Environment Matrix
Plan dev, staging, and production embeds
Each environment should have explicit runtime URLs, allowed origins, identity configuration, certificate coverage, and validation checks.
Environment Matrix
| Environment | Portal URL | Aura Home baseUrl | Identity | Certificate |
|---|---|---|---|---|
| Development | https://dev-portal.customer-domain.com | Customer or Cadisa dev runtime | Test IdP app or test tenant | Trusted dev certificate |
| Staging | https://staging.customer-domain.com | Staging Aura Home runtime | Staging IdP app with production-like claims | Trusted staging certificate |
| Production | https://portal.customer-domain.com | Production Aura Home runtime | Production IdP app | Production certificate with automatic renewal |
Configuration Pattern
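```javascript
// baseUrl and allowedOrigin are read from globals that each environment's portal page sets.
const aura = AuraHome.init({
  container: "#aura-home",
  baseUrl: window.AURA_HOME_BASE_URL,
  allowedOrigin: window.AURA_HOME_ALLOWED_ORIGIN,
  sdkHost: window.location.hostname, // hostname of the embedding portal page
  auth: {
    mode: "oidc",
    // Fetches the ID token from the customer's identity client.
    getToken: async () => customerIdentity.getIdToken()
  }
});
```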
Per-Environment Values
| Value | Must Be Different Per Environment? | Notes |
|---|---|---|
| `baseUrl` | Usually yes | Points the SDK at the target Aura Home runtime. |
| `allowedOrigin` | Usually yes | Must exactly match the runtime origin. |
| `theme.id` | Sometimes | Visual request only. It must be approved by the runtime allowlist or published through the dashboard Appearance Editor. |
| OIDC issuer | Sometimes | Some customers use separate IdP apps for staging and production. |
| OIDC client ID or audience | Often yes | Recommended when the IdP supports environment-specific applications. |
| Portal parent origin | Yes | Runtime allowlists should only include approved customer origins. |
Production Promotion Checklist
- Staging token claims match the production token contract.
- Production certificate is valid and auto-renewal is active.
- Production CSP allows the runtime and identity endpoints.
- Production runtime allowlist includes the portal origin only.
- Production appearance profile has been previewed and published for light, dark, or system mode.
- SDK lifecycle events are monitored during the first launch window.
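
The origin rules from the Per-Environment Values table and the allowlist item in the checklist can be checked before promotion. The following is an added example, not Aura Home SDK code: the field names `portalOrigin` and `runtimeAllowlist`, the `example.com` runtime hosts, and the sample configs are constructed, and "runtime origin" is taken to mean the origin of `baseUrl`.

```javascript
// Added example: pre-promotion check of per-environment embed values.
// portalOrigin, runtimeAllowlist and the runtime hosts below are assumptions.

// Returns the origin only if `value` is already a bare https origin
// (no path, trailing slash, default port, wildcard or case variation).
function exactOrigin(value) {
  try {
    if (value.includes("*")) return null;
    const u = new URL(value);
    return u.protocol === "https:" && u.origin === value ? u.origin : null;
  } catch {
    return null;
  }
}

function validateEmbed(env, cfg) {
  const problems = [];
  let runtimeOrigin = null;
  try {
    const base = new URL(cfg.baseUrl);
    if (base.protocol !== "https:") problems.push("baseUrl is not https");
    runtimeOrigin = base.origin;
  } catch {
    problems.push("baseUrl is not a valid URL");
  }
  const allowed = exactOrigin(cfg.allowedOrigin);
  if (!allowed) problems.push("allowedOrigin is not a bare https origin");
  else if (allowed !== runtimeOrigin) problems.push("allowedOrigin does not match the runtime origin");
  const list = cfg.runtimeAllowlist || [];
  if (!list.includes(cfg.portalOrigin)) problems.push("portal origin missing from runtime allowlist");
  if (list.some((o) => !exactOrigin(o))) problems.push("runtime allowlist has a non-exact entry");
  if (env === "production" && list.some((o) => o !== cfg.portalOrigin))
    problems.push("production allowlist includes origins other than the portal");
  return problems;
}

// Constructed sample configs: production reuses a staging value and a staging origin.
const samples = {
  staging: { baseUrl: "https://aura-staging.example.com",
    allowedOrigin: "https://aura-staging.example.com",
    portalOrigin: "https://staging.customer-domain.com",
    runtimeAllowlist: ["https://staging.customer-domain.com"] },
  production: { baseUrl: "https://aura.example.com/home",
    allowedOrigin: "https://aura-staging.example.com",
    portalOrigin: "https://portal.customer-domain.com",
    runtimeAllowlist: ["https://portal.customer-domain.com", "https://staging.customer-domain.com"] },
};
for (const [env, cfg] of Object.entries(samples)) console.log(env, validateEmbed(env, cfg));
```

Run under Node.js as a promotion gate; an empty list means the environment's origin values are consistent.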