Kaunt UI,
inside your app.
Skip the build.

Prebuilt browser-side experiences you drop into your UI as an iframe or direct link. Mint a session from your backend, the component talks to Kaunt with a scoped token - your API key never reaches the browser.

Get started Pricing

// 1. Server: mint a short-lived session
POST /v1/tenants/{tenantId}/embedded-components/sessions
{ component: "documentai-feedback-agent", accessMode: "iframe" }
‍
// 2. Browser: embed the iframe
<iframe src={session.url} />

That's the integration. The component handles auth via a JWT token handshake — revoke any session with DELETE …/sessions/{id}.

iframe or direct link

JWT-scoped session

EU/US regions

VX

VendorX Trading ApS

Frederiksberg Allé 14 · 2000 DK · CVR 38211904

Invoice

INV‑2026‑00821

Issued 2026‑05‑21 · Due 2026‑06‑20

Bill to Acme Logistics ApS · København

#	Description	Qty	Price	Amount
1	Office desk · oak	2	1 250,00	2 500,00
2	Office chair · ergo	3	749,00	2 247,00
3	FREIGHT EU · pallet	1	245,00	245,00
4	Setup & assembly	1	328,00	328,00

Subtotal5 320,00

VAT 25%1 330,00

Total DKK6 650,00

Drop-in ready

One iframe tag.

Your shell hosts the component. Kaunt's host serves it. No bundling, no SDK churn.

Scoped

Narrow by default.

Each session carries the exact permissions you mint into it — never broader, never the browser's call, revocable anytime.

Always Current

Updates ship automatically.

Improvements to the agent and UX reach your users without a frontend release on your side.

—What a component is

Whole workflows.
Not just widgets.

Each embedded component packages a complete user task — interaction, validation, preview, audit — behind one iframe. You provide context; the component handles the work. One example is the Document AI Feedback Agent, which turns plain-language requests into previewable rule proposals.

Scoped to the session. Permissions you grant on session creation are enforced by the component — users can't act outside them.
Safe to commit. Where the action is non-trivial, components show a read-only preview before anything writes.
Audit-friendly. The userId you mint into the session lands on every artifact the component produces.

Proposal card document #227aebd0

Summary

Exclude lines matching freight, shipping, or delivery from totals for documents issued by VendorX.

Scope Vendor · VendorX Affected field totals.netTotal Applies when line description matches freight, shipping, delivery Does not apply to documents not from VendorX Conflicts None · safe to commit

Confidence

0.86

Preview document #227aebd0 · read-only

Field	Current	Previewed	Δ
`totals.netTotal`	5 320,00	5 075,00	−245,00
`totals.tax`	1 330,00	1 268,75	−61,25
`totals.grand`	6 650,00	6 343,75	−306,25
line `FREIGHT EU`	included	excluded	flagged

Source-of-truth extraction is unchanged. Click Apply to commit.

— Anchored, not exposed

Bound to one resource.
And one user.

Every component is anchored to a specific Kaunt resource and a specific end user — both set server-side when you mint the session. Nothing else is in reach. Today that resource can be a documentId; future components will bind to other resource types using the same model.

Scoped to the session. Permissions you grant on session creation are enforced by the component — users can't act outside them.
Safe to commit. Where the action is non-trivial, components show a read-only preview before anything writes.
Audit-friendly. The userId you mint into the session lands on every artifact the component produces.

— The Contract

One Integration. Every Component.

The same session - create endpoint, the same JWT handshake, and the same iframe contract powers every embedded component. Switching components is a matter of changing the component identifier and the data payload - the integration code you write today doesn't move.

Building a non-browser surface instead? Call the Kaunt API directly.

// 1. Mint a session from your backend (never the browser)
const res = await fetch(
  `https://api.kaunt.com/v1/tenants/${tenantId}/embedded-components/sessions`,
  {
    method: "POST",
    headers: {
      "Authorization": `Bearer ${process.env.KAUNT_API_KEY}`,
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      component: "documentai-feedback-agent",
      accessMode: "iframe",
      allowedOrigins: ["https://app.partner.com"],
      data: {
        documentId: "227aebd0-36a4-4d17-…",
        userId: "mira@partner.com",
        companyName: "acme-logistics",
        permissions: {
          canManageRulesAtScope: ["Vendor", "Buyer"],
        },
      },
    }),
  }
);

const { url, token } = await res.json();
// → hand `url` and `token` to your frontend

<iframe id="kaunt" src={session.url} />

<script>
  const iframe = document.getElementById("kaunt");
  const origin = "https://components.kaunt.com";

  window.addEventListener("message", (event) => {
    if (event.origin !== origin) return;

    if (event.data?.type === "kaunt-ready") {
      // 2. Hand the JWT to the iframe — only on demand,
      //    and only to the components origin.
      iframe.contentWindow.postMessage(
        { type: "kaunt-token", token },
        origin
      );
    }

    if (event.data?.type === "kaunt-error") {
      console.warn("kaunt:", event.data.code);
    }
  });
</script>

— Security Model

Designed for embedding in customer facing products.

Three commitments make embedded components safe to drop into a SaaS shell — even when the surrounding application is built by someone else.

API key stays server-side

You mint sessions from your backend with your Kaunt API key. The browser only ever sees a JWT scoped to one session — no key, no rotation drama.

JWT scoped to one session

Each token is bound to one document, one user, the scopes you granted, and the origins you allow — checked both by the component and the components host's CSP.

Short-lived, revocable

Sessions expire automatically (typically one hour). Revoke any active session with DELETE /sessions/{id} — the next request gets 401 and the component posts session-revoked.

— What ships in the box

Less code, fewer corners cut.

Each component bundles the surface area that's tedious or risky to rebuild — auth, error events, layout, audit, region routing — behind one consistent API.

EMBEDDING

iframe mode with postMessage handshake
Direct-link mode for one-shot URLs
Allowed-origins enforcement
Compact layout below ~420 px

Lifecycle

Short-lived sessions (~1h)
Revoke endpoint for logout flows
Expiry timestamps on every session
session-revoked error events

Permissions

Per-session scope grants
Tenant / Company / Vendor / Buyer
Conservative defaults
Agent respects scope limits

Hosting & trust

Multi-regional data isolation
Audit-friendly user IDs
CSP frame-ancestors enforcement
Audit logs

Embed Kaunt – Skip the build.

Mint a session, drop an iframe, ship the feature. Your users get an agent grounded on the document in front of them — without you owning the UI.