your data, so it must be kept secret. Only ever use it from your own backend — never embed it in front-end code, commit it to a repository, or expose it to end users.

See Integration for how the access token is used across the API.

Use the right token in the right place

The secret token belongs in the browser; the access token never does. Don't swap them.

Don't have a token pair yet?

If you don't have a token pair yet, contact nuIT sales to get set up.